In this video, learn the difference between application permissions and delegated permissions, and how to register the app in Azure AD and grant it permissions.
- [Instructor] Let's start writing a web application that will call Microsoft Graph with application-only identity. So the first thing I'll say here is that the application, the web application, is going to be logged in via Azure AD. And this is something we've already seen. So I'm going to actually start with the code that we ended with in the chapter where I talked about an Azure AD protected web application.
So go ahead, grab that code, and let's go ahead and start with that. Now this web application is already registered in your Azure AD. If it is not, please go ahead and register one just like the instructions I showed in the previous chapter, and ensure that the web.config has these entries matching your registration. Now, let's discuss what I intend to do in this application.
Now so far all the calls I've been making to Azure AD through the JavaScript single-page application or through the native client app were reading my profile. Reading my profile doesn't need any special permissions. But now we'll start coloring a little bit outside the lines. So I'm going to go to developer.microsoft.com/en-us/graph. And here, let's go to documentation.
And look for users. And what I'm going to do now is that the permission that I'm interested in this time around is User.Read.All. So basically, the user that I'm interested in, or the list of users that I want to query. I want to query for all users in this site. So, instead of querying for /me, I'm going to query for /users.
Now you can read this page and look at what else is possible here. But this is the URL I'll be making a GET request to. In order for me to make this request, I need to grant my web application a certain permission. So let's log into Office 365 and grant myself that permission. As before, access the admin area, and go to your Azure AD.
Look for application registrations and find the web application that you had already registered. Again, this is something I've covered in a previous module. Now here, we're going to change some permissions. Click on add. I'm going to select an API. So you see, there are lots of these APIs that are available, more than just Microsoft Graph. Go and select Microsoft Graph.
And here you see there are some permissions that are application permissions, and then there are some that are delegated permissions. So see, the delegated permissions are the ones where you need to forward the user's identity. And the application permissions are the ones that work with just the application identity. And the specific permission that I'm interested in here is this one here, read all users' profiles. So go ahead and grant your application this permission.
And click on select. Click on done. And remember to click this grant permissions button at the end of it. Now your application has the permission. But the application needs to identify itself. And to do that, we will use a client credential. Part of it is a key that we will generate here. So go to the keys area. And choose to generate a key.
Give it a duration. And hit save. And this value is shown only once, so make sure that you copy it, and let's go ahead and put this key in our web.config. This completes the set-up of my application in Azure AD and granting the permissions, and now I can start writing some code.
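The set-up above ends with three values in web.config (tenant, client ID, and the generated key) and an application permission that only takes effect once the grant-permissions button has been clicked. The following is an added example, not the course's own code, showing the client-credentials flow those values drive and the check a practitioner wants before calling /users: an application-only token from Azure AD carries its granted application permissions in a `roles` claim (delegated permissions show up in `scp` instead), so if User.Read.All is missing from `roles`, the grant step was skipped and the /users call will be refused. The Azure AD v1 token endpoint and the `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` environment variables are assumptions made for this example; the demo token is constructed and unsigned, for offline inspection only.

```python
"""Application-only (client credentials) call to Microsoft Graph /users.

Added example, not code from the course. Assumes the three web.config values
from the video are exported as TENANT_ID, CLIENT_ID and CLIENT_SECRET.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Azure AD v1 endpoint, matching the classic portal used in the video (assumption).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
REQUIRED_APP_PERMISSION = "User.Read.All"


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form body) for a client-credentials token request.

    No user is involved: the app authenticates itself with its client ID and
    the key generated in the portal, and asks for a token scoped to Graph.
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH_RESOURCE,
    }).encode()
    return url, body


def decode_jwt_payload(token):
    """Decode the claims segment of a JWT without verifying the signature.

    This is diagnostic inspection of a token we just received from Azure AD
    and will hand straight to Graph; it is not token validation. The resource
    (Graph) validates the signature, the caller never should rely on this.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_app_roles(token):
    """Application permissions live in the `roles` claim of an app-only token."""
    return set(decode_jwt_payload(token).get("roles", []))


def has_app_permission(token, permission):
    return permission in granted_app_roles(token)


def make_unsigned_demo_token(claims):
    """Constructed, unsigned JWT for offline demonstration only.

    A real Azure AD access token is RS256-signed; this only mimics the layout
    so the `roles` / `scp` check above can be exercised without a tenant.
    """
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def fetch_all_users(tenant, client_id, client_secret):
    """Acquire an app-only token, confirm the permission, then page through /users."""
    url, body = build_token_request(tenant, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
        token = json.load(resp)["access_token"]
    if not has_app_permission(token, REQUIRED_APP_PERMISSION):
        # Typical cause: the permission was added but "Grant permissions" was never clicked.
        raise PermissionError(
            f"token lacks the {REQUIRED_APP_PERMISSION} application role; "
            "check that admin consent was granted in the portal")
    users, next_url = [], GRAPH_USERS
    while next_url:  # Graph pages results via @odata.nextLink
        req = urllib.request.Request(next_url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page.get("value", []))
        next_url = page.get("@odata.nextLink")
    return users


if __name__ == "__main__":
    for u in fetch_all_users(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"]):
        print(u.get("userPrincipalName"))
```

The `roles` check is the practical difference between the two permission types in the video: a delegated token for the same app would carry `"scp": "User.Read"` and no `roles`, and Graph would reject /users with it, so failing fast on the claim is cheaper than diagnosing a 403 later. Store the generated key as you would any credential (outside source control, rotated before its portal expiry), since it alone lets anything holding it read every user in the directory.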