{"id":8195,"date":"2017-04-21T17:02:00","date_gmt":"2017-04-21T17:02:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/premier_developer\/?p=8195"},"modified":"2019-03-05T15:09:20","modified_gmt":"2019-03-05T22:09:20","slug":"authentication-options-for-custom-application-when-accessing-data-from-o365","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/authentication-options-for-custom-application-when-accessing-data-from-o365\/","title":{"rendered":"Authentication options for custom application when accessing data from O365"},"content":{"rendered":"<h5>In this post, Senior Application Development Manager<span style=\"font-weight: bold;\">, <\/span><a href=\"https:\/\/www.linkedin.com\/in\/anant-dimri-b05b517\/\"><span style=\"font-weight: bold;\">Anant Dimri<\/span><\/a> explains authentication options available to application developers who wish to interact with data in O365.<\/h5>\n<hr \/>\n<p>A developer writing applications that interact with SharePoint (SP) data (Lists\/Events\/Documents, etc.) will be faced with several options to set up authentication.\u00a0 While there are numerous blog and support articles that cover authentication and API methods, they are spread out over multiple product areas and no one solution is right for every scenario.\u00a0\u00a0 This article attempts to consolidate and list out the options to help a developer\/architect choose what works best for them.<\/p>\n<h2><b>O365 Architecture concepts<\/b><\/h2>\n<p>Before we look at the possible options, a quick refresher on how O365 and Azure are structured. An identity in O365 can be created in one of three possible ways:<\/p>\n<ol>\n<li>Cloud Identity : Manage your user accounts in Office 365 only. 
No on-premises servers are required to manage users; it&#8217;s all done in the cloud<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-35797\" src=\"http:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o1.jpg\" alt=\"\" width=\"644\" height=\"258\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o1.jpg 644w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o1-300x120.jpg 300w\" sizes=\"(max-width: 644px) 100vw, 644px\" \/><\/p>\n<ol start=\"2\">\n<li>Synchronized Identity : Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365.<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-35798\" src=\"http:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o2.jpg\" alt=\"\" width=\"644\" height=\"441\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o2.jpg 644w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o2-300x205.jpg 300w\" sizes=\"(max-width: 644px) 100vw, 644px\" \/><\/p>\n<ol start=\"3\">\n<li>Federated Identity : Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. 
This is often referred to as single sign-on.<\/li>\n<\/ol>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-35800\" src=\"http:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o3.jpg\" alt=\"\" width=\"580\" height=\"484\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o3.jpg 580w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/04\/o3-300x250.jpg 300w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/p>\n<p>See this for more detailed setup and reference: <a href=\"https:\/\/support.office.com\/en-us\/article\/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9\">https:\/\/support.office.com\/en-us\/article\/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9<\/a><\/p>\n<h2><b>O365 Application options<\/b><\/h2>\n<p>Now let's look at the ways different styles of applications can access the data from O365.<\/p>\n<ul>\n<li>.NET\/PowerShell\u00a0 application (Console\/Windows\/Service) : .NET applications that are not registered with SP and use REST and other APIs to interact with SP<\/li>\n<li>Non-.NET applications on non-Windows machines: these could be JavaScript\/Java\/scripting and other coding techniques.<\/li>\n<\/ul>\n<h2><b>O365 Authentication options<\/b><\/h2>\n<p>&nbsp;<\/p>\n<ul>\n<li>O365 Integrated Applications : SP-hosted\/provider-hosted applications are native to SP and have access to the SP APIs to read data directly using SPContext, and no additional authentication is needed most of the time.<\/li>\n<\/ul>\n<ul>\n<li>.NET\/PowerShell applications: These are the applications that are not registered with O365 but leverage direct API access. 
They have 2 ways to access O365 data:<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>With Username\/Password :\n<ul>\n<li>SharePointOnlineCredentials class: This is the easiest way for .NET-capable applications; load Microsoft.SharePoint.Client.dll and pass in the user credentials, and all authentication is managed by the API for you.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre>using Microsoft.SharePoint.Client;\r\n\/\/ siteUrl is the site collection URL; password is a System.Security.SecureString\r\nvar context = new ClientContext(siteUrl);\r\ncontext.Credentials = new SharePointOnlineCredentials(userName, password);\r\ncontext.Load(context.Web, w =&gt; w.Title);\r\ncontext.ExecuteQuery();\r\n<\/pre>\n<blockquote><p><strong>Dependency<\/strong>: SharePointOnlineCredentials is a wrapper class that is available in Microsoft.SharePoint.Client.Runtime.dll. There is no equivalent for other languages like Java, Python, etc.<\/p><\/blockquote>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>With an Application Identity :\n<ul>\n<li>Sharepoint Application Identity\nYou may want the application to access data on O365 as an application and not as a user. This means the application needs to be registered as an application and the application identity has to be granted permissions. To complicate this further, there are 2 different ways to create an application identity. Sharepoint Addin &#8211; ACS application: This is when an application is registered with SharePoint in O365. 
This gives the application an SP ID, and ACS acts as a middleman negotiating the authentication and token on the application\u2019s behalf. Here are the step-by-step instructions to set up an application as a SharePoint app in O365:\n<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/office\/jj687469(v=office.15).aspx?tduid=(8a2485fa516454dcf30b06bb9cf43361)(256380)(2459594)(TnL5HPStwNw-IESeJoD3O1aleALEKp497Q)()\">https:\/\/msdn.microsoft.com\/en-us\/library\/office\/jj687469(v=office.15).aspx?tduid=(8a2485fa516454dcf30b06bb9cf43361)(256380)(2459594)(TnL5HPStwNw-IESeJoD3O1aleALEKp497Q)()<\/a><\/p>\n<p>Navigate to <em>http:\/\/&lt;SharePointWebsite&gt;\/_layouts\/15\/AppRegNew.aspx<\/em> on the tenancy or farm.\nAppRegNew page form\n<a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/clip_image0081.gif\"><img decoding=\"async\" style=\"padding-top: 0px; padding-left: 0px; padding-right: 0px; border: 0px;\" title=\"clip_image008\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/clip_image008_thumb1.gif\" alt=\"clip_image008\" width=\"611\" height=\"484\" border=\"0\" \/><\/a><\/p>\n<p>Here is a sample of how the SharePoint Add-in technique can be called from a client application. The demonstration uses PowerShell, but the same approach works for any client written in Java\/Python\/JavaScript, etc.:\n<a href=\"https:\/\/blog.vgrem.com\/2015\/01\/27\/consuming-the-sharepoint-online-rest-api-from-powershell-part-2\/\">https:\/\/blog.vgrem.com\/2015\/01\/27\/consuming-the-sharepoint-online-rest-api-from-powershell-part-2\/<\/a><\/p>\n<p>Caveat: Since ACS manages the authentication, any Azure AD-specific rules or policies may be bypassed. For example, 
if your organization has an IP-restriction policy for O365 access in Azure AD, that policy may be bypassed by this kind of application because it uses ACS as a mediator.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>O365\/Azure AD Application Identity:\n<ul>\n<li>This is when an application is registered as an O365 application with Azure AD and leverages Azure AD for authentication. These apps then use the O365 APIs to access SharePoint data. This has the advantage of integrating with O365 and being able to access data across multiple services. The tradeoff is that the O365 APIs do not have the depth of the SP APIs and can be limited in the actions that can be performed. Also, the security permissions are then set at the Azure AD level for this application. The permission levels apply to the whole tenancy, so a read permission will give the application read-level access across the tenant. More granular permissions can be enforced by configuring the application for either App-only or App+User authentication. See below for details.\nSetting up permissions on Azure AD:\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/active-directory-integrating-applications\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/active-directory-integrating-applications<\/a>\nOn your web client application\u2019s configuration page in the Azure portal, set the permissions your application requires by using the menus in the Required Permissions section. 
<a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/clip_image0101.gif\">\n<img decoding=\"async\" style=\"padding-top: 0px; padding-left: 0px; padding-right: 0px; border: 0px;\" title=\"clip_image010\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/clip_image010_thumb1.gif\" alt=\"clip_image010\" width=\"644\" height=\"277\" border=\"0\" \/><\/a>\nThis provides 2 further control options:\n1.\u00a0 App Only: This gives the O365 app (Azure AD app) access to O365-SharePoint data based on the application credentials only. The user and\/or admin may still need to consent, depending on the permission settings specified for the app in Azure AD. This kind of access is great for applications that need to reach data across users\/webs\/the farm. However, in my opinion this access needs to be governed strictly by the SP admins, so that only approved and certified apps are registered this way and accidental business and data-integrity leaks are avoided.\n2.\u00a0 App + User: This option gives an application access to data only through the combination of a user credential and the application identity. These are best explained with the code samples here:\n<a href=\"https:\/\/developer.microsoft.com\/en-us\/graph\/docs\/authorization\/auth_overview\">https:\/\/developer.microsoft.com\/en-us\/graph\/docs\/authorization\/auth_overview<\/a><\/p>\n<p>Here is also a great blog on O365 API access options:\n<a href=\"http:\/\/chakkaradeep.com\/index.php\/office-365-api-client-libraries-authenticating-your-client-to-office-365\/\">http:\/\/chakkaradeep.com\/index.php\/office-365-api-client-libraries-authenticating-your-client-to-office-365\/<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>A few other points for consideration<\/h2>\n<p><b>App + User ACS (SharePoint App\/Add-in):<\/b><\/p>\n<ul>\n<li>Designed for web-based apps and not native clients (Console, Win Forms, 
Services, etc.)<\/li>\n<li>Supports refresh_token and authorization_code grant types<\/li>\n<li>The user\u2019s browser session needs to be authenticated with SharePoint; if it\u2019s not, the web app has to redirect to the SharePoint OAuth endpoint for user authentication (username\/password)<\/li>\n<li>This model is demonstrated by a provider-hosted SPO app created in Visual Studio<\/li>\n<\/ul>\n<p><b>App + User AAD (O365\/Azure AD app):<\/b><\/p>\n<ul>\n<li>Designed for native clients and typically not web-based clients. With web-based clients, it\u2019s possible to use this on the back-end for elevated-type behavior.<\/li>\n<li>The user\u2019s security context is used to access resources (webs, lists, items, etc.), so the authorization is not limited to what the app is configured with, as it is in app-only.<\/li>\n<\/ul>\n<p>Hope this helps make your design choices for accessing SharePoint data in O365 easier.<\/p>\n<hr align=\"center\" size=\"3\" width=\"100%\" \/>\n<p><a href=\"https:\/\/blogs.msdn.com\/b\/premier_developer\/archive\/2014\/09\/15\/welcome.aspx\"><strong>Premier Support for Developers<\/strong><\/a> provides strategic technology guidance, critical support coverage, and a range of essential services to help teams optimize development lifecycles and improve software quality.\u00a0 Contact your Application Development Manager (ADM) or <a href=\"https:\/\/blogs.msdn.microsoft.com\/premier_developer\/contact-us\/\"><b>email us<\/b><\/a> to learn more about what we can do for you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post, Senior Application Development Manager, Anant Dimri explains authentication options available to application developers who wish to interact with data in O365. A developer writing applications that interact with SharePoint (SP) data (Lists\/Events\/Documents, etc.) 
will be faced with several options to set up authentication.\u00a0 While there are numerous blog and support articles that cover [&hellip;]<\/p>\n","protected":false},"author":582,"featured_media":37840,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[149,335,3],"class_list":["post-8195","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-permierdev","tag-authentication","tag-sharepoint","tag-team"],"acf":[],"blog_post_summary":"<p>In this post, Senior Application Development Manager, Anant Dimri explains authentication options available to application developers who wish to interact with data in O365. A developer writing applications that interact with SharePoint (SP) data (Lists\/Events\/Documents, etc.) will be faced with several options to set up authentication.\u00a0 While there are numerous blog and support articles that cover 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/8195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/users\/582"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/comments?post=8195"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/8195\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media\/37840"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media?parent=8195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/categories?post=8195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/tags?post=8195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}