I need to programmatically create an app in Azure AD and programmatically assign it permissions for Graph APIs. Somehow I am unable to find any good info on this. Please let me know if there is any good example of this.
I am able to create a basic app but not sure how to assign permissions to it.
I have a few basic queries:
Can we create an app and assign permissions at the same time? Or we need to first create app and then assign permissions?
How can I get a repository of all the possible permissions? Is there any way I can get a readable form of permissions and also its GUID representation?
Any C# example of this would be much appreciated.
PFB answer to your queries :
Can we create an app and assign permissions at the same time? Or we need to first create app and then assign permissions?
--> Yes you can create an app and assign permissions are the same time.
How can I get a repository of all the possible permissions? Is there any way I can get a readable form of permissions and also its GUID representation?
--> Here is the link for all the possible permissions :https://learn.microsoft.com/en-us/graph/permissions-reference
You can use Microsoft Graph explorer to execute queries and get the GUID representation.
Here is the link : https://developer.microsoft.com/en-us/graph/graph-explorer
You must first register an application in the Azure portal (or you must have an application first), and then grant the application permission or delegate permission to call MS graph api to create other applications, here is a detailed explanation Description.
Next, you can create other applications based on this application using C# code + MS graph api, and grant permissions to other applications (this is a separate operation, of course, you can also create an application and assign permissions at the same time).
At first you have to register your application in the Azure Active Directory.
Go to Azure Portal and navigate to the Azure AD -> App Registrations and create a new App.
In the Apps administration view, go to API-Permissions and click on "Add a permission". Now you can see all the available permissions you can grant to you application.
For some permissions (indicated by an orange warning sign) you have to grant admin consent afterwards.
After you have done those steps and you configured the redirect URLs (also in the Azure portal), you can access the data you have permissions from your application.
Note: You will also have to implement an authorization flow to make use of Microsoft Graph. You can find additional information here Microsoft Graph Authentication
Related
I'm currently using a SharePoint account as a Service account to get files and share them in an application I'm working on using CSOM. I filter the files according to the logged-in user to check if the user has no access to the file, then I hide it, to prevent him from trying to access it and get "Permission Denied" error.
So, I used ListItem.GetUserEffectivePermissions for this issue, but I need to grant the user only the permissions he needs to access and make that check.
I checked the official documentation of ListItem.GetUserEffectivePermissions here but unfortunately, I found no direct clue which permission does the job.
So to recap what this service account needs to do is :
1- Execute Search across all sharepoint files [SearchExecutor].
2- Get Login Name by Email using Utility.ResolvePrincipal (to be used in GetUserEffectivePermissions function).
3- Use GetUserEffectivePermissions to check if the logged-in User has permission to view the file.
I'd really appreciate your help as I'm kind of new to SharePoint and I searched a lot but found no clue about what I need.
I would recommend that you change your architectural approach. Instead of trying to manage what permissions a user has in SharePoint, let SharePoint take care of it like it already does. Instead, have your app use an OBO (On Behalf Of) token which will honor the logged on user's permissions in SharePoint and only return items that the user has access to. For a detailed overview of the OBO flow in MSAL, please refer to this article.
I have an azure web application which is accessible by all the users of our organization.
In a .Net what are the possible ways to restrict access to certain set of users of a web application. MFA is already there, but still I need to restrict it to a specific group of users.
Please let me know how can I proceed further on this using Graph API in C#.
Based on the tags it sounds like you are using Azure AD authentication.
In that case you can go to Azure Active Directory -> Enterprise applications.
Find your application in the list and open it.
Then you can go to Properties tab and set User assignment required? to Yes.
Then open the Users and groups tab and assign the users you want to be able to access the app.
I am using this UWP sample: https://github.com/microsoftgraph/msgraph-training-uwp
It demonstrates Microsoft Graph, A service for allowing useres to login to apps with their microsoft account so that the app can access the users granted data. By default, the sample requests the calandar's scope, to veiw calandar data, but I would like to edit the sample to access the scope of the user. This is because my app uses in app purchases, and is on a public machine, and I want what users do to be tied to their accounts.
However whenever I try to change the scope of the sample, the app doesnt work correctly, or it crashes. Is there something I'm missing? or is there some way to change the scope?
You can add User.Read scope to your application in the app registration in portal.azure.com. Next time you run the app and sign in , it should ask you to consent this new permission.
Then in your code you can change it to call /me rather than /me/events. It will return the users profile data like shown in Graph Explorer here https://developer.microsoft.com/en-us/graph/graph-explorer?request=me/&method=GET&version=v1.0&GraphUrl=https://graph.microsoft.com
The tutorial is also easier to follow here https://learn.microsoft.com/en-us/graph/tutorials/uwp
I am wondering if there is a way to add already existing users in an AAD tenant to a different tenant programmatically? I can only see the powershell cmdlet for adding(creating) a new user in the same tenant. Basically this is the workflow that i want to automate:
On the Azure portal. i go to the tenant and then click on Add user
When i click on Add User it asks me to provide Type of User where i choose User in another Microsoft Azure AD directory.
Is there a way to programatically do this using some code in powershell or C# or some other microsoft stack?
Basically i want to achieve automation for steps mentioned in this link: https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users-external/
No, this is not directly supported. One way to add "O365 Management APIs" application and then use office.com admin portal to import users from a csv file. But this only works if the users on the same tenant.
I have an Azure webapp that's managing it's users via Azure AD. I want the users to be able to register in my Azure AD directory to create an account (self-service), so I gave the app read-write access to the directory and setup a page using the Graph API to create the users.
Until here, everything is great. But the problem I have now is that I want to enable multi tenancy, so users of external AD directories can login to my app. This works, but I need to login as an administrator for the account because it also asks read-write access to their directory.
Is there a way to fix this? I only want read-write access to my directory to be able to create user accounts. I don't want to ask permission to touch their directory because, most probably, they wouldn't trust my app.
Thanks.
I found a quick and dirty solution: Add another app to the Active Directory. This app should be single tenant and have only permission to read and write the active directory. We can the use this app's credentials to access the Graph API and the other app's credentials to authenticate users.
I wait to see if someone has a better solution for this scenario...
sorry for the late response here. In general, an operation to create objects in a directory (like users) requires admin permissions. Also it looks like the web app you are creating uses app-only permissions, which definitely requires admin consent. In the multi-tenant case, the admin of the consenting tenant must be the one to consent to this type of app - only someone in this role really has the authority to grant consent for this level of access.
Hope the helps,
No need to use a secondary app in lieu of the authentication role - - there may be some peculiar side effects on the authenticating user anyway such as extraneous / incomplete logging, role inconsistencies, and missing system / internal references.
What are you using for login credentials for your app (TenantID etc.)?
AD is very strict in credential management, so I would go back to the app structure.
At the query level, you could make all tables entirely separate per tenant with no shared table data and include a multitenant identifier column so no one can sql inject if you were sure to include the multitenant identifier as an explicit variable.
Then in an entity model, you could inherit a multitenant interface for everyone which referred back to the tenant identifiers (as a part of EF).
This way the burden is isolated to OAuth or other libraries on top of that to take care of the third-party authentication.