topic RE: Graph API - Setup in Digital Exchange

Graph API - Setup

JohanSörman — Wed, 26 Oct 2022 09:23:00 GMT

Hi,

I have access to Azure portal and have an application created. After setting up client key and secret, is that enough to use the actions in BP or do you have to manually configure Web API like any normal REST API?

Another question, in a previous version we had to create an app inside of the Sharepoint for the site we wanted to interact with to get the client secret. With Graph, is this still required or is it enough for the account being a member/admin of the site (for protected sites or whatever they're called)?

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------

RE: Graph API - Setup

ewilson — Wed, 26 Oct 2022 17:11:00 GMT

Hello @Johan Sörman,

To use the Graph API you must also apply the appropriate permissions to the specific application registration you create in the Azure portal. As an example, if you've create an application registration, and credentials, for working with Sharepoint, you'll want to apply the necessary Site permissions as depicted in the example below:

There are lots of Graph permissions available depending on what you're trying to do (ex. Mail/Outlook, Excel, Users, etc).

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: Graph API - Setup

JohanSörman — Thu, 27 Oct 2022 07:26:00 GMT

Hi @ewilson,
So, going to each site to reg an app is no longer needed, correct?

https://domain.sharepoint.com/sites/SiteName/_layouts/15/appinv.aspx

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------

RE: Graph API - Setup

JohanSörman — Fri, 28 Oct 2022 09:36:00 GMT

Hi @ewilson,
Is Application Permission required for this to work? I.e Delegated doesn't? I tried the Autentication and believe everything should be setup correcly but keep getting errors about users (tried on myself) isn't in this tenant directory.

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------

RE: Graph API - Setup

ewilson — Fri, 28 Oct 2022 14:50:00 GMT

Hello @Johan Sörman,

Based on the documentation for the Graph API, both Application and Delegated access are supported for SharePoint sites. You can see the specific permissions required for each endpoint (aka Action) here.

I don't think we've tried Delegated on our test SharePoint sandbox, but we'll give it a go and see what happens.

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: Graph API - Setup

JohanSörman — Mon, 31 Oct 2022 08:16:00 GMT

Hi @ewilson ,
I was unable to get any tokens from either delegated or application access. I'm guessing this has to do with we have enabled MFA in AD and no permissions been approved yet for application access by our Azure Admins.

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------

RE: Graph API - Setup

ewilson — Mon, 31 Oct 2022 12:31:00 GMT

Hello @Johan Sörman,

Ah, yes. MFA does present problems with trying to retrieve a token for Graph. I haven't specifically tested an MFA-based workflow with the Graph API, but I have worked with MFA for digital workers that are automating applications via the browser. There are actually two connectors on the DX that support MFA/OTP (One Time Passwords) that may help you along.

You can find them here.

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: Graph API - Setup

JohanSörman — Mon, 31 Oct 2022 12:33:00 GMT

I'm not an expert on the MFA area but we used to have issues with it but now robot accounts are treated like an internal user so MFA is passed but I would assume the Get Token is failing because we have MFA.

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------

RE: Graph API - Setup

ewilson — Mon, 31 Oct 2022 13:08:00 GMT

@Johan Sörman,

Very strange indeed. An Application Access token is essentially a backend service-to-service type token. There's no actual user account, per se, associated with it, so I'm not sure how MFA would come into play for it. Do you receive an error response when you request the token? Maybe an HTTP 403 or something?

Here's a link to the Microsoft Graph documentation pertaining to authentication and authorization. I don't actually see anything related to MFA in it, but I may have missed it.

https://learn.microsoft.com/en-us/graph/auth/

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: Graph API - Setup

JohanSörman — Mon, 31 Oct 2022 13:18:00 GMT

@Eric Wilson,
From what I recall when I ran tests last week I saw several errors, no status codes though.
When trying to get a delegated token I got error along the lines of "user not found in AD" which I assumed was MFA based error.
If I tried to get "normal" token, I got client error message

When I tried the MSAL VBO from DX, I just got "Multiple error" message so can't say what was incorrect.

I would assume I can't get a token if there no permission granted to the app in Azure Portal?

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------

RE: Graph API - Setup

ewilson — Mon, 31 Oct 2022 16:01:00 GMT

@Johan Sörman,

You are correct for the most part. If there are no permissions granted on the application registration in the Azure Portal then you won't be able to get a token. However, when a new registration is created there is a default permission that is added which is the Delegated Access permission User.Read.

Regarding the multiple errors on the MSAL VBO, we can adjust the code of the action to give us more details. I assume you're using the Get Auth Token - Client Secret action, correct? If so, open the Code stage on that action in the VBO. It should look like this:

Let's try adding this additional catch block:

catch (AggregateException ae) 
{
	StringBuilder exceptionMessages = new StringBuilder();
	foreach (var e in ae.Flatten().InnerExceptions) 
	{
		exceptionMessages.Append(e.Message);
		exceptionMessages.Append("\n");
	}
	Exception = exceptionMessages.ToString();
}

So the final code will look like this:

Can you try that and see if you get additional exception details when using an Application Access token?

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: Graph API - Setup

JohanSörman — Tue, 01 Nov 2022 13:25:00 GMT

@ewilson,
Thank you for the additional code. I've added it to the action and will report back when we've tested it.

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------

RE: Graph API - Setup

ewilson — Sat, 10 Dec 2022 00:02:00 GMT

Hello @Johan Sörman,

Have you been able to try out that new code?

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: Graph API - Setup

JohanSörman — Mon, 12 Dec 2022 09:23:00 GMT

Hi @ewilson,
Unfortunately our IT department declined our request for application permissions so I haven't been able to verify the addtional code.

It seems like the Graph API gives access to all site on the domain which they did not like. So seems like a roadblock for our use until the API gets more dynamic/flexible for Sites.

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------

RE: Graph API - Setup

ewilson — Mon, 12 Dec 2022 12:21:00 GMT

Hi @Johan Sörman,

There are a couple ways to address this, which it sounds like your IT team have not looked into.

1) Instead of getting an Application Access token you could requested a Delegated Access token. This is essentially that case of a Digital Worker running under a specific Active Directory account (i.e. as a user). If your IT team is willing to create a user with the approved permissions on whatever SharePoint sites you should be good to go.

2) Alternatively, there is a Graph permission known as Sites.Selected. I haven't looked into this to much myself, but it seems it would be a way for Application Access tokens to be limited to specific sites. You can read more about it here.

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: Graph API - Setup

JohanSörman — Mon, 12 Dec 2022 12:33:00 GMT

As for suggestion 1 it doesn't seem practical for our use case, due to the fact we would had needed to interact with 200+ sites with each site having different owners/members.

By the sounds of it, suggestion 2 sounds a lot like similar configuration you had to do with the old sharepoint skill you offered but I haven't had the chance to look into that.

------------------------------
Johan Sörman
DevOps Engineer, Senior RPA Developer
Telia Company
Sweden
------------------------------