Note: You are currently viewing documentation for Moodle 3.9. Up-to-date documentation for the latest stable version of Moodle may be available here: OAuth 2 Microsoft service.

OAuth 2 Microsoft service: Difference between revisions

From MoodleDocs
m (Formatting fix to put numbered list items on new lines; 3 consecutive numbers were previously run into one line.)
 
Line 2: Line 2:
=== Setup App In Microsoft ===
=== Setup App In Microsoft ===


To setup  an OAuth 2 client with Microsoft, first we need to login to the [https://apps.dev.microsoft.com/#/appList Microsoft Application Console] and register a new application. Note that the application registrations portal has been deprecated for registering and managing converged applications since May 2019 and this functionality will be removed starting September 2019. We recommend that you manage your existing applications and register new applications by using the App registrations (now Generally Available) experience in the Azure portal.
To set up an OAuth 2.0 client with Microsoft, you must first register a new application by using App registrations in the [https://portal.azure.com Azure Portal].  
 
1. From Azure Portal home, under 'Azure services', select 'Azure Active Directory'
 
2. From the left hand menu, select 'App registrations'
 
3. Select 'New registration'


[[Image:ms_oauth2_2a.png|none|frame|Register new application]]
[[Image:ms_oauth2_2a.png|none|frame|Register new application]]


1. Choose a good name as this is what is shown to users when they are asked to approve the permissions.  
4. Choose a good name as this is what is shown to users when they are asked to approve the permissions.  


2. For supported account types select 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'.
5. For supported account types select 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'.


3. Choose 'Web' for redirect URI and add the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at <nowiki>https://lemon.edu/</nowiki> the callback URL would be <nowiki>https://lemon.edu/admin/oauth2callback.php</nowiki>. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.
6. Choose 'Web' for redirect URI and add the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at <nowiki>https://lemon.edu/</nowiki> the callback URL would be <nowiki>https://lemon.edu/admin/oauth2callback.php</nowiki>. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.


4. Click 'Register'.
7. Click 'Register'.


[[File:ms_oauth2_5.png|none|frame|Application settings]]
[[File:ms_oauth2_5.png|none|frame|Application settings]]


5. Copy the 'Application (client) ID' to a safe place for later use.
8. Copy the 'Application (client) ID' to a safe place for later use.


[[File:ms_oauth2_6b.png|none|frame|Application (client) ID]]
[[File:ms_oauth2_6b.png|none|frame|Application (client) ID]]


6. Select 'Authentication' from side-bar menu.
9. Select 'Authentication' from side-bar menu.


[[File:ms_oauth2_12.png|none|frame|Authentication]]
[[File:ms_oauth2_12.png|none|frame|Authentication]]


7. Ensure implicit grant flow is disabled.
10. Ensure implicit grant flow is disabled.


[[File:ms_oauth2_13.png|none|frame|Disable Implict Grant Flow]]
[[File:ms_oauth2_13.png|none|frame|Disable Implict Grant Flow]]


8. Select 'API permissions' from side-bar menu.
11. Select 'API permissions' from side-bar menu.
   
   
[[File:ms_oauth2_6.png|none|frame|API permissions]]
[[File:ms_oauth2_6.png|none|frame|API permissions]]


9. Make sure the "Microsoft Graph (1)" permissions section contains the "User.Read" permission.
12. Make sure the "Microsoft Graph (1)" permissions section contains the "User.Read" permission.


[[File:ms_oauth2_7.png|none|frame|Microsoft Graph]]
[[File:ms_oauth2_7.png|none|frame|Microsoft Graph]]


10. Select 'Certificates & secrets' from side-bar menu.
13. Select 'Certificates & secrets' from side-bar menu.


[[File:ms_oauth2_8.png|none|frame|Certificates & secrets]]
[[File:ms_oauth2_8.png|none|frame|Certificates & secrets]]


11. Click 'New client secret' to create password/client secret.
14. Click 'New client secret' to create password/client secret.


[[File:ms_oauth2_9.png|none|frame|New client secret]]
[[File:ms_oauth2_9.png|none|frame|New client secret]]


12. Add a description and select when the password/secret will expire.
15. Add a description and select when the password/secret will expire.


[[File:ms_oauth2_10.png|none|frame|Add a client secret]]
[[File:ms_oauth2_10.png|none|frame|Add a client secret]]


13. Copy the secret string value to a safe place for later use.
16. Copy the secret string value to a safe place for later use.


[[File:ms_oauth2_11.png|none|frame|Secret string value]]
[[File:ms_oauth2_11.png|none|frame|Secret string value]]


14. In Moodle go to OAuth2 services (Site administration > Server > OAuth2 services) and create a new Microsoft service.
17. In Moodle go to OAuth2 services (Site administration > Server > OAuth2 services) and create a new Microsoft service.


[[File:ms_oauth2_16.png|none|frame|Create new Microsoft service]]
[[File:ms_oauth2_16.png|none|frame|Create new Microsoft service]]


15. Update the name if desired and enter the password/secret as the "Client secret" and the Application ID as the "Client ID".
18. Update the name if desired and enter the password/secret as the "Client secret" and the Application ID as the "Client ID".


[[File:ms_oauth2_14.png|none|frame|Add client ID and secret]]
[[File:ms_oauth2_14.png|none|frame|Add client ID and secret]]


16. Make any additional configuration changes such as limiting login domains, whether a login button will show on the login page, and if email verification is required.
19. Make any additional configuration changes such as limiting login domains, whether a login button will show on the login page, and if email verification is required.


[[File:ms_oauth2_15.png|none|frame|Addtional settings]]
[[File:ms_oauth2_15.png|none|frame|Addtional settings]]

Latest revision as of 06:15, 15 October 2020

Setup App In Microsoft

To set up an OAuth 2.0 client with Microsoft, you must first register a new application by using App registrations in the Azure Portal.

1. From Azure Portal home, under 'Azure services', select 'Azure Active Directory'

2. From the left hand menu, select 'App registrations'

3. Select 'New registration'

Register new application

4. Choose a good name as this is what is shown to users when they are asked to approve the permissions.

5. For supported account types select 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'.

6. Choose 'Web' for redirect URI and add the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at https://lemon.edu/ the callback URL would be https://lemon.edu/admin/oauth2callback.php. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.

7. Click 'Register'.

Application settings

8. Copy the 'Application (client) ID' to a safe place for later use.

Application (client) ID

9. Select 'Authentication' from side-bar menu.

Authentication

10. Ensure implicit grant flow is disabled.

Disable Implict Grant Flow

11. Select 'API permissions' from side-bar menu.

API permissions

12. Make sure the "Microsoft Graph (1)" permissions section contains the "User.Read" permission.

Microsoft Graph

13. Select 'Certificates & secrets' from side-bar menu.

Certificates & secrets

14. Click 'New client secret' to create password/client secret.

New client secret

15. Add a description and select when the password/secret will expire.

Add a client secret

16. Copy the secret string value to a safe place for later use.

Secret string value

17. In Moodle go to OAuth2 services (Site administration > Server > OAuth2 services) and create a new Microsoft service.

Create new Microsoft service

18. Update the name if desired and enter the password/secret as the "Client secret" and the Application ID as the "Client ID".

Add client ID and secret

19. Make any additional configuration changes such as limiting login domains, whether a login button will show on the login page, and if email verification is required.

Addtional settings

See also