The company I work in has a OneNote notebook stored in the organization SharePoint site.
I'd like to write an app that periodically accesses that notebook and does some processing on its content.
All the example code I've found authenticates with a user using OAuth.
Is there an example of how to authenticate as an app, not a user, and how to access the content of the OneNote notebook?
Yes - you can authenticate via application-only permissions. The app will still need to be authorized by your SharePoint tenant, but after that it shouldn't require OAuth.
https://blogs.office.com/en-us/2017/02/09/the-onenote-rest-api-now-supports-application-level-permissions/
MSDN:
https://msdn.microsoft.com/en-us/office/office365/howto/onenote-auth-appperms
If I create some SharePoint Online web parts, are they run under the credentials of the user that is using the web part?
(this is what I would assume)
Say I need to make a query to the Graph API; would a SharePoint Administrator have more access than a standard cloud user?
Is there a way to run as a different user (one that has more privileges)?
Thanks
P
// Get a Microsoft Graph client (v3) bound to the current user's SharePoint context
const client = await this.context.msGraphClientFactory.getClient('3');
// List the members of the group whose id is configured in the web part properties
const result = await client.api('groups/' + this.properties.groupGUID + '/members').get();
SPFx web parts run in the context of the currently logged-in user. They will have all the permissions the user has. So if you are an admin, you will be able to do more stuff (if your web part can do it) than as a user with "read" permissions.
If you want to do something with higher privileges you will have to use a backend like a custom API, Azure Functions or even Power Automate.
SPFx web parts run in the context of the current user and connection in the browser.
Source: Key features of the SharePoint Framework
If you want to use MS graph in SPFx web part with specific permissions, you can request them from your web part.
When deploying the solution package to the app catalog, SharePoint creates permission requests and prompts the administrator to manage the requested permissions. For each requested permission, a global or SharePoint administrator can decide whether they want to grant or deny the specific permission. This will work for all users - SharePoint admins as well as normal users.
You can also use Application permissions and delegated permissions with Azure AD app registration.
Check the documentation below for more details:
Use Microsoft Graph in your solution
Connect to Azure AD-secured APIs in SharePoint Framework solutions
Register an application with the Microsoft identity platform
Microsoft Graph permissions reference
I'm trying to delete terms or term sets from the default taxonomy store in a C# application which authenticates with an Azure App. I've tried using certificate and app secret authentication as well as a user account context. Using the certificate/app secret, the authentication is successful and I can read terms but receive an error when I try to delete a term:
Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: 'Access denied. You do not have permission to perform this action or access this resource.'
Tried this using both CSOM and PnP Framework. The app has full read and write permissions for the SharePoint API and Graph API relating to SharePoint/Term Store.
Using a user account, I get an error that the login/password could not be found. MFA is disabled for this account in 365 Admin, but it seems the web portal still asks for this to be set up when logging in via browser.
Using the MS Graph API and the same Azure App, I can also create terms, but Graph does not support deleting terms at the moment so this method cannot be used.
I've created an SPFx feature that needs to call an external API. The external API is part of a system that has its own authentication methods outside of SharePoint. Ideally I would like to send details about the currently logged-in SharePoint user to this API, validate them to ensure that the user is actually logged in to SharePoint, compare the SharePoint user with the external system's user (they'll have the same email addresses) and, once matched, run the external API's code as that user.
Is there any way to go about doing something like this? If not, what is the best way to handle this sort of problem? Do other Microsoft tools like Azure need to be used for this?
The supported way to authenticate SharePoint framework components to a custom API is by using Azure Active Directory (AAD) and OAuth.
You need to AAD-protect your API. You can configure it so it supports two authentication mechanisms: AAD and your current authentication method. For example, if a JWT token is present, you use AAD+OAuth, and if not you use your other authentication method.
The SPFx to API authentication mechanism is described in detail in the page Connect to Azure AD-secured APIs in SharePoint Framework solutions.
In summary, you will need the following elements:
Register an application in Azure AD, which represents your API.
Use a server library to protect your API with that AAD application.
Configure your SPFx package so it has permissions to query your API.
Grant the permissions to your SPFx package in the SharePoint central administration.
Use the AadHttpClient in your web part to access your API.
I need the token in order to use the Office API discovery service (https://api.office.com/discovery/) to find the SharePoint root URL.
Is it possible to get access to an Azure AD token from add-ins (Outlook/Office)?
Edit (to make things clearer):
As I'm building a multi-tenant Azure-hosted app that should be launched via add-ins, I will have to force users to log in via a popup and give consent for the application. Login is mandatory since in Office add-ins we cannot find out who the logged-in user is.
You can follow the documentation here on how to retrieve an authorization token - https://graph.microsoft.io/en-us/docs/platform/rest from Azure AD for the use of finding the root URL - also you can use the Microsoft Graph, which is the newer version of the Discovery service (more details about it again at the link provided).
Since I have my users log in and password, can I silently log into their Microsoft Graph?
I want to fetch info from the Office 365 API from a server app, so therefore I cannot have a Microsoft login window popping up.
Thanks
You want to use the confidential client flow for authenticating to the Graph API. See the section "Daemon or Server Application to Web API" in this document for details. Of course you'll need to be the admin of your Azure AD, or have the admin's trust and blessing, in order to use this flow as the user isn't involved in the process themselves.
I've been trying to use it for calendaring apps. The flow login works fine but be aware that there are some limitations on using the Graph API with this authentication flow type (specifically interacting with Unified Groups calendars in my case).
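The exchange behind both the application-only OneNote answer near the top of the page and the "confidential client" / daemon answer just above, as an added example that is not code from either answer or from Microsoft's samples: the app authenticates with its own client id and secret (no user, no login window), receives a Graph access token, and lists the notebooks of a SharePoint site. Plain Node with no dependencies; `fetchImpl` is injected so the exchange can be run offline against the constructed `fakeFetch` below (pass the global `fetch` in real use). The tenant, client id, secret, site id and notebook names are constructed placeholders.

```javascript
// Added example: OAuth 2.0 client-credentials grant, then an app-only Graph call.
const TOKEN_URL = (tenant) => `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;
const GRAPH = 'https://graph.microsoft.com/v1.0';

// Build the token request. The .default scope asks for every application
// permission an admin has already consented to for this app registration.
function buildTokenRequest(tenant, clientId, clientSecret) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    scope: 'https://graph.microsoft.com/.default',
    grant_type: 'client_credentials',
  });
  return {
    url: TOKEN_URL(tenant),
    init: { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: body.toString() },
  };
}

async function getAppOnlyToken(fetchImpl, tenant, clientId, clientSecret) {
  const { url, init } = buildTokenRequest(tenant, clientId, clientSecret);
  const res = await fetchImpl(url, init);
  const json = await res.json();
  if (!res.ok || !json.access_token) throw new Error(`token request failed: ${json.error || res.status}`);
  return json.access_token;
}

// With an app-only token there is no signed-in user, so /me/onenote has no
// meaning; the notebook must be addressed through its site (or a named user).
async function listSiteNotebooks(fetchImpl, token, siteId) {
  const res = await fetchImpl(`${GRAPH}/sites/${siteId}/onenote/notebooks`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`graph call failed: ${res.status}`);
  const json = await res.json();
  return json.value.map((n) => n.displayName);
}

// Constructed stand-in for the token endpoint and Graph, so the block runs offline.
function fakeFetch(url, init = {}) {
  const reply = (status, obj) => Promise.resolve({ ok: status < 400, status, json: () => Promise.resolve(obj) });
  if (url.endsWith('/oauth2/v2.0/token')) {
    const p = new URLSearchParams(init.body);
    if (p.get('grant_type') !== 'client_credentials' || p.get('client_secret') !== 'constructed-secret') {
      return reply(401, { error: 'invalid_client' });
    }
    return reply(200, { token_type: 'Bearer', expires_in: 3599, access_token: 'constructed-app-token' });
  }
  if (url.startsWith(`${GRAPH}/sites/`)) {
    const auth = (init.headers || {}).Authorization;
    if (auth !== 'Bearer constructed-app-token') return reply(401, { error: 'InvalidAuthenticationToken' });
    return reply(200, { value: [{ displayName: 'Team Notebook' }, { displayName: 'Runbooks' }] });
  }
  return reply(404, {});
}

// Full round trip against the fake services; returns the notebook names.
async function demo() {
  const token = await getAppOnlyToken(fakeFetch, 'contoso.example', 'constructed-client-id', 'constructed-secret');
  return listSiteNotebooks(fakeFetch, token, 'contoso.example,site-guid,web-guid');
}
```

The secret never leaves the server process, which is why this flow only fits a daemon or backend and not browser code such as an SPFx web part; a token obtained this way carries the app's permissions regardless of any user, so the permissions granted at admin consent should be the narrowest that cover the notebook processing.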