
I have written a Java program to upload files to SharePoint in an Office 365 developer tenant where I am an administrator. The program authenticates with client_credentials and a secret. After authentication, it does not have an Office 365 identity.

The requirement is to upload a file to a specific folder. The user is ready to share their folder, but I can't find a workflow with a daemon application to accomplish this.

Can the admin approve the application to access the user's folder?

In my developer tenant, I have the Application Permission Files.ReadWrite.All and the program works fine. However, we will not get approval for Files.ReadWrite.All in production. The question is how I can use the Delegated Permission Files.ReadWrite and authenticate my daemon app so I can upload files to one folder. My application runs on Dell Boomi. Thanks

  • If my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). See https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work. This can be beneficial to other community members. Thank you. – Allen Wu Nov 20 '20 at 01:54

1 Answer


Firstly, application permission (client_credentials flow) is supported for uploading files to SharePoint Online.

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import com.microsoft.graph.auth.confidentialClient.ClientCredentialProvider;
import com.microsoft.graph.auth.enums.NationalCloud;
import com.microsoft.graph.models.extensions.IGraphServiceClient;
import com.microsoft.graph.requests.extensions.GraphServiceClient;

// App-only token: the scope is the .default scope; the actual permissions come from the app registration
ClientCredentialProvider authProvider = new ClientCredentialProvider(
        clientId,
        Arrays.asList("https://graph.microsoft.com/.default"),
        clientSecret,
        tenant,
        NationalCloud.Global);

IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(authProvider).buildClient();

// Upload real file bytes; the docs' Base64.decode("The contents ...") placeholder is not valid Base64 and throws
byte[] stream = Files.readAllBytes(Paths.get("/path/to/file.txt"));

// An app-only token has no "me", so the target user's drive is addressed explicitly; content() selects the item's bytes
graphClient.users("{userId}").drive().items("{item-id}").content()
        .buildRequest()
        .put(stream);

But if you cannot get the Application Permission Files.ReadWrite.All granted in the production environment and you cannot implement an interactive login in a daemon app, you should consider the ROPC flow.

Note there is a warning:

Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.

Please refer to Username/password provider.

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import com.microsoft.graph.auth.publicClient.UsernamePasswordProvider;
import com.microsoft.graph.models.extensions.IGraphServiceClient;
import com.microsoft.graph.requests.extensions.GraphServiceClient;

// Delegated token: the scopes are the delegated permissions granted to the signed-in user
UsernamePasswordProvider authProvider = new UsernamePasswordProvider(
        clientId,
        Arrays.asList("Files.ReadWrite"),
        username,
        password);

IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(authProvider).buildClient();

byte[] stream = Files.readAllBytes(Paths.get("/path/to/file.txt"));

// With a delegated token, me() resolves to the user whose credentials were used; content() selects the item's bytes
graphClient.me().drive().items("{item-id}").content()
        .buildRequest()
        .put(stream);
Allen Wu
  • Thanks Allen. I neglected to mention I’m discouraged from using ROPC. Can someone explain what Microsoft has in mind when they mention “more secure alternatives?” – Seth Fishman Nov 20 '20 at 11:31
  • @SethFishman For "more secure alternatives", Microsoft is referring to the auth code flow or the implicit grant flow. But they all require interactive login. So, as I mentioned, if you don't want to log in interactively and want to use a delegated permission that carries user information, you can only use the ROPC flow. – Allen Wu Nov 23 '20 at 02:47
  • Thanks for clarification. What about this? https://learn.microsoft.com/en-us/azure/azure-maps/how-to-secure-daemon-app#daemon-hosted-on-non-azure-resources It seems to be what I'm looking for. Can this be used for non Web Applications to accomplish the "more secure alternative" security they are saying? – Seth Fishman Nov 23 '20 at 13:32
  • Thanks! I am looking for a way that the application authenticates with client_credentials and thereby acquires a delegated role. From what I'm hearing this isn't a supported use-case except through ROPC which is discouraged. – Seth Fishman Nov 23 '20 at 16:28
  • @SethFishman The docs you shared are for Azure resources rather than Microsoft Graph resources. Graph resources are mainly managed in Azure AD, which is different from Azure resources, which are managed by an Azure subscription. So I'm afraid ROPC is the only choice in your use case despite the safety factors. – Allen Wu Nov 24 '20 at 02:10
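Added example, not part of the answer or of the Graph SDK: the form bodies the two flows discussed above send to the v2.0 token endpoint, and a helper that reads an access token's claims to tell an app-only token (client_credentials, `roles` claim) from a delegated one (ROPC, `scp` claim plus the user's identity). This is why a delegated scope such as Files.ReadWrite can never come out of the client_credentials flow. The tokens below are constructed locally and only parsed, never signature-verified; tenant, client and user values are placeholders.

```python
"""Client-credentials vs ROPC: request bodies and how to tell the tokens apart."""
import base64
import json

# Placeholder endpoint; {tenant} is the tenant id or domain, not a real value here
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

def client_credentials_body(client_id, client_secret):
    """Form fields for the client_credentials grant: no user is involved,
    so the resulting token can only carry application permissions."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": GRAPH_DEFAULT_SCOPE}

def ropc_body(client_id, client_secret, username, password, scopes):
    """Form fields for the ROPC (grant_type=password) flow: the user's
    password itself is sent to the token endpoint, which is why it is discouraged."""
    return {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "scope": " ".join(scopes)}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_permission_model(access_token):
    """Classify a Graph access token from its claims (parsed only; the
    signature is NOT verified here): app-only tokens carry 'roles',
    delegated tokens carry 'scp' plus the signed-in user's identity."""
    claims = json.loads(_b64url_decode(access_token.split(".")[1]))
    if "scp" in claims:
        return "delegated", claims["scp"].split(), claims.get("upn")
    return "application", claims.get("roles", []), None

def _constructed_token(claims):
    """Build an unsigned sample token (constructed for this demonstration)."""
    seg = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return seg(b'{"typ":"JWT","alg":"RS256"}') + "." + seg(json.dumps(claims).encode()) + ".sig"

# Constructed samples of what each flow returns for the permissions discussed on this page
APP_ONLY_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com",
                                     "roles": ["Files.ReadWrite.All"]})
DELEGATED_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com",
                                      "scp": "Files.ReadWrite",
                                      "upn": "user@contoso.example"})

if __name__ == "__main__":
    print(token_permission_model(APP_ONLY_TOKEN))   # ('application', ['Files.ReadWrite.All'], None)
    print(token_permission_model(DELEGATED_TOKEN))  # ('delegated', ['Files.ReadWrite'], 'user@contoso.example')
```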