Dynamics Portal + Azure B2C Authentication - dynamics-crm

I am new to Dynamics portals and want to implement authentication for external users using Azure B2C authentication.
I followed the link below and was able to configure B2C.
https://learn.microsoft.com/en-us/power-apps/maker/portals/configure/configure-azure-ad-b2c-provider
Question -
How can I limit user creation to only the organisation I am targeting?
For example - if I am creating this portal for XYZ Company and I only want users from this organisation to sign up on the portal, how can I achieve this?
So that I do not get unnecessary contacts in my portal.

Related

I want to integrate Dynamics CRM with Postman without AAD registration

I want to integrate Dynamics CRM with Postman with the help of a username and password and without Azure AD registration.
It is purely dependent on your environment. If it is CRM Online or IFD, then OAuth is the only choice. The documentation says "must". Read more
When you use the Web API for Customer Engagement or an on-premises Internet-facing deployment (IFD) you must use OAuth as described in Use OAuth with Dataverse.
If it is on-premises, then you have to use username/password. Read more
When you use the Web API for on-premises deployments you must include the user's network credentials.
In case you are having difficulty with AAD app registration, you can use the example ready-made client ID in the documentation for development purposes. Read more

How to authenticate corporate users with Azure AD, and also external users in a single page application?

We have a single page app (Angular front end and .NET Core Web API) using Azure AD for authentication. Both the front end and the Web API are registered in the same tenant, and the Web UI has permissions to call the Web API. This Web API uses a few other internal Web APIs as well.
We have a new requirement in the app to allow access to certain areas of the app to external users who need to register first. So now the app needs to authenticate both existing AD users plus external users.
My question is whether this is possible in a single application? And if yes, what is the recommended approach for authenticating both corporate and external users?
As you need to use the register feature, you will need to use Azure AD B2C, and it supports multiple providers for a valid user flow.
For example, if you want Azure AD users and external users to use your application, you can choose OpenID Connect (Azure AD) and Local Account (or other social accounts). In the login page, users can choose to sign up or use their Azure AD account to log in directly.
Steps:
Just keep your Web Apps and API apps in the existing tenant. You need to create an Azure AD B2C tenant, create a user sign-up/sign-in flow, and configure the providers for the user flow.
Reference:
Create B2C tenant
Create user flow
Add identity providers
Configure your original Azure AD application to the identity provider
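Whichever providers the B2C user flow offers, the relying party (the portal or Web API) should still validate the token it receives and, for the "only XYZ Company may sign up" case from the first question, reject accounts whose home tenant is not the targeted one. The following is an added example (not from the original questions or from Microsoft's SDKs) of that relying-party check. It assumes the B2C policy is configured to emit the user's home Azure AD tenant ID as a `tid` claim (an assumption; claim mapping is done in the B2C policy), and it uses a constructed HS256 shared secret in place of the RS256/JWKS signature check a real B2C token needs. The issuer, client ID and tenant IDs are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not from the page): the B2C tenant's issuer, the
# relying party's application (client) ID, and the single Azure AD tenant ID of
# the organisation whose users are allowed in ("XYZ Company" in the question).
B2C_ISSUER = "https://contosob2c.b2clogin.com/11111111-1111-1111-1111-111111111111/v2.0/"
APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
ALLOWED_HOME_TENANTS = {"33333333-3333-3333-3333-333333333333"}
# Demo shared secret: a real B2C token is RS256-signed and is verified against
# the tenant's published JWKS; HS256 stands in for that here so it runs offline.
DEMO_KEY = b"constructed-demo-shared-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT carrying the given claims (test fixture only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Verify the signature, then the standard claims, then the organisation rule.

    Returns the claims on success and raises ValueError with a reason otherwise.
    Nothing in the payload is trusted before the signature has been checked."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' and any algorithm swap
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != B2C_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token not issued for this app")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    # Organisation rule: only accounts whose home tenant is the targeted one.
    if claims.get("tid") not in ALLOWED_HOME_TENANTS:
        raise ValueError("user is not from the targeted organisation")
    return claims


def token_status(token: str, key: bytes = DEMO_KEY, now=None) -> str:
    """Return 'ok' or the rejection reason; convenient for logging a denied sign-in."""
    try:
        verify_token(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    demo_now = 1_700_000_000
    base = {"iss": B2C_ISSUER, "aud": APP_CLIENT_ID, "exp": demo_now + 600, "nbf": demo_now - 60}
    xyz_user = make_token({**base, "sub": "user-1", "tid": "33333333-3333-3333-3333-333333333333"})
    other_org = make_token({**base, "sub": "user-2", "tid": "44444444-4444-4444-4444-444444444444"})
    print("XYZ user:", token_status(xyz_user, now=demo_now))
    print("other org:", token_status(other_org, now=demo_now))
```

The same outcome can be reached one step earlier by pointing the B2C OpenID Connect provider at the organisation's tenant-specific authority rather than the `common` endpoint, so that only that tenant's accounts can complete the sign-in; the relying-party check above is the defence-in-depth layer that holds even if the policy is later reconfigured.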

Azure AD B2C & Google APIs

I need help integrating Azure AD B2C and Google APIs. Briefly, I created a tenant on Azure AD B2C, policies and a Native App. Users can register to my app and sign in without any problems. Now I need to use Google APIs to access the logged-in account's information and manage some information (Google MyBusiness data). How can I achieve that? Is that possible?
Furthermore, even if that is not connected to Azure AD B2C, how can I request the user to accept that my app can view MyBusiness data?
UPDATE: I understand that I need to authorize my app for the https://www.googleapis.com/auth/plus.business.manage Google scope. Is it possible to request that scope during the Google Sign-In application authorization process?
Thanks everyone.
As part of the authentication exchange between Azure AD B2C and Google (as well as other identity providers), an access token is issued by Google for use by (and only by) Azure AD B2C, where this access token is used by Azure AD B2C to access the authorized information for the authenticated end-user.
Currently, Azure AD B2C does not pass this access token through to the relying party application (i.e. your native client application), therefore applications can't access the information for the end-user.
UPDATE on 20 June 2019
Using a custom policy, you can pass the access token from the external identity provider through Azure AD B2C to your relying party application.
From the official Azure AD B2C FAQ:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
Can I configure scopes to gather more information about consumers from various social identity providers?
No, but this feature is on our roadmap. The default scopes used for our supported set of social identity providers are:
Facebook: email
Google+: email
Microsoft account: openid email profile
Amazon: profile
LinkedIn: r_emailaddress, r_basicprofile

Connecting with EWS API service to outlook.com account with oAuth2 token

I'm able to authenticate with live.com with my account on outlook.com at the URL
https://login.microsoftonline.com/common/v2.0
I receive an accessToken and an id token.
My question is whether I can use this accessToken to retrieve Exchange data about my emails through the EWS API service (ExchangeService) using this token?
using System;
using Microsoft.Exchange.WebServices.Data;

// Create the EWS service object; each instance gets its own connection group.
_exchangeService = new ExchangeService(ExchangeVersion.Exchange2007_SP1) { ConnectionGroupName = Guid.NewGuid().ToString() };
// Basic credentials (user name, password, domain); placeholder values.
_exchangeService.Credentials = new WebCredentials("xxxxxxx", "xxxxxxxx", "outlook.com");
// OAuth alternative: supply the access token instead of a password.
// _credentials = new OAuthCredentials(user.PasswordToken);
// Enable request/response tracing, then resolve the EWS URL via Autodiscover.
_exchangeService.TraceEnabled = true;
_exchangeService.AutodiscoverUrl("xxxxx");
Authenticate to Outlook 365 through the ExchangeService.asmx in the following URL for exchange service as done in the following sample.
> https://outlook.office365.com/EWS/Exchange.asmx
My question is whether I can retrieve email data from exchange service ASMX with the idToken/accessToken supplied from live.com for outlook.com accounts?
It seems that retrieving data with the EWS Managed API is not supported with outlook.com accounts.
You can read (in the yellow section) about it here and also here.
Basically, there are 2 portals today that apps can be created with:
Application Registration portal
Azure management portal
It states that for these reasons outlook.com accounts are not supported:
New app registrations should be created and managed in the new Application Registration Portal to be compatible with Outlook.com. This means that if you have an app that was created through the Azure Management Portal, it will not be supported with outlook.com and the token will not work with outlook.com accounts.
Existing app registrations that were created in the Azure Management Portal will continue to work for Office 365 only.
Also, if you created your app with the Application Registration Portal: the REST API is currently enabled on all Office 365 accounts that have Exchange Online and only some Outlook.com accounts. This means it is not guaranteed for all outlook.com accounts because they haven't migrated all of them (yet).
Microsoft accounts with Outlook.com mailboxes (including Outlook.com, Hotmail.com, Live.com, MSN.com, and Passport.com) are in the process of being upgraded to enable the REST APIs. During this process, making API calls to mailboxes that are not yet upgraded will return a MailboxNotEnabledForRESTAPI or MailboxNotSupportedForRESTAPI error code.
I believe EWS still works for Outlook.com accounts with Basic (username, password) auth. We used to use it before migrating to the Graph API. You'd need to ask your Outlook users to generate a special App Password though.
To simplify your Exchange/Outlook integrations check out Aurinko API

How do you register your application to use the Office 365 Outlook REST API?

The documentation isn't clear on how to register your application to access the Office 365 Outlook REST API. The documentation seems to say to go to the Microsoft Application Registration Portal, but logging in with 3 different accounts fails.
In order to use the Application Registration Portal, you need either an Office 365 work or school account, or a Microsoft account. If you don't have either of these, you have a number of options:
While you can use any Microsoft account to register applications, in order to access mail/calendar/contacts you need an upgraded Outlook.com account with the REST APIs enabled. To get an upgraded Outlook.com account, you could click here for solutions.
Obtain an Office 365 subscription; also refer to the above link for details.
If you register the app in the Microsoft Application Registration Portal, the app only supports the v2 authentication endpoints.
Another choice is to register your app with Azure AD, so your application can use the OAuth2 Client Credentials Grant Flow, or if it needs to access other Office 365 workloads besides Outlook (such as OneDrive for Business or SharePoint).
This article includes detailed steps on manually registering your app with Azure AD so it can access Office 365 APIs.