I was wondering if the Office365 API supports service level accounts yet. By service level, I mean that a single "service user" (an application for example), can authenticate itself over OAuth2 against our O365 account and access all of our users mail, calendars and files on their behalf.
We're aware that you can do this using EWS (which we have been doing), but we really want to get using O365 REST.
Thanks
Not yet, but we're working on it. Follow me on Twitter (#JasonJohMSFT) or watch our blog (http://blogs.msdn.com/b/exchangedev/) for the announcement.
Related
I'm using EWS in a Windows Service to access different users calenders. Since office 365 basic authentication is deprecated I need to add support for OAuth. I followed the steps in this link Authenticate an EWS application by using OAuth and it works fine. However, my application is used by many customers and what I don't understand is what my customers are supposed to do. Do they also have to add my application in their 365 account? I was under the impression that a customer could find my app in a global directory or something, but I can't find any information about it.
I am creating a web application that will authenticate users based on their azure ad / office 365 accounts. To log into their computers they use their ad / office 365 account and they will have access to the web app without signing in based on their AD access.
I have tried to follow tutorials to set up this type of authentication using spring and angular:
https://learn.microsoft.com/en-us/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory?view=azure-java-stable
Almost all of these guides or docs require setting up the app on the azure ad site, which produces a client id, key, and tenant id for the web application, which can be used with spring security to authenticate users.
I do not have access / permission to create a app registration, but I still need to get the ad userId of the user attempting to access my web application.
There is an existing web application created using asp.net core and angular which accomplishes what I am trying to achieve in java spring. I have tried to understand how it authenticates users but I am still stumped.
In the .net core project a controller makes a call to HttpContextAccessor.HttpContext.Request.Header to grab the userId of the user logged into their office 365 / ad account. This call is made in a controller class.
I cannot post more of the c# code so it will probably be hard to help me understand how it works in asp.net, but if there is any way to achieve what I described above in Java Spring I would love to know.
There is no way to achieve this without registering your application in these users AAD tenant. That's part of establishing trust between your app and the authority (AAD) which does the work of authenticating users. By registering your app id and reply url(s) you tell AAD that it's OK for it to send you user's info.
I am very new to the single sign-on options available to me. I currently have a requirement to secure multiple application sets within the same product family and have no idea where to start.
Some of the base requirements would be
User should be able to authenticate once, and based on the credentials user would be redirected to the required application
A central management console should be available for administrators to simplify role assignments as well as grant access to the various applications as required
Users can register for certain applications but certain sensitive applications require administrator approval before the user can successfully log in.
This SSO should also secure an API with some sort of permission logic e.g. only supervisor roles can delete a record
Users should be able to register with OAuth providers such as Facebook, Twitter, Google & Windows live.
The SSO provider should be simple to implement into multitude of platforms such as Windows Apps, Web Apps, Mobile & services
I have no idea where to start, I have done a quick read through of something like ADFS https://msdn.microsoft.com/en-us/library/bb897402.aspx, but NO IDEA if this would meet all the listed requirements above.
Any help of pointing me in the right direction would be greatly appreciated!!
You are confusing two seperate concepts viz:
Authentication
Provisioning
ADFS only does the former. You need an Identity Manager (IM) to do the latter.
So:
User should be able to authenticate once, and based on the credentials user would be redirected to the required application
I'll concentrate on the Microsoft world. ADFS and Azure AD can both do this. User --> application --> IDP - authenticates --> back to application
A central management console should be available for administrators to simplify role assignments as well as grant access to the various applications as required
IM functionality. AAD could do the group assignment but doesn't really have workflows. You can use "Active Directory Users Control" in Windows Server to manually edit AD attributes for use by ADFS.
Users can register for certain applications but certain sensitive applications require administrator approval before the user can successfully log in.
IM - needs workflows
This SSO should also secure an API with some sort of permission logic e.g. only supervisor roles can delete a record
This is both. ADFS 4.0 (Server 2016) can protect web API as can AAD. Deleting roles is IM as above.
Users should be able to register with OAuth providers such as Facebook, Twitter, Google & Windows live.
Microsoft has limited social interaction. You can add some social providers using AAD. I use Auth0 and federate as it has tons of social providers. Azure B2C may be of use here.
The SSO provider should be simple to implement into multitude of platforms such as Windows Apps, Web Apps, Mobile & services
For web apps, you can use SAML, WS-Fed, OpenID Connect & OAuth.
For Windows Apps, you can use OpenID Connect & OAuth.
For Mobile & services, you can use OpenID Connect & OAuth. (Note there are four flows to cater for different scenarios).
ADFS 4.0 (Server 2016) and AAD can support all the above.
I am trialling Azure B2C Customer Preview and have configured a new application, set up policies e.t.c and I now want to write some integration tests that use a non-interactive flow to connect and interact with my protected WebApi services.
However, I have just read the following quote:
Daemons/Server Side Apps
Apps that contain long running processes or that operate without the
presence of a user also need a way to access secured resources, such
as Web APIs. These apps can authenticate and get tokens using the
app's identity (rather than a user's delegated identity) using the
OAuth 2.0 client credentials flow.
This flow is not currently supported by Azure AD B2C - which is to say
that apps can only get tokens after an interactive user flow has
occurred. The client credentials flow will be added in the near
future.
from this link which suggests that what I am trying to do is not yet possible. Can anyone from the Azure team tell me whether this information is up to date, and better yet a rough timescale for delivery on this feature?
I'm in the process of designing a HTTP REST Web API for online services such as matchmaking, chat, user profiles, etc. These services will form a backbone for future games that are going to be developed at my company.
As these services are going to be accessed over the internet, the user accessing them needs to be authenticated and then authorized to access the said services.
From what I've read, googled, asked, etc, separating the security stuff out of the business code is a "good thing". Many blogs suggested handling these kind of problems via a Secure Token Service (STS), and as I do have a trial subscription with Windows Azure, I was just wondering if all of this would be possible with Azure Active Directory?
Is is possible to let users register new accounts via AAD, and log in from a native desktop application via AAD?
If this is not possible, do you guys propose any solutions?