seebiscuit

Reputation: 5053

What OAuth endpoint should be used to query user information from the Graph API

I'm writing a Word add-in. The add-in will be a paid add-in that can be purchased by an organization (Office 365 tenant) or an individual.

Licensing

Once purchased, a user will have to authenticate. To ensure the user is licensed to use the add-in I will validate either by

  1. If an individual purchaser: looking up id or email associated with user's Microsoft account
  2. If an organizational user: looking up tenant id and reference number of licenses

I don't expect Microsoft to provide/store any licensing data. The licensing data (terms and ids) will be kept in my own database.

Authentication

Until SSO is out of Preview, I'm planning on using the Authenticator from office-js-helpers, to get the information of the user that has signed in to my add-in.

In the helper docs they list the following possible OAuth strategies:

var authenticator = new OfficeHelpers.Authenticator();

// register Microsoft (Azure AD 2.0 Converged auth) endpoint using
authenticator.endpoints.registerMicrosoftAuth('client id here');

// register Azure AD 1.0 endpoint using
authenticator.endpoints.registerAzureADAuth('client id here', 'tenant here');

// register Google endpoint using
authenticator.endpoints.registerGoogleAuth('client id here');

// register Facebook endpoint using
authenticator.endpoints.registerFacebookAuth('client id here');

// register any 3rd-Party OAuth Implicit Provider using
authenticator.endpoints.add('Name of provider', { /* Endpoint Configuration */ });

Graph API

I understand that once a user is authenticated I will receive an authentication token which I can use to query the Graph API for the user's information.

Question

My question is which OAuth strategy will respond with a token to the Graph API that will return information for the following?

  1. Individual users with a Microsoft account
  2. Organizational users associated to a tenant id

Is there any difference between the Microsoft (Azure AD 2.0 Converged auth) endpoint and the Azure AD 1.0 endpoint?

Upvotes: 1

Views: 338

Answers (1)

Marc LaFleur

Reputation: 33094

Yes, there are quite a few differences. At a high-level, these are:

v1 endpoint:

  • Only supports AAD accounts. It does not support MSA/Outlook.com/Live account types.
  • Uses "Resources" instead of "Scopes"
  • Requires pre-defining the permission scopes you want in the registration
  • Supported by nearly all Microsoft REST APIs (not just Microsoft Graph)

v2 endpoint:

  • Supports both AAD and MSA accounts
  • Uses "Scopes" instead of "Resources"
  • Permission scopes can be dynamically requested at runtime or predefined (note that for service/daemon apps using Client Credentials, you must predefine them).
  • Supported by a smaller set of APIs today (although to be fair, most APIs are heading to Graph over time).

Note: This is a super-high-level-skip-a-lot-of-detail list but it covers most of the core differences.

Upvotes: 3
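The following is an added example, not code from the question, the answer, or the office-js-helpers project. It ties the answer's point (the v2 "Microsoft" endpoint is the one of the listed strategies that signs in both MSA and AAD users) to the licensing design in the question: the add-in registers only that endpoint, and a licensing backend maps the signed-in account either to an individual purchase (by account id) or to a tenant's seat pool (by tenant id), both held in the add-in's own records. Assumptions not stated on the page: office-js-helpers' Authenticator exposes endpoints.registerMicrosoftAuth(clientId) and authenticate('Microsoft') resolving to an object with access_token; personal (MSA) accounts that sign in through the v2 endpoint carry the consumer tenant id in the token's tid claim, and the tenant id constant below is that value; the license table, the sampleToken helper and all ids are constructed sample data.

```javascript
// Added example; assumptions are listed in the lead-in above.
// The MSA consumer tenant id (assumed to be the value below) marks a personal
// Microsoft account when it appears in the token's "tid" claim.
const MSA_CONSUMER_TENANT = '9188040d-6c67-4c5b-b112-36a304b66dad';

// 1. Register only the v2 (converged) endpoint: of the strategies listed in
//    the question it is the one that signs in both MSA and AAD users for Graph.
//    Returns a function that performs the sign-in and yields the token object.
function registerGraphSignIn(authenticator, clientId) {
  authenticator.endpoints.registerMicrosoftAuth(clientId);
  return () => authenticator.authenticate('Microsoft');
}

// 2. Read the claims of a compact JWT. This only decodes the payload; it does
//    NOT verify signature, issuer, audience or expiry, so call it on the
//    licensing backend only after the token has been validated.
function decodeJwtClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // Node's base64 decoder accepts the URL-safe alphabet and missing padding.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// 3. Map validated claims to the licensing key described in the question:
//    individuals are looked up by account id (oid), organizational users by
//    tenant id (tid).
function licenseKeyFor(claims) {
  if (!claims.tid || !claims.oid) throw new Error('missing tid/oid claim');
  if (claims.tid === MSA_CONSUMER_TENANT) {
    return { kind: 'individual', key: claims.oid };
  }
  return { kind: 'organization', key: claims.tid };
}

// 4. Check the key against the add-in's own license records. Organizational
//    licenses carry a seat count; seats are assigned per user oid so the
//    reference number of licenses is enforced by the backend, not by Microsoft.
function checkLicense(db, claims) {
  const { kind, key } = licenseKeyFor(claims);
  const record = db[kind][key];
  if (!record) return { licensed: false, reason: `no ${kind} license for ${key}` };
  if (kind === 'individual') return { licensed: true, reason: 'individual purchase' };
  const seats = record.assigned;
  if (seats.includes(claims.oid)) return { licensed: true, reason: 'seat already assigned' };
  if (seats.length >= record.seatCount) return { licensed: false, reason: 'no free seats' };
  seats.push(claims.oid);
  return { licensed: true, reason: 'seat assigned' };
}

// Constructed sample data. sampleToken builds an UNSIGNED token body purely so
// the decoder can be exercised offline; it is never something to trust.
function sampleToken(claims) {
  const b64url = (s) => Buffer.from(s).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${b64url('{"typ":"JWT","alg":"RS256"}')}.${b64url(JSON.stringify(claims))}.`;
}

const sampleLicenseDb = {
  individual: { '11111111-aaaa-4bbb-8ccc-000000000001': { purchased: '2018-01-01' } },
  organization: { 'f0f0f0f0-1234-4abc-9def-000000000002': { seatCount: 2, assigned: [] } },
};

// Runs both paths: a personal account (MSA tenant) and a tenant user.
function demo() {
  const personal = decodeJwtClaims(sampleToken({
    tid: MSA_CONSUMER_TENANT, oid: '11111111-aaaa-4bbb-8ccc-000000000001' }));
  const corporate = decodeJwtClaims(sampleToken({
    tid: 'f0f0f0f0-1234-4abc-9def-000000000002', oid: 'user-1' }));
  return [checkLicense(sampleLicenseDb, personal), checkLicense(sampleLicenseDb, corporate)];
}
```

In the add-in itself only registerGraphSignIn runs; the token it yields goes to the licensing backend, which validates it before decodeJwtClaims and checkLicense are applied, because a client can always send whatever claims it likes.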
