We have a console application running every night which updates some project plans with CSOM. This uses the SharePointOnlineCredentials for authentication.
But the IT departments wants to change the flag of LegacyAuthProtocolsEnabled of the tenant to false. This has as consequence that SharePointOnlineCredentials can no longer be used as you can read here.
A suggested approach in the link above was to use a ClientId and ClientSecret. I've tested this with the PnP Core AutheticationManager function GetAppOnlyAuthenticatedContext. This works for a ClientContext object for SharePoint Online but it does not work after modifying this function to return a ProjectContext object. A ProjectServerError "GeneralNotLicensed" is thrown because the SharePoint Principal does not have a Project Online license (see here).
My third attempt was to use the Office365ClaimsHelper class found here. This contacts https://login.microsoftonline.com/extSTS.srf for a SAML token by providing the username and password. Now this approach works for a demo environment, but not for the production environment. I suspect because this has a Multi-Factor authentication.
To put things short: does anyone have an idea on how to get a ProjectContext object without using SharePointOnlineCredentials and without showing a pop-up to log in a user on a Multi-Factor authentication environment?
Managed to find a working solution thanks to following PowerShell script: https://blogs.technet.microsoft.com/sharepointdevelopersupport/2018/02/07/sharepoint-online-active-authentication/
Translated this to C# code and calls to Project Online CSOM work!
Related
I'm trying to use the AadHttpClient library that comes with SPFx to connect to a custom API secured by an app registration in Azure AD.
However when I run the web part in the workbench, SharePoint Online (in the tenant _layouts) I get an error in the console saying that the feature is experimental.
Error: The requested operation is part of an experimental feature that is not supported in the current environment.
As far as I can make out from this article, it should be in general release.
When connecting to Azure AD-secured APIs, we recommend that you use the MSGraphClient and AadHttpClient classes, which are now generally available. For more information about the recommended models, see Connect to Azure AD-secured APIs in SharePoint Framework solutions and Use the MSGraphClient to connect to Microsoft Graph.
When I go to the API management page in SP Admin site I get a popup stating
***Access to Azure Active Directory resources using the SharePoint Framework will be available soon.
So I'm a bit confused.
I also get an error on the API management page saying..
A null value was found with the expected type 'Edm.String[Nullable=False]'. The expected type 'Edm.String[Nullable=False]' does not allow null values.
I also get the same error when I try in PowerShell running
Get-SPOTenantServicePrincipalPermissionRequests
I'm not 100% sure I understand the relevance of the API management page - does an admin need to approve just once for the web part then all users are good to go?
I was having the same issue. The github thread can be found here. What fixed it for me was adding the account I was using as a site collection admin.
Connect-SPOService
Set-SPOUser -Site https://TENANT-admin.sharepoint.com -IsSiteCollectionAdmin $True -LoginName yourLoginName
I'm trying to create a bot in a sharepoint site. To do that i need to retrieve the user info using implicit flow authentification method, however i haven't found any example using .NET and all the examples are in Node.js.
Can someone show me how to do that please ?
There are a number of .net examples online:
https://stephaneeyskens.wordpress.com/2017/01/04/microsoft-bot-framework-transparent-authentication-with-the-webchat-control/
https://github.com/Ellerbach/SharePointBot
https://www.rickvanrousselt.com/contextual-authentication-webchat-control/
https://www.linkedin.com/pulse/chat-bot-luis-sharepoint-part-one-akshay-deshmukh/
However, they are a little dated. Just this week, Microsoft released a new integrated OAuth feature for bots.
One of the Service Providers is Sharepoint:
(Related to this question)
I have an application that should be automatically usable for all customer tenants, and therefore tried this tutorial to enable preconsent.
After doing the Powershell commands and getting again the application, I can see that it is enabled:
PS C:\Windows\system32> $graphResponse.value.recordConsentConditions
SilentConsentForPartnerManagedApp
However, when creating a new tenant(or using an existing one) and trying to access Microsoft Graph's /users call, I get a 500 error until I navigate to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&prompt=admin_consent (with {0} being the cliendId of the app), sign in as an admin and accept the delegation.
Am I missing a step here?
After a contact with Microsoft support, this is a bug on their side. They told me yesterday that the engineer team acknowledged it. It will be fixed.
In order to query the MS Graph, your app will need to be granted the appropriate permissions by an end user or by an administrator of the tenant. Usually the best way to acquire consent from an administrator is by using the prompt=admin_consent parameter, as you've done above.
If for some reason you must do so via powershell, you can create an oAuth2PermissionGrant object using a consentType of AllPrincipals.
Personally I wouldn't recommend using the recordConsentConditions property. It's only there for legacy reasons - I don't even know what it does.
I am prototyping a tool that runs every few minutes and goes off to an office 365 site and to retrieve and then process information.
At the moment I have started with the MSDN guide "Remote Authentication in SharePoint Online Using Claims-Based Authentication" which points to a very helpful code sample that gets a clientcontext object based on a user logging in and then extracts the cookie.
I want to be able to run my code within task scheduler, so that you will be able to specify the office username and password in a configuration somewhere.
Does anyone have any code that will do this or a starting point.
something like
using (ClientContext ctx = SomeClass.GetContext(targetSiteUrl, username, password))
{
if (ctx != null)
{
//dostuffhere
}
}
I have seen this blog post Automatic Login for SharePoint using Claims authentication but the code on the site doesn't appear to be complete / I cannot get it working
Just to note that I am referring to the current release of office 365 (based on 2010) and not the newly available beta of 2013
so, are you wanting to allow a user to access something without them being a registered user in SharePoint? if so, you may want to look into elevating the current users privileges in code.
Can confirm that this post here has the answer. ou use the MSOnlineHelper class to do the headless authentication
Use the SharePointOnlineCredentials class to instantiate clientContext.Credentials.
The SharePointOnlineCredentials class represents an object that
provides credentials to access SharePoint Online resources.
UPDATE
I can now perform succesful UI impersonation. This was an issue with the code I was using and after viewing Jay Nathan's article I have reverted to his code and all is working great.
In response to a comment this is the code I am using to create a new site collection:
Dim newSite As SPSite = webApp.Sites.Add( _
txtWebApp.Text & "/cg/" & strURL, txtName.Text, txtDesc.Text, 1033, "SITEDEF#0", _
"DOMAIN\ACCOUNT", "NAME", "EMAIL", _
"DOMAIN\ACCOUNT", "NAME", "EMAIL")
and yes "SITEDEF#0" is a perfectly valid site defintion.
Hopefully I have overcome this issue by using an Application Page which is available as an element on the Site Actions menu (to site admins only). Using impersonation I can succesfully instigate this process. There are some additional issues which I have highlighted in another question.
ORIGINAL QUESTION
I have a need to allow non farm administrators to be able to create site collections using a very specific site definition. These people will not have access to central admin and so require a custom solution to allow the creation of these. I have tried several solutions, but want some consensus on a recommended approach.
Custom Web Service - I have written a custom web service to perform this task however this caused major headaches and even though the web service was running in an app pool using the same identity as the sharepoint app pool I could not get this to work. Also had form digest issues in trying to perform this v ia a web service.
Web Part/Application Page - No form digest issues here as we are in the SharePoint context, however I have tried using RunWithElevatedPrivileges but I still get an access denied when calling SPWebbApplication.Sites.Add(), even though all SPSite and SPWeb pbjects are being instantiated inside the elevated code block. I have tried direct impersonation at the UI level and I get an UnhandledException saying that impersonation has failed.
Application Wrapper Around stsadm - I have not attempted this yet as I am concerned about the viability of this approach, surely there is a cleaner way than this?
Some guidance on this would be useful as I cannot find much out there on this.
Thanks
I'd go with option number 1. It's probably an authorization issue. How are you accessing SharePoint? with the SDK or trough its web services?
I'd go for number 2. That code should work, maybe the impersonation code is not correct? You can't use SPContext like you normally would for instance.
Also, you are elevating to the identity of the application pool of your SharePoint site. Does this account have sufficient rights to create Site Collections?
You can check in Central Administration > Application Management > Policy for Web Application.