How to get data returned by RESTlet from Netsuite accounts that have installed my Bundle (SuiteApp)? - bundle

I could create a bundle (SuiteApp) using a RESTlet file. My uploaded bundle from the repository can be installed by another account. But I don't know how to access the data (such as customers, contacts, etc.) returned by the RESTlet from whoever installed my bundle.

I don't think that is a correct approach. Without the consent of the target account's users you cannot pull their records/data.
You can bundle application tokens, but user tokens need to be configured manually in each of the target accounts. Once you get the user tokens from the target account, you can use your RESTlet logic to fetch the record details you want.

How to programmatically register an Azure AD application without tenant ID?

I read these threads but am not really satisfied with the answers:
How to add application to Azure AD programmatically?
How to add application to Azure AD programmatically without having any initial clientId registered?
Adding Applications programmatically in Azure AD using Client Credentials Flow
I think I have a scenario that currently is not supported.
We are building an application that consolidates info about a customer's on-premise infrastructure and cloud environment in a database. It should also gather info about e.g. Office 365 users and subscriptions. Here's the customer scenario:
Download and install the app on-premise.
Configure data sources (similarly to the Inventory and Assessment Wizard in MapToolkit). Also point the app to Office 365 subscription(s) at this point.
Run the app to gather asset info into your database.
They need to register the app in Azure AD and provide it access to Microsoft Graph for step 2 to work. If they're techie enough to find their tenant ID, register the app through the Azure portal or with PowerShell, and copy IDs into the app's configuration file, that is not a problem. But I cannot streamline the configuration process for the less tech-savvy user.
Basically I want to do something in compiled C# that today is already possible with PowerShell: login as a directory administrator and register an application. So I don't see a security concern here.
We have a similar scenario running that does work, where we set up the app as a multitenant application in our Azure AD, and customers provide consent to access their Office 365 subscription on a web page. But that's not the idea. It's their data, there's no reason to run it through our tenant.
Maybe I'm missing the point completely and there is an easy way to implement this. But I've been sifting for weeks through AzureAD doc and samples now and I don't see it. Any help or info to support this scenario is appreciated.
Here as an answer:
You can register a multi-tenant app in your tenant.
That app can be granted access to create a new app in the customer's tenant. Then you have a new single-tenant app in your customer's AAD.
That app should be granted access to the resources your solution needs access to. That is what we ended up with for our solution.
The customer can revoke access to the multi-tenant app that has write access to AAD as soon as the new app in their own tenant has been created.
All objects in Azure Active Directory live within a Tenant, including Application Objects. When referencing any object in the directory, you must first establish tenant context, and then you are allowed to query the data within that tenant. There is nothing we provide (that I know of) that exists above the top level Tenant structure.
When you say "It's their data, there's no reason to run it through our tenant." I feel like there is a slight misunderstanding of how data flows from the directory to your application.
All OAuth 2 client applications need to be registered somewhere. All different service providers offer some sort of client registration process. Azure Active Directory simply takes advantage of the existing Tenant structure to register applications. This also allows for a number of other features like admin controls, user assignment to apps, conditional access policies, etc...
Now when you register a multi-tenant application in your tenant, you are really just establishing a home for where your client's registration is stored. No data actually makes its way into your tenant, or is stored in your tenant. We simply reference the Application Object in your tenant to understand what the current configuration of the application is.
We do ask the users who use your application to provide consent for your app to get that data. When users sign up to use AAD, Microsoft makes a promise to those users to keep their personal and private data safe. (I am sure we use much more legal terms than that, but you get the idea.) We cannot simply hand over things like users' phone numbers, email addresses, etc. without first knowing that the user is OK to hand that data over to you. There is nothing you can do to bypass consent, and there really shouldn't be a way to do this.
However, these concepts are slowly changing with the future of our application model. In App Model V2, we allow AAD Users or people with Personal Accounts to register applications that allow both AAD and Personal Accounts to sign in. This means that you, without an AAD account, could create and register apps for the scenario you described above.
Learn more about that here:
Sign-in Microsoft Account & Azure AD users in a single app

How to get user's exchange/outlook/office365 photo?

Our company is on Office 365. So when users sign in to my asp.net mvc website, I'd like to display their photo, like Outlook does.
Where does outlook get the user's photo? And how I can get to it programmatically?
I've tried hitting up the ActiveDirectory and fetching the thumbnailPhoto, but it's blank for most users. Thus Outlook must be getting it elsewhere. Where and how?
I've also seen some examples where Microsoft.Office.Interop.Outlook assembly is used (assuming it requires Outlook installed to function). However, this website runs on a server that doesn't have Outlook installed.
I've tried hitting up the ActiveDirectory and fetching the thumbnailPhoto, but it's blank for most users. Thus Outlook must be getting it elsewhere. Where and how?
The user photo is not available in your on-premise AD, because your users most likely haven't stored it there in the first place unless you have provided them with an app which writes it to the AD.
The user photo is available in your Azure AD, because your users most likely are applying their photos in Outlook (or online).
I am assuming that your on-premise AD is being synced with Azure AD via Dirsync or ADConnect utilities. If yes, then actually the photo or thumbnailphoto attributes are synced only one-way (from on-premise to Azure) and are not written back. Reference here for DirSync and here for ADConnect.
This is why you are not able to get it out of your AD.
How to get user's exchange/outlook/office365 photo?
There are quite a few ways to get the photo from Azure AD:
Exchange Web Services (EWS): by using the GetUserPhoto operation. Basically sending a SOAP envelope with the email address and size; the XML response will get you the base64-encoded photo contained in the PictureData element.
Exchange Web Services (EWS Managed API and/or REST API): Basically using the AutoDiscover service to the URL https://outlook.office365.com/ews/exchange.asmx and then connect via EWS.Service.ConnectToService method on the Microsoft.Exchange.WebServices.Data namespace for which you need a reference to the library (a DLL that you can download from here). The method remains the same GetUserPhoto and the image is contained in the response in binary.
Outlook REST API: Basically sending a GET request to the Outlook API (with the bearer access token) at the URL https://outlook.office.com/api/{version}/me/photo for your own, and at the URL https://outlook.office.com/api/{version}/users/email@example.com/photo for another user. You get the photo stream in binary format as the response. Don't forget to append $value to get the blob, otherwise you'll get the metadata. More details referenced here.
Office 365 Unified API (aka Graph): Basically nearly the same as the older API. Send a GET request (with bearer token) to the URL https://graph.microsoft.com/{version}/me/photo/ for your own photo and https://graph.microsoft.com/{version}/users/UPN/photo for another user. More or less the same. More details referenced here. There is also a sandbox here for you to explore the samples and API references. You can also try it out yourself online interactively here (don't forget to sign in before firing your GET requests).
Hope that helps.
Some more references: here, here and here.
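As an added example (not code from any of the answers above), here is the EWS GetUserPhoto exchange from the first bullet worked end to end: the SOAP request is built through ElementTree so a caller-supplied address cannot alter the XML, and a constructed response is parsed down to the decoded PictureData, which is accepted only if it really is a JPEG. It assumes the documented EWS namespaces and HR size names; the sample response is constructed, not captured from a server.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional

# Namespaces used by the EWS GetUserPhoto operation.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
MSG = "http://schemas.microsoft.com/exchange/services/2006/messages"
TYPES = "http://schemas.microsoft.com/exchange/services/2006/types"
SIZES = {"HR48x48", "HR64x64", "HR96x96", "HR120x120", "HR240x240",
         "HR360x360", "HR432x432", "HR504x504", "HR648x648"}

def build_get_user_photo(email: str, size: str = "HR64x64") -> bytes:
    """Build the GetUserPhoto SOAP envelope. The address goes in through
    ElementTree, so '<' or '&' in a caller-supplied value is escaped rather
    than rewriting the XML."""
    if size not in SIZES:
        raise ValueError(f"unsupported SizeRequested: {size}")
    for prefix, uri in (("soap", SOAP), ("m", MSG), ("t", TYPES)):
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{TYPES}}}RequestServerVersion", Version="Exchange2013")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{MSG}}}GetUserPhoto")
    ET.SubElement(op, f"{{{MSG}}}Email").text = email
    ET.SubElement(op, f"{{{MSG}}}SizeRequested").text = size
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def parse_get_user_photo(soap_response: bytes) -> Optional[bytes]:
    """Return the decoded photo, or None when EWS reports an error code.
    The payload must start with the JPEG magic bytes before it is trusted,
    so unexpected content is never served to a browser as an image."""
    root = ET.fromstring(soap_response)
    resp = root.find(f".//{{{MSG}}}GetUserPhotoResponse")
    if resp is None:
        raise ValueError("no GetUserPhotoResponse element in SOAP body")
    if resp.findtext(f"{{{MSG}}}ResponseCode") != "NoError":
        return None
    photo = base64.b64decode(resp.findtext(f"{{{MSG}}}PictureData") or "", validate=True)
    if not photo.startswith(b"\xff\xd8\xff"):
        raise ValueError("PictureData is not a JPEG")
    return photo

# Constructed sample response (not real server output); only JPEG header bytes.
SAMPLE_PHOTO = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
<m:GetUserPhotoResponse xmlns:m="{MSG}" ResponseClass="Success">
<m:ResponseCode>NoError</m:ResponseCode><m:HasChanged>true</m:HasChanged>
<m:PictureData>{base64.b64encode(SAMPLE_PHOTO).decode()}</m:PictureData>
</m:GetUserPhotoResponse></s:Body></s:Envelope>""".encode()
```

The request bytes are what you POST to the EWS endpoint with your usual authentication; the parser is applied to the response body.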
Try this method, it works for me.
It will fetch the user's profile picture from the account:
https://outlook.office365.com/owa/service.svc/s/GetPersonaPhoto?email=plambhure#sanjeevgroup.com&UA=0&size=HR64x64&sc=1468233338850

How to get metadata of an unshared file from another user with google drive api?

I'm currently working on a C# asp.net mvc web app using the Google Reports API from Admin SDK to receive notifications when something happens on my Google Drive.
Then, I need to use in addition the Drive REST API GET request to build the file path (and more) by using the doc_id given by the Reports API.
Everything is working fine, except when the Reports API notifies me about another user's unshared file. The Drive REST API is trying to find the file with no success.
Here is the Error 404 returned:
Google.Apis.Requests.RequestError
File not found: 0B48ytfDI5h8qY2k4VzdjMkZRNXM [404]
Errors [
Message[File not found: 0B48ytfDI5h8qY2k4VzdjMkZRNXM] Location[file - other] Reason[notFound] Domain[global]
]
I'm using this scope : DriveService.Scope.Drive
The file owner is able to see metadata of his file by using this form, and I still have the Error 404.
I'm the drive administrator and on my Google Apps Admin Settings, I've tried different configs with no success, even with the Default Shared Link on Everyone from the domain.
So my question is: Is it possible to get file metadata when you are not the file owner and the file isn't shared?
PS: I'm using a Google Apps for work unlimited in relation with my work domain, so I thought I could at least get metadata files as an admin even if the file is not shared.
To my knowledge, the only way to access the user's file in Drive API is through setting up a Service Account for your web application. You can read more about this in the Drive API documentation under Domain-Wide Delegation.
To give a brief summary:
A Service Account is an account that belongs to your application instead of to an individual end user. This allows your application to have authority to make API calls as users in your domain (also to "impersonate" users).
To get started, the following tasks have to be performed:
Create or select a project in the Google Developers console and enable the API (e.g. Drive API).
Go to Credentials, add new credentials and select Service Account. More details here.
This will create three items (client ID, private key file, and email address), which are required in authorizing your application in the Google Apps domain's Admin Console.
Now, the service account that you have created needs to be granted access to the Google Apps domain's user data that you want to access. This will require the administrator to authorize the service account in the Admin console. Since it's already provided in the documentation, you can access the appropriate steps in the document.
Now, your application can instantiate an authorized Drive service Object (i.e. metadata) on behalf of your Google Apps domain's users. Hope this helps and Good luck!

package domain, role and user on sitecore

I am new to sitecore.
I have a question regarding packaging Domain and Roles on sitecore (we are using sitecore 6.3.1).
I am packaging content from our dev box to stage and I would like to transfer the Domain, Roles and user created on dev to stage.
The package designer shows a button called 'Security Accounts'. I added the specific user who belongs to the specific domain and role.
On installing the package to stage site, it throws an error 'blah domain not found, cannot create user'.
So the question is, do I have to create a domain manually on the stage server before I install the user? Or is there a way where I can copy the domain and roles to create the user?
Help much appreciated.
If your target solution doesn't have the domain the user lives in, you'll have to create it manually. However, the roles can be transferred via package the same way as users. If the user A is in role B, and you don't add role B to the package, there should not be any error - simply the user A won't be a member of the role B on target environment.
I have discovered that the domains are stored in /App_Config/Security/Domains.config and you can migrate between installations simply by copying or editing this file.
Or you can create the domains manually via the Security Domain tool.
Either way the domain must exist before you can install a package with users or roles.
I would think the answer Yan comes with would work with domains.
But you might need to have the Domain(s) in a package which you install first, or have it as the first "part" of your package, so it gets installed first.

Admin access to user Google Drive files from installed application with Oauth2

I'm writing a set of Powershell Cmdlets that allow a user to run admin functions on their domain. Using gData I have been able to do provisioning calls to create new users, list groups and other things of that nature. When trying to list another user's documents (as admin) I hit a roadblock with the DocsList api, so I turned to the Google Drive api instead.
I've since been able to get the Drive API working and have a Cmdlet running based on their QuickStart for DotNet and File List Example. However, I can't seem to figure out how to make it list docs for another user. Everything I've found so far seems to point to the use of Service Accounts for delegation or using the old DocList API instead, which is deprecated in favor of the Drive API anyway.
My problem is the Service Accounts seem to be an alternative to the Installed Application, not something I can use at the same time. Or, if I were able to get it working I would have to have each user create their own project and service account, if I'm understanding things.
How can I do this without inconveniencing the users? They've already authenticated themselves as admins, I don't understand why they have to create an API project and service account to achieve the same thing. Would I create a single service account for my API Project? If so, how do I handle the public key it generates and needs access to? That doesn't seem very safe if I'm throwing around the key file.
You can impersonate a user only with service accounts. Once you configure your service account for domain-wide authority, you can make requests with your administrator account as you mention. But I'm not sure whether Google Apps allows multiple administrator accounts. If they do, all you need is to set up a single project and a single service account.