So I have a few accounts that have documents on them, and having to switch between them all the time is quite frustrating, so I wanted to have them shared so that I can just have a link to view the file (no editing or anything).
Problem is, now with v3, I seemingly have to add the Drive API to every account that I want to view, which doesn't work for me. It's too much of a hassle to go through ALL of the accounts, when I have the username/password for them all already.
Is there a way to have a list of all my accounts username/passwords and somehow query to get a token to view only of the files? Or is this completely not possible anymore with v3.
I can get it working fine but instead of username/password, I have to enable drive API on the account, copy/paste the credential/secret instead of the username/password, and it works perfectly. I can search through all the files I have 'found' by accessing and reading the files and AlternateLink's accordingly... I just would like a non-intrusive way for my application to do this.
This is written in C#.
Unfortunately you can no longer use username/password via an API since the ClientLogin API was shutdown in 2015.
Using OAuth, each user can be prompted to grant permission to your application. They need do this only once.
Alternatively and if the user accounts are GSuite based Google accounts, then your C# program could use a single service account and impersonate any or all accounts on your domain (once given permission to do that by your domain administrator). This obviates the need for each user to grant permission to your application. You can read about how to do this in the Delegating domain-wide authority to the service account doco.
Another alternative may be to create a google group and make all 3 accounts members of that group. Then share a folder (view, comment or edit access) with that group and put all files and sub folders there into that folder.
Related
I'm currently using a SharePoint account as a Service account to get files and share them in an application I'm working on using CSOM. I filter the files according to the logged-in user to check if the user has no access to the file, then I hide it, to prevent him from trying to access it and get "Permission Denied" error.
So, I used ListItem.GetUserEffectivePermissions for this issue, but I need to grant the user only the permissions he needs to access and make that check.
I checked the official documentation of ListItem.GetUserEffectivePermissions here but unfortunately, I found no direct clue which permission does the job.
So to recap what this service account needs to do is :
1- Execute Search across all sharepoint files [SearchExecutor].
2- Get Login Name by Email using Utility.ResolvePrincipal (to be used in GetUserEffectivePermissions function).
3- Use GetUserEffectivePermissions to check if the logged-in User has permission to view the file.
I'd really appreciate your help as I'm kind of new to SharePoint and I searched a lot but found no clue about what I need.
I would recommend that you change your architectural approach. Instead of trying to manage what permissions a user has in SharePoint, let SharePoint take care of it like it already does. Instead, have your app use an OBO (On Behalf Of) token which will honor the logged on user's permissions in SharePoint and only return items that the user has access to. For a detailed overview of the OBO flow in MSAL, please refer to this article.
I'm implementing OneDrive as a cloud provider in an application using the authorization code flow, so I can get access token in behalf of a user, I'm using the Graph API SDK, one of the requirements that I have it should be able to get the list of the Drives for Document Libraries that the user has access using the Graph API, but I don't know how to do it without admin consent and considering that the user that is logged in can have only read-only access or maybe owner, but probably not administration rights.
I've read a lot of possible solutions, but all of them consider that I have access to the Site ID, or Group ID, and to use any of these solutions I need to ask for admin consent permissions, so the question is, can I get all the list of a drive for a user, drives that the user already has access, without admin consent and without knowing beforehand the Sites IDs or the Group IDs?
When I login with this user account in OneDrive, I can see the Drives from Document Libraries for every Site that the user has access without Admin Consent, I need to do the same with the API.
According to your description, I assume you want to list the Document Libraries.
If we use a administrator to login, We can use the following steps to get the drives from sites.
Step1, we can use the API: /sites/root to get all the sites in the root.
we can get the id for the every site in the root.
Step2, we can use this API: /sites/{siteId}/drives to get the drive in one site. The siteId parameter is the result in step1.
However, the user doesn't have access to the root site of the tenant. So it looks like that it is an legit response. Without accessing to root site, the user won't be able to query any information for that root site.
I'm trying to use the Microsoft Graph api to check if the signed in user is in a group (I would use claims based authentication, but the number of claims that were returned is limited to 150 items, which is not enough when my user is in a lot of groups). The problem is, I'm signing into Microsoft's Active Directory, so I am definitely not an administrator and cannot approve services like letting my user look at the entire Microsoft directory.
However, this link and this link combined seem to suggest that I'll need some permissions that can ONLY be granted by the administrator to achieve functionality (to see groups I can already see elsewhere). So, it seems like it's impossible for me, as a lowly code monkey, to access the url:
https://graph.microsoft.com/beta/me/memberOf
with the permissions I can grant. Am I understanding this correctly and is there another way to do what I'm trying to do?
You are right, you do need to log in as admin to grant those permissions when using the Microsoft Graph API.
I've just tried on the older Azure AD Graph API. There it works, but I don't know whether my org has granted the older Graph Explorer app any special privileges.
Try out https://graphexplorer.azurewebsites.net/ and GET https://graph.windows.net/tenant/me/memberOf
I have an Azure webapp that's managing it's users via Azure AD. I want the users to be able to register in my Azure AD directory to create an account (self-service), so I gave the app read-write access to the directory and setup a page using the Graph API to create the users.
Until here, everything is great. But the problem I have now is that I want to enable multi tenancy, so users of external AD directories can login to my app. This works, but I need to login as an administrator for the account because it also asks read-write access to their directory.
Is there a way to fix this? I only want read-write access to my directory to be able to create user accounts. I don't want to ask permission to touch their directory because, most probably, they wouldn't trust my app.
Thanks.
I found a quick and dirty solution: Add another app to the Active Directory. This app should be single tenant and have only permission to read and write the active directory. We can the use this app's credentials to access the Graph API and the other app's credentials to authenticate users.
I wait to see if someone has a better solution for this scenario...
sorry for the late response here. In general, an operation to create objects in a directory (like users) requires admin permissions. Also it looks like the web app you are creating uses app-only permissions, which definitely requires admin consent. In the multi-tenant case, the admin of the consenting tenant must be the one to consent to this type of app - only someone in this role really has the authority to grant consent for this level of access.
Hope the helps,
No need to use a secondary app in lieu of the authentication role - - there may be some peculiar side effects on the authenticating user anyway such as extraneous / incomplete logging, role inconsistencies, and missing system / internal references.
What are you using for login credentials for your app (TenantID etc.)?
AD is very strict in credential management, so I would go back to the app structure.
At the query level, you could make all tables entirely separate per tenant with no shared table data and include a multitenant identifier column so no one can sql inject if you were sure to include the multitenant identifier as an explicit variable.
Then in an entity model, you could inherit a multitenant interface for everyone which referred back to the tenant identifiers (as a part of EF).
This way the burden is isolated to OAuth or other libraries on top of that to take care of the third-party authentication.
Requirement:
I want to access the Google drive documents of a particular user programmatically(being someone#gmail.com is his email id).
Present Condition:
I am using Google drive SDK to achieve this. The sample provided by Google launches a browser process with an URL which asks me to login with that user account and then give an authorization code to actually perform my tasks.
Problem:
I want to automate the entire process. I don't want any manual interaction in this process.
Findings:
While hunting for the solution I got Use regular Google accounts as application-owned accounts which looked friendly to my solution.
Questions:
Please suggest me a way I can automate Google authentication.
Is there anything like google enterprise solution such that an admin account can look into any account in that organization?
You can perform Google Apps domain-wide delegation of authority to allow a Google Apps domain administrator to access data on behalf of one of the users in the domain. This only works on Google Apps domain and not for gmail.com accounts (for which there's no domain administrator role). You can learn more about this feature on https://developers.google.com/drive/delegation