Microsoft Graph- Permissions and Consent


1 Microsoft Graph- Permissions and Consent
11/22/2018 1:59 PM Microsoft Graph- Permissions and Consent Jeff Sakowicz © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Agenda
- Microsoft Graph- Overview
- Permissions & Consent
- Best Practices
- Troubleshooting

3 Microsoft Graph
Microsoft Build 2017
Microsoft Graph: a unified REST API and comprehensive developer experience for integrating the data and intelligence exposed by Microsoft services.
Most of you came to this conference because you have real customers that have data in Microsoft Services. Microsoft Graph is the way to access that data.

4 Microsoft Graph
Unified REST API for Microsoft 365:
- Azure Active Directory
- Office 365 services: SharePoint, OneDrive, Outlook/Exchange, Microsoft Teams, OneNote, Planner, and Excel
- Enterprise Security and Mobility services: Identity Manager, Intune, Advanced Threat Analytics and Advanced Threat Protection
- Windows 10 services: Activities and Devices
- Education

5 Permissions and Consent- Overview

6 Terminology
- Client- the application requesting access to data
- Resource- the application/service (usually a web API) that exposes data
- Permission- the ability for a client application to perform some action on some data owned by a resource application, e.g. read a user’s OneDrive files through Microsoft Graph
- Consent prompt- the process by which a user is asked to grant an application the permission(s) it has requested
- Consent grant- the result of saying “yes” to a consent prompt
- Admin(istrative) Consent- the process by which a company administrator grants an application one or more permissions that cannot be granted by a regular user. These permissions may:
  - Allow the app to perform high privilege operations- admin-restricted permissions
  - Apply to all users in the organization

7 Permissions Scenarios
Get access on behalf of users
- App type: Mobile, Web and Single page app
- Permission type: Delegated permission (user permission)
- Who can consent: Users can consent for their data; Admin can consent for them or for all users
- Effective Permissions: App permissions, User permissions
Get access as a service
- App type: Service and Daemon
- Permission type: Application permission
- Who can consent: Only admin can consent
- Effective Permissions: App permissions
Admin restricted permissions
Maybe good from a privacy aspect

8 Microsoft Graph Permissions- Format
General format: Resource.Action.Scope
- Resource- target entity
- Action- Read, ReadWrite, etc.
- Scope- specific or inferred (optional)
Examples
- User.Read- delegated
- Notes.ReadWrite- delegated
- Files.ReadWrite.All- application
for documentation!
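The Resource.Action.Scope format above lends itself to a quick consent review. The following is an added example, not part of the original presentation: it parses permission names and flags the ones a reviewer should look at first. The flagging rules (write access, scope All, .default) and the names `parse_permission`, `review_flags` and `review` are assumptions of this example.

```python
from typing import List, NamedTuple, Optional

# Names that are valid scopes but do not follow Resource.Action.Scope.
SPECIAL = {"openid", "profile", "email", "offline_access", ".default"}

class Permission(NamedTuple):
    resource: str
    action: Optional[str]
    scope: Optional[str]

def parse_permission(name: str) -> Permission:
    """Split 'Resource.Action[.Scope]'; accepts the full-URI form too."""
    short = name.rsplit("/", 1)[-1]  # drop a 'https://graph.microsoft.com/' prefix
    if short in SPECIAL:
        return Permission(short, None, None)
    parts = short.split(".")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"not in Resource.Action.Scope form: {name!r}")
    return Permission(parts[0], parts[1], parts[2] if len(parts) == 3 else None)

def review_flags(name: str) -> List[str]:
    """Reasons (this example's heuristics) to look twice at a permission."""
    p = parse_permission(name)
    flags = []
    if p.resource == ".default":
        flags.append("requests every statically configured permission")
    if p.action and "Write" in p.action:
        flags.append("write access")
    if p.scope == "All":
        flags.append("scope All")
    return flags

def review(requested):
    """Pair each permission with its flags, most-flagged first (stable order)."""
    rows = [(n, review_flags(n)) for n in requested]
    return sorted(rows, key=lambda row: -len(row[1]))

# Constructed request, using the example names from the slide.
REQUESTED = ["User.Read", "Notes.ReadWrite", "Files.ReadWrite.All"]

if __name__ == "__main__":
    for name, flags in review(REQUESTED):
        print(f"{name:22} {', '.join(flags) or 'ok'}")
```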

9 When is consent prompted for?
Most commonly
- The first time using an app that requires access to resources
Or when
- App explicitly prompts for it
- Permissions required by the app have changed
- Consent was revoked after being granted initially
- Incremental consent
Ultimately consent occurs when an application needs to access unauthorized resources.

10 Static, Dynamic, and Incremental Consent
Static
- Permissions pre-configured in registration portal UI and/or requiredResourceAccess
Dynamic
- Permissions specified as a parameter of /authorize request (and usually in code)
- Special case- .default scope
Incremental
- Subset of dynamic- request permissions one by one, as needed
- Great for apps with optional features or accruing functionality

11 Best Practices & Troubleshooting

12 Developer Best Practices
- Use least privilege! Only request permissions which are absolutely necessary, and only when you need them
- Be thoughtful when configuring your app! This will directly affect end user and admin experiences, along with app adoption and security
- When building a multi-tenant app, expect customers to have various application and consent controls in different states

13 Troubleshooting - Framing the Problem
Scenario
- What is the goal?
- What error are you seeing? Where is it coming from?
- Who is using the app? Are they logged in as an administrator?
- What consent and app access policies are applied in the organization?
Client application
- What client library are you using?
- Are you using the V1 or V2 endpoint?
- What protocol flow is being used?
- Is it using dynamic/incremental consent, or static?
- Who developed and configured it?
Target resource
- What is the target resource application? Are there multiple?
- What permissions does this resource expose?
- Which permission(s) is the client requesting?

14 Troubleshooting – Common Issues
Unexpected 403 unauthorized
- What permissions have been consented to? Who consented?
- Is this a delegated scenario? What permissions does the user have? What are the effective permissions?
User not able to consent or use app
- Are you requesting admin-restricted permissions?
- Did tenant admin disable user consent?
Admin has consented but user still blocked
- If using V2 endpoint- are static permissions configured to be a superset of permissions requested dynamically?
- Is user assignment required for the app?
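For the unexpected 403 case, the first two questions can be answered from the access token itself: Azure AD puts delegated permissions in the `scp` claim (space separated) and application permissions in the `roles` claim. The following is an added troubleshooting example, not part of the original presentation: the sample tokens are constructed and unsigned, and `jwt_claims`, `check` and `make_token` are names chosen for this example.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (the signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check(token: str, required: list) -> dict:
    """Report the scenario and which required permissions the token lacks."""
    claims = jwt_claims(token)
    delegated = set(claims.get("scp", "").split())
    application = set(claims.get("roles", []))
    if "scp" in claims:
        scenario, granted = "delegated", delegated
    elif "roles" in claims:
        scenario, granted = "application", application
    else:
        scenario, granted = "none", set()
    return {"scenario": scenario, "missing": sorted(set(required) - granted)}

def make_token(claims: dict) -> str:
    """Build an unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed sample tokens, using the permission names from the slides.
SAMPLE_DELEGATED = make_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read Notes.ReadWrite"})
SAMPLE_APP = make_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Files.ReadWrite.All"]})

if __name__ == "__main__":
    print(check(SAMPLE_DELEGATED, ["User.Read", "Files.ReadWrite.All"]))
    print(check(SAMPLE_APP, ["Files.ReadWrite.All"]))
```

An empty `missing` list in the delegated scenario points the investigation at the remaining questions on the slide: what the signed-in user is allowed to do, and therefore what the effective permissions are.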

15 Useful data to gather
Scenario
Error code and exception text
- AADSTS90093: ContosoWorkflows is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf
Timestamp
- :55:51Z
Correlation Id/Tracking Id
- 7231d b-4ffb-985b-ef21e87cf97f

16 Key Takeaways
- Abide by the principle of least privilege
- Be thoughtful when requesting permissions and consent
- Be scenario driven- consider all personas and configurations
What about data for Windows and EMS?

17 Get started today
- Twitter: #MicrosoftGraph
- GitHub: /MicrosoftGraph
- StackOverflow: [MicrosoftGraph]
Office 365 and its 100M MAU create an incredible opportunity for developers to bring their innovations to the masses. Microsoft Graph is the API to millions of organizations, and the foundation for building intelligent business processes.


