Since I have my users log in and password, can I silently log into their Microsoft Graph?
I want to fetch info from Office 365 API from a server app, so therefor I cannot have a Microsoft Login Window popping up.
Thanks
You want to use the confidential client flow for authenticating the Graph API. See the section "Daemon or Server Application to Web API" in this document for details. Of course you'll need to be the admin of you Azure AD, or have the admin's trust and blessing, in order to use this flow as the user isn't involved in the process themselves.
I've been trying to use it for calendaring apps. The flow login works fine but be aware that there are some limitations on using the Graph API with this authentication flow type (specifically interacting with Unified Groups calendars in my case).
Related
I have to integrate SharePoint with my web app(just want to show the content of the user account).
For that, I have researched and I am looking for the SharePoint integration with REST API through OAuth process, Right now I found a different way where users have to create their SharePoint app and they have to share username and password and then I can get the data with their credential for the users.
The above approach is not a good option.
Please help if someone knows how to get share point content through the OAuth approach with REST.
You are able to connect to Microsoft Graph which hosts an API for the Office365 entities such as Calendar, Mail, Sharepoint etc.
In order to authenticate, you need to follow the OAuth 2.0 flow. This involves the generation of access tokens, which are then used in case of username/password.
More information about the MS Graph API and setting up authentication as well as a number of SDKs can be found: https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0
I want to read mails of users of a specific domain (tenant) using Outlook API. However, I don't have privileges to register new app in Azure portal, for that domain, and so am not able to use Graph API. We cannot use Outlook API without an OAuth app. In this case, using IMAP/POP3 is my only choice? How secure is to use IMAP/POP3 to read mails when compared to Azure AD Graph API? Please advise.
It depends on what you really want to achieve.
If you just want to read the messages, configuring your mailbox in Outlook or other email provider with IMAP/POP3 is a preference. You don't need to worry about its security, it has been in service for decades.
For Microsoft Graph API, to call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. See Authentication and authorization basics for Microsoft Graph to learn more details about it.
So the point is how you want to read your email.
If you are developing your own app, using Microsoft Graph API is certainly the best choice. You can test GET https://graph.microsoft.com/v1.0/me/messages to list your emails in Microsoft Graph Explorer without registering an app in Azure AD.
I've created a SPFX feature that needs to call an external API. The external API is part of a system that has its own authentication methods outside of SharePoint. Ideally I would like to send details about the current logged in SharePoint user to this API, validate them to ensure that the user is actually logged in in SharePoint, compare the SharePoint user with the external system's user (they'll have the same email addresses) and, once matched, run the external API's code with that user.
Is there any way to go about doing something like this? If not, what is the best way to handle this sort of problem? Do other Microsoft tools like Azure need to be used for this?
The supported way to authenticate SharePoint framework components to a custom API is by using Azure Active Directory (AAD) and OAuth.
You need to AAD-protect your API. You can configure it so it supports two authentication mechanisms: AAD and your current authentication method. For example, if a JWT token is present, you use AAD+OAuth, and if not you use your other authentication method.
The SPFx to API authentication mechanism is described in details in the page Connect to Azure AD-secured APIs in SharePoint Framework solutions.
In summary, you will need the following elements:
Register an application in Azure AD, which represents your API.
Use a server library to protect your API with that AAD application.
Configure your SPFx package so it has permissions to query your API.
Grant the permissions to your SPFx package in the SharePoint central administration.
Use the AadHttpClient in your web part to access your API.
I'd like to add an Office365/Graph Calendar integration to an existing Node.js app (hosted on AWS). I've already done a similar integration with Google's Calendar, and it was trivial to get set up. I'm not having nearly as much luck with the Microsoft version of things.
I've found at least 4 different ways to register an app (get a clientId and clientSecret), and I seem to get different errors for each of them, but can't get any to work properly.
I think a large part of my problem is that I've never had to work in the MS ecosystem before, so I don't have a lot of the baseline knowledge that the documentation assumes.
I'm not looking to host anything with Microsoft - do I even need an Azure account?
I'd like to allow any user with an Office365 account to connect it to my app - do I need to learn about Active Directory to do this? Does this part of it require Azure?
I've found instructions for using both https://login.microsoftonline.com/common/oauth2 and https://login.microsoftonline.com/common/oauth2/v2.0 for this, do I need to worry about which version I use depending on how I registered my app?
Microsoft Graph leverage Azure AD to authenticate and authorize users. The doc refers as:
To get your app authorized, you must get the user authenticated first. You do this by redirecting the user to the Azure Active Directory (Azure AD) authorization endpoint, along with your app information, to sign in to their Office 365 account. Once the user is signed in, and consents to the permissions requested by your app (if the user has not done so already), your app will receive an authorization code required to acquire an OAuth access token.
So you need to register an Azure account for configure the Azure AD service. Refer https://graph.microsoft.io/en-us/docs/authorization/app_authorization for more info.
Meanwhile, to implement Microsoft Graph in node.js application, you can refer the following code sample for your information.
Microsoft Graph service app sample using Node.js
An Office 365 API sample app using Node, Express and Ejs
Office 365 Node.js Connect sample using Microsoft Graph
Matt, you can do this without an Azure account if you use the oauth2/v2.0 auth endpoint. When you do that, you can register on apps.dev.microsoft.com using a Microsoft account.
See this tutorial for doing it with the Outlook REST API, which is similar to the Graph (in fact, for Calendar operations the calls and entities are identical).
As the mentioned https://github.com/jasonjoh/node-tutorial example is a web app.
but i want to use it as a web service for example :-
i want to run this app on one machine(on server) and other apps made in(mobile apps, desktop and web app) could implemented or consume this services.
once user consume it my service would return [https://login.microsoftonline.com/common/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fauthorize&response_type=code&client_id=9892b97f-0026-4t3f-aa4f-5cb2olpdee7e]
then this url will be open in user's device/machine browser, then user could enter his/her office 365 credentials and once he clicked on SignIn it should aging come in web service and then it authorize the user using access token which is stored on server in cookies and then get/read emails from user office 365 account.
so please suggest me is it a possible scenario ? or if you have any alternate way to do this please let me know.
Thanks in Advance
Yes, this could work. You would need a web front end for the user to sign in, but you could then use the access token from a web service. Another alternative, assuming what you mean by web service, is to run in an unattended fashion by using the client credential OAuth flow, which allows an organizational admin to grant access to all mailboxes.