Azure AD Consent from a different Tenant - azure

I am trying to use our multi-tenant AD application to access the user's OneDrive for Business. But I keep getting an error when consenting regarding some permissions when the user belongs to a different Tenant. I am not sure which permissions I need to set so that any 365 users can.
I am using the Graph API permissions and AD permissions that read the directory. This is what the permissions look like:
Application permissions:
Read files in all site collections
Read and write files in all site collections
Read and write devices
Read and write directory data
Read directory data

Delegated permissions:
Have full access to all files user can access
Read all files that user can access
Have full access to user files
Read user files
Access directory as the signed-in user
Read and write directory data
Read directory data
Sign in and read user profile
Read and write files that the user selects (preview)
Read files that the user selects (preview)

An administrator in the other tenant must consent for the app for the first time.
This is because you are using some scopes that require administrative consent. If you restrict yourself to only scopes that do not require admin consent, then regular users should normally be able to consent directly to your app.
One thing to note, an administrator in the other tenant can always disable end-user consent in which case they would always require admin consent for every app.
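To make the answer above concrete, here is an added example (not code from the thread or from Microsoft) that decides whether a regular user in the customer tenant can consent to the requested permissions and builds the v1 authorize URL with `prompt=admin_consent` when an administrator has to consent first. The per-permission admin-consent flags, the client id and the redirect URI are assumptions of this example.

```python
from urllib.parse import urlencode

# Constructed catalogue of the permissions named in the question above.
# The "admin" flag is an assumption of this example: application permissions
# always need admin consent, delegated ones only when Azure AD marks them so.
REQUESTED = [
    {"name": "Files.ReadWrite.All", "type": "application", "admin": True},
    {"name": "Directory.ReadWrite.All", "type": "application", "admin": True},
    {"name": "User.Read", "type": "delegated", "admin": False},
    {"name": "Files.ReadWrite", "type": "delegated", "admin": False},
    {"name": "Directory.AccessAsUser.All", "type": "delegated", "admin": True},
]


def admin_only(perms):
    """Return the names of the permissions that block end-user consent."""
    return [p["name"] for p in perms
            if p["type"] == "application" or p["admin"]]


def user_consentable(perms, tenant_allows_user_consent=True):
    """True when a regular user of the other tenant can consent directly.

    Even an admin-consent-free permission set needs an administrator if the
    tenant has disabled end-user consent, as the answer above points out.
    """
    if not tenant_allows_user_consent:
        return False
    return not admin_only(perms)


def authorize_url(client_id, redirect_uri, perms, tenant="common",
                  tenant_allows_user_consent=True):
    """Build the v1 authorize URL; add prompt=admin_consent when required."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri}
    if not user_consentable(perms, tenant_allows_user_consent):
        params["prompt"] = "admin_consent"   # forces the admin consent screen
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?"
    return base + urlencode(params)


if __name__ == "__main__":
    delegated_only = [p for p in REQUESTED if p["type"] == "delegated"
                      and not p["admin"]]
    print("blocks user consent:", admin_only(REQUESTED))
    print(authorize_url("00000000-0000-0000-0000-000000000000",
                        "https://app.example.test/callback", REQUESTED))
    print(authorize_url("00000000-0000-0000-0000-000000000000",
                        "https://app.example.test/callback", delegated_only))
```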

Related

Azure Active Directory Restrict Groups Returning with Graph API

We are trying to get list of users from a particular group in Azure Active Directory.
Steps tried:
Created new app registration
Created client secrets
Gave permissions for Graph API (application permissions) with admin consent.
Then we are getting all the users from all the groups.
Is there any way to restrict the app to only be able to return a specific group's users?
For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. For example, an app that has the User.ReadWrite.All application permission can update the profile of every user in the organization, see here.
You could get the users in particular group with List members API, but the application still has the permissions for all groups.
GET https://graph.microsoft.com/v1.0/groups/{group-id}/members
So far, only controlling an app's mailbox access with ApplicationAccessPolicy is supported.

What is/are the minimum rights required to perform Revoke-AzureADUserAllRefreshToken

I would like to assign the rights for mid-level admins to revoke 365 sessions for users in Office 365 (perhaps after accounts become compromised). What are the minimum rights necessary to allow an admin to revoke sessions.
One way is to grant the user the User administrator role.
Can manage all aspects of users and groups, including resetting passwords for limited admins.
You can run the Revoke-AzureADUserAllRefreshToken command in PowerShell or call the Azure AD Graph API directly by using Azure AD Graph Explorer.
The other one is to create an application and grant it 'Directory.ReadWrite.All' permission.
This allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion.
Both of them include other permissions, not only the 'Revoke-AzureADUserAllRefreshToken' permission. It is up to you which one includes the fewest permissions for your case.

MS Graph API Permissions for OneDrive Upload

I'm trying to automate file uploads to OneDrive by doing a PUT to /drives/{drive-id}/items/{item-id}:/myfile.txt:/content. I've registered an application in Azure Active Directory but cannot figure out what permission/API I need to grant to be able to upload files. Additionally, I would like to only grant permission to the application to upload to a specific folder.
I should note that I do NOT want a delegate permission to upload files on behalf of a user - this is an automated job and won't be associated with a real user.
You can add Microsoft Graph as the API and add Files.ReadWrite.All, Sites.ReadWrite.All in Application permissions. You can choose between the two permissions, from least to most privileged.
NOTE: Files.ReadWrite.All: its display string in Application permissions is: Allows the app to read, create, update, and delete all files in all site collections without a signed in user.
This permission requires admin consent, so you need to use an admin account and click Grant permission button after adding this permission.
You can see the permissions for Upload or replace the contents of a DriveItem in this documentation.
The administrator can't give the permission for a specific user, only for the complete directory; by doing this the application will have access to all drives across the directory, which may represent a security breach.
The workaround to solve this security problem is to create another directory with the users who will share their drives, and then grant the admin consent in the registered app with the Files.ReadWrite.All permission.

Azure AD How to restrict an App from getting the users email address?

I have set up an Azure active directory APP so that it uses the following endpoints to log a user in:
https://login.microsoftonline.com/{TenantId}/oauth2/authorize
https://login.microsoftonline.com/{TenantId}/oauth2/token
I have granted permission to the Microsoft Graph API but all I made available was the "Sign users in" in the Enable access section.
I am trying to work out if it is possible to not retrieve anything but an immutable id from the login process.
Looking at permissions it seems that the moment I grant permission to log in I am also granting permission to access my user details. Is it possible to set this up so that I only grant permission to login but not retrieve any user details using this version?
Is it possible to set this up so that I only grant permission to login but not retrieve any user details using this version?
It's not possible.
When you give permission for user sign-in, it also lets the app read the user profile. The permission display string is Sign-in and read user profile and its name is User.Read.
Description: Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
Why:
Based on OAuth/OIDC, when you use AAD accounts to sign in to your app (authentication/authorization of your app via AAD), the app must be able to read the user profile. Otherwise, your app cannot know who the user is and cannot do authentication/authorization. This is a basic permission which your app needs if it lets the user sign in.

What are "delegated permissions" in the context of an Azure Active directory Application?

From below, what I infer is when the application is configured with Delegated Permissions it makes all requests on behalf of the signed-in user.
So, under Delegated Permissions, again we have "Access the directory as the signed-in user" option listed. What does this actually do?
Application Permissions: Your client application needs to access the Web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for Native client applications.
Delegated Permissions: Your client application needs to access the Web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission is configured as requiring administrator consent.
So, under Delegated Permissions, we have "Access the directory as the signed-in user" option listed. What does this actually do?
In very simple words, the application essentially impersonates you (or the logged in user) in case of delegated permissions.
To give you an example, let's say you created a web application in your Azure AD with delegated permissions to access the Azure Service Management API. Now when you log in to this application and try to access your Azure resources (storage accounts, VMs etc.), the application will only be able to do things you're granted permission to do in that Azure subscription. For example, if you're in the Reader role in your Azure subscription (i.e. you can't create/update/delete resources) and you try to create a resource through your application, you will get an error back because the application is impersonating you.
Delegated permissions require a user to login to Azure AD and present the resulting authentication token to your application. Your application can make calls by passing your client id, secret (if applicable) and the user's authentication token. Your application's effective permissions will be the lowest combination of the user and your application. For example, if your application has been granted read/write to a resource but the user only has read, your effective permissions are read. The same is true if the user has read/write but the application only has read.
Application permissions do not require a user to log in. Just your client id and secret are enough. If you do not have application permissions and attempt to access the API without also presenting an authenticated user's token, you will receive 401 errors.
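The two models described in the answer above show up in the access token itself: a delegated token carries an `scp` claim with the granted scopes, an app-only token carries a `roles` claim with the granted application permissions. The following is an added example (not code from the thread) that decodes a token's claims, tells the two models apart and applies the "lowest combination" rule to a Graph call such as the OneDrive upload discussed earlier on this page; the tokens are constructed, unsigned samples, and `user_allowed` stands in for whatever OneDrive itself would decide about the signed-in user's own access.

```python
import base64
import json


def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only).

    A resource server must validate signature, issuer, audience and expiry
    before trusting any claim; this helper is for reading, not for authz.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_model(claims):
    """Delegated tokens carry 'scp' (space-separated); app-only carry 'roles'."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))


def can_call(claims, required_any, user_allowed=True):
    """Authorize a Graph call that needs any one of `required_any`.

    For a delegated token the effective permission is the lower of what the
    app was granted and what the user may do; for an app-only token the
    roles alone decide (there is no user to be limited by).
    """
    model, granted = permission_model(claims)
    app_ok = bool(granted & set(required_any))
    return app_ok and user_allowed if model == "delegated" else app_ok


def make_token(claims):
    """Constructed, unsigned test token (header.payload.sig) for the demo."""
    def enc(d):
        raw = base64.urlsafe_b64encode(json.dumps(d).encode())
        return raw.decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


# Constructed sample tokens: one per model discussed in the thread.
DELEGATED = make_token({"aud": "https://graph.microsoft.com",
                        "scp": "User.Read Files.ReadWrite",
                        "upn": "user@example.test"})
APP_ONLY = make_token({"aud": "https://graph.microsoft.com",
                       "roles": ["Files.ReadWrite.All", "Sites.ReadWrite.All"]})

# Permissions that let a caller PUT .../content on a DriveItem (from the page).
UPLOAD_CONTENT = ["Files.ReadWrite", "Files.ReadWrite.All", "Sites.ReadWrite.All"]
```

Because the delegated branch also requires `user_allowed`, a Reader-only user with an app granted read/write still ends up read-only, which is exactly the effective-permission rule the answer describes.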
