Make Microsoft-Graph API calls without registering the app - node.js

This is NOT a code-related question, but a question about auth while accessing Microsoft Graph.
I have a small nodeJS code that will access my own files on OneDrive and pull some data from an Excel spreadsheet. This app is just my own, for automating a task. Is it possible for nodeJS code to access Microsoft Graph APIs without having to register this app and get admin approval?
I have a work account. My admin would not approve an app that is not going to help my organization.

It's determined by what kind of account you have.
If your account is a work/school account, which is managed by your organization, you must register the application/create a servicePrincipal in your organization's tenant to call the Microsoft Graph API. This is because all company data, including your account data, is managed by your organization, not by yourself.
If your account is a personal account (Microsoft Live Account), you can use the Microsoft app registration portal for the personal identity platform: https://apps.dev.microsoft.com/. It's managed by your own personal account.

Related

Fetching groups/users from Azure application

I'm developing a system where a user can give access for fetching users/groups from his/her Azure account.
I did the following:
Create B2C tenant (Initially tried B2B)
Create enterprise application
Set "AzureADandPersonalMicrosoftAccount" for "signInAudience"
Provide group.readAll, user.readAll, offline_access etc permissions
Then ask for adminconsent using
https://login.microsoftonline.com/common/adminconsent?client_id=xxxx&state=state&redirect_uri=url
After the response in redirect_uri, I'm accessing "client_credentials" using the client secret, which returns a token.
Using that token, I'm fetching groups & users for that account using the Graph API.
Doc:
https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0
Everything is working fine for my account. But if I try with another personal user (which I haven't added as a guest user in my tenant), then it returns an error:
User account is a personal Microsoft account.
Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization
Try signing out and signing back in with an organizational account.
I have tried through another account, which is also in Azure and has a few users in his account.
So Azure doesn't allow fetching users/groups from any account which has users in his Azure account?
Help me find out if I missed something.
Thanks in advance!
As mentioned in the documents for both Users and Groups, fetching the list of them is not supported for personal Microsoft accounts.
Hope this helps.

Office 365 subscription: Associate Azure AD Application created for OAuth

I am a bit confused with Office 365 subscriptions and the application I have created in Azure AD for OAuth.
I have programmatically created an Azure AD app for OAuth and have assigned it appropriate permissions for Graph API and EWS API. The app is working perfectly fine with the Dev tenant I have for my testing. I am able to programmatically access OneDrive and Mailboxes using the token created by this application.
Now I am not sure if I need to associate this app with Office 365 subscriptions. Currently, my dev tenant does not have any Azure / Office 365 subscriptions but users in the field may have Azure / Office 365 subscriptions.
I am not sure if I need to perform any specific checks for subscriptions and associate my app with any. Information I found on the net is confusing and I am unable to conclude anything from it.
Please let me know if you have any idea about this. I am a bit new to this whole thing so forgive my ignorance.
Accessing the Graph API and EWS API only requires that you have an O365 subscription.
But you don't need to do something like associating the app with an O365 subscription.
Just make sure this Azure AD application is available in the corresponding tenant.
For example, we have a tenant testTenant.onmicrosoft.com, and a user admin@testTenant.onmicrosoft.com.
You need to create the AAD application in this tenant testTenant.onmicrosoft.com. And if admin@testTenant.onmicrosoft.com has an O365 subscription with an Exchange Online license, you can access its AAD user profile information and O365 mailbox with Graph and EWS. If the user doesn't have an O365 subscription, you can still access its AAD user profile information. But the mailbox doesn't exist, so you can't access the mailbox.

MS Graph: How to determine if the logged-in user has both Office365 and Azure subscription or not?

Question: Using Microsoft Graph API, is there a way to query if a logged-in user has both the Office365 and Azure subscription?
Details:
My WPF-Core app is using MS Graph to access Azure resources as well as Office365 services (Outlook schedule and OneDrive). My personal Azure account does not have an Office365 subscription. When I log in with an Azure (admin) account to my app, the app can perform CRUD operations on Azure AD users.
Likewise, when I log in with an MSA account (Outlook, Hotmail, etc.), the app can perform operations such as updating Outlook events, uploading/downloading files to the logged-in user's OneDrive, etc.
But in both cases the converse is not true. For example, if I log in using an Azure AD account and try to have the app update an Outlook event (or upload a file to my OneDrive), I get the following error: Tenant does not have a SPO license. So, if a user is logged in with an Azure AD account and tries to click on the app's button that displays or updates the user's Outlook events, I would like to display a message to the user that their Azure account does not have a SPO license. And display a similar message in the reverse case (i.e. this Office account does not have an Azure subscription, etc.).
NOTE: The above scenario is not working for display purposes either. That is, an Azure AD login is not able to see Outlook events, and an MSA login is not able to see the Azure AD users list.
Firstly, the answer is NO. We cannot determine if the user has Azure subscription.
MS Graph mainly manages the Azure AD resources while Azure subscription mainly manages Azure resources such as Azure App Service, VM, etc.
But we can determine if a user has O365 subscription (or the license under O365 subscription).
Firstly, you could use GET https://graph.microsoft.com/v1.0/me?$select=userPrincipalName,assignedPlans to get the logged-in user's O365 licenses.
We can find the SharePoint license in the response.
In fact you may find more than one Sharepoint license in the response because the user may have multiple O365 subscriptions.
Besides, if the Azure subscription you mentioned actually refers to AAD subscription, then the method I described above is also suitable for querying AAD subscription.
The above content applies to AAD users.
If the logged-in user is an MSA, when you query GET https://graph.microsoft.com/v1.0/me?$select=userPrincipalName,assignedPlans, it won't return a property named assignedPlans.

web application to multi tenant application one drive business api

My question is similar to the question Multi-Tenant app - OneDrive Business API,
but I want my application to access OneDrive from tenants of other, different Azure subscriptions. Is it possible? I understood that if I register my application and mark it as multi-tenant, it will allow me to access the tenants in my Azure subscription, but if I want to access a tenant using the same application but in a different Azure subscription, what's the way?
What kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow, where the user delegates access to a web application. In this scenario, to enable users on other tenants to log in to the website and access their Office 365 resources, we only need to enable the multi-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST API you are using. If we are using Microsoft Graph to query OneDrive for Business, it is the same as calling the REST API for a single-tenant app. The endpoint for listing the children of a driveItem is still like below, no matter which tenant the user logs in from:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer here for more detail about the Office 365 Discovery Service REST API.
Depending on the permissions that you need, normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier, as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a more elaborate explanation of how this would work.

Office365 API Authentication - Azure vs Application Registration Portal

I'm creating a Node app that uses OAuth2 to login a user and use the Office365 API to send and receive email, and possibly contacts and calendar events.
I have no need for Azure Active Directory that I know of. However, I am unsure of whether or not I need to register the app with Azure for the OAuth flow.
At first I followed this tutorial, which involves registering the app in the "Application Registration Portal." The OAuth token I receive currently works with the REST API for Outlook. No Azure.
Then I saw this tutorial, which seems to suggest that any app using the Office365 APIs should register an app with Azure. I don't want to do this if I don't have to, mainly because of the cost.
It is not clear to me why I need to sign up for one or the other, and my main concern is that the first tutorial is dated to the point that my app's registration with the "Application Registration Portal" will become deprecated and I will need to switch over to registration with Azure at some point. I have seen plenty of outdated tutorials and information from MS that are not clearly marked as deprecated. Can anyone help clear this up?
Sorry for the confusion. The short answer is that both these methods are still relevant, so neither of them is deprecated yet.
Firstly, you're right that you need to register your app to call the Office 365 APIs.
And, you're also right that there are currently two different places to register an app: the App Registration Portal and the Active Directory section under the Azure Management Portal.
Registering on either one of these is enough to get you to a comfortable state where you can call the Office 365 APIs.
However, the convergence of the Outlook.com stack with the Exchange stack means that you are now also able to use the Office 365 Mail, Calendar and Contacts API against consumer Outlook.com accounts in addition to Office 365 accounts. If you wish to take advantage of this, you should register your app in the Application Registration Portal and NOT the Azure Management Portal.
Another advantage of registering through the Application Registration Portal is the support of dynamic permissions scopes. You don't have to specify upfront when you register your app what permissions it requires; rather, you can request permissions at runtime using the scopes parameter.
This new v2 app model for apps registered in the Application Registration Portal is currently in preview. A reason not to register apps in the Application Registration Portal is if they will be using more than just the Mail, Calendar and Contacts APIs. For example, if your app is also using the OneDrive for Business Files API, you wouldn't be able to request tokens using the v2 app model's endpoint. In that case, you should register your app in the Active Directory section under the Azure Management Portal.