Is there a way to limit the interaction of an app that is built on the o365 api to a specific set of users? I checked in Azure, but I don't see a setting that would do that. The permissions for the app indicate the they would give it access to the entire directory.
Thanks
Currently the only scopes that are supported (when providing access to O365 APIs, Azure AD Graph or Microsoft Graph) are for the signed-in user only and tenant-wide. Unfortunately we don't have anything in-between. This is something that we are considering. Please file a request for this on UserVoice. It would also be great to understand the scenario or reason for this request.
Related
I am currently developing an Azure Web App, which uses the Microsoft identity platform. Everything works fine as a single- and multi-tenant application. I only have one big problem, where I did not find any good solution, or at least best practices.
I would like the application to support multiple tenants. This means that I definitely need a multi-tenant application. Anyways, this allows ALL Microsoft users to access my Web App, which I highly do not want. The business plan is as follows: Businesses buy the subscription/product and then gain access to the application (initially manually).
At first I thought that there might be some sort of setting in Azure to manually white-/blacklist certain tenants directly in the portal. I did not find anything regarding this, but maybe I missed it.
My second thought is, that I have to implement the logic in the server directly. This should not be a problem, but are there already any existing resources you can use, regarding this? My idea was that after/before each redirect to a page, the server checks the database, if the tenant is allowed to visit the page. If not, a redirect to a "You are not allowed to visit this page!" page should happen.
Did I miss anything major here? I am 100% certain, that this is a somewhat common use-case and therefore am baffled that I did not find anything relevant regarding this.
Single-tenant applications can be accessed only by users who have an organizational account in the same AAD where the application is registered. Multi-tenant applications can on the other hand be accessed by anyone who has a valid organizational account.
The first time you try to authenticate to a multi-tenant application it isn't registered with your organization's AAD. You have to trigger the consent flow which will allow the user to login with their organizational account and grant the application the necessary permissions.
One way to solve your problem is by restricting access to tenants in Azure Active Directory. Check this document for detailed information.
Another way is by setting up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C. Check this document for more information.
I would like to try out Microsoft GRAPH API. But as far as I can tell there is no way to test it without App Registration client and tenant id in the Azure Portal. Is this correct? I don't have access to App Registration on Azure so if this is correct then I need to contact admin, which means I need to start a whole long-winded process.
No, this is not possible, to access the graph api, (for a work or student account) there must be an app registration to give you permissions to those endpoints.
It is possible IFF you are just trying to do CRUD operations and other GET requests that doesn't require an admin consent.
You can check the same inside Graph Explorer, for the requests that require your/admin's consent.
You must also consider that the access token gets refreshed when you try to integrate it with any code.
The accepted answer is misleading. This is possible using the Microsoft Graph PowerShell SDK.
I have credentials for a tenant that is not home. To get access to applications, I need to be in the home tenant, which is why I am getting only a part of the actual applications list all over. But I managed to pull all of them by understanding the concept of service principals.
The next problem is.. How can I access which users are allowed access to these applications/servicePrincipals?
Any help would be greatly appreciated. Thank you!
According to the official document
We strongly recommend that you use Microsoft Graph instead of Azure AD
Graph API to access Azure Active Directory (Azure AD) resources.
We can list the owners for an application, but there is no api to retrieve the applications a user is allowed to access. Also, the application admin/global admin have access to all the applications.
We have a multi-tenant single page app (and backend) that uses Azure AD for authenticating users. We'd like do queries to customer's Azure AD for retrieving groups but make it an opt-in behavior for customers (tenants). The reasoning behind that is that not all customers necessary need the functionality and would rather not grant us access to their AAD unnecessarily.
Is there some way of implementing this with Azure AD?
I've been trying to test with different OAuth /authorize calls with resource IDs and scopes but mostly I end up with "AADSTS65001: The user or administrator has not consented to use the application with ID ''. Send an interactive authorization request for this user and resource." error. Configuring the web app or backend to require the permission would surely fix the error but that will also make the approval of it mandatory for all users of the app.
Is there a way of using the authorize/consent API to request access to a new application on-demand?
An ugly work-around that should work would be to have 2 client IDs and 2 backend IDs with different permissions but ADAL.js doesn't seem to be designed to work with multiple Client IDs (it's singleton, for starters). Also Application Permissions should of course work but I'm not sure how much of those are required to search for groups.
Is there a way of using the authorize/consent API to request access to
a new application on-demand?
Do take a look at Azure AD v2.0. With their incremental & dynamic consent model, it is possible to do so though I am not sure if this specific functionality (managing groups) is available there.
I had a discussion with Azure AD team member recently about this (as we are also facing the same problem) and he suggested that we take a look at this.
Essentially the way things work in Azure AD v2.0 is that you start with basic set of permissions (like sign in, read profile etc.). Then when some tenant need specific permission, you essentially ask them to grant those permissions to your application at that time only. What this means is that different users in your application have granted different permissions to your application.
If you are using MSAL, and looking for a way to dynamically change your scopes before authenticating, have a look at this: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#msalguard---dynamic-auth-request
More here: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#platformbrowserdynamic
my question is similar to question Multi-Tenant app - OneDrive Business API
but i want my application to access the one drive from tenants of other different azure subscription, is it possible? i understood that if i register my application and mark it as multi-tenant, it will allow me access the tenant in my azure subscription, but if i want to access the tenant using the same application but in different azure subscription whats the way.
What’s kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow that the user delegates access to a web application. In this scenario, to enables the users on other tenants to login the website and access their Office 365 resource, we only need to enable the multiple-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST you were using. It is same as we are call the REST API for the single tenant app if we are using the Microsoft Graph to query the OneDrive for business. The endpoint of the list children of a driveItem is still like below no matter which tenant the user login:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer to here for more detail about Office 365 Discovery Service REST API.
Depending on the permissions that you need normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a mor elaborate explanation of how this would work.