0

I have an application which already uses Azure AD for authentication. And now, we need to integrate MS OneDrive in it.

Now, for doing so, we don't want the user to go through login again. Is it possible that the OAuth token generated in application login can be used for Graph APIs? Or any other way to skip that MS login for OneDrive?

I've seen the question. But my problem is a bit different in that I'm already using Azure AD for authentication.

Thanks in advance.

Marc LaFleur
mohit sharma

1 Answer

2

When the user logs in, you can acquire multiple access tokens. You will need to acquire a token for MS Graph API. You can use the same authorization code twice to get two access tokens, or you can use the refresh token gotten with the first one to get another access token.

juunas
  • 2
    One additional bit, you _will_ need to have them go through User Consent before any new scopes can be used. So while you may not need them to reauthenticate, you will need to ask their permission before you can use their OneDrive. – Marc LaFleur May 07 '18 at 14:45
  • Thanks @juunas for the quick response, this helped me solve the problem. In the meanwhile, I was looking at the [article](https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/), where they suggested using the graph.microsoft.com API over graph.windows.net, but I didn't find support for the search user functionality in AD. So, are we supposed to use the windows.net API for searching and microsoft.com for OneDrive, or is there any such feature in the graph.microsoft.com API to search users? Any link or resource would be helpful. Thanks – mohit sharma May 14 '18 at 11:11
  • 1
    Depends what you mean by search. Certain filters are a bit limited yes – juunas May 14 '18 at 11:12
  • @MarcLaFleur How do I ask the user for the permission? I mean, is there any resource page provided by Microsoft for doing so, or how do I provide permissions to MS? – mohit sharma May 21 '18 at 06:21
  • I'm afraid I don't understand your comment/question. What permissions are you trying to provide _to_ Microsoft? – Marc LaFleur May 21 '18 at 14:53
  • @MarcLaFleur I apologise for that. What I mean to ask about is user consent. When a user logs in, it didn't ask for user consent automatically, hence I was not able to access the APIs. – mohit sharma Jun 07 '18 at 09:09
  • You can specify `prompt=consent` on the authorization redirect URL to force consent. AAD does not ask for consent if some consent has been made previously. So if you add new permissions, you have to force consent again. With V2 this is handled a bit differently since you can specify what scopes you want in the redirect URL. – juunas Jun 07 '18 at 09:17
  • 1
    This might help with understanding how this works as well: https://massivescale.com/microsoft-v2-endpoint-user-vs-admin/ – Marc LaFleur Jun 08 '18 at 20:08
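The flow described in the answer and comments above, sketched against the Azure AD v1 endpoints as an added example (not code from the question, the answer or Microsoft). It assumes a confidential web app with a client secret; the tenant, client ID and token values are constructed placeholders, and the `resource` and `error_codes` fields are assumed from the v1 token endpoint's JSON replies.

```python
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"
CONSENT_MISSING = 65001  # AADSTS65001: user or admin has not consented


def authorize_url(tenant, client_id, redirect_uri, state, force_consent=False):
    """Sign-in redirect; prompt=consent re-shows the consent screen."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": GRAPH,
        "state": state,  # per-session random value, checked on return
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def graph_token_request(tenant, client_id, client_secret, refresh_token):
    """URL and form body that redeem the login's refresh token for Graph."""
    form = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH,  # ask for a token whose audience is Graph
    }
    return f"{AUTHORITY}/{tenant}/oauth2/token", urlencode(form)


def next_step(token_response):
    """Map the token endpoint's JSON reply to the app's next action."""
    if "access_token" in token_response:
        # Never send a token issued for another API to Graph.
        if token_response.get("resource") != GRAPH:
            return "wrong_audience"
        return "call_graph"
    if CONSENT_MISSING in token_response.get("error_codes", []):
        return "redirect_with_prompt_consent"
    return "sign_in_again"


if __name__ == "__main__":
    # Constructed reply: the user has not yet consented to the new permission.
    denied = {"error": "invalid_grant", "error_codes": [65001]}
    print(next_step(denied))
```

Only the consent-missing case sends the user back through `authorize_url(..., force_consent=True)`; a successful redemption needs no browser round trip at all.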