I need the token in order to use office api discovery service (https://api.office.com/discovery/) to find SharePoint root url.
Is it possible to get access to Azure AD token from add-ins (Outlook/Office)?
Edit(To make things more clear):
As I'm building a multi-tenant Azure hosted app that should be launched via add-ins, I will have to force users to log-in in popup and give consent for application. Login is mandatory since in office add-in's we cannot find out who the logged in user is.
You can follow the documentation here on how to retrieve an authorization token - https://graph.microsoft.io/en-us/docs/platform/rest from Azure AD for the use of finding the root URL - also you can use the Microsoft Graph, which is the newer version of the Discovery service (more details about it again at the link provided).
Related
I got myself a bearer token by calling https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with the scope https://{tenantName}.sharepoint.com/.default
It's a token for a registered app in Azure AD.
When I use that token to make an API call like https://infoinnobake.sharepoint.com/_api/search/query?querytext='contentclass:STS_Site contentclass:SP.Webb'&selectproperties='Title,Path'&rowlimit=500
I only reveice 401 Unsupported app only token.
can some explain why? Is it possible to access the sharepoint online API with an registered App on Azure AD?
Follow this guide right here:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
you need to create a certificate and upload the certificate to the registered app. Than you can use the API or the SharepointClient in various programming languages
We had a similar issue (with slightly different error message: 'Token type is not allowed') when using app-only, ClientID / ClientSecret based authentication in a tenant, that was recently created. In our old tenant (created in 2013) we could use the same authentication method without any problem. As it turned out, new tenants have a standard setting in DisableCustomAppAuthentication property, that disable this kind of auth., however it can be overriden using this command:
Set-SPOTenant -DisableCustomAppAuthentication $false
Source:
https://sharepoint.stackexchange.com/questions/284402/sharepoint-online-authorization-issue-token-type-is-not-allowed
https://sharepoint.stackexchange.com/questions/286693/getting-invalid-request-token-type-is-not-allowed-error-while-accessing-lists
Furthermore:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Azure Access Control (ACS), a service of Azure Active Directory (Azure
AD), has been retired on November 7, 2018. This retirement does not
impact the SharePoint Add-in model, which uses the
https://accounts.accesscontrol.windows.net hostname (which is not
impacted by this retirement). For more information, see Impact of
Azure Access Control retirement for SharePoint Add-ins. For new
tenants, apps using an ACS app-only access token is disabled by
default. We recommend using the Azure AD app-only model which is
modern and more secure. But you can change the behavior by running
‘set-spotenant -DisableCustomAppAuthentication $false' (needs the
latest SharePoint admin PowerShell).
More details:
https://www.koskila.net/literally-breaking-changes-to-app-authentication-on-sharepoint-%F0%9F%98%B5
I want to build a daemon to read and write emails using my organisation's office 365 account. My team has a private Azure Instance (not linked with any O365) and i have no admin access to o365 other than my accounts credential. How can i build a daemon service that authenticate with ms-graph and read/write emails without any user interaction?
You need to have an application definition in the directory that has the Office 365 accounts.
You can either create it directly, or you can create it as a multi-tenant application in another directory.
In the latter case, you need to grant it access to the Office 365 tenant's Azure AD.
If you haven't worked with Azure AD and the Microsoft Graph API before, I recommend you check out the samples. There are some for node.js, but the principles are the same for all other environments.
I need to integrate my web application (multi-tenant SaaS product) into my users' Dynamics CRM so it can pull their data.
I have learnt that Azure Active Directory apps can take care of such integrations (OAuth) but I cannot figure out how my users can grant my app access to their Dynamics CRM data.
Apparently, every user of mine should create an Azure AD app (with access to their Dynamics CRM account) and then my Azure AD app should be authorised to make requests on behalf of their AD app.
I have no idea how I can make this process work.
Any advice would be much appreciated.
For Dynamics CRM versions 2016 and 365, data can be accessed via the Web API.
When using the Web API by sending, for example, an HTTP GET request, a request header must be present in the format: { 'Authorization': 'Bearer' + token } where token is an OAuth 2 Bearer Token.
To obtain a token, I'd suggest using the Azure AD authentication Library (ADAL).
To authenticate with Dynamics CRM via ADAL, you'll have to register your web application under Azure Active Directory along with Dynamics CRM. Registering your app will give you a client ID which is required by the OAuth 2.0 authorisation flow. This post is very useful.
If your app will have administrative privilege, then it will have access to other user's data. There are several things you should make sure of when configuring OAuth, check this:
http://phuocle.net/crm/dynamics-365-online-s2s-authentication-full-explain.aspx
so to highlight the most important things from my perspective:
you should have a special user for handling that
this user should not have any license assigned - so you have to sign a license for him, a take it back after done configuring him
user should have a custom role (can be role copied from System Administrator)
I have created WebApi and hosted it to Azure server, now I want to get data from Microsoft Dynamics CRM into this API with logged in Office 365 users credentials.
So when I call the WebApi from office 365 it takes Office 365 logged in user's credentials and get data from CRM of same user.
For getting Dynamics 365 data you need the access token which as you mentioned is granted by office 365 OAuth server. Assuming that you already registered your app in Azure active directory and gained your client Id and secret key, you need also give permission to your app to access Dynamics 365 (using Required permissions in Setting panel of app registration).
After setting up your app in Azure AD, then you can redirect your user to office 365 login page (OAuth 2.0 Authorization Endpoint) for getting the access token. there are different methods to do it. In my experience I used getting token using Authentication code, but generally you need to compose a url to login page with following param:
'https://login.windows.net/' + tenant + '/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri>&state=<state>&resource=<resource>'
In case of Authentication code it returns a code which you can use to acquire token. Microsoft developed some drivers which does it for you. If you use node.js you can check out adal, for sure they have something similar for dot.net.
After getting your access token, you just need to call your Dynamics 365 (resource) to get the data.
Can I use office 365 login/credentials as Single Sign On? Actually I need to sign in my web application using office 365 login details.
Further I want to use following url credentials for Single Sign On in my web application.
https://portal.office.com
Indeed. Office365 identities are backed by Azure Active Directory, and you can build WebApps, WebAPIs and mobile apps secured using Azure Active Directory, so that customers of Offic365 can SSO to your applications.
The various auth scenarios supported by Azure AD are here: http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx. Code samples are here: http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx.
Hope that helps.