I would like to create an API to get the SharePoint list data using CSOM and Azure functions.
This article explains how to get the data from SharePoint, but I do not want to put my user name and password into the code.
Is there a SharePoint API that can be exposed by a token so that it is secure to retrieve the SharePoint list, e.g. AadHttpClient?
This article explains how to secure the Azure Function, but instead of consuming the Azure Function, I would like to have a SharePoint API that I can consume in my Azure Function API.
To configure permissions, you could configure your Azure Function to use Access Token authentication. That way you will get an Azure AD App created for you, and there you can configure the necessary permissions for a resource. Both Microsoft Graph and SharePoint Online are available as resources.
Afterwards, you can either use Microsoft Graph API or SharePoint CSOM, depending on the API Access that you select.
I want to read mails of users of a specific domain (tenant) using the Outlook API. However, I don't have privileges to register a new app in the Azure portal for that domain, and so I am not able to use the Graph API. We cannot use the Outlook API without an OAuth app. In this case, is using IMAP/POP3 my only choice? How secure is it to use IMAP/POP3 to read mails when compared to the Azure AD Graph API? Please advise.
It depends on what you really want to achieve.
If you just want to read the messages, configuring your mailbox in Outlook or another email client with IMAP/POP3 is a preference. You don't need to worry about its security; it has been in service for decades.
For Microsoft Graph API, to call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. See Authentication and authorization basics for Microsoft Graph to learn more details about it.
So the point is how you want to read your email.
If you are developing your own app, using Microsoft Graph API is certainly the best choice. You can test GET https://graph.microsoft.com/v1.0/me/messages to list your emails in Microsoft Graph Explorer without registering an app in Azure AD.
I've created an SPFx feature that needs to call an external API. The external API is part of a system that has its own authentication methods outside of SharePoint. Ideally I would like to send details about the currently logged-in SharePoint user to this API, validate them to ensure that the user is actually logged in to SharePoint, compare the SharePoint user with the external system's user (they'll have the same email addresses) and, once matched, run the external API's code as that user.
Is there any way to go about doing something like this? If not, what is the best way to handle this sort of problem? Do other Microsoft tools like Azure need to be used for this?
The supported way to authenticate SharePoint framework components to a custom API is by using Azure Active Directory (AAD) and OAuth.
You need to AAD-protect your API. You can configure it so it supports two authentication mechanisms: AAD and your current authentication method. For example, if a JWT token is present, you use AAD+OAuth, and if not you use your other authentication method.
The SPFx to API authentication mechanism is described in detail on the page Connect to Azure AD-secured APIs in SharePoint Framework solutions.
In summary, you will need the following elements:
1) Register an application in Azure AD, which represents your API.
2) Use a server library to protect your API with that AAD application.
3) Configure your SPFx package so it has permissions to query your API.
4) Grant the permissions to your SPFx package in the SharePoint central administration.
5) Use the AadHttpClient in your web part to access your API.
Is it possible to authenticate to the SharePoint Online REST API with Azure AD application v2.0 authentication? If yes, which scope should I use for requesting my permissions? Now (for MS Graph API usage) I request "https://graph.microsoft.com/.default" as the scope, but I didn't find any alternative to this for the SharePoint Online REST API.
I already registered an application on apps.dev.microsoft.com; this application is available on portal.azure.com. There I have added the required permissions for SharePoint Online.
Yes, you can. To do this, first you need to get a new access token using a regular refresh token you already got for Graph:
POST https://login.microsoftonline.com/{{tenantName}}/oauth2/v2.0/token
Except this time pass the following for the scope header:
https://{{tenantName}}.sharepoint.com/Sites.Read.All
Your application will need to already be consented for this scope etc...
The response will give you an access token that can be used against SPO APIs.
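The exchange the answer describes, as an added example that is not part of the original answer: the refresh-token request goes to the same v2.0 token endpoint as the Graph refresh, with only the scope changed to the SharePoint Online resource, and the returned token's audience is checked before it is sent to SPO. It assumes placeholder tenant and client ids, a `URLSearchParams`-encoded form body, and that the SPO access token's `aud` claim is the tenant's SharePoint resource URI (`https://{tenant}.sharepoint.com`); the constructed tokens carry a dummy signature so the example runs offline. The audience check is the one a practitioner wants: a token minted for Graph is not accepted by SPO, and catching that client-side gives a clear error instead of an opaque 401.

```javascript
// Added example, not from the original answer. Node.js, no third-party modules.
const TENANT = 'contoso';                                    // placeholder tenant name
const CLIENT_ID = '11111111-1111-1111-1111-111111111111';    // placeholder app (client) id
const SPO_RESOURCE = `https://${TENANT}.sharepoint.com`;
const SPO_SCOPE = `${SPO_RESOURCE}/Sites.Read.All`;          // the scope from the answer

// Builds the v2.0 refresh-token request for the SPO resource. Same endpoint as
// the Graph refresh; the scope selects which resource the new token is for.
// A public client sends client_id only; a confidential client would add its
// client_secret (or a client assertion) to the same form body.
function buildSpoTokenRequest(refreshToken, scope = SPO_SCOPE) {
  const body = new URLSearchParams({
    client_id: CLIENT_ID,
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    scope,
  });
  return {
    method: 'POST',
    url: `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Reads the aud claim without verifying the token. The resource server (SPO)
// does the verification; the client only needs to know which API it was issued for.
function tokenAudience(accessToken) {
  const parts = (accessToken || '').split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return claims.aud || null;
  } catch {
    return null;
  }
}

// Returns the Authorization header to use against SPO, or throws when the token
// was issued for a different resource (for example Graph).
function spoAuthHeader(accessToken) {
  const aud = tokenAudience(accessToken);
  if (aud !== SPO_RESOURCE) {
    throw new Error(`token audience ${aud} is not ${SPO_RESOURCE}; request the SPO scope instead`);
  }
  return `Bearer ${accessToken}`;
}

// Constructed token encoder for offline runs: real tokens are signed by the
// identity platform; the trailing segment here is a dummy signature.
function fakeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}
```

The refresh token itself should live only in server-side protected storage; the request body above is the whole of what leaves the process.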
It should be the same authentication with Azure AD, the scope you are looking for should be the Site scopes.
https://learn.microsoft.com/en-us/graph/permissions-reference?view=graph-rest-beta#sites-permissions
I do not have SharePoint sites to check, but if permissions are granted to the application, you should be able to query SharePoint sites using the Azure Graph APIs.
https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-beta
Overview
https://learn.microsoft.com/en-us/graph/sharepoint-concept-overview
I recently figured out that there are two Graph APIs available for Azure Active Directory. There is the unified graph.microsoft.com and the AAD-specific graph.windows.net:
Azure AD Graph API functionality is also available through Microsoft Graph, a unified API that also includes APIs from other Microsoft services like Outlook, OneDrive, OneNote, Planner, and Office Graph, all accessed through a single endpoint with a single access token.
Source
Is there any reason to use the unified Graph API when I only need to browse AAD objects? Will the AAD-specific graph.windows.net Graph API get deprecated?
There has been no announcement of Azure AD Graph API's deprecation and we (and others) use it in production every day.
If you can get what you want through Azure AD Graph API, I'd say use it. If you need something else from the Microsoft Graph API (like emails or contacts), use that one.
We are creating a hybrid (SharePoint Add-In + Provider Hosted based API) App to display the data from the SharePoint List using custom API. To retrieve the data from the list, we need the Access Token so that query can be made in the user context, without Azure AD.
We are not able to retrieve the AppOnly access token in the new SharePoint Development Framework (SPFx) app.
We did the following:
1) We created a custom API using a provider-hosted app to retrieve the data from the SharePoint list using custom business logic.
2) We hosted the API in Azure and also registered the App in SharePoint.
3) We are trying to call the API through the Add-In created using the new SharePoint Development Framework (SPFx).
We are able to retrieve the request digest token, but we were not able to create the ClientContext in our API using this request digest token, and we are not able to retrieve the access token through the SharePoint Framework (SPFx).
Is there any way to generate the AppOnly access token without the use of Azure AD? It would be better if the AppOnly access token is generated using the Client ID and Client Secret.
Thanks In Advance.
You can have a look at this example for running with elevated privileges:
https://github.com/SharePoint/sp-dev-fx-webparts/tree/master/samples/react-sp-elevatedprivileges
Probably this is related to what you are trying to achieve.