cancel
Showing results for 
Search instead for 
Did you mean: 

How to set up Microsoft Graph API with only Delegated Permissions?

AP.Philippa
Level 5

Dear BP community,

Lately we have been testing with the use of the Microsoft Graph API in Blue Prism. For our tests we have made use of the preconfigured Excel Graph API object, which we have downloaded from the Digital Exchange.

Following the prerequisites steps, we have created an App Registration on our Azure AD test tenant. As the authentication uses only a client ID and secret, we for now have had to provide the App with solely Read/Write Application permissions. With this setup, we were successful in using the Excel API actions in our test environment.

However, unfortunately our organization has a strict policy regarding the use of application permissions in Azure AD Apps. We therefore are looking for a way of using the Microsoft Graph API with only Delegated permissions enabled. For example, we ideally would like to restrict the Graph API in such a way that a robot is only able to edit a file/folder on a SharePoint site, when that account explicitly has been granted access to that particular site with its account (Windows AD).

Could anyone therefore advise us on how we can configure our Microsoft Graph webservices object in such a way that we can make use of a delegated permissions setup?

Many thanks in advance!



------------------------------
Arthur Philippa
RPA Developer
Port of Rotterdam
Europe/Amsterdam
------------------------------
5 REPLIES 5

ewilson
Staff
Staff
Hi @AP.Philippa,

I haven't tested this scenario yet, but I have been giving it a little thought. What you're describing is essentially an OAuth Authorization Code Flow. The general process is that a human is presented with a login or authorization screen, in the browser, where they click approve or whatever and at that point permission is granted to the application to continue.

Keep in mind that a human will have to be logged into the Runtime Resource to be able to provide the authorization unless you're going to build a VBO to do it?

Check out this page on the Microsoft Graph site:

https://docs.microsoft.com/en-us/graph/auth-v2-user

It discusses how the scopes and a few other things would need to change in your app configuration on AD as well as the "Common Authentication" section of the Web API service definition in Blue Prism.

Hopefully this helps.

Cheers,
Eric


------------------------------
Eric Wilson
Director, Partner Integrations for Digital Exchange
Blue Prism
------------------------------

AllanRo
Level 4
Hello Arthur

Hope that you are doing well?

We have a similar challenge to solve using Graph API and Blueprism where we are trying to access O365 Mailboxes and manage emails via Blueprism rather than using outlook VBO and incurring the O365 licensing cost.

Did you manage to find a solution to your question you posted?  I'm keen to understand if you have been able to solve this challenge how you managed to do this. We in discussions with our organizations security team regarding the exact topic.

Your feedback will be appreciated

Allan​

------------------------------
Allan Ross
Digital Technologist
Nedbank
Europe/London
------------------------------

Hello Allen,

Currently we are still testing the delegated premission setup with our Security Team, but we have seen some promising test results!
For example, using the delegated setup, the robot is only able to access the documents on SharePoint sites to which it has been added as a member.

To make use of a delegated setup, we have created an additional custom API reference in Blue Prism to request a Bearer Access token using the OAuth 2.0 resource Password Grant type reference (see url: Aanmelden met wachtwoord referenties voor de resource-eigenaar - Microsoft identity platform | Microsoft Docs). For obtaining a delegated access token, you will need to pass the TenantID, ClientID, ClientSecret, UserName and Password as input parameters (note the body has to be in XML).

Attached you will find some screen cature regarding the setup.

Hopes this helps you with you query!

------------------------------
Arthur Philippa
RPA Developer
Port of Rotterdam
Europe/Amsterdam
------------------------------

Hi everyone!

I can see the VBO to retrieve the Delegated Access Token is included in the MS Teams Graph VBO which was recently released. It is named "Microsoft Graph - Teams Authentication". 

Am I right that I can use that VBO to get an Access Token for all the MS Graph VBOs which were yet released in the DX? If so then the name "Teams Authentication" might be a bit misleading in the release.

Best regards
Til

------------------------------
Til Minet
RPA Developer
EWE AG Germany
Europe/Berlin
------------------------------

Hello Arthur

Thanks for sharing this.  This really helps guide us in the right direction.

regards
Allan

------------------------------
Allan Ross
Digital Technologist
Nedbank
Europe/London
------------------------------