Authentication to the various Office 365 APIs and access points requires some effort. First, we need to create our application. Then we need to assign access to the individual applications. Finally, we need to generate and install a certificate for authentication.
Creating the application
To create the application, we first need to make our way to the Azure Portal and into Active Directory. Then, click the Applications tab and choose Add an application:
Then, select “Add an application my organization is developing”:
Then, give it a name and click the right arrow:
Enter the URL of the target location of the website so that Azure AD knows how to route users for authentication and such. Also enter a unique App ID:
After a while, if all goes well, we’ll be presented with the Quick Start screen for the new app. Click the Configure tab at the top.
Assign Access to the Individual Applications
Now that we’ve created our app, we need to assign the necessary permissions. Scroll down to the bottom of the page and find the ‘permissions to other applications section’
In the ‘Windows Azure Active Directory’ application, select the Application Permissions drop down and check ‘Read directory data’
Then, click ‘Add application’. In the window that opens, click the plus sign next to ‘Microsoft Graph’ and ‘Office 365 SharePoint Online’ and then click the check mark in the bottom right hand corner.
This should add the three application permissions to our own application. Expand the ‘Application Permissions’ for Microsoft Graph and select ‘Read all users’ full profiles’, ‘Read directory data’, ‘Read all groups’, and ‘Read and write mail in all mailboxes’, like so:
Then expand ‘Application Permissions’ for Office 365 SharePoint Online and select ‘Read items in all site collections’:
Finally, click Save:
Generate and install a certificate
When authenticating to Azure Active Directory for the Microsoft Graph, a standard ClientId/ClientSecret seems to work just fine. However, when authenticating for Office 365 SharePoint Online, a certificate is apparently required. For the sake of this instruction, we’ll use a self-signed certificate. However, in a real world production environment, but sure to use an certificate from an actual trusted authority.
First, launch the Visual Studio Developer Command Prompt as an administrator. Navigate to the location that we’d like to store our certificate (we can always move it later, too). Then run the command ‘makecert –r –pe –n “CN=BusinessApps.HelpDesk” –ss My –len 2048 BusinessApps.HelpDesk.cer’
Next, copy the ClientId of your application from the Azure Active Directory page:
Then, launch PowerShell and run the following script, replacing “<cert path>” with the location of the certificate from above and <client ID> with the ClientId that we just copied:
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId “b5154e8f-e4cb-4124-8424-f5ec1981f518” -Type asymmetric -Value $credValue -Usage verify
Note: these steps were largely borrowed from http://blogs.msdn.com/b/microsoft_azure_simplified/archive/2015/03/23/getting-started-using-azure-active-directory-aad-for-authenticating-automated-clients-c.aspx
While we’re at it, we’ll also copy that ClientId into the AzureId app setting for the application in the web.config file (I like to use AzureId instead of ClientId since SharePoint clients can automatically pull ClientId values from the web.config).
Now that the certificate has been added to our Azure application, we need to install it in the Personal cert store. Start by navigating to the file location of the certificate above and double click it. In the window that opens, click Install Certificate…
Clicking ‘Install Certificate’ will launch the Certificate Import Wizard. Leave the ‘Current User’ location selected and then click ‘Next’ on the Certificate Import Wizard screen.
On the next screen, select ‘Place all certificates in the following store’ and click ‘Browse’:
In the window that opens, select ‘Personal’ and click ‘OK’
This will add ‘Personal’ to the ‘Certificate store’ box. Click Next:
Finally, click finish:
If all went well, the certificate will be imported successfully:
Now that the certificate has been imported, we also need to retrieve the thumbprint of the certificate so that our source code can find it. Going back to the certificate window, select the Details tab, then scroll down and find the Thumbprint field. Highlight the value in the field and Ctrl+C to copy the value:
Then, go into the web project and populate the value into the web.config CertThumbprint app settings for the application (be sure to remove the spaces, as well):
And there we have it! An application that has authority to read/write various bits of data against Azure Active Directory, SharePoint Online, and Microsoft Graph.
The Help Desk Demo
- The Help Desk demo, Part 1 – Creating the project
- The Help Desk demo, Part 2 – Azure Active Directory
- The Help Desk demo, Part 3 – Authentication
- The Help Desk demo, Part 4 – Microsoft Graph
- The Help Desk demo, Part 5 – SQL Azure
- The Help Desk demo, Part 6 – SharePoint
- The Help Desk demo, Part 7 – Wiring it all up
- The Help Desk demo, Part 8 – Deploying to Azure
The entire source code for the Help Desk demo can be found here https://github.com/OfficeDev/PnP/tree/dev/Solutions/BusinessApps.HelpDesk/, in the Office 365 Dev PnP GitHub repository.