Azure AD App Only Authentication

In a simple way, App Only authentication is the ideal method if you want to execute  a task by daemon. This allows you to execute some code without the permissions of a user or without an auth token of a user.

As part of a series of articles, idea of this 1st post is to give you an basic  fundamental understanding on creating an Azure AD App and grant permissions for this App to communicate with SPO.

let’s get this started. Simply head on to your Office365 home page and switch to Admin Centers. From the left pane, click on “Azure Active Directory”. From Azure AD, search for “App Registrations” and click “Add new application registration” link.

A new application interface will pop-up for you. Enter a name, Application type and Sign-on URL and click “Create”. Sign-in URL can be any and it also can be amended later to reflect a different one. A future post will discuss this again on what sort of URLs are used here.

image 

Once the app creation done, you will be given with the app ID and other details related to it.

image

Next- Select Settings –> Required permissions and Add

clip_image001

clip_image002

In this case the API going to be SPO. You can choose the right API based on the requirement.

image

Next, hit “Grant Permission” button on the required permissions tab to provide none-tenant admin user access the application.

A self-signed or public (commercial) certificate must be provided now and then update the Azure AD manifest accordingly.

Following PS can be used to provision the certificate but ensure you have installed OfficeDev PnP PowerShell.

$certroot = 'C:\Site Creator'
$certname = "IntelAi-Cert-1"
$password = ConvertTo-SecureString "P@$$w0rd" -AsPlainText -Force
$startdate = Get-Date
$enddate = $startdate.AddYears(4)
makecert.exe -r -pe -n "CN=$certname" -b ($startdate.ToString("MM/dd/yyyy")) -e ($enddate.ToString("MM/dd/yyyy")) -ss my -len 2048
$cert = Get-ChildItem Cert:\CurrentUser\My | ? {$_.Subject -eq "CN=$certname"}
Export-Certificate -Type CERT -FilePath "$certroot\$certname.cer" -Cert $cert -Force
Export-PfxCertificate -FilePath "$certroot\$certname.pfx" -Cert $cert -Password $password -Force

Following line will copy a string to your clipboard

Get-PnPAzureADManifestKeyCredentials -CertPath 'C:\Site Creator\IntelAi-Cert-1.cer' | clip

Following is how the copied string would look like. It has to be added to the manifest file of the Azure AD application.

"keyCredentials": [
 {
  "customKeyIdentifier": "5lca+kziogw7T6MB4kUrxseK5m8=",
  "keyId": "84153f1a-90b7-4802-b99a-bb75d4f9a35b",
  "type": "AsymmetricX509Cert",
  "usage": "Verify",
  "value": "MIIDAjCCAe6gAwIBAgIQkawCJU0cWYxH8RamKNuqqTAJBgUrDgMCHQUAMBkx
 }
],

Select your application under app registrations in Azure AD. Replace the “KeyCredentials”:[], section, as shown below.

image

Now this can be tested whether the application has required permissions to connect to the SharePoint Online site. For the ClientID, you need to provide application ID of the app you have created.

$password = ConvertTo-SecureString "P@$$w0rd" -AsPlainText -Force
Connect-PnPOnline -Url https://site.sharepoint.com/ -ClientId 0c01f61e-ba27-4ae7-ab19-174884a949fc -CertificatePath 'C:\Site Creator\Site-Cert-1.pfx' -CertificatePassword $password -Tenant intelai.onmicrosoft.com
$myWeb = Get-PnPWeb
$myWeb.Title

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.

Azure AD Conditional Access for Office 365 (Exchange and SharePoint Online) Preview Release

Yesterday Microsoft announced one of the most awaited feature for Office 365, “Azure AD Conditional Access Preview” for SharePoint Online and Exchange.

What is Conditional Access and What it is for ?

Security has been one of the key elements in systems for decades but for the present time it needs to be much more comprehensive than ever before with the evolvement of the cloud and mobile era. With the rise of devices used by a person and the ability to access corporate resources from anywhere in the world, there is a massive demand of securing corporate resources. Ultimately the latest strategies of securing corporate resources are defined by the new ways which users are used to accessed them.

Microsoft has taken another big leap of security capabilities with this release today. Azure Active Directory Conditional Access Features Allows you to secure and manage your corporate resources in simple ways in cloud or even on premise. If you want to ensure an stolen user credential or unmanaged device will not harm your corporate resources, Azure AD Conditional Access if made for you.

clip_image001

How is the access Enforced

Generally when a user signs in to a service, Azure Active Directory checks whether the security inputs of this user meets the access requirements you defined. and if the requirements are met, user will be authorized to access the service or application.

The enforcement can be done in two ways. You can define policies to configure the access either way, for users or devices.

  • User based Access (Control who you want to allow access)

User Attributes – User Attributes level can be used to define policies of which users can access organization’s resources.

Group Membership of a User – or either based on the Group/Groups of user which he/she represents in.

Multifactor Authentication (MFA) – Multifactor Authentication can be configured to ensure better security. User has to provide more than one factor (Password) which could be either a PIN or Phone Number. That ensures extra level of security for your organization’s resources.

Sign-in and User Risk – This capability known as “Conditional Access Risk Policies” comes with Azure AD Identity protection. This will allow you to track unusual sign in activities and risk events based on the access trends and implement advance protection. Global and Multi-region companies will benefit a lot with the capability.

  • Device Based Access (Control what you want to allow access)

Enrolled Devices – Using Microsoft Intune, you can use Device Level Access to control only MDM (Mobile Device Management) Enrolled devices are allowed to access resources. Intune is capable to validate if the device is enrolled with MDM. Also device level access will ensure that only the matched devices with the policies (such as force file encryption on a granted device) you have configured are allowed to access. Even you can flush out the content of a device remotely which was stolen or misused using MDM solutions.

The best part is, It’s not just limited to the cloud, you can also use device based access policies to control your on premise resources or even cloud based SaaS or line of business applications.

What does this Preview Brings you?

This release is a much awaited capability for most of the organizations and a huge step on the Access Policy framework. Conditional Access for CRM and Yammer been already there but Specially for SharePoint and exchange, the call has been ringing there for quite long time.

These three conditions are released for SharePoint and Exchange online as preview. Microsoft Recommends to enable these policies alongside risk based conditional access policy available with Azure Identity Protection.

  • Always require MFA
  • Require MFA when not at work
  • Block access when not at work

Conditional Access Policies are supported in Browser based access to Exchange Online, SharePoint Sites and OneDrive and even for Desktop Applications that uses modern authentication mechanisms.

Across the mobile devices, these are the tested desktop and mobile applications connects to Exchange and SharePoint so far by Microsoft.

  • For Windows 10, Windows10 Mobile, Windows 8.1, Windows 7 and Mac
  • Outlook, Word, Excel and PowerPoint in Office 2016
  • Outlook, Word, Excel and PowerPoint in Office 2013 (with modern authentication enabled)
  • OneDrive Sync Client (with modern authentication)

For IOS

  • Outlook Mobile App

Resources:

Detailed Explanation of Azure Ad Conditional Access

Conditional Access Policy Support for Mobile Devices

Original Announcement