I have spent a lot of time trying to figure out a solution to this problem and it seems like my situation is pretty unique because I have been unable to find a helpful solution. Essentially, I am developing a new employee website for our organization using ASP.NET Core. I am using Razor pages and already have the frontend the way I want it, except that we as an organization would like to display a company-wide calendar on the homepage. I already have authentication working: the users enter their username and password into a login form, which then uses LDAP to authenticate them with our Active Directory. From there I would like the web app to connect to the account that owns the calendar.
We have a Microsoft Azure Entra ID (or Azure AD as it was formerly called), and we would like to have one account in our tenant that owns the calendar. The idea would be that a user logs in to the website, which then connects with this specific account to read and display the calendar for all users. Additionally, users who have the correct permissions should be able to add or delete events from the calendar directly from the website. I already have authorization in place from the LDAP authentication process. I retrieve the user's groups from our AD and can use those to determine who can access the add and delete events options on the calendar. My problem is that I do not understand how to get my web app to connect to a specific account within our company tenant to access the calendar, regardless of which user logs into the site. Also, when the app connects to the calendar account, it should do this behind the scenes and acquire any access tokens and refresh tokens without the user who logged in having to do anything, as this is a core feature of the site.
At this point I am left wondering if the ROPC (Resource Owner Password Credentials) authentication process is the only way of achieving this, but everything I have seen tells me that this method is not recommended for security reasons. I want to be sure I am following best practices, so if there is another, better way of achieving this, I would like to do that instead.
I have tried different authentication flows, such as using the DelegateAuthenticationProvider function; however, due to a recent update to Microsoft Graph, this function is no longer available. I would like to use the most up-to-date version, as I need this web app to be supported for the foreseeable future. I have also followed a Client Credentials approach to acquire an access token but have struggled to be able to use that access token to create a GraphServiceClient object to access the calendar. I ultimately just want to ensure I am doing this the best possible way that will be secure and efficient.
Your requirement can be divided into 2 parts. The first is that you want your application to get the calendar of a specific user no matter who is signed in to the web app right now. In this scenario, let's say this API is what you are now using. Then we can use the /users/{id | userPrincipalName}/calendar request to do it.
Since I don't have a test resource, I couldn't test it for you to verify whether the delegated API permission is enough to do it. But anyway, we are able to use an application permission and the client credential flow to achieve it. The client credential flow allows us to call the Graph API without any user signing in, because it calls the API on behalf of the application rather than the user, so it must be able to get the calendar of a specific user.
```csharp
using Microsoft.Graph;
using Azure.Identity;

var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenant_name.onmicrosoft.com";
var clientId = "aad_app_id";
var clientSecret = "client_secret";

// Client credential flow: the app authenticates as itself, no signed-in user is involved.
var clientSecretCredential = new ClientSecretCredential(
    tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

// Equivalent of GET /users/{id | userPrincipalName}/calendar
var calendar = await graphClient.Users["userId"].Calendar.GetAsync();
```
The second question, retrieving the user's groups from your AD and using those to determine who can access the add and delete events options, is what we know as RBAC. I have a test here and you might take a look at it.
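Putting both parts together, here is an added example (not from the answer above or from Microsoft's samples) of a hypothetical `SharedCalendarService` that uses the client credential flow to read, add and delete events in the one calendar-owning account, with the write operations meant to sit behind an ASP.NET Core authorization policy fed by the LDAP group membership. It assumes .NET implicit usings, configuration keys under `Graph:*`, the application permission Calendars.ReadWrite, and (as a least-privilege measure) an Exchange Online application access policy that limits that permission to the calendar owner's mailbox rather than every mailbox in the tenant.

```csharp
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Graph;
using Microsoft.Graph.Models;

// Hypothetical wrapper around the Graph SDK (v5) for the single calendar-owning account.
// Assumptions: Graph:TenantId, Graph:ClientId, Graph:ClientSecret and Graph:CalendarOwnerUpn
// are in configuration (the secret in a secret store, not appsettings.json).
public sealed class SharedCalendarService
{
    private readonly GraphServiceClient _graph;
    private readonly string _ownerUpn; // placeholder, e.g. "calendar@tenant_name.onmicrosoft.com"

    public SharedCalendarService(IConfiguration config)
    {
        // Client credential flow: the credential acquires and refreshes tokens itself,
        // so the signed-in website user never sees or handles them.
        var credential = new ClientSecretCredential(
            config["Graph:TenantId"]!, config["Graph:ClientId"]!, config["Graph:ClientSecret"]!);
        _graph = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });
        _ownerUpn = config["Graph:CalendarOwnerUpn"]!;
    }

    // Read: GET /users/{upn}/calendarView expands recurring series into instances in the window.
    public async Task<List<Event>> GetEventsAsync(DateTimeOffset from, DateTimeOffset to)
    {
        var page = await _graph.Users[_ownerUpn].CalendarView.GetAsync(req =>
        {
            req.QueryParameters.StartDateTime = from.UtcDateTime.ToString("o");
            req.QueryParameters.EndDateTime = to.UtcDateTime.ToString("o");
            req.QueryParameters.Select = new[] { "id", "subject", "start", "end", "location" };
            req.QueryParameters.Top = 50;
        });
        return page?.Value ?? new List<Event>();
    }

    // Write: call only from a page handler guarded by the "CalendarEditor" policy below.
    public Task<Event?> AddEventAsync(string subject, DateTimeOffset start, DateTimeOffset end) =>
        _graph.Users[_ownerUpn].Calendar.Events.PostAsync(new Event
        {
            Subject = subject,
            Start = new DateTimeTimeZone { DateTime = start.UtcDateTime.ToString("o"), TimeZone = "UTC" },
            End = new DateTimeTimeZone { DateTime = end.UtcDateTime.ToString("o"), TimeZone = "UTC" },
        });

    public Task DeleteEventAsync(string eventId) =>
        _graph.Users[_ownerUpn].Events[eventId].DeleteAsync();
}

// Program.cs (RBAC part): the LDAP group is assumed to be added to the principal as a role claim.
// builder.Services.AddSingleton<SharedCalendarService>();
// builder.Services.AddAuthorization(o =>
//     o.AddPolicy("CalendarEditor", p => p.RequireRole("CalendarEditors")));
```

Decorate the Razor page handlers that call `AddEventAsync` and `DeleteEventAsync` with `[Authorize(Policy = "CalendarEditor")]` so that the group check is enforced server-side, not only by hiding buttons in the UI.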