Office 365 Identity (Part 1)

Office 365 is a SaaS offering from Microsoft that provides an online (cloud) version of the Microsoft Office suite (Word, Excel and PowerPoint) together with SharePoint Server (for social networking and collaboration), Exchange Server, Lync Server and more.

 

Office 365 uses Azure Active Directory to authenticate users. It validates both user accounts and applications. User accounts with a username and password are also called organizational accounts; applications are identified by a client id and client secret.

 

Azure Active Directory is an identity and access management cloud solution that provides a robust set of capabilities to manage users and groups. Applications in Azure AD that use Office 365 API resources leverage the identity established when the user authenticated against Azure Active Directory, so users do not have to hand their username and password to the application.

Azure AD uses the OAuth 2.0 protocol to authorize access from your web application to Office 365 resources.

OAuth 2.0: applications have their own identities and are identified by a client id and client secret. OAuth allows an application to perform operations on the user's behalf without ever handling the user's credentials, following the flow shown below.

  

  • The end user accesses the web application hosted in an Azure Web Site
  • The user is redirected to Azure AD
  • The user logs in and the consent dialog is displayed
  • The user grants access through the consent dialog
  • An authorization code is returned to the user's browser
  • The browser is redirected to the Azure Web Site with the authorization code
  • The Azure Web Site passes the authorization code along with its client id and client secret to Azure AD
  • An access token and a refresh token are returned to the Azure Web Site
  • The Azure Web Site calls SharePoint, passing the access token
  • SharePoint returns its response to the Azure Web Site and the page is rendered to the user

Detailed flow

  • The Office 365 application calls the Azure AD authorization endpoint to obtain an authorization code: the user signs in to Azure AD via the browser and grants consent to the application.
  • The application passes the authorization code to the Azure AD token endpoint to obtain the id, access and refresh tokens.
  • For fetching the user's details, the id token is sufficient.
  • To call an Office 365 API, pass the access token in the request header and the API returns the HTTP response.

  

Register your app

To allow an application access to the Office 365 APIs, we need to register it with Azure AD. This establishes an identity for the app and specifies which resources it needs to access.

If you're using the Office 365 API Tools for Visual Studio, register your app automatically using Connected Services in your project, which does the following:

  1. Creates an Azure AD application
  2. Adds the selected Office 365 API permissions to the Azure AD application
  3. Updates web.config with the Azure AD application settings
  4. Adds the necessary Azure AD and Office 365 API NuGet packages

https://msdn.microsoft.com/office/office365/HowTo/adding-service-to-your-Visual-Studio-project

 

If Visual Studio is not available, register your app manually in Azure AD using the Azure management portal:

https://msdn.microsoft.com/en-us/office/office365/howto/add-common-consent-manually

Verify authentication and authorization using the Azure AD endpoints

Authorization code endpoint: this returns the authorization code.

    https://login.microsoftonline.com/5b532de2-3c90-4e6b-bf85-db0ed9cf5b48/oauth2/authorize
        ?response_type=code
        &client_id=152bda97-f553-4d1f-a8d3-fb9b831960ab
        &redirect_uri=https://manage.windowsazure.com

Note: send this as a GET request in Fiddler, passing the client_id and redirect_uri configured when the app was created.

Token endpoint: this exchanges the authorization code for tokens.

    POST https://login.microsoftonline.com/5b532de2-3c90-4e6b-bf85-db0ed9cf5b48/oauth2/token

    Form-encoded request body:

        grant_type=authorization_code
        &client_id=152bda97-f553-4d1f-a8d3-fb9b831960ab
        &code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLTL_O9Y1bmmx5oqxyLkL4lypCAjnu4bXYAIvvfuR-NI4bivqi0PkcfYHeYBdDtPXIpwEmZwrn7YCjpV2l2e-GoTvw2oF5c2qA8ihDQHO5PGIJ5fo7v6yJihVUvZ1FruCMiIlVh6eFg5N4b989XvrMSrHmn6wm1HgULT-7taYL317mvzEYo55ma1356ESHxWZqKtH9mog2v5KDD8mEJSyWN9sBWqdjfRBBBzwi9uguNouVKdZUwggK59mwR-a1I_QW5ohUb1XnpW4MRxkV5Bs7Qcbea5CsWA7hMQV4zsWHcJgmKDMZcMjaPgYBxqrQmawUrmyJHukhGXOKmK3nhg90Z5kJBBA55tz3Utw3qww7j2jhzz4hp4klx-Lf8sC94OMwCdr2M-DtZ2foGh8KmnVYAEVJY7JcGgqFYC7q3kLT2BIo8FcZztNcoF1XUErKKBBsmDUCwxgIC1xosJElRhyvTMpMQ4MIpWN6IrCZTytwlcHzd-Ju6UoDs06zoNw2oz61cplxujjvgOyKHS12ZcvHK8gAA
        &redirect_uri=https://manage.windowsazure.com
        &resource=https://outlook.office365.com
        &client_secret=HhuXqTZUZyZXVSEMrP2sfPOnxrYjEKju9QaCsgh%2BtQw%3D

Note: resource specifies the endpoint that needs to be accessed. In our case we are accessing the Outlook endpoint.

Note: send this as a POST request in Fiddler with the parameters in the request body: the client_id, redirect_uri and client_secret, plus the code obtained in the previous step.
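The two requests above, as an added example that is not part of the original post and not Microsoft's own client code: it builds the authorize URL, checks the callback that carries the code, and assembles the token POST, without sending anything. The tenant id, client id, secret and callback code are constructed placeholders, and the `state` parameter is an addition to the post's URL (it is how the app ties the callback back to the browser session that started the flow).

```python
# Added example (not from the original post): the two requests of the Azure AD
# OAuth 2.0 authorization code flow as the post lays them out. No network calls
# are made; the functions return the URL and form body so they can be inspected
# before sending with Fiddler or an HTTP client.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; the real tenant id, client id and secret come
# from your own Azure AD app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "placeholder-client-secret"
REDIRECT_URI = "https://manage.windowsazure.com"
RESOURCE = "https://outlook.office365.com"


def authority(tenant_id: str) -> str:
    """Base of the tenant's OAuth 2.0 endpoints, as used in the post."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2"


def new_state() -> str:
    """Per-request random value the app stores in the user's session."""
    return secrets.token_urlsafe(16)


def build_authorize_url(tenant_id, client_id, redirect_uri, state):
    """Step 1: GET to the authorize endpoint (the post's first request, plus state)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{authority(tenant_id)}/authorize?{urlencode(params)}"


def extract_code_from_callback(callback_url, expected_state):
    """Step 2: Azure AD redirects the browser to redirect_uri with ?code=...&state=...
    Reject the callback unless state matches what this session issued, and surface
    an error response instead of treating it as success."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return query["code"][0]


def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri, resource):
    """Step 3: POST to the token endpoint. The parameters go in the
    application/x-www-form-urlencoded body, not the query string, so the secret
    and the code stay out of proxy and web-server access logs."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "client_secret": client_secret,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{authority(tenant_id)}/token", headers, urlencode(body)


def parse_query(s: str) -> dict:
    """Flatten a URL's query string (or a bare form body) into a single-valued dict."""
    raw = urlparse(s).query if "?" in s else s
    return {k: v[0] for k, v in parse_qs(raw).items()}


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, state))
    # Simulated callback (constructed): where Azure AD would send the browser.
    callback = f"{REDIRECT_URI}/?code=AAAB-constructed-code&state={state}"
    code = extract_code_from_callback(callback, state)
    url, headers, body = build_token_request(
        TENANT_ID, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI, RESOURCE
    )
    print(url, headers, body, sep="\n")
```

Run it as a script to print the authorize URL and the token request; the printed body is what Fiddler should show as the POST payload, and the same three functions can be wired into a web handler where the state value lives in the session.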

Note: the response contains a field "id_token", which is the OpenID Connect ID token, a JWT (JSON Web Token).

Decoding the JWT provides the tenant and user details.
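Decoding the id_token, as an added example that is not part of the original post and not Microsoft's token-handling code. The token is constructed offline from placeholder claims (using the claim names Azure AD puts in an id_token: tid, oid, upn, aud, iss, exp) and signed with HS256 only so a well-formed sample can be produced without an RSA key; real Azure AD id_tokens are RS256 and must be validated against the tenant's published signing keys. The point the code makes is that decoding the payload, which is all the post describes, reads the claims but proves nothing about who issued them; the verify step is what an application must do before trusting the tenant or user it finds there.

```python
# Added example (not from the original post): reading tenant and user details
# from an id_token, and keeping "decode" separate from "verify".
import base64
import hashlib
import hmac
import json
import time

# Constructed sample claims; values are placeholders, not a real tenant or user.
SAMPLE_CLAIMS = {
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "aud": "11111111-1111-1111-1111-111111111111",  # our app's client_id
    "tid": "00000000-0000-0000-0000-000000000000",  # tenant id
    "oid": "22222222-2222-2222-2222-222222222222",  # user object id
    "upn": "user@example.onmicrosoft.com",
    "name": "Example User",
    "iat": 1700000000,
    "exp": 1700003600,
}
SAMPLE_KEY = b"constructed-demo-key"  # placeholder HMAC key for the sample only


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_id_token(claims: dict, key: bytes) -> str:
    """Build a well-formed JWT for offline use (HS256; Azure AD uses RS256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_jwt_unverified(token: str):
    """What the post calls 'decoding the JWT': split the three segments and
    base64url-decode header and payload. Nothing here checks the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def identity_from_claims(payload: dict) -> dict:
    """The tenant and user details the post refers to."""
    return {
        "tenant": payload.get("tid"),
        "user": payload.get("upn"),
        "object_id": payload.get("oid"),
        "issuer": payload.get("iss"),
    }


def verify_hs256(token: str, key: bytes, expected_aud: str, expected_tid: str, now=None):
    """Check the signature, then pin the claims the app must not take on faith:
    audience (our client_id), tenant, and expiry. Returns the payload or None."""
    header, payload = decode_jwt_unverified(token)
    if header.get("alg") != "HS256":  # refuse 'none' or any unexpected algorithm
        return None
    signing_input, _, sig_segment = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_segment), expected):
        return None
    now = time.time() if now is None else now
    if payload.get("aud") != expected_aud or payload.get("tid") != expected_tid:
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    token = make_sample_id_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    header, payload = decode_jwt_unverified(token)
    print("header:", header)
    print("identity (unverified):", identity_from_claims(payload))
    ok = verify_hs256(token, SAMPLE_KEY, SAMPLE_CLAIMS["aud"], SAMPLE_CLAIMS["tid"], now=1700000100)
    print("verified:", ok is not None)
```

For a production token, replace `verify_hs256` with RS256 validation against the keys Azure AD publishes for the tenant; the audience, tenant and expiry checks stay the same.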