@spsahmedabad #SPSAhmedabad
Company name appears here Footer Date Month 2016 1
Modes of Authentication and Authorisation with
SharePoint Online
Purvin Desai
Architect
5th April 2017
Authentication and Authorisation Models
1. Terminology
Types of SharePoint Online applications
• SharePoint Add-ins
  • SharePoint-Hosted
  • Provider-Hosted
• SharePoint Framework
2. SharePoint Add-In Models
• Add-In Only
• User + Add-In
SharePoint Add-in Model
SharePoint Add-In Model: Add-In Only
Highlights:
• Operates as an application only; the access token carries no user identity.
• Does not require any interactive action by a user to authenticate.
• Trust is established via the permission request manifest, which is registered either through a .app package or the AppInv.aspx page, by a user who holds at least the permissions the manifest asks for.
• The add-in can perform any operation covered by the permissions it requested. Nothing narrows them per user, so the client ID and client secret together are the whole credential and must be protected as such.
• When performing actions as the application only, the token is retrieved by:
• string addinOnlyAccessToken = TokenHelper.GetAppOnlyAccessToken(contextToken.TargetPrincipalName, sharepointUrl.Authority, contextToken.Realm).AccessToken;
SharePoint Add-in Model: Add-In Only
• /_layouts/appregnew.aspx: registers the add-in principal and issues the client ID and client secret.
• /_layouts/appinv.aspx: looks up that client ID and grants the permissions declared in the pasted permission request XML.
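The permission request XML that appinv.aspx accepts is not shown on the slides. The following Python is an added example, not from the deck and not Microsoft tooling, that parses such a request and lists the grants a reviewer should question before clicking Trust. The sample manifest and its over-broad second request are constructed for illustration; the scope URIs and rights are SharePoint's own, while the review rules are this example's.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the permission request XML pasted into appinv.aspx.
# The scope URIs and rights are SharePoint's real ones; the second request is
# deliberately over-broad so the review below has something to flag.
SAMPLE_MANIFEST = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read" />
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>"""

CONTENT_PREFIX = "http://sharepoint/content/"
CONTENT_SCOPES = {CONTENT_PREFIX + s for s in (
    "tenant", "sitecollection", "sitecollection/web", "sitecollection/web/list")}
CONTENT_RIGHTS = {"Read", "Write", "Manage", "FullControl"}


def parse_permission_requests(xml_text: str) -> dict:
    """Turns an AppPermissionRequests document into plain values, rejecting
    content-scope requests that SharePoint would not understand. Non-content
    scopes (search, taxonomy, ...) are passed through unchecked."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        raise ValueError(f"unexpected root element {root.tag!r}")
    allow_app_only = root.get("AllowAppOnlyPolicy", "false").lower() == "true"
    requests = []
    for node in root.findall("AppPermissionRequest"):
        scope, right = node.get("Scope", ""), node.get("Right", "")
        if scope.startswith(CONTENT_PREFIX) and (
                scope not in CONTENT_SCOPES or right not in CONTENT_RIGHTS):
            raise ValueError(f"invalid content permission: {scope} {right}")
        requests.append({"scope": scope, "right": right})
    return {"allow_app_only": allow_app_only, "requests": requests}


def review(manifest: dict) -> list:
    """Findings a reviewer should raise before trusting the request."""
    findings = []
    for req in manifest["requests"]:
        if req["scope"] == CONTENT_PREFIX + "tenant":
            findings.append(f"tenant-wide {req['right']}: every site collection in the tenant")
        if req["right"] == "FullControl":
            findings.append(f"FullControl on {req['scope']}: confirm Read/Write/Manage is not enough")
    if manifest["allow_app_only"] and manifest["requests"]:
        findings.append("AllowAppOnlyPolicy: the client secret alone exercises all of the above, no user needed")
    return findings


if __name__ == "__main__":
    for finding in review(parse_permission_requests(SAMPLE_MANIFEST)):
        print(finding)
```

Two practical consequences of the model follow from this: a request with tenant scope can only be granted from the tenant admin site's appinv.aspx, and anyone who can reach appinv.aspx on a site with enough rights can grant a site-scoped request, so access to that page is itself worth auditing.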
SharePoint Add-in Model: User + Add-In
Highlights:
• This is the default model. It requires use of the App Catalog and a .app package, and the add-in appears under "Apps from your organization".
• Can operate either as User + Application or as Application Only, so it is a superset of the Add-In Only model.
• Trust is established at the point in time the application is added to the site. The user trusting the application must hold at least the permissions requested in the manifest; SharePoint will not let a user grant more than they have themselves.
• When performing actions as User + Application, the token is retrieved by:
• string accessToken = TokenHelper.GetAccessToken(contextToken, sharepointUrl.Authority).AccessToken;
• When performing actions as Application Only, the token is retrieved by:
• string addinOnlyAccessToken = TokenHelper.GetAppOnlyAccessToken(contextToken.TargetPrincipalName, sharepointUrl.Authority, contextToken.Realm).AccessToken;
• In both cases contextToken comes from TokenHelper.ReadAndValidateContextToken, which verifies the signature of the SPAppToken SharePoint posted against the client secret before any of its claims are used.
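The Add-In Only and User + Add-In slides quote TokenHelper one-liners without showing what they do. The following Python is an added example, not the deck's code and not Microsoft's TokenHelper, that reproduces the relevant steps: validate the context token SharePoint posts to a provider-hosted add-in, then build the two ACS token requests, the refresh-token grant behind GetAccessToken (User + Add-in) and the client-credentials grant behind GetAppOnlyAccessToken (Add-in Only). The client ID, secret, realm, host and token claims are constructed sample values; the ACS URL, principal IDs, parameter formats and claim names are the ones the add-in model actually uses.

```python
import base64
import hashlib
import hmac
import json

# Fixed, public principal IDs, the same values TokenHelper hard-codes.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"
ACS_TOKEN_URL = "https://accounts.accesscontrol.windows.net/{realm}/tokens/OAuth/2"

# Constructed sample values; a real add-in reads these from web.config.
CLIENT_ID = "a1b2c3d4-0000-4000-8000-000000000001"
CLIENT_SECRET = base64.b64encode(b"constructed sample secret 0123456789abcdef").decode()
OTHER_SECRET = base64.b64encode(b"a different constructed secret").decode()
REALM = "f0e1d2c3-0000-4000-8000-0000000000aa"   # the tenant ID
HOST = "contoso.sharepoint.com"
NOW = 1_700_000_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, client_secret: str) -> bytes:
    # TokenHelper uses the base64-decoded client secret as the HMAC-SHA256 key.
    key = base64.b64decode(client_secret)
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def make_context_token(claims: dict, client_secret: str) -> str:
    """Builds a token shaped like the SPAppToken SharePoint POSTs to a
    provider-hosted add-in. Only used here to construct sample input."""
    head = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    signing_input = head + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(_sign(signing_input, client_secret))


def validate_context_token(token, client_id, host, client_secret, now) -> dict:
    """The checks TokenHelper.ReadAndValidateContextToken performs: signature
    under the client secret, audience bound to this add-in and host, and
    validity window. Until these pass, every claim is untrusted input."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = _sign(head_b64 + "." + claims_b64, client_secret)
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature does not verify under the client secret")
    claims = json.loads(_unb64url(claims_b64))
    sender, realm = claims["appctxsender"].split("@", 1)
    if claims["aud"] != f"{client_id}/{host}@{realm}":
        raise ValueError("token was issued to a different add-in or host")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token outside its validity window")
    return {"realm": realm, "target_principal_name": sender,
            "refresh_token": claims["refreshtoken"],
            "cache_key": json.loads(claims["appctx"])["CacheKey"]}


def is_valid_context_token(token, client_id, host, client_secret, now) -> bool:
    try:
        validate_context_token(token, client_id, host, client_secret, now)
        return True
    except (ValueError, KeyError):
        return False


def _acs_request(realm, target_principal, host, client_id, client_secret, grant):
    body = {"client_id": f"{client_id}@{realm}", "client_secret": client_secret,
            "resource": f"{target_principal}/{host}@{realm}"}
    body.update(grant)
    return {"url": ACS_TOKEN_URL.format(realm=realm), "body": body}


def user_plus_addin_token_request(ctx, host, client_id, client_secret):
    # User + Add-in (TokenHelper.GetAccessToken): redeem the refresh token SharePoint
    # delivered inside the context token, so the access token carries the user.
    return _acs_request(ctx["realm"], ctx["target_principal_name"], host, client_id,
                        client_secret, {"grant_type": "refresh_token",
                                        "refresh_token": ctx["refresh_token"]})


def addin_only_token_request(target_principal, host, realm, client_id, client_secret):
    # Add-in only (TokenHelper.GetAppOnlyAccessToken): client credentials alone.
    # No user is involved, so the token is exactly as powerful as the manifest grant.
    return _acs_request(realm, target_principal, host, client_id, client_secret,
                        {"grant_type": "client_credentials"})


# Constructed sample context token, as SharePoint would post it to the add-in.
SAMPLE_TOKEN = make_context_token({
    "aud": f"{CLIENT_ID}/{HOST}@{REALM}",
    "iss": f"{ACS_PRINCIPAL}@{REALM}",
    "nbf": NOW - 60, "exp": NOW + 12 * 3600,
    "appctxsender": f"{SHAREPOINT_PRINCIPAL}@{REALM}",
    "appctx": json.dumps({"CacheKey": "constructed-cache-key",
                          "SecurityTokenServiceUri": ACS_TOKEN_URL.format(realm=REALM)}),
    "refreshtoken": "constructed-refresh-token",
    "isbrowserhostedapp": "true",
}, CLIENT_SECRET)
```

The two request bodies differ only in the grant: the refresh token ties the result to the user who launched the add-in, while client credentials produce a token with no user at all. Both bodies carry the client secret, which is why an add-in's web.config deserves the same handling as any other service credential.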
3. O365 API Models (Azure AD Authentication)
• Application Model (Certificate)
• Delegate Model
Office 365 API
The Office 365 API services use Azure Active Directory (Azure AD) to provide secure authentication and
authorization to users' Office 365 data. Azure AD implements authorization flows according to the OAuth 2.0
protocol.
Therefore, enabling your app to authenticate in order to access Office 365 data consists of two basic steps:
• Register your app with Azure AD
• Implement code in your app that handles the appropriate authentication flow
Office 365 API: Application Permissions
• Highlights:
• Operates as an application only; no user is signed in.
• Does not require any interactive action by a user.
• Requires tenant administrator consent.
• Not supported for use by native client applications, which cannot keep a credential secret.
• Once consented, the application proves its identity to Azure AD with a certificate rather than a shared secret, and then calls the API with the access token it is issued.
Note: Application Permissions are granted at the Tenant scope *only*. This means that if "Read" access is requested, the application will be able to read all content in all site collections in the tenant, so the certificate's private key must be guarded as a tenant-wide credential.
Office 365 API: Delegated Permissions
• Highlights:
• Operates under the context of a user.
• Requires a user to log on interactively so that the application can act on their behalf.
• Requires only user consent (unless the permission, or the tenant's policy, demands administrator consent); once given, the application has the permissions it requested, limited to what that user can already access.
• Once authorised, communication with the API is achieved via a bearer access token issued for that user.
• Azure AD Delegated Permissions are recommended if you are building an application that needs to talk to the O365 Graph API, the OneNote API and SharePoint sites.
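The Application Permissions and Delegated Permissions slides describe the difference from the calling application's side. From a resource API's side the question is which kind of token just arrived, because a tenant-wide operation must never be reachable through a delegated token. The following Python is an added example, not from the deck, showing that check on Azure AD access tokens: application permissions arrive in the roles claim, delegated permissions in scp. The tokens, tenant, app ID and permission names are constructed samples; signature verification is left out here and must come first in real code.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims(jwt: str) -> dict:
    """Reads the payload of an Azure AD access token. Signature, audience and
    expiry validation are deliberately not shown; a real API checks them against
    the tenant's published signing keys before trusting a single claim."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_unb64url(payload))


def classify(claims: dict) -> dict:
    """Application permissions arrive in 'roles'; delegated permissions in 'scp'.
    A delegated token can also carry 'roles' (app roles assigned to the signed-in
    user), so the presence of 'scp' is the test, not the absence of 'roles'."""
    if "scp" in claims:
        return {"mode": "delegated", "permissions": claims["scp"].split(),
                "subject": claims.get("upn") or claims.get("preferred_username") or claims.get("oid")}
    if claims.get("roles"):
        return {"mode": "application", "permissions": list(claims["roles"]),
                "subject": claims.get("appid") or claims.get("azp")}
    return {"mode": "none", "permissions": [], "subject": None}


def authorize(claims: dict, required: str, tenant_wide: bool) -> bool:
    """A tenant-wide operation (e.g. enumerate every site collection) is only
    meaningful under application permissions. Under delegated permissions the
    effective access is the intersection of the grant and the user's own rights,
    and the API must not widen it on the user's behalf."""
    info = classify(claims)
    if required not in info["permissions"]:
        return False
    return info["mode"] == "application" or not tenant_wide


def sample_jwt(claims: dict) -> str:
    """Unsigned stand-in used only for test input; real tokens are RS256-signed."""
    return (_b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()) + "."
            + _b64url(json.dumps(claims).encode()) + ".signature-omitted")


# Constructed sample tokens for https://contoso.sharepoint.com as the resource.
TENANT = "f0e1d2c3-0000-4000-8000-0000000000aa"
APP_ID = "a1b2c3d4-0000-4000-8000-000000000001"
DELEGATED_JWT = sample_jwt({
    "aud": "https://contoso.sharepoint.com", "tid": TENANT, "appid": APP_ID,
    "scp": "AllSites.Read User.Read", "upn": "alice@contoso.onmicrosoft.com"})
APP_ONLY_JWT = sample_jwt({
    "aud": "https://contoso.sharepoint.com", "tid": TENANT, "appid": APP_ID,
    "roles": ["Sites.Read.All"]})
# A user who also holds an app role: still delegated, still bounded by the user.
DELEGATED_WITH_ROLES_JWT = sample_jwt({
    "aud": "https://contoso.sharepoint.com", "tid": TENANT, "appid": APP_ID,
    "scp": "Sites.Read.All", "roles": ["Sites.Read.All"],
    "upn": "bob@contoso.onmicrosoft.com"})
```

The third sample is the case that trips up APIs which test for roles alone: the token names the same permission in both claims, but it was issued to a user, so the tenant-wide path must stay closed to it.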
4. Cloud Service Account
Cloud Service Account
Highlights:
• Direct equivalent of an on-premises service account: an ordinary user account with a username and password.
• Usable by third-party applications that cannot authenticate with SharePoint Online by any of the methods described above.
• The password resets every 90 days, so the stored credential has to be rotated on that schedule or the integration stops working.
• MFA will not work in this scenario, because the application signs in with a username and password only; this is the main reason to prefer the token-based models above.
• Standard best practices for storing usernames and passwords apply.
5. Notes
Applications that use User Context
• There is significant overlap between the SharePoint Add-in User + Add-in model and the O365 API Delegated model. Things to consider:
• Use of the Office 365 APIs (e.g. Graph, Contacts) requires the O365 API Delegated model.
• The O365 API grants access to ALL of a user's resources within the permission (e.g. every site collection the user can reach), whereas the SharePoint Add-in model is confined to the scope declared in the manifest (e.g. site collection, web, list).
• Device-based solutions are recommended to use the O365 API.
Decision Chart
Questions and Answers
References
THANK YOU !