OAuth 2 Microsoft service: Difference between revisions

From MoodleDocs
(see also)
 
(12 intermediate revisions by 9 users not shown)
Line 1: Line 1:
{{OAuth2}}
{{OAuth2}}
=== Setup App In Microsoft ===
== Setup App In Microsoft ==


To setup  an OAuth 2 client with Microsoft, first we need to login to the [https://apps.dev.microsoft.com/#/appList Microsoft Application Console] and create a new app.
To set up an OAuth 2.0 client with Microsoft, you must first register a new application by using App registrations in the [https://portal.azure.com Azure Portal].  


[[Image:microsoft-1-create-new.png|none|frame|Create new project]]
1. From Azure Portal home, under 'Azure services', select 'Azure Active Directory'


Note: If you have previously registered Applications with an older API your Application Console may look different. In this case you should create a new "Converged Application".
2. From the left hand menu, select 'App registrations'


[[File:microsoft-1-1-alternate-app-page.png|none|frame|Create new project with older APIs enabled]]
3. Select 'New registration'


Choose a good name as this is what is shown to users when they are asked to approve the permissions.  
[[Image:ms_oauth2_2a.png|none|frame|Register new application]]


[[File:microsoft-2-name-it.png|none|frame|Name it]]
4. Choose a good name as this is what is shown to users when they are asked to approve the permissions.  


Next you have to add a platform to your application.  
5. Under supported account types select either:
        5A. 'Accounts in this organizational directory only (<em>your organization's name</em> - Single tenant)'.
    **Single-tenant apps are only available in the tenant they were registered in, also known as their home tenant. For single tenancy to work properly complete the additional steps outlined below under '[[OAuth 2 Microsoft service#Additional Single Tenancy Configuration|Additional Single Tenancy Configuration]]'.
        5B. 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'.
    **Multi-tenant apps are available to users in both their home tenant and other tenants (meaning anyone with an Office 365 account will have access, unless domains are added to the 'Login domains' field (Step 19) which will restrict logins to specific domains.)
       
6. Choose 'Web' for redirect URI and add the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at <nowiki>https://lemon.edu/</nowiki> the callback URL would be <nowiki>https://lemon.edu/admin/oauth2callback.php</nowiki>. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.


[[File:microsoft-3-add-platform.png|none|frame|Add platform]]
7. Click 'Register'.


Choose "Web platform"
[[File:ms_oauth2_5.png|none|frame|Application settings]]


[[File:microsoft-3.1-web-platform.png|none|frame|Web platform]]
8. Copy the 'Application (client) ID' to a safe place for later use.


Uncheck the "Allow Implicit Flow" checkbox and set the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at https://lemon.edu/ the callback URL would be https://lemon.edu/admin/oauth2callback.php. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.
[[File:ms_oauth2_6b.png|none|frame|Application (client) ID]]


[[File:microsoft-4-platform-settings.png|none|frame|Platform settings]]
9. Select 'Authentication' from side-bar menu.


Make sure the "Microsoft Graph Permissions" section contains the "User.Read" permission.
[[File:ms_oauth2_12.png|none|frame|Authentication]]


[[File:microsoft-5-permissions.png|none|frame|Permissions]]
10. Ensure implicit grant flow is disabled.


Set the options for the consent screen.
[[File:ms_oauth2_13.png|none|frame|Disable Implicit Grant Flow]]


[[File:microsoft-6-consent.png|none|frame|Consent]]
11. Select 'API permissions' from side-bar menu.
[[File:ms_oauth2_6.png|none|frame|API permissions]]


Save all the details and then generate a new password.
12. Make sure the "Microsoft Graph (1)" permissions section contains the "User.Read" permission.


[[File:microsoft-7-new-password.png|none|frame|Generate a new password]]
[[File:ms_oauth2_7.png|none|frame|Microsoft Graph]]


Enter the password in Moodle as the "Client secret" and the Application ID as the "Client id".
13. Select 'Certificates & secrets' from side-bar menu.


[[File:microsoft-8-got-it.png|none|frame|Got it]]
[[File:ms_oauth2_8.png|none|frame|Certificates & secrets]]
 
14. Click 'New client secret' to create password/client secret.
 
[[File:ms_oauth2_9.png|none|frame|New client secret]]
 
15. Add a description and select when the password/secret will expire.
 
[[File:ms_oauth2_10.png|none|frame|Add a client secret]]
 
16. Copy the secret string value to a safe place for later use.
 
[[File:ms_oauth2_11.png|none|frame|Secret string value]]
 
17. In Moodle go to OAuth2 services (Site administration > Server > OAuth2 services) and create a new Microsoft service.
 
[[File:ms_oauth2_16.png|none|frame|Create new Microsoft service]]
 
18. Update the name if desired and enter the password/secret as the "Client secret" and the Application ID as the "Client ID".
 
[[File:ms_oauth2_14.png|none|frame|Add client ID and secret]]
 
19. Make any additional configuration changes such as limiting login domains, whether a login button will show on the login page, and if email verification is required.
 
[[File:ms_oauth2_15.png|none|frame|Additional settings]]
 
===Additional Single Tenancy Configuration===
1. Once the above steps have been completed, click "Overview" if not already selected and choose "Endpoints".
 
[[File:ms_oauth2_17.png|none|frame|End Points]]
 
2. From the list of endpoints copy the OpenID Connect metadata document endpoint URL. It is only necessary to copy the portion up to and including "v2.0". In the example below, the copied URL would be, "https://login.microsoftonline.com/96e0421d-d572-4839-9c32-b8bc00cf250b/v2.0/". '''Note that it is important to include the trailing slash.'''
 
[[File:ms_oauth2_18.png|none|frame|End Points]]
 
3. Now return to Moodle and in the newly created OAuth2 Microsoft service, paste the endpoint in the 'Service base URL' field.
 
[[File:ms_oauth2_19.png|none|frame|Service base URL]]
 
4. Save your changes.
 
Don't forget to make sure that the issuer's endpoints are defined correctly in '''Site administration > Server > Server > OAuth 2 services''' and then '''Configure endpoints''' in the '''Edit''' column of Microsoft services (when using Single Tenancy Configuration you will have to change the "''common''" part of the URL with the app ID of the '''authorization_endpoint''' and '''token_endpoint''').
 
== Additional User Fields ==
By default the User.read scope will return a limited set of fields from the user profile. In order to pull in other fields you will need to alter the userinfo_endpoint.
 
# Click to configure the user endpoints.
# Either edit or create an endpoint called 'userinfo_endpoint'.
# Enter the following url: <nowiki>https://graph.microsoft.com/v1.0/me/?$select=department,displayName,givenName,jobTitle,userPrincipalName,surname,mail</nowiki>
# The comma separated list after the $select parameter will need to include each of the fields that you wish to return - using this method will override the existing fields. Make sure to include userPrincipalName and mail as a minimum.
 
You will now be able to map these fields as required.


==See also==
==See also==


* [[OneDrive repository]]
* [[OneDrive repository]]
* [[OAuth 2 authentication]] for enabling users to log in to Moodle with their Microsoft account


[[es:Servicio OAuth 2 Microsoft]]
[[es:Servicio OAuth 2 Microsoft]]
[[de:OAuth2 Microsoft Service]]

Latest revision as of 11:19, 3 December 2024

Setup App In Microsoft

To set up an OAuth 2.0 client with Microsoft, you must first register a new application by using App registrations in the Azure Portal.

1. From Azure Portal home, under 'Azure services', select 'Azure Active Directory'

2. From the left hand menu, select 'App registrations'

3. Select 'New registration'

Register new application

4. Choose a good name as this is what is shown to users when they are asked to approve the permissions.

5. Under supported account types select either:

       5A. 'Accounts in this organizational directory only (your organization's name - Single tenant)'. 

**Single-tenant apps are only available in the tenant they were registered in, also known as their home tenant. For single tenancy to work properly complete the additional steps outlined below under 'Additional Single Tenancy Configuration'.

       5B. 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)'. 

**Multi-tenant apps are available to users in both their home tenant and other tenants (meaning anyone with an Office 365 account will have access, unless domains are added to the 'Login domains' field (Step 19) which will restrict logins to specific domains.)

6. Choose 'Web' for redirect URI and add the callback URL. The callback URL should point to "your Moodle site URL + /admin/oauth2callback.php". If your Moodle site was available at https://lemon.edu/ the callback URL would be https://lemon.edu/admin/oauth2callback.php. It is important that your Moodle site uses https and not http. Microsoft will not allow the callback url if it is not using https.

7. Click 'Register'.

Application settings

8. Copy the 'Application (client) ID' to a safe place for later use.

Application (client) ID

9. Select 'Authentication' from side-bar menu.

Authentication

10. Ensure implicit grant flow is disabled.

Disable Implicit Grant Flow

11. Select 'API permissions' from side-bar menu.

API permissions

12. Make sure the "Microsoft Graph (1)" permissions section contains the "User.Read" permission.

Microsoft Graph

13. Select 'Certificates & secrets' from side-bar menu.

Certificates & secrets

14. Click 'New client secret' to create password/client secret.

New client secret

15. Add a description and select when the password/secret will expire.

Add a client secret

16. Copy the secret string value to a safe place for later use.

Secret string value

17. In Moodle go to OAuth2 services (Site administration > Server > OAuth2 services) and create a new Microsoft service.

Create new Microsoft service

18. Update the name if desired and enter the password/secret as the "Client secret" and the Application ID as the "Client ID".

Add client ID and secret

19. Make any additional configuration changes such as limiting login domains, whether a login button will show on the login page, and if email verification is required.

Additional settings

Additional Single Tenancy Configuration

1. Once the above steps have been completed, click "Overview" if not already selected and choose "Endpoints".

End Points

2. From the list of endpoints copy the OpenID Connect metadata document endpoint URL. It is only necessary to copy the portion up to and including "v2.0". In the example below, the copied URL would be, "https://login.microsoftonline.com/96e0421d-d572-4839-9c32-b8bc00cf250b/v2.0/". Note that it is important to include the trailing slash.

End Points

3. Now return to Moodle and in the newly created OAuth2 Microsoft service, paste the endpoint in the 'Service base URL' field.

Service base URL

4. Save your changes.

Don't forget to make sure that the issuer's endpoints are defined correctly in Site administration > Server > Server > OAuth 2 services and then Configure endpoints in the Edit column of Microsoft services (when using Single Tenancy Configuration you will have to change the "common" part of the URL with the app ID of the authorization_endpoint and token_endpoint).

Additional User Fields

By default the User.read scope will return a limited set of fields from the user profile. In order to pull in other fields you will need to alter the userinfo_endpoint.

  1. Click to configure the user endpoints.
  2. Either edit or create an endpoint called 'userinfo_endpoint'.
  3. Enter the following url: https://graph.microsoft.com/v1.0/me/?$select=department,displayName,givenName,jobTitle,userPrincipalName,surname,mail
  4. The comma separated list after the $select parameter will need to include each of the fields that you wish to return - using this method will override the existing fields. Make sure to include userPrincipalName and mail as a minimum.

You will now be able to map these fields as required.

See also