Microsoft Graph- Permissions and Consent

Presentation transcript:

Microsoft Graph- Permissions and Consent
Jeff Sakowicz
11/22/2018 1:59 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Microsoft Graph- Overview
- Permissions & Consent
- Best Practices
- Troubleshooting

Microsoft Graph: a unified REST API and comprehensive developer experience for integrating the data and intelligence exposed by Microsoft services.
Microsoft Build 2017

Most of you came to this conference because you have real customers that have data in Microsoft Services. Microsoft Graph is the way to access that data.

Microsoft Graph: unified REST API for Microsoft 365
- Azure Active Directory
- Office 365 services: SharePoint, OneDrive, Outlook/Exchange, Microsoft Teams, OneNote, Planner, and Excel
- Enterprise Security and Mobility services: Identity Manager, Intune, Advanced Threat Analytics and Advanced Threat Protection
- Windows 10 services: Activities and Devices
- Education

Permissions and Consent- Overview

Terminology
- Client- the application requesting access to data
- Resource- the application/service (usually a web API) that exposes data
- Permission- the ability for a client application to perform some action on some data owned by a resource application, e.g. read a user's OneDrive files through Microsoft Graph
- Consent prompt- the process by which a user is asked to grant an application the permission(s) it has requested
- Consent grant- the result of saying "yes" to a consent prompt
- Admin(istrative) Consent- the process by which a company administrator grants an application one or more permissions that cannot be granted by a regular user. These permissions may:
  - Allow the app to perform high privilege operations- admin-restricted permissions
  - Apply to all users in the organization

Permissions Scenarios

| Scenario | App type | Permission type | Who can consent | Effective permissions |
| Get access on behalf of users | Mobile, Web and Single page app | Delegated permission (user permission) | Users can consent for their data; Admin can consent for them or for all users | App permissions ∩ User permissions |
| Get access as a service | Service and Daemon | Application permission | Only admin can consent (admin restricted permissions) | App permissions |

Maybe good from a privacy aspect.

Microsoft Graph Permissions- Format
General format: Resource.Action.Scope
- Resource- target entity
- Action- Read, ReadWrite, etc.
- Scope- specific or inferred (optional)
Examples
- User.Read- delegated
- Notes.ReadWrite- delegated
- Files.ReadWrite.All- application
See https://graph.microsoft.com for documentation!
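As an added example (not from the presentation or from Microsoft), the Resource.Action.Scope format above can be parsed and used for a simple least-privilege review of a requested permission set. The subsumption rules it applies (ReadWrite covers Read, a .All scope covers the unscoped form) are a simplified modelling assumption, not Graph's authoritative definition of each permission.

```python
# Added example: parse Microsoft Graph permission names (Resource.Action.Scope)
# and flag requests that are redundant under a simplified subsumption model.
# Assumption: "ReadWrite" implies "Read" and scope "All" implies the unscoped
# form for the same resource; consult the Graph permission reference for details.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Permission:
    resource: str          # target entity, e.g. "User", "Files", "Notes"
    action: str            # "Read", "ReadWrite", ...
    scope: Optional[str]   # "All", "Shared", ... or None when inferred

def parse_permission(name: str) -> Permission:
    """Split 'Files.ReadWrite.All' into Permission('Files', 'ReadWrite', 'All')."""
    parts = name.split(".")
    if len(parts) < 2 or len(parts) > 3 or not all(parts):
        raise ValueError(f"not a Resource.Action[.Scope] permission: {name!r}")
    scope = parts[2] if len(parts) == 3 else None
    return Permission(parts[0], parts[1], scope)

def covers(broad: Permission, narrow: Permission) -> bool:
    """True when 'broad' grants at least everything 'narrow' grants (simplified model)."""
    if broad.resource != narrow.resource:
        return False
    action_ok = broad.action == narrow.action or (broad.action == "ReadWrite" and narrow.action == "Read")
    scope_ok = broad.scope == narrow.scope or (broad.scope == "All" and narrow.scope is None)
    return action_ok and scope_ok

def redundant_requests(requested: list[str]) -> list[str]:
    """Requested permissions already implied by a broader one in the same request."""
    perms = {n: parse_permission(n) for n in requested}
    return sorted(
        n for n, p in perms.items()
        if any(m != n and covers(q, p) for m, q in perms.items())
    )

def widest_scope(requested: list[str]) -> list[str]:
    """'.All'-scoped requests: the ones that most deserve a second look before shipping."""
    return sorted(n for n in requested if parse_permission(n).scope == "All")
```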

When is consent prompted for?
Most commonly: the first time using an app that requires access to resources.
Or when:
- the app explicitly prompts for it
- the permissions required by the app have changed
- consent was revoked after being granted initially
- incremental consent
Ultimately, consent occurs when an application needs to access unauthorized resources.

Static, Dynamic, and Incremental Consent
- Static- permissions pre-configured in the registration portal UI and/or requiredResourceAccess
- Dynamic- permissions specified as a parameter of the /authorize request (and usually in code). Special case- the .default scope
- Incremental- a subset of dynamic: request permissions one by one, as needed. Great for apps with optional features or accruing functionality
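As an added example (not from the presentation), the block below shows dynamic and incremental consent in practice: the permissions travel in the scope parameter of the v2 endpoint /authorize request, a feature asks only for the delta it still lacks, and the .default scope stands in for the statically configured set. The tenant, client id, redirect URI and scopes used in the test are constructed placeholders.

```python
# Added example: build a v2 endpoint /authorize request with dynamic scopes,
# compute the incremental delta, and express the .default special case.
# The values passed in (tenant, client_id, redirect_uri, scopes) are the caller's;
# the endpoint shape and parameter names are the standard v2 authorization code flow.
from __future__ import annotations
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
GRAPH = "https://graph.microsoft.com"

def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for the authorization code flow."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def incremental_scopes(already_granted: set[str], needed: set[str]) -> set[str]:
    """Incremental consent: ask only for what this feature needs and the user has not yet granted."""
    return needed - already_granted

def authorize_url(tenant: str, client_id: str, redirect_uri: str, scopes: set[str],
                  state: str, code_challenge: str, force_prompt: bool = False) -> str:
    """Dynamic consent: the requested permissions are carried in the scope parameter."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(sorted(scopes)),   # space-separated, e.g. "Files.Read User.Read"
        "state": state,                      # opaque anti-CSRF value, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if force_prompt:
        params["prompt"] = "consent"          # the app explicitly prompts for consent again
    return AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)

def default_scope(resource: str = GRAPH) -> str:
    """Special case: '<resource>/.default' requests the app's statically configured permissions."""
    return f"{resource}/.default"

def query_param(url: str, name: str) -> str:
    """Read one query parameter back from a built URL (useful when checking logs or redirects)."""
    return parse_qs(urlparse(url).query)[name][0]
```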

Best Practices & Troubleshooting

Developer Best Practices
- Use least privilege! Only request permissions which are absolutely necessary, and only when you need them
- Be thoughtful when configuring your app! This will directly affect end user and admin experiences, along with app adoption and security
- When building a multi-tenant app, expect customers to have various application and consent controls in different states

Troubleshooting - Framing the Problem
Scenario
- What is the goal?
- What error are you seeing? Where is it coming from?
- Who is using the app? Are they logged in as an administrator?
- What consent and app access policies are applied in the organization?
Client application
- What client library are you using?
- Are you using the V1 or V2 endpoint?
- What protocol flow is being used?
- Is it using dynamic/incremental consent, or static?
- Who developed and configured it?
Target resource
- What is the target resource application? Are there multiple?
- What permissions does this resource expose?
- Which permission(s) is the client requesting?

Troubleshooting – Common Issues
Unexpected 403 unauthorized
- What permissions have been consented to? Who consented?
- Is this a delegated scenario? What permissions does the user have? What are the effective permissions?
User not able to consent or use app
- Are you requesting admin-restricted permissions?
- Did tenant admin disable user consent?
Admin has consented but user still blocked
- If using V2 endpoint- are static permissions configured to be a superset of permissions requested dynamically?
- Is user assignment required for the app?

Useful data to gather
- Scenario
- Error code and exception text, e.g. AADSTS90093: ContosoWorkflows is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf
- Timestamp, e.g. 2018-07-17- 18:55:51Z
- Correlation Id/Tracking Id, e.g. 7231d857-124b-4ffb-985b-ef21e87cf97f
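As an added example (not from the presentation), this block turns the two troubleshooting slides above into a first-pass triage tool: for an unexpected 403 it reads the access token's scp (delegated) or roles (application) claim to answer "what was consented?" and "is this a delegated scenario?", and for a consent error it pulls out the AADSTS code and correlation id to gather. The payload is decoded without signature verification, so it is for diagnostics only; the token and error text in the test are constructed, and the mapping from AADSTS90093 to the slide's questions is this example's own.

```python
# Added example: triage an unexpected Graph 403 from the token's claims, and
# extract the error code / correlation id from a consent error message.
# make_unsigned_token builds a constructed, alg=none test token; decode_payload
# does NOT verify signatures, so use both only for diagnostics, never for authorization.
from __future__ import annotations
import base64, json, re

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: header.payload. with an empty signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(jwt: str) -> dict:
    """Base64url-decode the middle JWT segment; no signature check, triage only."""
    segment = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def granted_permissions(claims: dict) -> tuple[str, set[str]]:
    """('delegated', scopes from scp) or ('application', roles from roles)."""
    if "scp" in claims:                       # delegated token: space-separated scopes
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))

def triage_403(jwt: str, required: set[str]) -> dict:
    """Answer the slide's 403 questions: what was consented, is it delegated, what is missing."""
    kind, have = granted_permissions(decode_payload(jwt))
    missing = required - have
    hints = []
    if missing:
        hints.append(f"token lacks {sorted(missing)}: check which permissions were consented and by whom")
    elif kind == "delegated":
        hints.append("scopes present: effective permissions are also limited by the signed-in user's own rights")
    return {"kind": kind, "granted": sorted(have), "missing": sorted(missing), "hints": hints}

AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")
CORRELATION_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
# Example's own mapping from the slide's sample error to its consent questions.
QUESTIONS = {"AADSTS90093": ["Are you requesting admin-restricted permissions?",
                             "Did the tenant admin disable user consent?"]}

def triage_consent_error(text: str) -> dict:
    """Pull out the data the slide asks for and map the code to the relevant questions."""
    code = AADSTS_RE.search(text)
    corr = CORRELATION_RE.search(text)
    code_str = code.group(1) if code else None
    return {"code": code_str, "correlation_id": corr.group(0) if corr else None,
            "questions": QUESTIONS.get(code_str or "", [])}
```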

Key Takeaways
- Abide by the principle of least privilege
- Be thoughtful when requesting permissions and consent
- Be scenario driven- consider all personas and configurations
What about data for Windows and EMS?

Get started today
- https://graph.microsoft.com
- Twitter: #MicrosoftGraph
- GitHub: /MicrosoftGraph
- StackOverflow: [MicrosoftGraph]

Office 365 and its 100M MAU create an incredible opportunity for developers to bring their innovations to the masses. Microsoft Graph is the API to millions of organizations, and the foundation for building intelligent business processes.
