Microsoft Graph - Allow User Access to Application / Service Principal - c#

We are in the process of rolling out a major application to members of staff. It has been set up to use Azure AD/SSO, and we currently have to manually set each user to have access to the application through Azure AD -> Applications -> Users. We have a small C# web application that we use to manage AD users and are looking to use the new Microsoft Graph API to set users to allowed access when they are created, but can't find the correct endpoint/API call to use.
We have tried the following but the documentation/errors returned are quite lacking.
https://graph.microsoft.com/beta/servicePrincipals
https://graph.microsoft.com/beta/groups/{id}/members
Which endpoint/api call should we use to accomplish this?

It looks like you are looking to try and set appRoleAssignments. This is currently only exposed on the Microsoft Graph /beta version. The /beta documentation needs a little love and attention as you've discovered. However this pretty much should work as it does in AAD Graph (so you could reference the AAD Graph API reference), but with the different root of https://graph.microsoft.com/beta. This blog post also has some examples https://blogs.msdn.microsoft.com/aadgraphteam/2014/12/12/announcing-the-new-version-of-graph-api-api-version1-5/.
Are there any specific challenges that you are facing? What operations and errors are you seeing?
Hope this helps,
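An added example (not code from the question or the answer) of the appRoleAssignment request the answer points to. It assumes the request shape Microsoft documents for this resource (principalId, resourceId, id, posted under the user), a constructed service principal document, and made-up GUIDs; the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Text.Json;

static class AppAccess
{
    // Constructed sample of a servicePrincipal document; every id here is made up.
    const string SampleSp = @"{ ""id"": ""11111111-1111-1111-1111-111111111111"",
      ""appRoles"": [
        { ""id"": ""22222222-2222-2222-2222-222222222222"", ""value"": ""Staff"",
          ""isEnabled"": true, ""allowedMemberTypes"": [""User""] },
        { ""id"": ""33333333-3333-3333-3333-333333333333"", ""value"": ""Daemon"",
          ""isEnabled"": true, ""allowedMemberTypes"": [""Application""] } ] }";

    // Role to grant: a named, enabled role that users may hold, or the all-zero
    // default role id when the application declares no roles at all.
    static Guid ResolveRoleId(JsonElement sp, string roleValue)
    {
        var roles = sp.GetProperty("appRoles").EnumerateArray().ToList();
        if (roles.Count == 0) return Guid.Empty;
        // Single() throws on no match instead of silently granting some other role.
        var match = roles.Single(r =>
            r.GetProperty("value").GetString() == roleValue &&
            r.GetProperty("isEnabled").GetBoolean() &&
            r.GetProperty("allowedMemberTypes").EnumerateArray().Any(t => t.GetString() == "User"));
        return match.GetProperty("id").GetGuid();
    }

    // Assumed request shape: POST {root}/users/{id}/appRoleAssignments.
    static HttpRequestMessage BuildAssignment(Guid userId, JsonElement sp, string roleValue)
    {
        var body = JsonSerializer.Serialize(new {
            principalId = userId,                        // the user being granted access
            resourceId = sp.GetProperty("id").GetGuid(), // the application's service principal
            id = ResolveRoleId(sp, roleValue) });        // the app role being granted
        return new HttpRequestMessage(HttpMethod.Post,
            $"https://graph.microsoft.com/beta/users/{userId}/appRoleAssignments")
        { Content = new StringContent(body, Encoding.UTF8, "application/json") };
    }

    static void Main()
    {
        using var doc = JsonDocument.Parse(SampleSp);
        var user = Guid.Parse("44444444-4444-4444-4444-444444444444"); // constructed
        var req = BuildAssignment(user, doc.RootElement, "Staff");
        Console.WriteLine($"{req.Method} {req.RequestUri}");
        Console.WriteLine(req.Content.ReadAsStringAsync().Result);
    }
}
```

To send the request, add an `Authorization: Bearer` header carrying a token that is allowed to write app role assignments and pass it to `HttpClient.SendAsync`.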

Related

Accessing OneNote API using Graph? token (Azure v2.0 auth)

I am trying to remove dependence on adal.js and adal-angular.js from my project as the CMS I am using already provides support for Azure authentication.
I did a bit of work to update the login provider to v2.0:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
This allowed me to leverage Graph API. While I can access OneNote notebooks:
https://graph.microsoft.com/beta/me/onenote/notebooks
I find myself lacking the ability to distinguish between personal, class and staff notebooks.
https://www.onenote.com/api/v1.0/me/notes/classnotebooks
https://www.onenote.com/api/v1.0/me/notes/staffnotebooks
I am also lacking the ability to see/manage members (teachers, students, leaders, members respectively).
Prior to the update, I used an angular code example to test OneNote API and integration. But the main issue was that I had to use adal to obtain an access token. In other words, the user was forced to log in a second time despite already being signed in in order to use OneNote component. And I was hoping to do away with this extra step.
As per title, I am looking for a way to use the access/refresh token(s) obtained from Azure v2.0 auth process to silently exchange/obtain OneNote access token.
Is it even possible? And if not is there a more user-friendly workaround?
Reference:
Link to Graph OneNote endpoint
Link to OneNote ClassNotebooks endpoint
Link to OneNote StaffNotebooks endpoint
I am looking at this and think to myself: why was the OneNote API not working for me before I switched to Azure v2.0? I have the right scopes too: Notes.Read and Notes.Create.
ps: If I had all the necessary endpoints in Graph OneNote API I would not bother with OneNote API.
pss: In case this is of importance the front end is implemented using AngularJS which in turn leverages Graph API using Web API framework.
psss: To get a better idea of what I am talking about here a link to Graph Explorer
Sorry, but the OneNote ClassNotebooks and StaffNotebooks endpoints are not yet supported in Microsoft Graph. But it is in the plans, so we will let you know when it is ready.
Also, currently it is not possible to use the Azure v2.0 token for OneNote API endpoints.

How to access Microsoft Graph from Asp.net Core 1.1 MVC

I'm taking a summer development course and have been working on writing an API that will allow the user to log in to a personal, work, or school Microsoft.com account and do basic CRUD operations on the events in their calendar. Things like querying for all events within a date range or events that have a specified Open Extension property, etc.
Having finished that, I'm now working on writing a front end for it using ASP.net Core 1.1 MVC. The basic goal here is to list the results of the user's query with a few details, then allow the user to select an event to view all its details, edit it, or delete it. There would be a separate view to allow creation of new events. However, the authentication method I was using prior to switching from a basic console application to ASP.net Core 1.1 MVC (from the Microsoft Graph UWP Snippets located here) does not seem to work with ASP.net Core 1.1. Specifically, line 58 from the link above (AcquireTokenSilentAsync()).
I've done a good bit of digging before deciding to come and ask a question here, but I honestly feel like I'm getting nowhere/have been wasting time that I need to be spending on development. For reasons related to the course the professor is very hands-off, so asking him for assistance isn't an option.
How would one go about setting up an ASP.net Core 1.1 MVC app to allow access to the logged-in user's calendar? I've honestly not been able to find much, and since my API is currently very dependent on the token returned from the above Authentication method (it is used with both the HttpClient and GraphServiceClient used in my API) I'm going to need to figure something out soon.
UPDATE: I found a tutorial for using OpenIdConnect to log a user in to their Microsoft.com account in Asp.net MVC 6, however I'm not sure if there is a way to get at the authentication token that I need to use the Graph Client/HttpClient. Additionally, I haven't been able to find a similar tutorial for ASP.net Core 1.1 MVC. I'll keep digging and post anything I find here.
UPDATE 2: Wasn't having luck with that, have switched to attempting to use the OAuth 2.0 Authorization Code Grant Flow. Currently having a bit of trouble understanding how to get the authorization code to get the access token. If I set responseMode=query, do I actually have to query my application's redirect url (in this case localhost:xxxx/) that was created when I registered my app, or is the response automatically returned after the user logs in/consents to letting my app access their data?
UPDATE 3: I'm getting closer to having a functioning authentication process by following the steps in the link in Update 2. At this point I guess I'm just curious if my original method of authentication (almost identical to what is contained in the link in my original post) could have worked, or if I was going to find myself in this position no matter what.
I managed to use most of this sample repository: Microsoft Graph Webhooks Sample for ASP.NET Core to connect to Microsoft Graph API. It demonstrates using webhooks and MS Graph subscriptions, but it's how it gets the access token that is useful for us.
The relevant code snippet:
AuthenticationResult authResult = await authContext.AcquireTokenAsync(GraphResourceId,
new ClientCredential(AppId, AppSecret)); // For sample purposes only. Production apps should use a client certificate.
return authResult.AccessToken;
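What the client-certificate credential recommended in the snippet's comment puts on the wire, as an added example (not code from the sample repository or the answer): the app signs a short-lived JWT with the certificate's private key and sends it as client_assertion, so no shared secret sits in configuration. The assertion layout follows Microsoft's documented certificate-credential format; the client id, tenant and in-memory certificate are placeholders, and the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CertCredential
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds the signed JWT that is posted as client_assertion instead of client_secret.
    static string BuildClientAssertion(X509Certificate2 cert, string clientId, string tokenEndpoint)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        // x5t is the base64url SHA-1 thumbprint; it selects the certificate registered on the app.
        string header = $"{{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"{B64Url(cert.GetCertHash())}\"}}";
        // A short lifetime and a fresh jti limit the value of a captured assertion.
        string claims = $"{{\"aud\":\"{tokenEndpoint}\",\"iss\":\"{clientId}\",\"sub\":\"{clientId}\"," +
                        $"\"jti\":\"{Guid.NewGuid()}\",\"nbf\":{now},\"exp\":{now + 600}}}";
        string signingInput = B64Url(Encoding.UTF8.GetBytes(header)) + "." +
                              B64Url(Encoding.UTF8.GetBytes(claims));
        using RSA key = cert.GetRSAPrivateKey();
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(signingInput),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + B64Url(sig);
    }

    static void Main()
    {
        // Throwaway self-signed certificate generated in memory for the demo; a real app
        // loads the certificate whose public half is uploaded to its app registration.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=demo-app", rsa,
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

        string jwt = BuildClientAssertion(cert, "<client-id>",             // placeholder
            "https://login.microsoftonline.com/<tenant>/oauth2/token");    // placeholder
        // Form fields of the token request that replaces the client_secret variant.
        Console.WriteLine("grant_type=client_credentials");
        Console.WriteLine("resource=https://graph.microsoft.com");
        Console.WriteLine("client_id=<client-id>");
        Console.WriteLine("client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        Console.WriteLine("client_assertion=" + jwt);
    }
}
```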

Creating my own external authentication service

I'm trying to find a full tutorial on creating your own external authentication service. Similar to the ones you see that say "Login with Google" or Facebook or Twitter... How do I create my own version of those? Including allowing creation of "apps", creating their app key and secret.
Maybe I'm searching for the wrong terms when looking, I'm not sure.
I have a need for a central login service where applications will be able to log in a user and receive their information if they have sufficient permissions.
I'm using c# and web api 2 if this helps.
Thanks
IdentityServer (3 or 4 depending on your .Net preference) would be a good place to start. It is an open source project that supports the OAuth2 / Open ID protocols and is very well documented to show you where to plug in your app into the pipeline. https://identityserver4.readthedocs.io/en/release/index.html

Can we replace Azure Portal by our enterprise Client app to perform all tasks that we perform on Azure portal?

Does Azure offer full APIs to accomplish all tasks without opening the Azure portal?
I heard some REST APIs are available but am not sure about their coverage.
My question is: can we replace the Azure portal completely with our customized enterprise app, which actually calls REST APIs provided by Azure?
Here is why I need this strange thing:
We need this as our organization is developing an Internal Unified App to manage our resources on all three clouds (Azure, AWS and Google Cloud) from a single point.
The answer to your question is yes. You can certainly do that. As Alex mentioned in his comments, take a look at Azure Service Management API to begin with.
However there are a few things I would like to point out:
As you know, there are two portals right now (Live and Preview). Unfortunately both of these portals use different sets of APIs. The Live one uses the Service Management API and the Preview one uses the Azure Resource Manager (ARM) API. So you have to make sure that you use both of these APIs in your application. Microsoft is pushing very hard to make all the APIs exposed through the ARM API, but there's still a lot of work that needs to be done.
Another thing I noticed is that at times documentation for REST API for certain services is missing though there are ways to find that information. Just keep that in mind if you're building support for these services and not able to find documentation.
I would suggest you start here: https://msdn.microsoft.com/en-us/library/azure/mt420159.aspx and then find out REST APIs for the services you're interested in supporting in your application.

Active directory ADWS WSDL vs C# implementation

So I'm trying to find a "Best" way to interact (create an interface) with Active Directory in read/write mode. So I'm deciding between these two approaches:
Try and use the ADWS.
C# Implementation.
Apparently for ADWS it is not that easy; even though there is a full WSDL, I've not been able to locate it to try to do some tests via SoapUI...
Now for the C# implementation there are a few implementations,
but still I'm not sure if it's 100% doable to have full READ/WRITE to AD, i.e. creating accounts, users, querying for users' info, etc. from, let's say, a REST WS.
So my questions are:
Is there a way of getting a WSDL from the AD server so that I can use that as a starting point? (I don't want to get into PowerShell stuff or the like.)
Are there any good articles for the latest versions of C#, libs, etc. to help me implement this?
Is there a better way of doing this?
As an example This is what we're trying to do:
Scenario 1:
Create a Web Service (INTERFACE) that exposes AD information
The Web Service could be REST or SOAP
The WS should read/Query/Write the AD
Any Application inside the network can consume the WS
Scenario 2 (What we currently plan to do):
Sharepoint Reads AD Information
Job should copy AD to DB
Applications can read this data
There should exist some replication between the DB and AD
Any suggestions will be more than welcome
I'm using Server 2008 R2, SharePoint Foundation 2010.
I'm assuming this is related to your previous question which mentioned Exchange.
My personal suggestion is to host a WCF service in IIS. You can set this service up to do whatever you want to suit your needs for the apps accessing it. You can probably do most of what you need to do through the System.DirectoryServices.AccountManagement namespace when it comes to Users and Groups.
System.DirectoryServices will give you more granular control at the cost of more work. However, it is a little easier at reading and writing from/to custom attributes here.
If you're going to interact with Exchange 2010 you'll need to mess with Powershell. And you could use Powershell to do core AD work as well.
And of course if you're going to write your own web service you could make it REST.
Here is a link to MSDN with info about System.DirectoryServices and the various namespaces. I personally find AD to be a lot of fun to work with. There are many ways to do the same thing in it so I don't think there's one right answer for you. Go with what you're comfortable with or challenge yourself to do something new!
