Microsoft Graph API and OutSystems
Application Permissions
Access Microsoft Cloud Services via Graph API in OutSystems
Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
Agenda
Fundamentals
 Introduction to Microsoft Graph API
 Understanding OAuth 2.0
 Access and OpenId Connect Tokens
 Microsoft Identity Provider
 Grant Types
 Microsoft Graph API Scopes and Permissions
Implementation
 Prerequisites
 Register an application with Microsoft Identity Provider (Entra ID)
 Acquire a server-to-server access token via OAuth 2.0 Client Credentials flow
 Consume Graph API endpoints with OutSystems
 Securing Client Secrets
Introduction to Microsoft Graph API
Microsoft Graph API is a RESTful web API that enables you to
access Microsoft Cloud service resources.
It provides a unified programmability model that you can use to
access the data in Microsoft 365, Windows 10, and Enterprise
Mobility + Security.
With Microsoft Graph, you can integrate various Microsoft
services like Outlook, Microsoft Teams, OneDrive, and more into
your applications.
Outlook
People
Sharepoint
Teams
Microsoft Graph API
Your Application
Understanding OAuth 2.0 – Access and OpenId Connect Tokens
Access Token
An OAuth 2.0 Access Token is a credential used to access
protected resources on behalf of a resource owner.
Issued by the authorization server, it represents the grant of
access given to a client application.
This token does not contain information about the user's
identity; instead, it is used to access APIs securely.
OpenId Connect Token
An OpenID Connect Token is an identity token provided by
the OpenID Connect protocol, which is built on top of the
OAuth 2.0 framework.
This token contains claims about the authentication of an end
user and provides an additional layer of identity validation.
It's typically a JSON Web Token (JWT) that includes
information such as the user's identity, the authentication
method used, and the token's validity period.
Understanding OAuth 2.0
Microsoft Identity Provider
Microsoft Identity Platform is a set of identity and access
management tools, which facilitates secure sign-in and
authorization for applications.
It integrates advanced identity capabilities, such as single sign-on
(SSO), multi-factor authentication (MFA), and conditional
access policies, across a wide range of Microsoft and third-party
cloud applications.
The platform is built on top of industry-standard protocols like
OAuth 2.0 and OpenID Connect.
Microsoft's identity platform, Entra, is the
Identity Provider that protects all resources
and APIs in your tenant, including Graph API.
Microsoft Entra
Understanding OAuth 2.0 – Grant Types
Client Credentials Flow
The OAuth 2.0 Client Credentials
flow is a way for applications to
access a service API using their own
credentials, rather than
impersonating a user.
This flow is typically used for server-
to-server interactions that must run
in the background, without
immediate interaction with a user.
It involves directly requesting an
access token from the identity
provider using the application's client
ID and secret.
Device Code Flow
The OAuth 2.0 Device Code flow is
designed for devices that either do
not have a browser or have limited
input capabilities.
In this flow, the device displays a
code and asks the user to enter this
code on a second device (like a
smartphone) which has a browser.
Once the user enters the code and
authenticates, the device can obtain
an access token.
Authorization Code Flow
The OAuth 2.0 Authorization Code
flow is designed for applications to
access a service API on behalf of a
user.
This flow requires the user to be
redirected to the identity provider to
authenticate, after which they are
redirected back to the application
with an authorization code. This code
is then exchanged for an access
token by the application backend
using a client secret.
Authorization Code Flow with Proof
Key for Code Exchange (PKCE) is designed for
applications that cannot securely
store a client secret.
Microsoft Graph API
Scopes and Permissions
Microsoft Graph API scopes, or permissions, define the
level of access that an application has to Microsoft Graph
data. They can be categorized into two types:
 Application Permissions
 User Permissions (Delegated Permissions)
The choice between these permissions depends on the
type of application, the data it needs to access, and
whether it operates in the context of a signed-in user or
not.
Acting as Application
On behalf of a User
Implementation
Prerequisites
 Access to your Azure Tenant using the Azure Portal
 Cloud Application Administrator role assigned to your user
account to register an application in your tenant.
Walkthrough
Best Practices
 Register an application per OutSystems application. Do not
create “super”-credentials.
 Do not store your client secret in plain text anywhere. Either
encrypt it or use an external credential store like AWS
Secrets Manager or HashiCorp Vault.
 Build a central OutSystems Access Token Retrieval Service.
 Do not use the built-in support for hardcoded client
credentials. Client secrets should rotate over time, and you
would have to redeploy every time your client secret
changes.
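The Client Credentials flow and the central token retrieval service recommended above, sketched in Python as an added example; it is not part of the original slides and not an OutSystems component. The `TokenService` class, the `get_secret` lookup (standing in for a credential store such as AWS Secrets Manager or HashiCorp Vault), and the tenant, client ID and secret values are assumptions constructed for illustration.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint, and the Graph ".default" scope,
# which requests the application permissions granted to the app registration.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def post_form(url, fields):
    """Default transport: POST a form-encoded body and return the parsed JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # the error reply is a JSON document as well


class TokenService:
    """Central access token retrieval for several app registrations (hypothetical)."""

    def __init__(self, get_secret, transport=post_form, clock=time.time, skew=60):
        self._get_secret = get_secret  # looks the secret up in the credential store
        self._transport = transport
        self._clock = clock
        self._skew = skew              # refresh this many seconds before expiry
        self._cache = {}               # (tenant, client_id) -> (token, expires_at)

    def get_token(self, tenant, client_id):
        key = (tenant, client_id)
        cached = self._cache.get(key)
        if cached and cached[1] - self._skew > self._clock():
            return cached[0]
        # The secret is read at request time, so a rotated secret is picked up
        # without redeploying the consuming application.
        fields = {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": self._get_secret(client_id),
            "scope": GRAPH_SCOPE,
        }
        reply = self._transport(TOKEN_URL.format(tenant=tenant), fields)
        if "access_token" not in reply:
            # Report the error code only; the request itself contains the secret.
            raise RuntimeError("token request failed: %s" % reply.get("error", "unknown"))
        expires_at = self._clock() + int(reply.get("expires_in", 0))
        self._cache[key] = (reply["access_token"], expires_at)
        return reply["access_token"]

    def auth_header(self, tenant, client_id):
        """Header to attach to a Graph API request."""
        return {"Authorization": "Bearer " + self.get_token(tenant, client_id)}


def demo():
    """Offline run against a constructed credential store and a fake token endpoint."""
    store = {"app-orders": "constructed-secret-1"}  # constructed sample values
    now = [1000.0]
    calls = []

    def fake_endpoint(url, fields):
        calls.append((url, dict(fields)))
        if fields["client_secret"] != store[fields["client_id"]]:
            return {"error": "invalid_client"}
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": "token-%d" % len(calls)}

    svc = TokenService(store.__getitem__, fake_endpoint, clock=lambda: now[0])
    first = svc.get_token("contoso-tenant", "app-orders")
    second = svc.get_token("contoso-tenant", "app-orders")  # served from the cache
    now[0] += 3600 - 30                                     # inside the skew window
    store["app-orders"] = "constructed-secret-2"            # secret rotated in the store
    third = svc.get_token("contoso-tenant", "app-orders")   # refreshed with new secret
    return first, second, third, calls


if __name__ == "__main__":
    print(demo()[:3])
```

Because each app registration is keyed separately in the cache, the service supports one registration per application rather than a shared "super" credential.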
Additional Links
 Master OAuth 2.0 Website
 Microsoft Developer Program
 Azure Portal
 Use the Microsoft Graph API documentation
 Microsoft Graph Permission Reference
 Microsoft Graph Explorer
 OAuth Token Exchange Forge component
 CryptoAPI Forge component
Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
https://www.tbs.tech
https://www.linkedin.com/in/stefanweber1/
https://lcnc.blog
