I have a Provider Hosted SharePoint app registered using appreg.aspx. I want to get details of that app like app name, client secret start and end date using Azure Function, so that I can send alert before the app client secret expires. I have already increased the date to 3 years using the PowerShell script.
I went through the question, Alert on Client Secret Key Expiry. But it seems the solution is older. I have used a PowerShell script to get app details but I want to use Azure Function as I already have a few other functions, so maintaining them will be easier.
Is there a way to get app details using Graph REST API?
Thank you!
Use https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '{app id of your app registered in SharePoint}' to get the app details.
You can find client secret endDateTime in the response (the app name is also included):
"passwordCredentials": [
    {
        "customKeyIdentifier": null,
        "endDateTime": "2021-01-16T01:56:20.4750596Z",
        "keyId": "653b5550-23c0-4bff-9fab-f34e91d23dc6",
        "startDateTime": "2020-01-16T01:56:20.4750596Z",
        "secretText": null,
        "hint": null,
        "displayName": null
    }
]
See reference here. And you can have a quick test in Microsoft Graph Explorer.
Related
I'm trying to implement Microsoft Azure's Address Validation.
I get it to work using the implicit OAuth v2 but I would like to implement this as a service.
I have added Client Secrets and tried using that method but I don't get an Auth Token back.
Am I not implementing the Auth Service correctly?
Can this API be used with our actual user logging in each time?
Microsoft Azure Address Validation
[Azure app registration](https://i.stack.imgur.com/ck9oW.png)
[PostMan Auth](https://i.stack.imgur.com/pkERQ.png)
[Token Response](https://i.stack.imgur.com/czeQa.png)
Thanks for the Help.
I tried to reproduce the same in my environment and got the results successfully like below:
I created Azure AD Application and added API permissions:
I generated the access token by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://management.azure.com/.default
grant_type:client_credentials
To validate the address, I used below query:
POST https://management.azure.com/providers/Microsoft.Billing/validateAddress?api-version=2019-10-01-preview
{
"addressLine1": "55 110th Ave NE",
"city": "bellevue",
"region": "wa",
"postalCode": "98004",
"country": "us"
}
In Authorization tab, paste the access token like below:
Reference:
Address - Validate - REST API (Azure Billing)
I had seen multiple examples of how to use Azure API manager using PowerShell to retrieve the password for SCM but was unable to find any example using it without PowerShell, i.e. something executed in the shell command line. I am also looking for an example for saving and deploying my API.
You can always inspect any Azure service API in action by doing what you need in Azure portal and seeing what requests get sent. Correlating them with documentation helps. So to get access token for SCM endpoint in APIM you need:
With any Azure credentials make a GET call to https://management.azure.com/subscriptions/.../resourceGroups/.../providers/Microsoft.ApiManagement/service/.../tenant/access/git?api-version=2018-01-01
In response you will get a payload similar to:
{
"id": "XXX",
...
}
Take "id" from that payload and make a POST call to https://management.azure.com/subscriptions/.../resourceGroups/.../providers/Microsoft.ApiManagement/service/.../users/XXX/token?api-version=2018-01-01
You will get your token:
{
"value":"..."
}
To start, please keep in mind that I am not very experienced with coding and it would be greatly appreciated if any replies were made with clear instructions or links to resources that were fairly straight forward for a beginner.
With that out of the way, my current situation is that I need to move data automatically from a third party source into Quickbooks Online using Azure and I have very little idea how to set up the OAuth 2.0 connection to receive a valid token. I've done a test connection using Postman, successfully received a valid token, and have been able to send and receive data using the Quickbooks API. However, being able to do the same from inside of Azure (whether using AD or Logic Apps) escapes me. Please note that this needs to be a service-service connection with no user input required (e.g. no logins or prompts). I've tried setting up a GET request in Logic App to start the workflow to first receive the code by using the client_id, client_secret, and scope that is provided in the Quickbooks developer app keys section but it always comes back as permanently moved or a bad request. I think this is due to a bad URI but again, I'm not familiar with what URI I should be using in the GET request or even if the GET request is what I should be using in the first place. The next step of course would be to send the code and request the actual token.
My current research has only revealed information on authenticating to an AD app but all of the instructions seem to be mixing information from the old Azure platform making the process unusable. On the Quickbooks side, the information is all about creating Quickbooks apps for publication on their marketplace, which is not the goal here.
If anybody can help with this I'd appreciate it as I've spent the last couple of days trying to figure this out and getting nowhere.
{
"inputs": {
"method": "GET",
"uri": "xxxx", //This is what I need to know and where to find it
"headers": {
"client_id": "xxxx", //provided by quickbooks dev app
"client_secret": "xxxx", //provided by quickbooks dev app
"content-type": "application/json",
"scope": "com.intuit.quickbooks.accounting"
}
},
"recurrence": {
"frequency": "Minute",
"interval": 3
}
}
Error with current URI is "bad request" because it is missing api-version but could also be caused by the # symbol.
I am trying to get the expiry date of the client secrets for our AAD application. However, when I use the following graph request, the passwordCredential and keyCredential fields are blank.
https://graph.windows.net/myorganization/directoryObjects/{ServicePrincipalObjectId}/?api-version=1.6
Is there a way to get this data? I see it in the manifest if I download that, just not in the OData object.
Thank you for your help!
Use this AAD Graph API below:
https://graph.windows.net/{org_domain}/applications/{obj_id}/passwordCredentials
The response will show the list of keys used by your specific AAD Application.
You can derive the expiration date of your key from the endDate field.
{
"odata.metadata": "https://graph.windows.net/{org_domain}/$metadata#Collection(Microsoft.DirectoryServices.PasswordCredential)",
"value": [
{
"customKeyIdentifier": null,
"endDate": "2018-05-07T09:12:13.2177408Z",
"keyId": "{your_key_id}",
"startDate": "2016-05-07T09:12:13.2177408Z",
"value": null
}
]
}
As an alternative to using Graph API you might also consider using Get-AzAdApplication cmdlet together with Get-AzAdAppCredential, which are part of Az PowerShell
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadappcredential?view=azps-5.5.0
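Added example, not part of either answer: a small Python check of the kind an Azure Function timer trigger could run, which parses both response shapes shown on this page (the Graph beta servicePrincipals answer above with passwordCredentials[].endDateTime, and this AAD Graph passwordCredentials answer with value[].endDate) and reports secrets expiring within a threshold. The sample responses are constructed, and obtaining the bearer token and calling the API are assumed to have happened already.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: shape of GET /beta/servicePrincipals?$filter=appId eq '...'
GRAPH_BETA_SAMPLE = json.dumps({"value": [{
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "ContosoProviderHostedApp",
    "passwordCredentials": [{"keyId": "k1",
                             "startDateTime": "2020-01-16T01:56:20.4750596Z",
                             "endDateTime": "2021-01-16T01:56:20.4750596Z"}]}]})

# Constructed sample: shape of GET /{org_domain}/applications/{obj_id}/passwordCredentials
AAD_GRAPH_SAMPLE = json.dumps({"value": [
    {"keyId": "k2", "startDate": "2016-05-07T09:12:13.2177408Z",
     "endDate": "2018-05-07T09:12:13.2177408Z"}]})


def _parse_ts(ts):
    # Both APIs emit ISO 8601 with 7 fractional digits; fromisoformat accepts at most 6.
    head, _, frac = ts.rstrip("Z").partition(".")
    return datetime.fromisoformat(head + (("." + frac[:6]) if frac else "")).replace(tzinfo=timezone.utc)


def password_credentials(body):
    """Normalise either response body to a list of (keyId, end datetime)."""
    creds = []
    for item in json.loads(body).get("value", []):
        if "passwordCredentials" in item:      # Graph beta servicePrincipal object
            for c in item["passwordCredentials"]:
                creds.append((c["keyId"], _parse_ts(c["endDateTime"])))
        elif "endDate" in item:                 # AAD Graph PasswordCredential entry
            creds.append((item["keyId"], _parse_ts(item["endDate"])))
    return creds


def expiring_within(body, days, now_iso):
    """(keyId, days_left) for secrets ending within `days` of now; already-expired ones show negative days."""
    now = _parse_ts(now_iso)
    cutoff = now + timedelta(days=days)
    return [(kid, (end - now).days) for kid, end in password_credentials(body) if end <= cutoff]


if __name__ == "__main__":
    # Alert threshold of 30 days, evaluated at a constructed "current" time.
    for kid, left in expiring_within(GRAPH_BETA_SAMPLE, 30, "2020-12-20T00:00:00Z"):
        print(f"ALERT: secret {kid} expires in {left} days")
```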
I'm querying the Microsoft Graph using a service app as described in this article: http://graph.microsoft.io/en-us/docs/authorization/app_only
I'm successfully able to make the POST request to the tenant-specific URL and get the JSON response specified:
{
"token_type": "Bearer",
"expires_in": "3599",
"scope": "User.Read",
"expires_on": "1449685363",
"not_before": "1449681463",
"resource": "https://graph.microsoft.com",
"access_token": "<token>"
}
except the "scope" parameter is missing. I have all "Office 365 Exchange Online" "Application Permissions" checked in my AD configuration panel. When using the returned token against the Graph API, I'm able to successfully call https://graph.microsoft.com/v1.0/users/ but no other endpoints.
I just had this issue and wanted to elaborate on the answer marked as correct since it is the correct answer but an incomplete solution. If there are no scope parameters, it means that your app is registered, however the admin has not consented to the app accessing your AD instance. Once you register your app, you have to build and go to the following URL to authorize the app (with admin account, of course):
GET https://login.microsoftonline.com/{TenantID}/adminconsent?
client_id=<APP ID>
&state=<This is optional for your app to use>
&redirect_uri=<ReturnURL>
TenantID: comes from Azure portal - if you click on the Help icon in the upper right and then choose 'Show Diagnostics' you can find the tenant id in the diagnostic JSON.
AppID: comes from the Azure portal - when you register your app, you go to the management console and cut/paste
This article has a TON of useful info for people trying to do graph integration.
You need to select the application scopes from the list available in the Microsoft Graph service then have the admin consent