Retrieving an access token with admin consent : ho

Posted 2019-09-09 16:18

In my third-party web application for Office 365, I want to have access to the contacts, events and emails of all the users from the organizations who installed my app. The thing is, I don't want all these users to have to grant me access; I just want one admin of the org to grant access for my app and then be able to retrieve the data I need for all the users.

To test for one organization, I logged in as the admin and proceeded with the OAuth2 authentication to retrieve the access token, and in the first request (the GET one to retrieve an authorization code) I added the parameter prompt=admin_consent.

With this access token, I can access the data (emails, contact, event) of the admin

for instance for the contacts

uri: https://outlook.office365.com/ews/odata/Users(adminemail)/Contacts

but not the data of the other users of this org with this uri

uri: https://outlook.office365.com/ews/odata/Users(useremail)/Contacts

The only thing I can do is retrieve an access token for each user, but that supposes that each user has to authorize the access to the app, which is very cumbersome. So, I don't see what the parameter prompt=admin_consent enables and how to use it. Does anybody know what it does?

And my question is: how can I access the data of all the users of one organization when the access has been granted by one admin?

Thank you!

1 answer
等我变得足够好
Reply #2 · 2019-09-09 16:45

Thanks for your question! The scenario you are interested in (an app accessing data of all users of an organization once an admin grants access to the list) is not yet supported but is prioritized high on our list of features to add.

[UPDATE] Support for app accessing data of all users in a tenant is supported for Office 365 Mail, Calendar and Contact REST APIs. Please see Building Daemon or Service Apps with Office 365 Mail, Calendar, and Contacts APIs (OAuth2 client credential flow) for more info.

The scenario that prompt=admin_consent is intended for is different from your scenario. Admin consent simply means that the admin allows this app in the organization without the individual user having to see the consent screen after signing on to the app. This special "I as the admin provide consent for this app on behalf of all my users" is triggered by the "prompt=admin_consent" parameter that is passed in during the authorize request. However, this doesn't allow the app to get AccessTokens for any user. Each user still has to get the app, sign in, and the app will hit the authorize endpoint and get a Refresh/AccessToken for the signed-in user.

Please let me know if you have any questions or need more info.

Thanks,

Venkat
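
The difference the answer describes (a token issued to the signed-in admin versus an app-only token from the client credential flow) is visible in the token's claims. The following is an added example, not part of the original thread: it assumes Azure AD access tokens in JWT form, where delegated tokens carry `scp` and `upn` and app-only tokens carry `roles`; the function names, the sample tokens and the `contoso.example` addresses are constructed for illustration.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string (demo input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(claims: dict) -> str:
    """Delegated tokens list scopes in 'scp'; app-only tokens list 'roles'."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "app-only"
    return "unknown"


def expected_mailbox_access(claims: dict, mailbox: str) -> bool:
    """Simplified model of the behaviour in the thread, not the service's logic:
    a delegated token is tied to the user in 'upn'; an app-only token is not."""
    kind = token_kind(claims)
    if kind == "delegated":
        return claims.get("upn", "").lower() == mailbox.lower()
    return kind == "app-only"


# Constructed samples: the admin's token after prompt=admin_consent is still delegated.
ADMIN_TOKEN = make_sample_token(
    {"upn": "admin@contoso.example", "scp": "Contacts.Read Mail.Read"})
DAEMON_TOKEN = make_sample_token(
    {"appid": "00000000-0000-0000-0000-000000000000", "roles": ["Contacts.Read"]})
```

Checking `token_kind(decode_claims(token))` before calling `Users(useremail)/Contacts` shows whether a failure comes from using a delegated token for another user's mailbox.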
