How user can add the app in MS Teams, without Admin approval?
So, my question is what policy needs to be added or removed to get rid of the below message:
I am the admin of the tenant and I want my users to install this app if they wish to do so.
If you're a global admin, you can review, and grant consent to apps that request permissions on behalf of all users in your organization.
To grant org-wide consent to an app, follow the steps which mentioned in following document:
https://learn.microsoft.com/en-us/microsoftteams/app-permissions-admin-center#grant-org-wide-admin-consent-to-an-app
Related
I am trying to understand the API's that #Microsoft provides. Its just so messy. My goal is to use the Exchange API to edit settings.
So, I have an APP, Access tokens and subscriptions.
When trying to login to https://outlook.office365.com/ I get the following error:
Your subscription is no longer active. Please contact your admin to activate your subscription.
X-ClientId: 05A0A74F610C432EA1AD48C77829580B
request-id 3088673c-f523-4e26-824f-1d0f7cb0a219
X-OWA-Error Microsoft.Exchange.Data.Storage.TenantAccessBlockedException
X-OWA-Version 15.20.2451.30
X-FEServer HE1PR05CA0360
X-BEServer HE1P190MB0508
Date:18/11/2019 09:11:34
But as you can see, I have a subscription:
What I understand is that I have to login to outlook.office365.com before using the API.
Update
Ok, so I can now login to https://outlook.office365.com/mail/inbox. It took a while............. But;
1) I can request: https://outlook.office365.com/api/beta/users/********************************/. It will return the specified user.
2) I can NOT https://outlook.office365.com/api/beta/users/********************************/mailfolders. I tells me 'access denied'. While my app has all Exchange, Office365 permissions. But delegate and application permissions.
The "Grant admin consent for your tenant" feature seems to have been updated yesterday.
However, something is wrong with the new "Grant admin consent for your tenant" feature based on my test.
If you use it to grant admin consent, it will probably not take effect on the back end although admin consent has been successfully completed on Azure Portal.
Currently you could grant admin consent through a URL request.
https://login.microsoftonline.com/{your tenant}/oauth2/authorize?client_id={app id of your Azure AD app}&response_type=code&redirect_uri={redirect uri of your Azure AD app}&nonce=1234&resource=https://outlook.office365.com/&prompt=admin_consent
Please note that you need to create a new Azure AD App currently because if you have used admin consent on Azure Portal, granting admin consent through a URL request will not take effect.
I'm making an application to read and respond to the reviews of google play account for my applications. When I enter my google play account, settings > api access, the following message appears to me: "Only the account owner can configure API access. Please contact him to update the API settings."
Is it possible that the owner of the account that has published the application gives me permissions to generate the token only to read the reviews? Or only the owner can generate a global token to read the reviews?.
Regards!
As you've said, API can only be configured by the owner of Google Play Developer account. As an account owner, you can add users to your Play Console account and manage permissions across all apps or for specific apps. From this page:
Sign in to your Play Console.
Click Settings Settings > User accounts & rights.
To add a new user, select Invite new user and follow the on-screen instructions.
To update permissions for an existing user, hover over their email address and select the pencil icon Pencil icon.
Use the "Role" drop-down to choose a pre-defined role or use the checkboxes for individual permissions.
Choose whether each permission applies to all apps in your developer account ("Global") or specific apps.
To add an app to the permissions table, use the "Add an app" drop-down Drop-down arrow.
To see details for each permission, review the permission definitions
table.
Click Send Invitation.
You can only generate a token once you're added as an owner.
Additional reference:
How to give access to Google Play Developer Console Game services page to other accounts?
The scenario:
installing google apps marketplace app
user grant access using oauth2 and some predefined scopes
user clicks on a link after installation
since the user already gave access to the same app he is not forced to grant access again (as we have authentication in the app itself), but only to login if the current session is expired
The problem:
even we set the same app settings + scopes, it's asking twice for the "grant access" - in marketplace + our app
Clues so far:
if we wait (3-4 minutes) between marketplace grant access and clicking the app link .. it's working and it's NOT forcing the user to grant access again, so all cool.. apart from waiting time
if we use only the marketplace auth, the app permission is NOT present here: https://security.google.com/settings/security/permissions So even granted, I cannot revoke it from here
if we use auth in our app (the second one) - it's now present in the above link and can be revoked
I can see something's wrong, but can't figure out what. Is there some "google apps specific login" apart from the standard Google Auth APIs? Or what about that waiting moment and then all works good? All suggestions are welcome! :)
We're trying to figure out how to submit to the marketplace, but are not sure what we need to do to alter our existing signup flow to accomodate the SSO requirement
Our app was not originally built to be a marketplace app so our signup flow is built for individual users. We are already following the OAuth2 flow as outlined on this documentation page. However, its not clear to me how this works for an entire org when installing from the context of a marketplace app.
Does the admin grant access to all the individual scopes we currently request for the entire org at once? Is there need for some sort of service account or something since we currently are requesting offline access? I'd like to understand what changes we need to make to our server's signup flow in or whether it is just a scope / manifest mismatch.
We currently request the following scopes from an individual user when signing up.
['email', 'profile' ,'https://mail.google.com/', 'https://www.googleapis.com/auth/calendar'],
Exact questions are...
What (if anything) do we need to do to alter our current individual-focused signup flow to accommodate a Google Apps Admin signing up their whole domain?
What scopes do we need to in our Google Apps Admin listing and how do they relate to the scopes we currently request from individuals?
There are not so many changes if you are already using three legged OAuth2.
The first change would be in you project in the developer console. There you need to enable the Marketplace SDK and make the necessary configurations. Here you will add the scopes that your app will request and those are the scopes that the admin will see when installing the app.
The admin will see the scopes your app is requesting, and he will decide if it's ok to install the application in the domain. If it is approved, then yes, the admin would grant access to the entire domain.
Offline access is part of the Oauth flow, after you receive the refresh token, you can continue refreshing the access token without having the user to grant access again.
It is not necessary to have a service account. The service account has two purposes:
To manage information related to the application. In this case the service account can have access to it's own drive to store and retrieve information that is related to the app functionality.
Impersonation of users. When using domain delegation of authority, you can use a service account to impersonate any user in a domain and act on it's behalf to make API calls.
To deploy your app, you also have to create a new project in the Chrome Web Store, with a manifest for Marketplace.
To answer your questions:
It's not necessary that you modify your current oauth flow. The admin will install the app in the domain, but when a user access to the app, the process for authentication is the same as individual.
The scopes in your Marketplace SDK configuration should match the scopes your app will use. This is mostly for security reasons, it wouldn't be safe if you install an app with some scopes and then the app uses different scopes.
You can try your app before actually deploying it by adding trusted testers in the chrome web store dashboard or in the Console API configuration. This way you can check if your flows and all the configurations were done correctly.
Hope this helps. Let me know if you have more questions.
I have attempted to publish an application to the Google Apps Marketplace that uses a service account to act on behalf of users within a domain. How does the installation flow differ based on whether the installing user is an administrator or a normal user since it requires the service account to be authorized in the Google Admin console?
I am getting push back during the application review asking why the app is requiring an admin to manually authorize the API scopes for the service account in the Google Admin Console. If a Google Apps Administrator installs the application for the domain and consents to all of the application access, does that authorization apply for all users in the domain? I do not want all users in a domain to be prompted with the OAuth 2 consent screen.