OAuth 2 Microsoft service: Difference between revisions

Latest revision as of 06:42, 27 November 2019

Setup App In Microsoft

To setup an OAuth 2 client with Microsoft, first we need to login to the Microsoft Application Console and register a new application. Note that the application registrations portal has been deprecated for registering and managing converged applications since May 2019 and this functionality will be removed starting September 2019. We recommend that you manage your existing applications and register new applications by using the App registrations (now Generally Available) experience in the Azure portal.

Register new application

1. Choose a good name as this is what is shown to users when they are asked to approve the permissions. 2. For supported account types select 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'. 3. Choose 'Web' for redirect URI and add the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at https://lemon.edu/ the callback URL would be https://lemon.edu/admin/oauth2callback.php. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.

4. Click 'Register'.

Application settings

5. Copy the 'Application (client) ID' to a safe place for later use.

Application (client) ID

6. Select 'Authentication' from side-bar menu.

Authentication

7. Ensure implicit grant flow is disabled.

Disable Implict Grant Flow

8. Select 'API permissions' from side-bar menu.

API permissions

9. Make sure the "Microsoft Graph (1)" permissions section contains the "User.Read" permission.

Microsoft Graph

10. Select 'Certificates & secrets' from side-bar menu.

Certificates & secrets

11. Click 'New client secret' to create password/client secret.

New client secret

12. Add a description and select when the password/secret will expire.

Add a client secret

13. Copy the secret string value to a safe place for later use.

Secret string value

14. In Moodle go to OAuth2 services (Site administration > Server > OAuth2 services) and create a new Microsoft service.

Create new Microsoft service

15. Update the name if desired and enter the password/secret as the "Client secret" and the Application ID as the "Client ID".

Add client ID and secret

16. Make any additional configuration changes such as limiting login domains, whether a login button will show on the login page, and if email verification is required.

Addtional settings

@@ Line 2: / Line 2: @@
 === Setup App In Microsoft ===
-To setup  an OAuth 2 client with Microsoft, first we need to login to the [https://apps.dev.microsoft.com/#/appList Microsoft Application Console] and create a new app.
+To setup  an OAuth 2 client with Microsoft, first we need to login to the [https://apps.dev.microsoft.com/#/appList Microsoft Application Console] and register a new application. Note that the application registrations portal has been deprecated for registering and managing converged applications since May 2019 and this functionality will be removed starting September 2019. We recommend that you manage your existing applications and register new applications by using the App registrations (now Generally Available) experience in the Azure portal.
-[[Image:microsoft-1-create-new.png|none|frame|Create new project]]
+[[Image:ms_oauth2_2a.png|none|frame|Register new application]]
-Note: If you have previously registered Applications with an older API your Application Console may look different. In this case you should create a new "Converged Application".
+. Choose a good name as this is what is shown to users when they are asked to approve the permissions.
+. For supported account types select 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'.
+. Choose 'Web' for redirect URI and add the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at <nowiki>https://lemon.edu/</nowiki> the callback URL would be <nowiki>https://lemon.edu/admin/oauth2callback.php</nowiki>. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.
-[[File:microsoft-1-1-alternate-app-page.png|none|frame|Create new project with older APIs enabled]]
+. Click 'Register'.
-Choose a good name as this is what is shown to users when they are asked to approve the permissions.
+[[File:ms_oauth2_5.png|none|frame|Application settings]]
-[[File:microsoft-2-name-it.png|none|frame|Name it]]
+. Copy the 'Application (client) ID' to a safe place for later use.
-Next you have to add a platform to your application.
+[[File:ms_oauth2_6b.png|none|frame|Application (client) ID]]
-[[File:microsoft-3-add-platform.png|none|frame|Add platform]]
+. Select 'Authentication' from side-bar menu.
-Choose "Web platform"
+[[File:ms_oauth2_12.png|none|frame|Authentication]]
-[[File:microsoft-3.1-web-platform.png|none|frame|Web platform]]
+. Ensure implicit grant flow is disabled.
-Uncheck the "Allow Implicit Flow" checkbox and set the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at https://lemon.edu/ the callback URL would be https://lemon.edu/admin/oauth2callback.php. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.
+[[File:ms_oauth2_13.png|none|frame|Disable Implict Grant Flow]]
-[[File:microsoft-4-platform-settings.png|none|frame|Platform settings]]
+. Select 'API permissions' from side-bar menu.
+[[File:ms_oauth2_6.png|none|frame|API permissions]]
-Make sure the "Microsoft Graph Permissions" section contains the "User.Read" permission.
+. Make sure the "Microsoft Graph (1)" permissions section contains the "User.Read" permission.
-[[File:microsoft-5-permissions.png|none|frame|Permissions]]
+[[File:ms_oauth2_7.png|none|frame|Microsoft Graph]]
-Set the options for the consent screen.
+. Select 'Certificates & secrets' from side-bar menu.
-[[File:microsoft-6-consent.png|none|frame|Consent]]
+[[File:ms_oauth2_8.png|none|frame|Certificates & secrets]]
-Save all the details and then generate a new password.
+. Click 'New client secret' to create password/client secret.
-[[File:microsoft-7-new-password.png|none|frame|Generate a new password]]
+[[File:ms_oauth2_9.png|none|frame|New client secret]]
-Enter the password in Moodle as the "Client secret" and the Application ID as the "Client id".
+. Add a description and select when the password/secret will expire.
-[[File:microsoft-8-got-it.png|none|frame|Got it]]
+[[File:ms_oauth2_10.png|none|frame|Add a client secret]]
+. Copy the secret string value to a safe place for later use.
+[[File:ms_oauth2_11.png|none|frame|Secret string value]]
+. In Moodle go to OAuth2 services (Site administration > Server > OAuth2 services) and create a new Microsoft service.
+[[File:ms_oauth2_16.png|none|frame|Create new Microsoft service]]
+. Update the name if desired and enter the password/secret as the "Client secret" and the Application ID as the "Client ID".
+[[File:ms_oauth2_14.png|none|frame|Add client ID and secret]]
+. Make any additional configuration changes such as limiting login domains, whether a login button will show on the login page, and if email verification is required.
+[[File:ms_oauth2_15.png|none|frame|Addtional settings]]
 ==See also==
 * [[OneDrive repository]]
+* [[OAuth 2 authentication]] for enabling users to log in to Moodle with their Microsoft account
 [[es:Servicio OAuth 2 Microsoft]]
+[[de:OAuth2 Microsoft Service]]

Documentation

OAuth 2 Microsoft service: Difference between revisions

Latest revision as of 06:42, 27 November 2019

Setup App In Microsoft

See also