I create a unified group using the graph api through a queue-triggered azure function (C#). When created, I want to tag some information on custom attributes and do other exchange-related stuff like hide from GAL. How is this best done?
I have tried using yet another queue-triggered function in order to connect to exchange online with powershell, although I have a hard time getting the credentials right having only clientid, secret and certificate thumbprint in the functions configuration. To run exchange online commandlets it seems like you have to go with actual user credentials (username, password).
I have also explored the possibilities of doing this kind of settings directly from the graph API but it seems limited in this case.
I got this working by using an Azure Automation runbook triggered by a webhook.
So after creating the unified group through graph api, a http-call is made to trigger the runbook. The runbook is then utilizing Exchange powershell module to alter group settings.
Related
We've got a Windows Service which sends emails using EWS API and is using Basic Authentication for that. As well as that it uses EWS API to check some folder in the mail box to retrieve certain email which is going to be used as template. To be honest I'm not pro in mail-servers and not sure if retirement of basic auth approach will affect us.
Another thing to consider is that our team doesn't have control over Azure tenants and it's our client's IT department who has it and they are going to create new Azure tenant for that and as far as I understood by default basic auth will be disabled for it.
So should we updated our service to Graph API in this case or would it be possible somehow to reenable basic auth for that new tenant?
Thanks!
We've got a Windows Service which sends emails using EWS API and is using Basic Authentication for that. As well as that it uses EWS API to check some folder in the mail box to retrieve certain email which is going to be used as template. To be honest I'm not pro in mail-servers and not sure if retirement of basic auth approach will affect us.
The Change to Basic Authentication has been deferred now to 2021 rather then October
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508
Another thing to consider is that our team doesn't have control over Azure tenants and it's our client's IT department who has it and they are going to create new Azure tenant for that and as far as I understood by default basic auth will be disabled for it.
It sounds like you don't quite understand how Office365 and AzureAD work as most of what your saying is incorrect. The only thing you need for oAuth is an Azure Application registration https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app . If your app is going to be used by lot of different clients then make it multi-tenant. What each client would need to do is Grant Consent for your application to be used in their tenant https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent (this is just a one off thing).
So should we updated our service to Graph API in this case or would it be possible somehow to reenable basic auth for that new tenant? Thanks!
If you use the Graph API you will still need the same registration/consent to use oAuth
Is it possible to pull work items from the DevOps API without needing a user to be logged in to get an access token every time?
I am trying to create a back-end service that pulls work items from the API every so often to generate a report. Can I just generate a one-time access key to use with that back-end service?
I've looked around the documentation, but it seemed like it all requires either a PAT or Azure Active Directory authorization/authentication.
Here's the docs for the API: Link
you can do something like this https://learn.microsoft.com/en-us/azure/devops/organizations/settings/manage-authorizations?toc=%2Fazure%2Fdevops%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdevops%2Forganizations%2Fbreadcrumb%2Ftoc.json&view=azure-devops
and
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
Basically authorize applications to use devops based on your credentials using oauth. similar to an app registration.
Thats the only way I can see without PAT and manual login each time.
Instead of your personal account, you could create a fake AAD user then add it to your Azure DevOps Service.
Use that account to create a Personal Access Token. Similar to Build Service account to pull source code/work items. This should be a easy way to track everything.
But the limitation here is also obvious: this needs involvement of IT department, and also causes additional costs, since every user is billed.
Allow personal access tokens that do not expire is not supported right now. There is a related user voice.
As an alternatively way you could use OAuth just as alphaz18 suggested. Details please refer-- Authorize access to REST APIs with OAuth 2.0
Does Azure support a programmatic way of registering an application via the users Microsoft account (Using Azure Active Directory)?
Example 1
I am unable to find anything through the Microsoft docs. Everything related to this indicate a manual application registration has to be done, then manually entered. However, I want my application to support multiple tenants without having to manually input all the information into environment variables.
I would like my application to register itself after a user has signed into their Microsoft account and allow access to my application (similar to Github integration). With that registration, it can then pull down the users tenant information and generate a key for itself.
Edit: I have found some other answers on StackOverflow that mentions using GraphAPI after obtaining a bearer token from Microsoft
Is this still the best way of doing this?
My organization currently uses Office365, and I am creating a Universal Windows Platform app that essentially needs to access the calendars of multiple accounts within the organization. I am currently using the Office365 Rest API, and already can successfully query a single account's calendar data, after getting an OAuth2.0 access token for a particular user.
After searching through multiple resources and existing Stackoverflow questions, I have tried the following with no luck to get multiple user account calendars without having to sign in to each account individually:
Performing a GET request with the graph API from Microsoft Graph API
Performing a GET request using navigation paths to users calendars using this method and other variations. (Returns 403 access denied error)
I also found a possible solution by using EWS Managed API, but I was unsure of its compatibility with UWP and our current Office 365 setup.
Lastly, I looked into building daemon or service apps, but this method seemed really unnecessary and possibly impossible with the current configuration of Azure. It requires asymmetric key crypt. set up within the system, and re-configuring the app as a whole within Azure.
Any help is appreciated.
[EDIT]: FYI all of the calendars have been made public, and can be viewed in the web client of Outlook.
I found to what I think is the only solution with today's version of UWP and the Office365 REST Api.
First I started up a different application that was compatible with the EWS Managed API and made a query to the Microsoft Exchange server that my organization is using. I tracked this request using Fiddler, the http debugger, to view the actual request and response. This way, I could find the exact endpoint of my exchange server.
Then, I navigated to the exchange service's URL in my browser, and saved the service's WSDL file, and imported it as a service reference to my UWP solution.
Finally, I set up a Httpclient, and generated a request to match all of the properties of the request made from the successful EWS Managed API call that I tracked in Fiddler.
My question is simple: is it possible to list all subscriptions a user has access to, using an API?
My goal is to create an application where the user gets a list of his subscriptions and can select a subscription to view all his deployed applications.
Is this possible?
Thanks
Currently it is not possible to do so as no public API is available. What you could possibly do is ask your users to provide you with publish profile file (if they can do that). You could then parse the profile file, get the subscription ids and management certs and use them in Service Management REST API.
Actually it is available but not documented yet. If you carefully look at open source Powershell Cmdlets and the Management Library Clients (which are both under Azure account on GitHub) you will see that it is being used. :-)
I believe it only works with OAuth/AD authentication to the Azure REST API, not certificate based authentication (but I might be wrong).
The request looks like this:
GET https://management.core.windows.net/subscriptions
On authenticating to Azure with OAuth, check out my blog post:
https://ahmetalpbalkan.com/blog/azure-rest-api-with-oauth2/