Microsoft App Registration – how to create meetings using OnlineMeetings.ReadWrite.All within an application context and not a user context?


Question

I currently have an app registration in Azure portal. This app has a client secret set up on it and a number of API Permissions as well. These are permissions for the Microsoft Graph and are delegated as well. This is how it looks,

[Screenshot]

Now I have also set up an App role for meetings as well, which looks like this,

[Screenshot]

With this context in mind, you can see I have added an application permission from the "My APIs" section, which points to my app registration and the permission for "OnlineMeetings.ReadWrite.All". My objective is to obtain an access token in order for my client app to create a meeting whilst running the following POST,

POST /users/{userId}/onlineMeetings/createOrGet

My question is to try and gain an understanding of what the authorization scope should be and the grant type as well when trying to obtain an access token. I have tried setting the authorization scope to be "offline_access https://graph.microsoft.com/.default" and the grant type to be "client_credentials" but to no avail. I want my client app to be able to create a meeting on behalf of any user from my tenant without the need for user consent or any application access policies needing to be set up in PowerShell. Is this possible to do?

Answer 1

Score: 1

Instead of setting up a new App role, you need to add the existing Microsoft Graph permission named OnlineMeetings.ReadWrite.All of Application type and grant consent to it.

I registered one Azure AD application and granted API permission as below:

[Screenshot]

> Note that you need to create an application access policy and grant it access to Global to authorize the app configured in the policy to create online meetings on behalf of any user.

I used the PowerShell commands below to install the MicrosoftTeams module and create an application access policy:

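```powershell
# Install and load the MicrosoftTeams module, then sign in
Install-Module -Name MicrosoftTeams -Force -AllowClobber

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Create a policy that lists the app (client) ID allowed to act for users
New-CsApplicationAccessPolicy -Identity Sri-Test-policy -AppIds "xxxxxxxxxx" -Description "Allow access to Teams App"

# Grant the policy tenant-wide (-Global) so it covers every user
Grant-CsApplicationAccessPolicy -PolicyName Sri-Test-policy -Global
```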

Response:

[Screenshot]

Now, I generated an access token using the client credentials flow via Postman with the parameters below:

```
POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
grant_type: client_credentials
client_id: appID
client_secret: secret
scope: https://graph.microsoft.com/.default
```

Response:

[Screenshot]

When I used this token to make the POST request below, the online meeting was created successfully like this:

```http
POST https://graph.microsoft.com/v1.0/users/{userId}/onlineMeetings/createOrGet
Content-Type: application/json

{
  "startDateTime": "2023-07-29T14:30:34.2444915-07:00",
  "endDateTime": "2023-07-29T15:00:34.2464912-07:00",
  "subject": "Sri Demo Online Meeting",
  "externalId": "xxxxxxxxxx",
  "participants": {
    "attendees": [
      {
        "identity": {
          "user": {
            "id": "xxxxxxxxxxxxx"
          }
        },
        "upn": "demouser@xxxxxxx.onmicrosoft.com"
      }
    ]
  }
}
```

Response:

[Screenshot]

Reference:
onlineMeeting: createOrGet - Microsoft Graph v1.0 | Microsoft
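
An added troubleshooting example, not part of the original question or answer: it decodes the claims of a token obtained with the client credentials flow and reports why it would not work app-only against `createOrGet`, which separates the Graph application permission the answer describes from a custom app role defined on your own app registration. The sample tokens are constructed and unsigned, and the helper names are hypothetical.

```python
import base64
import json

# Audience values a Microsoft Graph token carries (resource URI or Graph's well-known app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
REQUIRED_ROLE = "OnlineMeetings.ReadWrite.All"


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (troubleshooting only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str) -> list[str]:
    """Return reasons the token cannot call createOrGet app-only; an empty list means OK."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"aud is {claims.get('aud')!r}, not Microsoft Graph")
    if "scp" in claims:  # delegated permissions appear in scp, application ones in roles
        problems.append("token has scp (delegated), not an app-only token")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"roles claim lacks {REQUIRED_ROLE}")
    return problems


def _fake_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: Graph application permission consented, no Graph application
# permission (only a custom app role on the app itself), and a token for the app's own API.
GOOD = _fake_token({"aud": "https://graph.microsoft.com", "roles": [REQUIRED_ROLE]})
NO_GRAPH_ROLE = _fake_token({"aud": "https://graph.microsoft.com"})
OWN_API = _fake_token({"aud": "api://constructed-app-id", "roles": [REQUIRED_ROLE]})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("no graph role", NO_GRAPH_ROLE), ("own api", OWN_API)]:
        print(name, "->", diagnose(tok) or "OK")
```

The application access policy from the answer is not reflected in the token, so this check covers only the audience and permission side.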

huangapple
  • Published on July 27, 2023 22:31:17
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76780769.html