I want to get access to the Calendar REST API. I've created an Azure multi-tenant app and configured it.
I'm trying to get an access token for the resource "https://outlook.office365.com/", but I get an error:
'AADSTS50001: Resource 'https://outlook.office365.com/' is disabled.'
Note: I couldn't find "Office 365 Exchange Online" inside the "Permissions to other applications" section in my Azure account.
Your help please.
You won't see Exchange in your Azure account unless you have an Office 365 subscription that includes Exchange. It sounds like you're registering in https://manage.windowsazure.com? You might want to try registering your app in https://apps.dev.microsoft.com and using the v2 Azure auth flow. The big benefit is that you can register apps with just a Microsoft account (like outlook.com, etc.). See https://dev.outlook.com/RestGettingStarted for walkthroughs.
I'm trying to set up authentication against Azure DevOps using MSAL. I've followed Microsoft's sample but I can't get it to work with personal Microsoft accounts. Whenever I try to log in with a personal account I get the following error:
This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.
In the sample I have only changed ida:Tenant to "common" and ida:ClientId to my application id. I've set up my App Registration by following the guide in the sample, except for the "Supported account types", which I've set to:
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
What am I doing wrong or missing?
When configuring the application to use your app registration, you also need to find the key ado:OrganizationUrl and replace the existing value with the URL of your Azure DevOps organization. Please note: this must use HTTPS, as mentioned in "Configure the application to use your app registration".
If you already replaced the ado:OrganizationUrl, you may try changing the Supported account types back to "Accounts in this organizational directory only" to see if it works, for troubleshooting.
I spent a little bit of time getting the samples working, and the key steps required to accomplish this are:
The Microsoft personal account needs to be added to an Azure Active Directory tenant, as MSAL uses Azure AD as its fundamental infrastructure.
https://learn.microsoft.com/en-us/answers/questions/228067/invite-or-add-personal-ms-account-to-azure-ad.html
Link the Azure AD tenant (with the Microsoft personal account) to the Azure DevOps service instance.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
To complete the sample, I used my MS personal account to sign up for a free Azure account (so that I can test the Azure AD stuff), and used the same account to request a free Azure DevOps service account.
Thanks
In your question you mention:
"I'm trying to set up authentication against Azure DevOps using MSAL."
So, the goal is to let Microsoft Account users log on to some part of Azure DevOps using MSAL? I'm curious what the exact use case is, but let's assume I understand you correctly.
The first thing that comes to mind is: are those users already invited to the AzDo organization? Please read here how to do this.
Doing this will add them to the Active Directory as a guest like this:
Alternatively if you just want to invite these users to Azure, please use the invite from: https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers
This site suggests this error occurs when the user doesn't have multi-factor authentication set up. You may need to have your Microsoft account set up with MFA.
I can't find a way to retrieve the data of "Restrict member users default permissions" -> "Users can register applications" (https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions) via the Azure REST API or Graph.
I use "Get-MsolCompanyInformation" from PowerShell. I wanted to do this without logging in with an interactive Azure account, but using an account and application with the .NET Framework.
How do I get the values programmatically?
Thanks in advance.
You can only manage these settings under user settings in the Azure AD portal or using the Azure AD MSOL module (Get-MsolCompanyInformation); there is no API way to control them as of today.
The MSOL module (Get-MsolCompanyInformation) leverages the Azure AD Connect provisioning endpoint https://provisioningapi.microsoftonline.com/provisioningwebservice.svc (SOAP request based) to retrieve UserSettings, which can't be used out of the box the way the Graph API can.
I am setting up a WebAPI that needs to collect events from a calendar located in SharePoint. The WebAPI is registered in the Azure Portal and does not support user login. Can I restrict the application to only that one calendar, or to only have access to a specific user's calendars?
This is what I currently have:
A WebAPI ( .Net Core 2.1 )
Azure AD with a bunch of users
Registered in Azure Portal, with Application "Calendars.Read" permissions
Using TenantID/ClientID/ClientSecret when authenticating the app, with no user login for the webserver, and I would prefer not to have user login if possible.
As of now, I can pull the events with Microsoft Graph by using something like:
https://graph.microsoft.com/v1.0/sites/root/lists/4bddc7ee-xyz-xyz-83cc-/blablabla
The problem is that I have access to all users' calendars, and I need to restrict the app to only have access to that specific calendar.
I have seen several similar questions like this; the answer is no, Microsoft Graph does not support that currently.
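As an added example (not code from the original question or answer), this is how the app-only setup described in the question acquires a Graph token with the client credentials flow, and it then decodes its own token's roles claim to confirm what the answer states: Calendars.Read granted as an application permission applies to the whole tenant, not to one calendar. The tenant, client, secret and user values are placeholders, and the Microsoft.Identity.Client (MSAL) package is assumed.

```csharp
// Added example, not code from the original post. Assumes Microsoft.Identity.Client;
// tenant/client/user values below are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class AppOnlyCalendarReader
{
    const string TenantId = "<tenant-id>";         // placeholder
    const string ClientId = "<client-id>";         // placeholder
    const string ClientSecret = "<client-secret>"; // placeholder; never commit a real one

    static async Task Main()
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();
        // ".default" requests every application permission an admin has consented to.
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();
        // With Calendars.Read granted as an application permission, the roles claim
        // shows the token is valid for every mailbox in the tenant, not one calendar.
        foreach (string role in RolesFromJwt(result.AccessToken))
            Console.WriteLine($"application role in token: {role}");
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        string upn = "<user-upn>"; // placeholder mailbox to read
        Console.WriteLine(await http.GetStringAsync(
            $"https://graph.microsoft.com/v1.0/users/{upn}/calendar/events?$top=5"));
    }

    // Reads the roles claim from our own token: payload decode only, no signature check.
    static List<string> RolesFromJwt(string jwt)
    {
        string p = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        p = p.PadRight(p.Length + (4 - p.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(p));
        var roles = new List<string>();
        if (doc.RootElement.TryGetProperty("roles", out var arr))
            foreach (var r in arr.EnumerateArray()) roles.Add(r.GetString());
        return roles;
    }
}
```

Reviewing the printed roles during setup is a quick way to see exactly how broad the app's standing access is before it is deployed.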
I am learning about Azure AD and Office 365 and I am wondering if the following is possible and if so, how to go about doing it since I am confused on a few aspects with documentation:
Say a company, CompanyA, has Office 365 for users of their org. These users use Exchange/Outlook and Office to sign in (Office desktop) using their Office 365 creds.
CompanyA has Active Directory hosted internally but they are planning to use Azure AD Connect Sync to sync all objects in AD into the Azure AD so things like password changes are synced (and user objects) between the cloud and internal network.
Is there a way to use their Office 365 creds to log into their network systems and sync to AD or perhaps link the Azure AD to their Office 365 accounts so they can log into the computers using their Office 365 creds?
Question 2 is below (the real question I had!):
Now, there will be a custom app hosted both internally but also externally (possibly in the Azure cloud). The app could be a desktop app or a web app or some service.
Is there a way for the apps to authenticate against Azure AD/Office 365 to ensure that the user logging in (using their Office 365 creds) is successful? Is there an automated way, without a popup dialog, so everything is done programmatically via the APIs using C#/.NET Framework?
Thanks!
When you reference Office 365 credentials you are already talking about Azure AD. Every Office 365 tenant has a backing Azure AD instance that is the store for user accounts and credentials. Please see the following article for a detailed description:
https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
You are currently using the model referred to as Cloud identity. It sounds like you want to move to Synchronized identity or Federated identity.
If you configure your Azure AD Connect installation to synchronize to your Office 365 tenant (by giving it a Global Admin from the tenant during setup), then you will effectively have the setup you want, with on-premises AD DS credentials synchronized with your Office 365 (Azure AD) credentials.
However, since there is an existing tenant with accounts that you want to match with on-premises accounts, you will need to communicate this with your users in advance and also read up on how soft matching works when synchronizing to an Azure AD with existing accounts.
This KB article should get you started: https://support.microsoft.com/en-us/kb/2641663
If done properly, the end result will be as follows:
User accounts and password changes are managed from your on-premises AD.
Password changes happen on-premises and are synchronized with the Azure AD accounts that are matched to on-premises accounts.
You will not be able to change passwords from Office 365 and have those changes reflected on-premises unless you enable Password Write-back, which requires an Azure AD Premium subscription.
Users will log in to domain resources using their AD credentials, which match their Office 365 credentials in Azure AD.
At this point you will have moved to Synchronized identity. This is required to take the next step to Federated identity so you will want to get to this stage either way. I would not take the next step to federated until you fully understand the implications of that model.
Regarding part 2 of your question, there are multiple libraries that can add authentication to Azure AD to your custom applications. This page has a list of libraries by language:
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-libraries
I have to get the list of video channels and video details from Office 365.
I referred to this link
But what I want to achieve is that a user will log in to the site using Windows authentication.
using Microsoft.SharePoint.Client;
// CSOM client context for SharePoint Online, authenticated with a username/password credential
var onlineCredentials = new SharePointOnlineCredentials(username, password);
ClientContext context_new =
    new ClientContext("https://xxx.sharepoint.com//portals/hub/_api/VideoService/Channels");
context_new.Credentials = onlineCredentials;
The above code I have used to get a list from SharePoint.
Is it possible to use the above method to authenticate to Office 365 and get details about video channels and videos?
Or
Should I use an access token?
The Video portal is only available with Office 365, and in Office 365 authentication can be done only with Azure AD. I assume you will have your organization AD getting synced with the Azure AD of Office 365.
If I understand your requirement correctly, you want to have a stand-alone Web App which needs to get the details from the Office 365 Video Portal. For this you'll probably have to register your app in Azure AD to get access to the Video Portal REST APIs. Following is the link.
https://msdn.microsoft.com/en-us/office/office365/howto/add-common-consent-manually
However, for the above approach, users will have to log in with Azure AD only. If you want to use Windows credentials, what you can probably do is use a middle layer WebAPI which is registered with Azure AD. Again, the Web API would also have to get Application Delegation Permissions so that any user can get access to the video portal (doesn't sound like a great approach, but is possible).