I have created an application to use the Office 365 Exchange Online (Microsoft.Exchange) API. I set successfully set up permissions as described here MS Integrating Applications on an existing development Azure Account. See APIs available on original account.
However, now I want to set up a similar app in a new Azure account so I can have a different visible domain for the permission sign up process. However, on this new account the Exchange Online API is not visible to select as a required permission.
This account only exists as a place to register the App so it doesn't itself have any users or need any licenses but do I have to have a license associated with that account just to be allowed to add a particular API to the required permissions? The documentation doesn't mention anything about this that I can see.
do I have to have a license associated with that account just to be
allowed to add a particular API to the required permissions?
Yes, you're right. You have to have a Office 365 Exchange Online license for your Tenant.
Why:
These APIs are exsiting in the AAD as service principal (Enterprise Applications). If you don't buy Exchange Online license, it won't occurs in the Enterprise Applications in your tenant. Once you buy the license, it will be automatically added to the Enterprise applications, meanwhile you can use its API via AAD.
This makes sense because if you don't have the license, you cannot use the product and you cannot use its API neither.
The documentation doesn't mention anything about this that I can see.
Yeah, the documentation maynot mention this and it should be noticed in the documentation. You can sign in the documenation webiste via a github account and give a feeback to the documenation Team:
Hope this helps!
Related
As a company, is it possible to mandate SSO for everyone who works for me? i.e anyone who registers with an #companyname.com email has to go through my Google SSO regardless if they're logging into and pushing code to a repo not maintained by my organization?
If your users are Enterprise Managed Users, you now (Sept. 2022) have the option of:
Automatic Single Sign On for Enterprise Managed Users – Public Beta
Enterprise administrators can now choose to redirect signed-out Enterprise Managed Users to their company's single sign-on (SSO) page. This feature is available as a public beta.
By default, enterprises with Managed Users enabled are hidden, showing a 404 error page any time an enterprise resource is visited by a user that isn't already signed in to the enterprise.
If you enable this feature for your enterprise, visitors to resources in your enterprise, org, or user namespaces will immediately be presented with an SSO redirect if not already signed in to your enterprise.
This redirect helps users sign in to the correct account, rather than giving them the impression that the link they were given no longer works.
You can find this setting in the Authentication security section of your Enterprise Settings, below the single sign-on configuration sections.
Read more about this settings at "Automatic redirection for Enterprise Managed Users".
If you were to build an enterprise SaaS app today, what would be the preferred protocol/endpoint to obtain the list of users, emails and groups from an Azure AD deployment?
Historically this was done via LDAP connection to an Active Directory Domain Controller, and I see that Azure offers an LDAPS service (Azure AD DS).
ADFS, which is quite widespread, is just a SAML-compatible IdP, but it doesn't seem to provide an API for listing the directory of users.
The Microsoft Graph API seems to be able to provide at least some of this information, but it seems to be fairly new and very widespread. There's also something called SCIM that appears to have broader support, but it doesn't seem to be super popular on enterprise cloud apps either.
My research has shown that the apparent right answer for this problem is to implement SCIM 2.0 APIs on the product.
The main annoyance of the approach is that SCIM 2.0 is a protocol that is triggered by the directory provider (i.e. a SaaS app will receive an API call from Azure AD when a user needs to be created or updated, instead of the SaaS app contacting a directory endpoint to fetch the information when it is needed).
This creates a few annoyances such as potential race conditions when updating user information in the middle of application processes, or the fact that updates to the directory can't be triggered at convenient times (such as nightly, for example). Debugging/testing is also more problematic.
Google Drive API question,
I am writing an application that can view a users' Google Drive files and folders from their google account (can be individual or part of an enterprise).
So on my Google Drive enterprise, I have created an API application. So I have an API key and Secret key stored in my application.
Now I want to use OAuth to authenticate the user so that they can approve my application to read their files. The users will not be part of my enterprise. They can be individual Google accounts, or they can be a single user from an some other enterprise account.
Is this possible? Or are there technical/security reasons this is not allowed?
I just got off the phone with wonderful Google api support agent, and I have my answer:
Yes this is possible to do. however due to the recent phishing attack, Google has put in place new security features that affect the following APIs:
Google drive
Gmail
Contacts
Directory Admin SDK
Here are the new rules:
There is a new security form we will need to fill out and be approved before we will be able to be approved as a trusted app that is able to access these api's using OAuth2 authentication.
Google has provided a feature that many enterprises use that allows an enterprise to completely disable the ability to access these api's using oauth2. So even though we have been approved from step1, we may still get an error for some enterprises who have directly blocked this; however, they can white list us in order to allow it from our enterprise if admin's prefer, while still blocking general use for others.
See links:
https://support.google.com/a/answer/7281227
https://developers.google.com/drive/v3/web/about-auth
https://developers.google.com/identity/protocols/OAuth2
https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/
I'm just getting started porting my old code over to the new google apps json service but I'm not clear on the oauth.
I'm looking at:
https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites
It says:
"Set up a new project in the Google APIs Console and activate Admin SDK service for this project. See the Google APIs Console Help in the upper right corner of the Console page for more information about creating your API project. "
My product gets installed at each client location. Do I create the app using my key then distribute this to my customers or do I use their key in my app that runs at their site? Do I also need to enable the admin SDK in addition to enabling API access?
Do I create the app using my key then distribute this to my customers or do I use their key in my app that runs at their site?
Do they have access to the source code? If true then it will be known to them.
Whether it is your key (an API project owner by you) or theirs depends on the kind of software you offer (tailored or common service (webapp?)) and who will be responsible of the quotas, billing (if needed) and maintenance.
Do I also need to enable the admin SDK in addition to enabling API access?
Yes.
FYI:
API projects can hold up to 20 accounts
Users can own several projects (don't know how many)
Projects can be shared with other users or Groups
Do anybody know if there is any sort of API available for Cyber-Ark Privileged Identity Management to integrate it with an enterprise applications?
I think the answer might be 50% yes, 50% no. Definitely Cyber-Ark offers web services and an API for their Vault objects, so you should be able to retrieve passwords from the Vault from a trusted application. There is a paragraph of sales information on Cyber-Ark's website:
Cyber-Ark's comprehensive SDK provides an interface to the Vault objects that you can use to develop custom solutions that work with the Vault. Cyber-Ark provides a variety of SDK such as Command Line Interface, ActiveX API, .Net API and Web Services API
But beyond working with their Vault objects, I'm not entirely sure. I'm currently looking for more information on their Vault web services, and I think I need to register to be a Partner to get that information. I'll post a follow-up if I learn anymore.
You are suppose to purchase an API license per server to have read-only access to the vault for authorized applications.
They provide Java, C#, etc. libraries and you place authorization key material on the server to enable it access.
It is called CyberArk Application Identity Manager, an entire sub-product.
The only reference I could find:
http://lp.cyberark.com/rs/cyberarksoftware/images/ds-application-identity-manager-10-20-2014-en.pdf
CyberArk created Conjur. It is open source and free. It contains its own Vault and is intended for dynamic Application Access Management. In particular, Conjur and its upgrade Conjur Enterprise should secure the complete DevOps pipeline. The paid version can be integrated with the Vault solution (the PAS Core solution of CyberArk).
For static applications, CyberArk has the Credential Provider, Central Credential Provider and ASCP (I forgot the full name of it now). These solutions are agent based while Conjur is agentless. Because they are agent based, they are only intended for environments with comparatively slow changes as an agent needs to be installed on every server in order to provide the credentials from the Vault.
These solutions have REST API, CLI and SDK capabilities.