{"id":3421,"date":"2018-09-27T08:44:46","date_gmt":"2018-09-27T13:44:46","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=3421"},"modified":"2018-09-27T08:48:43","modified_gmt":"2018-09-27T13:48:43","slug":"using-microsoft-graph","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=3421","title":{"rendered":"Using Microsoft Graph"},"content":{"rendered":"

Single Sign-On: Microsoft Graph<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
End Result:<\/strong><\/td>\nThis will allow in-domain computers to automatically log in to web sites and applications. Computers not currently logged into the company domain will, when they do not have an active authenticated session, be presented with Microsoft\u2019s authentication page.<\/td>\n<\/tr>\n
Requirements:<\/strong><\/td>\nThe application must be registered on Microsoft Graph.<\/p>\n

Beyond that, requirements are language specific \u2013 I will be demonstrating a pre-built Python example here because it is simple and straight-forward. There are examples for a plethora of other languages available at https:\/\/github.com\/microsoftgraph<\/a><\/td>\n<\/tr>\n

Process \u2013 Application Development:<\/strong><\/td>\n<\/tr>\n
Application Registration<\/em><\/p>\n

To register your application, go to the Application Registration Portal (https:\/\/apps.dev.microsoft.com\/<\/a>). Elect to sign in with your company credentials.<\/p>\n

\"\"<\/a><\/p>\n

You will be redirected to the company’s authentication page<\/p>\n

\"\"<\/a><\/p>\n

If ADSF finds a valid token for you, you will be directed to the application registration portal. Otherwise you\u2019ll get the same logon page you see for many other MS cloud-hosted apps. Once you have authenticated, click \u201cAdd an app\u201d in the upper right-hand corner of the page.<\/p>\n

\"\"<\/a><\/p>\n

Provide a descriptive name for the application and click \u201cCreate\u201d<\/p>\n

\"\"<\/a><\/p>\n

Click \u201cGenerate New Password\u201d to generate a new application secret. Copy it into a temporary document. Copy the \u201cApplication Id\u201d into the same temporary document.<\/p>\n

\"\"<\/a><\/p>\n

Click \u201cAdd Platform\u201d and select \u201cWeb\u201d<\/p>\n

\"\"<\/a><\/p>\n

Enter the appropriate redirect\/logout URLs (this will be application specific \u2013 in the pre-built examples, the post-authentication redirect URL is http:\/\/localhost:5000\/login\/authorized<\/p>\n

\"\"<\/a><\/p>\n

Delegated permissions impersonate the signed in user, application permissions use the application\u2019s credentials to perform actions. I use delegated permissions, although there are use cases where application permissions would be appropriate (batch jobs, for instance).<\/p>\n

Add any permissions your app requires \u2013 for simple authentication, the default delegated permission \u201cUser.Read\u201d is sufficient. If you want to perform additional actions \u2013 write files, send mail, etc \u2013 then you will need to click \u201cAdd\u201d and select the extra permissions.<\/p>\n

\"\"<\/a><\/p>\n

Profile information does not need to be entered, but I have entered the \u201cHome page URL\u201d for all of my applications so I am confident that I know which registered app corresponds with which deployed application (i.e. eighteen months from now, I can still figure out site is using the registered \u201cADSF Graph Sample\u201d app and don\u2019t accidentally delete it when it is still in use).<\/p>\n

\"\"<\/a><\/p>\n

Click Save. You can return to your \u201cMy Applications\u201d listing to verify the app was created successfully.<\/p>\n

\"\"<\/a><\/p>\n

Application Implementation:<\/em><\/p>\n

To use an example app from Microsoft\u2019s repository, clone it.<\/p>\n

git clone https:\/\/github.com\/microsoftgraph\/python-sample-auth.git<\/a><\/p>\n

Edit the config.py file and update the \u201cCLIENT_ID\u201d variable with your Application Id and update the \u201cCLIENT_SECRET\u201d variable with your Application Secret password. (As they note, in a production implementation you would hash this out and store it somewhere else, not just drop it in clear text in your code \u2026 also if you publish a screen shot of your app ID & secret somewhere, generate a new password or delete the app registration and create a new one. Which is to say, do not retype the info in my example, I\u2019ve already deleted the registration used herein.)<\/p>\n

\"\"<\/a><\/p>\n

Install the prerequisites using \u201cpip install -r requirements.txt\u201d<\/p>\n

\"\"<\/a><\/p>\n

Then run the application \u2013 in the authentication example, there are multiple web applications that use different interfaces. I am running \u201cpython sample_flask.py\u201d<\/p>\n

\"\"<\/a><\/p>\n

Once it is running, access your site at http:\/\/localhost:5000<\/a><\/p>\n

\"\"<\/a><\/p>\n

The initial page will load; click on \u201cConnect\u201d<\/p>\n

\"\"<\/a><\/p>\n

Enter your company user ID and click \u201cNext\u201d<\/p>\n

\"\"<\/a><\/p>\n

This will redirect to the company\u2019s sign-on page. For in-domain computers or computers that have already authenticated to ADSF, you won\u2019t have to enter credentials. Otherwise, you\u2019ll be asked to logon (and possibly perform the two-factor authentication verification).<\/p>\n

Voila, the user is authenticated and you\u2019ve got access to some basic directory info about the individual.<\/p>\n

\"\"<\/a><\/td>\n<\/tr>\n

Process \u2013 Tenant Owner:<\/strong><\/td>\n<\/tr>\n
None! Any valid user within the tenant is able to register applications.<\/td>\n<\/tr>\n
Implementation Recommendations:<\/strong><\/td>\n<\/tr>\n
There is currently no way to backup\/restore applications. If an application is accidentally or maliciously deleted, a new application will need to be registered. The application’s code will need to be updated with a new ID and secret. Documenting the options selected when registering the application will ensure the application can be re-registered quickly and without guessing values such as the callback URL.<\/p>\n

There is currently no way to assign ownership of orphaned applications. If the owner’s account is terminated, no one can manage the application. The application continues to function, so it may be some time before anyone realizes<\/em> the application is orphaned. For some period of time after the account is disabled, it may remain in the directory — which means a directory administrator could re-enable the account and set the password to a known value. Someone could then log into the Microsoft App Registration Portal under that ID and add new owners. Even if the ID has been deleted from the directory, it exists as a tombstone and can be restored for some period of time. Eventually, though, the account ceases to exist — at which time the only option would be to register a new app under someone else’s ID and change the code to use the new ID and secret. Ensure multiple individuals are listed as the application owner helps avoid orphaned applications.<\/p>\n

Edit the application and click the \u201cAdd Owner\u201d button.<\/p>\n

\"\"<\/a><\/p>\n

You can enter the person\u2019s logon ID or their name in \u201clast, first\u201d format. You can<\/em> enter their first name \u2013 with a unique first name, that may work. Enter \u201cRobert\u201d and you\u2019re in for a lot of scrolling! Once you find the person, click \u201cAdd\u201d to set them up as an owner of the application. Click \u201cSave\u201d at the bottom of the page to commit this change.<\/p>\n

\"\"<\/a><\/p>\n

I have submitted a feature request to Microsoft both for reassigning orphaned applications within your tenant and for a mechanism to restore deleted applications<\/a> — apparently their feature requests have a voting process, so it would be helpful if people would up-vote my feature request.<\/td>\n<\/tr>\n

Ongoing Maintenance:<\/strong><\/td>\n<\/tr>\n
There is little ongoing maintenance \u2013 once the application is registered, it\u2019s done.<\/p>\n

Updating The Secret:<\/em><\/p>\n

You can<\/em> change the application secret via the web portal \u2013 this would be a good step to take when an individual has left the team, and can be done as a proactive security step as a routine. Within the application, select \u201cGenerate New Password\u201d and create a new secret. Update your code with the new secret, verify it works (roll-back is to restore the old secret to the config \u2013 it\u2019s still in the web portal and works). Once the application is verified to work with the new secret, click \u201cDelete\u201d next to the old one. Both the create time and first three characters of the secret are displayed on the site to ensure the proper one is removed.<\/p>\n

\"\"<\/a><\/p>\n

Maintaining Application Owners:<\/em><\/p>\n

Any application owner can remove<\/em> other owners \u2013 were I to move to a different team, the owners I delegated could revoke my access. Just click the \u201cX\u201d to the far right of the owner you wish to remove.<\/p>\n

\"\"<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Single Sign-On: Microsoft Graph End Result: This will allow in-domain computers to automatically log in to web sites and applications. Computers not currently logged into the company domain will, when they do not have an active authenticated session, be presented with Microsoft\u2019s authentication page. Requirements: The application must be registered on Microsoft Graph. Beyond that, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,29],"tags":[663,661,662],"class_list":["post-3421","post","type-post","status-publish","format-standard","hentry","category-coding","category-technology","tag-azure-ad","tag-graph","tag-graph-api"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3421"}],"version-history":[{"count":2,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3421\/revisions"}],"predecessor-version":[{"id":3444,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3421\/revisions\/3444"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}