My requirement is described below.
User uploads the document through web-app and document saves in to shared location.
Application service (cron job or server code) , selects the documents and extracts the details.
Cron job send the details to SharePoint rest api which is protected by azure AD. (Oauth protocol)
I have a valid AZURE client ID and Secret ID which has application level access permission. I got access token by using AZURE client ID and Secret ID from AZURE AD with help of simple JAVA code but am getting following error when i call sharepoint online REST service using Oauth access token.
Error : {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
What does it mean? Can anyone help me resolve the issue ?
As SharePoint Online has strict safety standards, authentication for working with REST API consists of three steps:
1.Get the security token from Microsoft authentication portal.
2.Get the cookies from the SharePoint Online server.
3.Get the signature for requests to the SharePoint Online server.
More information is here:
http://www.wave-access.com/public_en/blog/2015/june/23/java-service-integration-with-sharepoint-online-via-rest-api.aspx
Access Office 365 from JAVA, we can use Office 365 SDKs for Java.
https://github.com/OfficeDev/Office-365-SDK-for-Java
Related
The Setup :
Am trying to access Azure PowerBI based APIs using console application since my company wants to Suspend/Resume PBI capacity to optimize costing.
Have been successful in accessing those apis as per official documentation API Emulator Window, it works by perfect as it just asks with a authentication window for username and password of my outlook account and it generates authentication token implicitly successful.
When i tried to implement calling api from my console application which will be triggered automatically scheduled, there are ways to generate authentication token programmatically. Following are the methods i used to generate the same before accessing the PBI APIs.
Approach #1 : Generating token by using Azure Active Directory Authentication Libraries..
This approach asks to add AAD authentication libraries via Nuget, upon adding the same and it goes unsuccessful as the method AcquireTokenAsync takes no parameters but tutorial specified 4 parameters to be feed into this method (function overloading missing?). So i couldnt generate token using this approach. Surely a library version problem but the official MS documentation didnt explain anything above versions available over same.
Approach #2: Authorize Active Directory without dialog box StackOverflow Question with marked as answer
This approach upon calling HTTPResponseMessage, it gets hung up without going next line or catch statement.
Approach #3: Trying to emulate token generation using POSTMAN and using the generated token on my console app to check accessibility.
This approach gives a successful token generation but when using the generated token in the console app, it says unauthorised token.
Doubt Part:
Have generated ClientID, ClientSecretID and TenantID in Azure using AppRegisteration but dont know how this gets associated with PowerBI Service in azure. Do Azure Active Directory comes in place betweeen PBIService and AppRegisteration? Based on generated AppRegisteration details have tried to access this authentication api (https://login.microsoftonline.com/tenantId/oauth2/token) to generate token. This is successfully generates a token but miserably getting failed with unauthorised access on PBI api.
Am i badly missing something? will be helpful on what wrong about this concept of accessing PBI based API getting authenticated via console app. Asusual PBI community sites didnt help much.
1. How to manage Azure Power BI Embedded capacity
If you want to manage Azure Power BI Embedded capacity with rest API, please refer to the following steps.
create a service principal and assign Azure RABC role to the sp(I use Azure CLI)
az login
#it will create a service principal and assign contributor role to the sp
az ad sp create-for-rbac -n "jonsp2"
Get Token
Post https://login.microsoftonline.com/tenantId/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type =client_credentials
&client_id=<sp app id>
&client_secret=<sp app password>
&scope=https://management.azure.com/
Call Rest API
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PowerBIDedicated/capacities/{dedicatedCapacityName}/suspend?api-version=2017-10-01
Authorization: Bearer <token>
2. How to call Power BI rest api
If you want to call Power BI rest api, please refer to the document and the document.
The detailed steps are as below
Register Azure AD application in Azure portal
Configure API permissions
Test (I test in postman)
a. get access token
b. call API
Suspend/Resume PowerBI API is described over here:
https://learn.microsoft.com/en-us/rest/api/power-bi-embedded/capacities/suspend
https://learn.microsoft.com/en-us/rest/api/power-bi-embedded/capacities/resume
Did you read the whole Azure REST API Reference?
All steps needed to send an HTTP request are documented over here:
https://learn.microsoft.com/en-us/rest/api/azure/
I got myself a bearer token by calling https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with the scope https://{tenantName}.sharepoint.com/.default
It's a token for a registered app in Azure AD.
When I use that token to make an API call like https://infoinnobake.sharepoint.com/_api/search/query?querytext='contentclass:STS_Site contentclass:SP.Webb'&selectproperties='Title,Path'&rowlimit=500
I only reveice 401 Unsupported app only token.
can some explain why? Is it possible to access the sharepoint online API with an registered App on Azure AD?
Follow this guide right here:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
you need to create a certificate and upload the certificate to the registered app. Than you can use the API or the SharepointClient in various programming languages
We had a similar issue (with slightly different error message: 'Token type is not allowed') when using app-only, ClientID / ClientSecret based authentication in a tenant, that was recently created. In our old tenant (created in 2013) we could use the same authentication method without any problem. As it turned out, new tenants have a standard setting in DisableCustomAppAuthentication property, that disable this kind of auth., however it can be overriden using this command:
Set-SPOTenant -DisableCustomAppAuthentication $false
Source:
https://sharepoint.stackexchange.com/questions/284402/sharepoint-online-authorization-issue-token-type-is-not-allowed
https://sharepoint.stackexchange.com/questions/286693/getting-invalid-request-token-type-is-not-allowed-error-while-accessing-lists
Furthermore:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Azure Access Control (ACS), a service of Azure Active Directory (Azure
AD), has been retired on November 7, 2018. This retirement does not
impact the SharePoint Add-in model, which uses the
https://accounts.accesscontrol.windows.net hostname (which is not
impacted by this retirement). For more information, see Impact of
Azure Access Control retirement for SharePoint Add-ins. For new
tenants, apps using an ACS app-only access token is disabled by
default. We recommend using the Azure AD app-only model which is
modern and more secure. But you can change the behavior by running
‘set-spotenant -DisableCustomAppAuthentication $false' (needs the
latest SharePoint admin PowerShell).
More details:
https://www.koskila.net/literally-breaking-changes-to-app-authentication-on-sharepoint-%F0%9F%98%B5
Is it possible to authenticate to Sharepoint Online REST API with Azure AD application v2.0 authentication? If yes, which scope should I use for requesting my permissions. Now (for MS Graph API usage) I request "https://graph.microsoft.com/.default" as scope but didn't find any alternative to this for Sharepoint Online REST API.
I already registered an application on apps.dev.miscrosoft.com, this application is available on portal.azure.com. There I have added required permissions for Sharepoint Online.
Yes you can. To do this first you need to get a new access token using a regular refresh token you got for the graph already:
POST https://login.microsoftonline.com/{{tenantName}}/oauth2/v2.0/token
Except this time pass the following for the scope header:
https://{{tenantName}}.sharepoint.com/Sites.Read.All
Your application will need to already be consented for this scope etc...
The response will give you can access token that can be used again SPO APIs.
It should be the same authentication with Azure AD, the scope you are looking for should be the Site scopes.
https://learn.microsoft.com/en-us/graph/permissions-reference?view=graph-rest-beta#sites-permissions
Do not have SharePoint sites to check but if permission are granted to the application you should be able to query SharePoint site using Azure Graph APIs.
https://learn.microsoft.com/en-us/graph/api/resources/sharepoint?view=graph-rest-beta
Overview
https://learn.microsoft.com/en-us/graph/sharepoint-concept-overview
I have a scenario is one where the user has signed into CRM and triggers some functionality that calls a third party API to retrieve data that is not in CRM.
This API is a registered application in the Same Azure Active Directory as where the CRM resides. CRM single sign on is enabled.
I am trying to find an example of C# code which retrieves the authorization code via a CRM plugin. So far, I have managed to retrieve the token using a client secret as described in this article:
Retrieving token without the ADAL client library
I have implemented a basic call with the parameters defined in this article:
Requesting an Authorization code
But I need to pass the user session to make it work. It currently throws an error
A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).
Any help appreciated.
AFAIK, it is not suitable to interact with Azure AD using the Oauth code grant flow in the Microsoft Dynamics 365 plug-in since it required users interaction. And it is not able to send the session in the Microsoft Dynamics 365 plug-in to authenticate using ADAL library.
If you only want to access the Microsoft Dynamics 365 organization service in the CRM plug-in, there is no need to use the ADAL library to authenticate again.
It is only required that plug-in code create an instance of the service through the ServiceProvider.GetService method.
// Obtain the organization service reference.
IOrganizationServiceFactory serviceFactory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
IOrganizationService service = serviceFactory.CreateOrganizationService(context.UserId);
More detail about context of Microsoft Dynamics 365 Plug-in development, please refer the link below:
Understand the data context passed to a plug-in
We are creating a hybrid (SharePoint Add-In + Provider Hosted based API) App to display the data from the SharePoint List using custom API. To retrieve the data from the list, we need the Access Token so that query can be made in the user context, without Azure AD.
We are not able to retrieve the AppOnly Access token in the new SharePoint Development Framework((SPFx)) App.
We did the following:
1) We created a Custom API using provided hosted app to retrieve the data from SharePoint List using custom business logic.
2) We hosted the API in Azure and also registered the App in SharePoint.
3) We are trying to call the API through the Add-In created using the new SharePoint Development framework(SPFx).
We are able to retrieve the request digest Token. But we were not able to create the ClientContext in our API using this Request Digest Token. But we are not able to retrieve the Access Token through SharePoint Framework(SPFx).
Is there any way to generate the AppOnly Access Token without the use of Azure AD. It would be better if the AppOnly Access Token is generated using the Client ID and Client Secret.
Thanks In Advance.
You can have a look at this examples for running with elevated privileges:
https://github.com/SharePoint/sp-dev-fx-webparts/tree/master/samples/react-sp-elevatedprivileges
Probably this is related to what you are trying to achieve.