I'm able to authenticate with live.com with my account on outlook.com at url
https://login.microsoftonline.com/common/v2.0
I receive an accessToken and id token.
My question is whether I can use this accessToken to retrieve exchange data about my emails through EWS API service using this token? ExchangeService.
_exchangeService = new ExchangeService(ExchangeVersion.Exchange2007_SP1) { ConnectionGroupName = Guid.NewGuid().ToString() };
_exchangeService.Credentials = new WebCredentials("xxxxxxx", "xxxxxxxx", "outlook.com");
// _credentials = new OAuthCredentials(user.PasswordToken);
// Set the URL.
_exchangeService.TraceEnabled = true;
_exchangeService.AutodiscoverUrl("xxxxx");
Authenticate to Outlook 365 through the ExchangeService.asmx in the following URL for exchange service as done in the following sample.
> https://outlook.office365.com/EWS/Exchange.asmx
My question is whether I can retrieve email data from exchange service ASMX with the idToken/accessToken supplied from live.com for outlook.com accounts?
It seems like the retrieving of data with EWS Managed API is not supported with outlook.com accounts.
You can read (in the yellow section) about it here and also here.
Basically, there are 2 portals today that apps can be created with:
Application Registration portal
Azure management portal
It states that for these reasons outlook.com accounts are not supported:
New app registrations should be created and managed in the new Application Registration Portal to be compatible with Outlook.com. This means that if you have an app that was created thru Azure Management Portal it will not be supported with outlook.com and the token will not work with outlook.com accounts.
Existing app registrations that were created in the Azure Management Portal will continue to work for Office 365 only.
Also, if you created your app with the Application Registration Portal: "The REST API is currently enabled on all Office 365 accounts that have Exchange Online and only some Outlook.com accounts." This means it is not guaranteed for all outlook.com accounts because they haven't migrated all of them (yet).
Microsoft accounts with Outlook.com mailboxes (including Outlook.com, Hotmail.com, Live.com, MSN.com, and Passport.com) are in the process of being upgraded to enable the REST APIs. During this process, making API calls to mailboxes that are not yet upgraded will return a MailboxNotEnabledForRESTAPI or MailboxNotSupportedForRESTAPI error code.
I believe EWS still works for Outlook.com accounts with BASIC(username,password) auth. We used to use it before migrating to Graph API. You'd need to ask your Outlook users to generate a special App Password though.
To simplify your Exchange/Outlook integrations check out Aurinko API
I have a server-side application that needs to access every user's Gmail data in a Google Workspace organization. I want to publish a public listing on the Google Workspace Marketplace that is installable domain-wide by the super admin user and gives the server-side application the permissions to access the Gmail data of the users in that domain.
From my current understanding, we need a service account with impersonation to access each user's data. On top of that, the service account needs to be delegated domain-wide authority, so that users do not need to give individual OAuth consent or their passwords.
When publishing the app using the marketplace SDK I see that there is a field for service account credentials:
I see that the current Marketplace SDK has a field that accepts service account credentials.
But when my app is published and I install it and go to check the app's data access, I can only see fields for the scopes and the OAuth clients.
My questions:
Are the service accounts created in the marketplace SDK usable to the organization that installs my marketplace app? Will the service accounts have the same email and unique id for everyone who installs the public listed app?
If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?
If (1) is true, is it automatically granted access unlike the OAuth clients and scopes?
If (1) is true, are the service accounts automatically delegated domain-wide on install, or do we have to provide the person who installed the marketplace app with the service accounts' unique ids so they can manually delegate the scopes domain-wide?
I reviewed some Google public documentations related to Service Account & here’s what I have found that may answer your questions:
Question 1
Are the service accounts created in the marketplace SDK usable to the organization that installs my marketplace app?
Answer
No
Note: The CREDENTIALS tab that you see on the Google Workspace Marketplace SDK page is only an overview of credentials you have created for the GCP Project & NOT necessarily only for that service/API.
Service Accounts are created within a specific GCP Project & that project is where you will enable the Google APIs/Services that your application needs. Google Workspace Marketplace SDK is being described as:
“A toolkit that lets you create and control your app listing on the Google Workspace Marketplace, or for Chat apps, in Google Chat.” (Source)
So, this Google Workspace Marketplace SDK doesn’t necessarily use a Service Account to authenticate & be called in your app. However, when you set up a Service Account for your app, you'll need to create a Google Workspace Marketplace OAuth Client & this OAuth Client is associated with that Service Account. This is needed to support Google Workspace Marketplace domain-wide installation.
Setting up the Google Workspace Marketplace OAuth Client from the GCP console:
Follow-up Question
Will the service accounts have the same email and unique id for everyone who installs the public listed app?
Answer
Yes. In theory, it should be.
Question 2
If (1) is not true, then how is it possible for admins to create a service account for my marketplace app?
Answer
You have to review the official Google documentation for OAuth & Service account.
Based on the official documentation, this is the overview:
Create a service account for your project
Delegate domain-wide access to the service account
Your application prepares to make authorized API calls using the service account's credentials. (This is regardless of how many users install & use your app)
That API call will request an access token from the OAuth 2.0 auth server.
Your application will then be able to use the access token to call Google APIs (which in your case uses Gmail API).
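The token request in the steps above, as an added example that is not part of the original answer: Google service accounts obtain access tokens with the OAuth 2.0 JWT-bearer grant, and the `sub` claim is what names the domain user being impersonated. The RSA key is a constructed toy key so the block runs with the standard library alone, and the e-mail addresses used with it are hypothetical.

```python
import base64
import hashlib
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.googleapis.com/token"
# Constructed toy RSA key (two Mersenne primes) so the block runs on the
# standard library alone. A real key comes from the service account key file.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rs256_sign(message):
    """RSASSA-PKCS1-v1_5 over SHA-256, the signature scheme RS256 names."""
    k = (N.bit_length() + 7) // 8
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")


def build_assertion(sa_email, user_email, scopes, now=None, lifetime=3600):
    """Signed JWT a service account sends to act as one domain user."""
    now = int(time.time()) if now is None else int(now)
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    claims = {
        "iss": sa_email,            # the service account
        "sub": user_email,          # the user being impersonated
        "scope": " ".join(scopes),  # only scopes the admin delegated will work
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + lifetime,
    }
    parts = [{"alg": "RS256", "typ": "JWT"}, claims]
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode()))


def token_request_body(assertion):
    """Form body POSTed to TOKEN_URL in exchange for an access token."""
    grant = "urn:ietf:params:oauth:grant-type:jwt-bearer"
    return urlencode({"grant_type": grant, "assertion": assertion})
```

The token endpoint rejects the assertion unless a Workspace admin has authorized the service account's client ID for every scope listed, which is why the scope list should be as narrow as the application allows.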
I can access MS graph in a web api with AAD setting up an AAD application registration etcetera.
I can create an application on https://apps.dev.microsoft.com/ and access graph from the javascript front end
I can't log in both (I assume I have to create two different login workflows?)
Is it possible to log in and pass credentials (JWT or whatever) to a c# web api and access graph for AAD and accounts like outlook.com?
> I can't log in both (I assume I have to create two different login workflows?)
> Is it possible to log in and pass credentials (JWT or whatever) to a c# web api and access graph for AAD and accounts like outlook.com?
For the application created in AAD, you could not log in to the application with an outlook.com account; the AAD-registered applications belong to the v1.0 endpoint, and you could only sign in with work and school accounts.
The application registered on https://apps.dev.microsoft.com/ belongs to v2.0 endpoint, it allows work and school accounts from Azure AD and personal accounts (MSA) (hotmail.com, outlook.com, msn.com) to sign in.
For the details, you could refer to here.
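An added example (not part of the original answer) of the claim checks a web API can run on a v2.0 token it receives, and of how the `tid` claim tells a personal account from a work or school one. It assumes the signature has already been verified against the endpoint's published keys; the client id and the sample token are constructed.

```python
import base64
import json
import time

# Tenant id Microsoft assigns to personal (MSA) accounts in v2.0 tokens.
MSA_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"


def read_claims(jwt):
    """Decode the payload of a compact JWT. No signature check happens here:
    verify the signature against the endpoint's published keys first."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def account_kind(claims, client_id, now=None):
    """Return 'personal' or 'work_or_school' after checking iss, aud and exp."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    # Tokens from /common carry a per-tenant issuer, so iss must agree with tid.
    if not tid or claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        raise ValueError("issuer does not match tenant id")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    return "personal" if tid == MSA_TENANT else "work_or_school"


def make_sample_token(claims):
    """Constructed sample: third segment is a placeholder, not a signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    app = "11111111-1111-1111-1111-111111111111"  # hypothetical client id
    token = make_sample_token({"tid": MSA_TENANT, "aud": app, "exp": 2000,
                               "iss": ISSUER_TEMPLATE.format(tid=MSA_TENANT)})
    print(account_kind(read_claims(token), app, now=1000))
```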
I am currently in the process of trying to get the data from Dynamics CRM (Office 365 - E5) using the Web API query method like api.crm.dynamics.com/api/data/v8.2/accounts?$select=accountid,name,new_gl_exp,new_autol_exp
I will include this api within the external application (Developed using HTML & Javascript) & hosted in on-premises IIS
I have done the basic settings in both CRM & Azure and got the token after logging in at login.microsoft.com
Questions
How can we authenticate without entering the username & password at login.microsoftonline.com?
Is there a way to bypass this login (like passing client, tenant, client secret id as parameters to login.microsoft.com) or any REST API?
We are using a separate login for the application, so we will have to use two logins:
Application login
login.microsoft.com for Dynamics CRM
Web API authentication patterns
There are three different ways to manage authentication when using the Web API.
With JavaScript in web resources
When you use the Web API with JavaScript within HTML web resources, form scripts, or ribbon commands you don’t need to include any code for authentication. In each of these cases the user is already authenticated by the application and authentication is managed by the application.
With on-premises deployments
When you use the Web API for on-premises deployments you must include the user’s network credentials. The following example is a C# function that will return an HttpClient configured for a given user’s network credentials:
    using System;
    using System.Net;
    using System.Net.Http;

    // Returns an HttpClient that authenticates with the given user's network credentials.
    private HttpClient getNewHttpClient(string userName, string password, string domainName, string webAPIBaseAddress)
    {
        HttpClient client = new HttpClient(new HttpClientHandler() { Credentials = new NetworkCredential(userName, password, domainName) });
        client.BaseAddress = new Uri(webAPIBaseAddress);
        client.Timeout = new TimeSpan(0, 2, 0); // two-minute request timeout
        return client;
    }
With Microsoft Dynamics 365 (online) or internet facing deployments
When you use the Web API for Dynamics 365 (online) or an on-premises Internet-facing deployment (IFD) you must use OAuth as described in Connect to Microsoft Dynamics 365 web services using OAuth.
If you’re creating a single page application (SPA) using JavaScript you can use the adal.js library as described in Use OAuth with Cross-Origin Resource Sharing to connect a Single Page Application to Microsoft Dynamics 365.
https://msdn.microsoft.com/en-us/library/mt595798.aspx
The documentation isn't clear on how to register your application to access the Office 365 outlook REST API. The documentation seems to say to go to the Microsoft Application Registration Portal, but logging in with 3 different accounts fails.
In order to use the Application Registration Portal, you need either an Office 365 work or school account, or a Microsoft account. If you don't have either of these, you have a number of options:
While you can use any Microsoft account to register applications, in order to access mail/calendar/contacts you need an upgraded Outlook.com account with the REST APIs enabled. To get an upgraded Outlook.com account, you could click here for solutions
Obtain an Office 365 subscription; also refer to the above link for details.
If you register the app in the Microsoft Application Registration Portal, the app only supports V2 authentication endpoints.
Another choice is to register your app with Azure AD, so your application could use the OAuth2 Client Credentials Grant Flow, or if it needs to access other Office 365 workloads besides Outlook (such as OneDrive for Business or SharePoint).
This article includes detailed steps for manually registering your app with Azure AD so it can access Office 365 APIs.
Can the OutlookSDK at dev.outlook.com access Office365 user data (calendars, contacts, mail)?
How about the Microsoft Graph API, can it access live.com users (calendars, contacts, tasks, mail)?
I'm curious at this point and want to know which SDK is best for accessing both live.com user data and Office365 user data.
I already tried the Microsoft Graph API iOS SDK to authenticate a Live ID user, but couldn't succeed; I was only able to authenticate an Office365 user.
The same with OutlookSDK: unable to authenticate an Office365 user, only able to authenticate a Live ID.
Thanks.
Carefully take a look at the instructions here: https://dev.outlook.com/RestGettingStarted/Overview
To write an app against both Office 365 and outlook.com you will need to register your application in the new application registration portal here: https://apps.dev.microsoft.com/Disambiguation?ru=https%3a%2f%2fapps.dev.microsoft.com%2f
Additionally you will need to make sure that your Outlook.com account has been upgraded to the new service. If it has not, then you will need to follow the instructions to request an account in the preview service from: outlookdev#microsoft.com or create a new account which should automatically be provisioned in the new service.
Yes - you can use Outlook APIs to access mail, calendars, and contacts for Office 365 users and Outlook.com.
Also, you can use the Microsoft Graph API to access fixed entities like users, groups, mail, messages, calendars, tasks, and notes coming from services like Outlook, OneDrive, Azure Active Directory, Planner, OneNote and others.
I suggest using O365 APIs to do Live id user authentication - https://msdn.microsoft.com/en-us/office/office365/api/
Check this link as well: http://dev.office.com/getting-started/office365apis