Outlook add-in authenticate with token to SharePoint - azure

Using the new Outlook Add-in API I want to make some calls into SharePoint Online as the user and create a few items.
Everything is in O365 and the same tenant, so I'm logged in to Outlook with the same credentials as I use to login to SharePoint.
I can see getUserIdentityTokenAsync and getCallbackTokenAsync, but can I use that token to connect to SPO directly from JS?
From what I can see these tokens are for "third party apps" and EWS respectively.
Can I use either of these tokens to authenticate with an Azure AD application, which I know I can configure to allow access to SPO?
Ideally I'd rather not prompt the user to log in again within my add-in, which I know I can do and am doing in an Office add-in that doesn't have the getToken methods.
Thanks

Related

Create a custom API to use Microsoft Graph to send emails

I want to develop a custom ASP.NET Web API which can be used to send out emails as a user using the Microsoft Graph API. I think this will be a multi-tenant application. Below are a few ideas I have and some questions:
I have a working ASP.NET MVC web application where different users can login using their unique credentials provided by us.
I have an "Email Setup" section in my web app. Every user will navigate to this section one-time and be redirected to the "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={{client_id}}&response_type=code&redirect_uri={{redirect_uri}}&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345"
On the consent screen user will sign in using their Microsoft Office 365 credentials and provide consent to my app.
On providing consent, the user will be redirected back to my web app and I will get an access token for the code returned and store the access token in a SQL database.
User navigates to a page to send email, fills in the To, Subject, Body, Attachments etc. and clicks on the "Send" button.
On send button, my ASP.NET web app will call our custom Web API to send the email. The API will have an endpoint that knows the user and will get appropriate access token from the SQL database to send email on that user's behalf.
Questions:
Do I need to register an Azure App with type "Multi-tenant" since I want to support users from different tenants?
What kind of scopes/permissions will be required in order to "Send Email" as the user?
Do I need Delegated/Application permissions on the Azure side?
How can I ensure that the email that is sent, also gets saved to that user's "Sent Items" folder on Outlook?
According to the send mail Graph API documentation, it provides the Application API permission. That means you can create an Azure AD application, assign the Mail.Send permission to it and use the client credential flow to generate an access token to call this API, so it's not necessary to create a multi-tenant Azure AD application this way.
And certainly, if you insist on the auth code flow to generate an access token using delegated permission to call the API, you should create a multi-tenant application so that users from different tenants can generate access tokens through this Azure AD application.

How to call Office 365 API from Web API?

I have an SPA-based application, in which the UI uses Azure AD based authentication: the user is presented with a login page by Azure AD and logs in to get a token. I am getting the token successfully. Now the UI will call a Web API. This Web API needs to make a call to the Office 365 API. I have an Office 365 tenant and the credentials (User2) are different from the credentials the user used to log in from the UI. In this case how should I authenticate User2 to connect to the Office 365 API and how should I pass the token to the O365 API?
I googled for any sample but I could not find anything worthwhile.

How to authenticate Microsoft Dynamics CRM from office 365 login user in azure hosted web api?

I have created a Web API and hosted it on an Azure server; now I want to get data from Microsoft Dynamics CRM into this API with the logged-in Office 365 user's credentials.
So when I call the Web API from Office 365 it takes the Office 365 logged-in user's credentials and gets data from CRM for the same user.
For getting Dynamics 365 data you need the access token which, as you mentioned, is granted by the Office 365 OAuth server. Assuming that you have already registered your app in Azure Active Directory and obtained your client ID and secret key, you also need to give your app permission to access Dynamics 365 (using Required permissions in the Settings panel of the app registration).
After setting up your app in Azure AD, you can redirect your user to the Office 365 login page (OAuth 2.0 Authorization Endpoint) to get the access token. There are different methods to do it. In my experience I used getting the token with an authorization code, but generally you need to compose a URL to the login page with the following parameters:
'https://login.windows.net/' + tenant + '/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&state=<state>&resource=<resource>'
In the case of an authorization code it returns a code which you can use to acquire the token. Microsoft developed some drivers which do it for you. If you use node.js you can check out adal; for sure they have something similar for .NET.
After getting your access token, you just need to call your Dynamics 365 (resource) to get the data.

Proper Authentication for Outlook Add in using Microsoft Graph

I'm trying to get familiar with the Microsoft Graph API. I would like to create an Outlook Calendar add-in using the Graph API. However, all of the articles I have read seem to use the OAuth 2.0 model which requires manual sign-in of the user. An add-in, though, should not require a sign-in by the user. If you are already using Outlook, you should not have to authenticate manually in order to use the add-in. Can anyone suggest the correct authentication method for add-ins that still uses the Graph API?
I have read through this doc which appears to cover the entire scope of application types and their authentication method, but does not include add-ins. Is that because add-ins should not use Graph API?
At present, the Office add-in API is not able to provide the access token for the Microsoft Graph automatically (it provides an idToken and a callback token). We still need to authenticate the user manually.
But we can call the EWS service directly in the Mail add-in. You may consider using EWS to see whether it is helpful for your business.
Or you can use the client credential flow that could get the app-only token which doesn't need the users to interact in the authentication process.

How to obtain Azure AD token inside Office 365 Outlook (or office apps) add-in?

I need the token in order to use the Office API discovery service (https://api.office.com/discovery/) to find the SharePoint root URL.
Is it possible to get access to an Azure AD token from add-ins (Outlook/Office)?
Edit(To make things more clear):
As I'm building a multi-tenant Azure-hosted app that should be launched via add-ins, I will have to force users to log in in a popup and give consent for the application. Login is mandatory since in Office add-ins we cannot find out who the logged-in user is.
You can follow the documentation here on how to retrieve an authorization token from Azure AD for the purpose of finding the root URL: https://graph.microsoft.io/en-us/docs/platform/rest. You can also use the Microsoft Graph, which is the newer version of the Discovery service (more details about it again at the link provided).