MS Graph API Permissions for OneDrive Upload - azure

I'm trying to automate file uploads to OneDrive by doing a PUT to
/drives/{drive-id}/items/{item-id}:/myfile.txt:/content. I've registered an application in Azure Active Directory but cannot figure out what permission/API I need to grant to be able to upload files. Additionally, I would like to only grant permission to the application to upload to a specific folder.
I should note that I do NOT want a delegate permission to upload files on behalf of a user - this is an automated job and won't be associated with a real user.

You can add Microsoft Graph as the API and add Files.ReadWrite.All or Sites.ReadWrite.All under Application permissions. You can choose from the two, from least to most privileged.
NOTE: the display string for Files.ReadWrite.All under Application permissions is "Allows the app to read, create, update, and delete all files in all site collections without a signed in user."
This permission requires admin consent, so you need to use an admin account and click the Grant permission button after adding this permission.
You can see the permissions for Upload or replace the contents of a DriveItem in this documentation.

The administrator can't give the permission for a specific user, only for the complete directory; by doing this the application will have access to all drives across the directory, which may represent a security breach.
The workaround to solve this security problem is to create another directory with the users who will share their drives, and then grant the admin consent in the registered app with the Files.ReadWrite.All permission.
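As an added example (not code from the original thread), here is an app-only upload in Python that builds the client-credentials token request, inspects the token's roles claim for Files.ReadWrite.All before sending anything, and PUTs to the path from the question. The tenant, client id, secret, drive id and folder item id are placeholders, and the unsigned token helper exists only so the role check can be exercised offline; the simple upload shown covers files under 4 MB.

```python
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLE = "Files.ReadWrite.All"  # the application permission named in the answer above


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for the v2.0 token endpoint: no user is involved."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # app-only: the consented roles
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def granted_roles(access_token):
    """Return the app roles in the token's 'roles' claim. The signature is not checked here:
    Graph verifies it; we only inspect the payload before sending the request."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def upload_url(drive_id, folder_item_id, filename):
    """The PUT target from the question: /drives/{drive-id}/items/{item-id}:/{name}:/content."""
    return f"{GRAPH}/drives/{drive_id}/items/{folder_item_id}:/{urllib.parse.quote(filename)}:/content"


def upload_small_file(access_token, drive_id, folder_item_id, filename, data):
    """Simple upload (files under 4 MB) into the folder; refuses to send without the expected role."""
    roles = granted_roles(access_token)
    if REQUIRED_ROLE not in roles:
        raise PermissionError(f"token lacks {REQUIRED_ROLE}; roles present: {sorted(roles)}")
    req = urllib.request.Request(
        upload_url(drive_id, folder_item_id, filename), data=data, method="PUT",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/octet-stream"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unsigned_test_token(roles):
    """Constructed, unsigned JWT for offline testing only; real Azure AD tokens are signed."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'aud': 'https://graph.microsoft.com', 'roles': list(roles)})}."
```

The role check is the practical defence against the "all drives" concern raised above: if admin consent was never granted, the token carries no roles and the job fails before it touches Graph.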

Related

Azure Active Directory Restrict Groups Returning with Graph API

We are trying to get list of users from a particular group in Azure Active Directory.
Steps tried:
Created new app registration
Created client secrets
Gave permissions for Graph API (application permissions) with admin consent.
Then we are getting all the users from all the groups.
Is there any way to restrict the app to only be able to return a specific group's users?
For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. For example, an app that has the User.ReadWrite.All application permission can update the profile of every user in the organization, see here.
You could get the users in particular group with List members API, but the application still has the permissions for all groups.
GET https://graph.microsoft.com/v1.0/groups/{group-id}/members
So far, it's only supported to control mailbox access of an app with ApplicationAccessPolicy.

What is/are the minimum rights required to perform Revoke-AzureADUserAllRefreshToken

I would like to assign the rights for mid-level admins to revoke 365 sessions for users in Office 365 (perhaps after accounts become compromised). What are the minimum rights necessary to allow an admin to revoke sessions?
One way is to grant the user the User administrator role.
Can manage all aspects of users and groups, including resetting
passwords for limited admins.
You can run the Revoke-AzureADUserAllRefreshToken command in PowerShell or call the Azure AD Graph API directly by using Azure AD Graph Explorer.
The other one is to create an application and grant it the 'Directory.ReadWrite.All' permission.
This allows the app to read and write data in your organization's
directory, such as users, and groups, without a signed-in user. Does
not allow user or group deletion.
Both of them include other permissions, not only the 'Revoke-AzureADUserAllRefreshToken' permission. It is up to you which one includes the fewest permissions for your case.

Not able to access Azure Active Directory

I have created a new account on portal.azure.com. When going to the Azure Active Directory tab in my account I am getting this error: "Access denied. You do not have access. Looks like you don't have access to this content. To get access, please contact the owner."
You need to have Global/Company Administrator set on your user in order to be able to view certain parts of Azure AAD. Your account administrator will be able to change the permission. See here for more information about roles in AAD.

Azure AD Consent from a different Tenant

I am trying to use our multi tenant AD application to access the user's OneDrive for Business. But I keep getting an error when consenting regarding some permissions when the user belongs to a different tenant. I am not sure which permissions I need to set so that any 365 users can.
I am using the Graph API permissions and AD that read the directory. This is what the permissions look like.
Application permissions
Read files in all site collections
Read and write files in all site collections
Read and write devices
Read and write directory data
Read directory data
Delegated permissions
Have full access to all files user can access
Read all files that user can access
Have full access to user files
Read user files
Access directory as the signed in user
Read and write directory data
Read directory data
Sign in and read user profile
Read and write files that the user selects (preview)
Read files that the user selects (preview)
An administrator in the other tenant must consent for the app for the first time.
This is because you are using some scopes that require administrative consent. If you restrict yourself to only scopes that do not require admin consent, then regular users should normally be able to consent directly to your app.
One thing to note, an administrator in the other tenant can always disable end-user consent in which case they would always require admin consent for every app.

Multi Tenant Azure AD non admin login

I have an existing web app to which I am trying to add Office 365 integration. I want all users to be able to log in with OAuth2, and admin users to be able to read users from the directory.
So I created an Azure AD app, and granted the "Enable sign-on and read users profiles" and "Read directory data" delegate permissions.
When an O365 admin user logs in, it works as expected. But when an O365 non-admin user logs in, they get the error "AADSTS90093: Calling principal cannot consent due to lack of permissions.".
After much trial and error (the docs are anything but clear), I figured that I need to append prompt=admin_consent to the auth url. By appending this to the auth URL, if I log in with an admin, then subsequent non-admin logins work as expected.
The problem is, that I don't know whether the user about to click the "Login with Office 365" button on my login page is an admin or not. It seems that the first person who logs into the app from the O365 domain MUST be a O365 admin, AND the auth url MUST have prompt=admin_consent. If a non-admin tries to login BEFORE an admin does, then they get the AADSTS90093 error, and there doesn't seem to be any way for my app to gracefully handle this scenario. Even worse - they can't log in at all.
What I really need here is to have 1 login button that will log non-admin users in but without access to the directory, and will log admin users in with access to the directory, but this doesn't seem to be possible. Google has the concept of scopes, but this seems absent from Microsoft's implementation.
I see 2 potential solutions, neither of which is great:
Add a checkbox on the login page labelled "Log in as Office 365 Administrator". If this is checked, then I append the prompt=admin_consent to the auth url. The problem with this (aside from cluttering up my login page), is that it doesn't cater for non-admins trying to log in before an admin has. So most users still aren't able to log in - not great.
Create 2 Azure AD apps. One with both "Enable sign-on and read users profiles" and "Read directory data" permissions, and the other with just the "Enable sign-on and read users profiles" permission. The login page is linked to the first app, which would allow both admin and non-admin users to log in at any time. Then, on a config page in my app, I have an option to "Complete integration with O365", which presents a link to authenticate with the 2nd AAD app. This way, I can guarantee all users can perform basic log in, and I can integrate with the directory and calendar when an admin clicks the 2nd button. The downside of this is that even if the first user to log in is an O365 admin, I won't be able to access the directory until the second auth has been completed. And secondly, my app will appear twice in the customer's AAD applications list.
It seems like I am trying to achieve such a trivial thing here - to be able to log all users in, but if an admin logs in then they can access the directory. So how do you achieve this with AAD apps?
Your solution #1 is the one we recommend in our samples, take for example https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet and the sign up controllers. As of today consent in Azure AD is an "all-or-nothing" package deal, hence apps that require admin consent must be first approved by an administrator. We are working on making the consent dynamic, thanks to which you'll be able to sign in non-admin users without directory querying powers and defer that ability until an admin grants consent - but that's still quite some time out hence for the time being #1 is the supported approach.
If your app requests permissions that require tenant admin consent, then only a tenant admin can actually grant those permissions, and thus you will see errors like the one you are having.
You can resolve your issues by reducing the permissions requested by your application to only those which a normal user can consent to.
Also make sure you are not passing the query parameter "&prompt=admin_consent" as this can only be done by an admin.
https://www.gittprogram.com/question/3306112_aadsts90093-calling-principal-cannot-consent-due-to-lack-of-permissions.html