Through Powershell it is possible to connect to a Microsoft 365 tenant to perform operations on users, groups and any other element of the tenant. When you use this tool, Powershell presents you with the mask for entering your account and password. You can write accounts and passwords directly in the Powershell script but it would be a serious security compromise.
An alternative is to build a software that connects directly to the Tenant through customized keys present in the Tenant itself. In other words, it is necessary to communicate to the Tenant that there is a certain application that is authorized to access the Tenant. Furthermore, for each operation that you want to perform on the Tenant it is necessary to specify the appropriate permissions. To create these applications, we recommend that you follow the excellent tutorial “.Net Core console application for calling Microsoft Graph“. This post proposes the images present in the previous tutorial only to specify how the application must be prepared on the Microsoft Tenant.
Register a web application with Azure AD Portal App Registration
Open a browser and navigate to the Azure Portal. Login using your account. Select the resource “Azure Active Directory”. On the left side menu, select “App regitstration”. Click New registration from the current page.
On the Register an application page, specify the following values:
- Name = Name of your Application
- Supported account types
- Redirect URI
- Type = Web
- Value = https://localhost:8080 (*)
(*) The Redirect URI value must be unique within your domain. This value can be changed at a later time and does not need to point to a realy hosted URI.
It is now necessary to store 2 values that will be used in your application:
- Application (client) ID
- Directory (tenant) ID
Certificates & secrets
Click Certificates & secrets.
- Click New client secret.
- On the Add a client secret dialog, specify the following values:
- Description = Your secret’s description
- Expires = In 1 year (for example)
- Click Add.
After the screen has updated with the newly created client secret copy the VALUE of the client secret. This secret string is never shown again, so make sure you copy it now.
Click API permissions.
- Click Add a permission
- On the Request API permissions panel select Microsoft Graph.
- Select Application permissions.
Now you have to choose between the permissions to authorize your app. For example, to create an application to read alla information about Tenant’s users, in the “Select permissions” search box type “User”.Select User.Read.All from the filtered list. At the end, on the API permissions content blade, click Grant admin consent for the Tenant.
Summary of the data necessary for the application
Let’s see what data your application needs to connect and operate on the Microsoft Tenant.
- applicationId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
- applicationSecret = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
- tenantId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
- redirectUri = “https://localhost:8080”;
- domain = “yourtenant.onmicrosoft.com”;
- User.Read.All : Read all users’ full profiles
- User.ReadWrite.All : Read and write all users’ full profiles
- Group.ReadWrite.All : Read and write all groups
- Notes.ReadWrite.All : Read and write all OneNote notebooks
Solo per la lingua italiana
Nella eliminazione di una risorsa Azure compare un messaggio di controllo in cui viene richiesto di mettere ‘sì’ in un certo campo per conferma. Proviamo e riproviamo e non riusciamo a farlo : bisogna mettere sì utilizzando la ì accentata della tastiera italiana e non la i … semplice.
This is the procedure we followed to register a new Microsoft Azure subscription for a company that does not have a subscription to Office 365.
Visit https://account.windowsazure.com/organization to sign up for Azure with a new organization.
Enter the name and surname of the company reference.
A name for the company domain similar to xxxxx.onmicrosoft.com.
Use your email address for reference.
Enter an username, for example admin and password; company
Enter company’s vat registration number.
As part of the process of signing up for Azure, you will be required to provide credit card details. We didn’t insert it. Whenever you log in to Azure’s portal you are asked for your credit card details.
You have to bought a new Azure Subscription Services Open from the Microsoft distributor, using Company’s name, your mail address (the same used creating Azure account) and Company’s vat registration number.
Using Microsoft Edge, enter, in Azure Portal : credit card details are no longer required. You can add the license of the new Azure Subscription Services Open. That’s all.