Category Archives: Microsoft Graph

Microsoft Ignite 2018 – Office Developer Announcements

As the dust settles on Microsoft Ignite for another year I’m left going back over my notes and recalling discussions I had for all those key announcements, advice and snippets of gold that will have a real impact for Office developers.

If you are looking for a high level list of announcements made at the conference, the Ignite Book of News is a good place to start although it doesn’t cover many of the announcements that were made in the Office Developer area – this book covers a lot of the Azure announcements, which most Office developers will have a mild interest in (we have to host our code somewhere!)

Here’s some of my favourite announcements:

Do more with new upcoming SharePoint development capabilities announced at Ignite 2018

  • Call Microsoft Graph and Web APIs and deploy Extensions across your SharePoint sites
  • Deploy your web parts and application pages to Microsoft Teams
  • Connect across components with dynamic data capabilities
  • Deliver complete applications with application pages
  • Harness more of SharePoint with new Microsoft Graph APIs

Microsoft Graph @ Ignite 2018

  • Managed access to Microsoft Graph (data connect to bulk export to Azure subscription)
  • Notifications API
  • Dynamics is now in Microsoft Graph
  • New PowerApps templates
  • Security API
  • Microsoft Teams, Messages, Calendars, Files, and Folders

Microsoft Authentication Library (MSAL)

  • In preview but suitable for production use
  • Capable of reaching both v1 and v2 services
  • MSAL JavaScript library for serverless implicit flow scenarios

I thought this years conference was very well run and the volume of people moving about the conference centre wasn’t overwhelming. I had a lot of fun meeting new people and reconnecting with old friends. It’s great to have such knowledgeable Microsoft staff accessible on the expo hall floor (both from a Marketing and Engineering side) to discuss particular scenarios, technologies, ad bounce ideas off.

 

Allowing different Azure AD app registration permission sets for a single app (user and elevated admin consent) using the v1 auth model

With Azure Active Directory Application Registrations there are two versions of authentication model available.

v1 – all the permission scopes that your app may require must be consented to by the user up front.

v2 – permission scopes can be asked for dynamically as your app is running, if the user hasn’t already consented to the required permission scope then they will be challenged for consent at that time

v2 is a far more flexible model as it allows users try out and/or start using your app without having to consent to everything your app could ever want to get access to. After getting comfortable using the app, as the users explore and use more specific and advanced features in your app, you can ask for further permissions. Even more advantageous, certain API calls require a tenant administrator to consent to the permission on behalf all users. With v2 auth model end users can use features of the app that they have authority to consent access to, and then if a admin consents to some of the admin only permissions then even more features could be lit up in your app.

Here’s a good rundown on the state of app registration and auth in a recent episode of the Microsoft Cloud Show and you can read about the difference between v1 and v2 auth in the official Microsoft docs.

The Problem

Not all backend service APIs support the v2 auth model, and you can’t mix and match v1 and v2 auth model. If one or more of the backend service APIs you require only supports v1, then your entire app (and access to all service APIs) will be done using v1. At the time of writing the Microsoft Graph supports v2 auth, but SharePoint only support v1 auth. There is a technique for taking an refresh token acquired using v2 auth and exchanging it for a SharePoint access token but this technique can only be used from a custom Web API, and not from a Single Page Application (SPA) as it’s not safe to expose a long lived refresh token in client side code (i.e. JavaScript running in the browser).

This means there’s situation where you are stuck with v1 auth for now. Under v1 auth if your app has at least one permission that requires admin consent, then ordinary users are not going to be able to simply start using your app on there own, we are back to the days of having to “go through IT” to have an admin approve the app before it can be used.

The Solution

Well, it’s not a silver bullet solution that is going to fix any scenario, but the technique I’ll discuss here allows you to define two sets of permissions for your app. One set of permissions that contains just the minimal set of permissions to get users started using your app (you wouldn’t want any permission that require admin consent here) – We’ll call this the User Permission Set, then a second set of permissions (that contains those tougher to get approval for permissions that require admin consent) – We’ll call this the Elevated Permission Set.

What we are aiming for is the app to run with just the restricted User Permission Set (so that anyone can quickly start using your app) but maybe not with all the features enabled, and then allow an administrator to optionally provide consent on behalf of all users which then allows the app to use the Elevated Permission set (for all users).

I’ll assume you have already been able to create an app that successfully authenticates and consents a user against a single permission set (here’s a good starting point with Azure authentication concepts if you aren’t to this stage yet)

Step 1 – Create an Application Registration per permission set

Create an application registration for both the User Permission set and the Elevated Permission set (this will be a superset of the User Permission set). These registrations should almost be identical (e.g. same Reply URLs), but they will have different Application IDs, and obviously different permissions to represent the different permission sets. We will call these the User App Reg and the Elevated App Reg.

Step 2 – Change the normal auth flow to try to acquire tokens using the Elevated App Reg first

Your normal auth flow would be to try to acquire an access token for the service endpoint specifying the App Reg Id. Now we have two possible App Reg Ids, so what we do is that we try to acquire the access token first using the Elevated App Reg Id. If you are able to get the token then you are away just like the normal app flow (in this case consent must have been granted by an admin previously). But here’s the trick, if you fail to get the token (and the reason returned is that you need to prompt for consent) then proceed with your standard flow to acquire the token this time using the User App Reg Id and prompting for user consent if required. This way the user is able to start using your app as they will have authority to consent to the User App Reg.

Step 3 – Track which App Reg Id is in use

Once this auth flow is complete, track in the state of your app which App Reg Id you successfully acquired the token for, as that token will only work with the App Reg Id used to acquire it. Example: if the call to acquire the token using the Elevated App Reg Id worked then all future calls should specify the Elevated App Reg Id.

Step 4 – Conditionally protect features that require the Elevated App Reg

Now you are tracking which App Reg is in use you will know when your app only has the restricted User Permission Set. You can use this to hide features or prevent them from being used.

Step 5 – Expose a way for administrators to provide admin consent

Somewhere in your app you can provide the ability (e.g. a button) for a an administrator to provide admin consent. This will just launch the prompt for admin consent login URL and (always use the Elevated App Reg Id for this). Now when a user tries to use the app (see step 1) the attempt to acquire the token using the Elevated App Reg Id should work since an administrator has provided the consent.

If you are feeling really awesome you could (in the same session of your app) go through your auth logic again without restarting the app the discard the tokens you will have acquired against the User App Reg and get new tokens now against the Elevated App Reg and light up those new feature of your app immediately.

Video example of an Outlook Add-in utilizing this technique to provide user and elevated permission sets within a single add-in and allowing an admin to dynamically provide consent enabling additional features.

 

 

 

Wonder what a Microsoft 1:1 hackathon looks like? OnePlace Solutions Teams/Graph Engagement Experience

microsoft-teams-logo.jpg

I was fortunate enough to be involved in a 1:1 hack engagement with Microsoft recently where OnePlace Solutions hosted some eager Microsoft engineers for a week long engagement. The intention was to see how we could harness some of Microsoft’s new Teams extensibility options and the Graph API, and for Microsoft to identify limitations or areas for improvement.

The format of the event:

  • brainstorming possible ideas ahead of the event itself
  • discussion and selection of a few possible ideas
  • splitting up into teams and scoping what were would try to achieve within the scope of the hack
  • working in a compressed scrum process (daily stand-ups, task refinement and retros)
  • present to a wider audience on the last day of the hack to show what had been achieved and the business benefit

It was amazing to see how quickly the Microsoft engineers were absorbed into our development team, brought up to speed with our existing code-base, and starting to deliver functionality.

The real takeaway and reason for writing this article it just to let everyone know what an awesome opportunity these engagements are from Microsoft, a bit of what you can expect and that I highly recommend getting involved if the opportunity arises.

What did I see as the biggest benefits to our business of doing this hack with Microsoft?

The tips, tricks and work pattern knowledge sharing that occurred only comes when you truly try to work together on a project and aren’t just academically sharing knowledge. We all work in different ways and by running the hack almost as a true project (in a condensed form) there is a lot more than just the coding that is being discussed. VSTS, scoping, work item tracking, design white-boarding sessions, daily stand ups, retros, git source control, review of pull requests. All this is outside of the actual coding and using the technology being hacked on, but it is also a critical piece of developing in an efficient, scalable and measurable way.

Accelerated and focused learning on new technologies. The speed of getting across where a technology like Teams extensibility is up to, what’s possible when applying to problems we are trying to solve, and that hard first mile of understanding the frameworks, dependencies, and tooling to get the first hello world skeleton running.

Outside of the technology it’s a great opportunity to meet and build relationships with people who share a similar passion and spend a lot of their time working to solve similar problems. At OnePlace Solutions we are a passionate bunch of technologists that enjoy working in a social and supportive environment – from what I’ve experienced the hack is a perfect match for the way we work, with Microsoft bringing the same mindset, energy and support to the hack. We spent as much time laughing and discussing topics outside of technology as we did on it. At the end of the day we are social creatures and I found the hack was a perfect environment that bought people together with a desire to want to work together on a common goal, to challenge and push each other to do more in a fun and supportive way, and have a good laugh at the same time. Having access to global Microsoft resources to get definitive answers quickly, removed the amount of wasted time and frustration which allowed productivity, enthusiasm and energy levels to remain high.

We dedicate an amount of time each sprint to R&D, which usually involves educating ourselves in what is possible with new technologies and APIs and often going as far as prototyping code to see what’s possible and where the limitations are. It’s hard to imagine a better return on investment than spending this R&D time with Microsoft in the format of a 1:1 hack.

So a huge thank you to the Microsoft engineers, we had a great time and my advice to anyone thinking of getting involved with these engagements is that they can have great value to your team.

Primer for Modern Office Development – start your journey here

Lets start with a little bit of history, the year was 2008, Windows PCs and Microsoft Office had been entrenched throughout organizations around the globe. We saved all our files on a network drive (if we were smart), or SharePoint if we were really smart and had a dedicated engineer that could keep up with patching it. Sales of Apple Mac had been increasing since the turn of the century and Microsoft had built a version of Office specifically for the Mac and had it running there since 1998. The development story for Microsoft Office had almost exclusively been a Windows only experience, it was quite a rich experience with Visual Studio Extensions for Office allowing Office add-ins to be written in managed code. But I see 2008 as a pivotal year, the landscape of IT usage was about to change in a very disruptive way… Apple had just launched the first version of the iPhone.

In the decade since this moment we have seen a shift towards an always connected, productive on any device world. Microsoft Office was changing dramatically to keep pace with the demands of this changing world. Office was already on the Mac, but fast forward to today (2018) and we have:

  • Office for Windows – the original and still a powerhouse with all the bells and whistles
  • Office for Mac – a very mature product suite that doesn’t lag far behind the Windows offering
  • Office Online – any device with a web browser can not only read but also have a rich editing experience
  • Office for iOS – native applications for iPhone and iPad
  • Office for Android – native applications for Android devices

As you can see in those 10 years a lot had changed, and we don’t even know where our files are physically stored anymore, they are just up there, somewhere, in the Office 365 cloud.

That lead to 2 radical shifts for Office development:

  1. The development technology for extending Office needs to run everywhere that Office does. The one run-time technology that is consistent across all of these devices is the web browser. This meant the shift to web technologies and developing web application (HTML5, JavaScript, CSS). Sure each web browser has it’s own idiosyncrasies but the web development world had been working on ways around this for many years and we now have mature frameworks for building web based applications.
  2. We have an opportunity we never had before – users data stored in the Office 365 cloud (with a shiny new API to get to it – the Microsoft Graph API)

So when we talk about Office Development we talk about 2 distinct types of development:

  1. Extending the user experience within the Office applications (i.e. an add-in)
  2. A standalone application that accesses user data stored in the Office 365 cloud.

 

Where to from here?

The best starting place within the Microsoft documentation for developing Office add-ins is

https://docs.microsoft.com/en-us/office/dev/add-ins/

and for accessing user data via the Microsoft Graph

https://developer.microsoft.com/en-us/graph/docs/concepts/overview

 

Further reading

Office Dev Center

https://developer.microsoft.com/en-us/office

History of Microsoft Office

https://en.wikipedia.org/wiki/History_of_Microsoft_Office

History of Visual Studio Tools for Office

https://en.wikipedia.org/wiki/Visual_Studio_Tools_for_Office

History of Office Online

https://en.wikipedia.org/wiki/Office_Online

 

 

Microsoft Insider Dev Tour – Sydney 2018

The Insider Dev Tour is such a great event for Microsoft developers, you get the key announcements and latest news that came out of the Build Conference, delivered locally in a more intimate and interactive environment. Best of all it’s a free event put on by Microsoft.

I was very grateful for the opportunity to present two sessions at the Insider Dev Tour in Sydney last week.

  • Create Productive Apps with Office 365
  • Drive User Engagement Across all your Devices with Microsoft Graph

If you attended I hope you enjoyed the experience as much as I did. The following are links to the resources mentioned during the presentations.

Microsoft Graph Explorer

Adaptive Cards Visualizer

Insider Dev Tour Labs

Github repo of demos from the Create Productive Apps with Office 365 session

Github repo of demos from the Microsoft Graph session

insider-dev-tour-sydney-cameron-dwyer-mvp-graph-api-office-365-microsoft

 

%d bloggers like this: