Article published on the 1st of August, 2024.
Contents
1. Introduction
2. Creating the basic Application Registration
2.1. Record the Application Registration details
3.1. User impersonation
3.1.1. Enabling User Interactive Authentication
3.1.2. Add a Callback URI
3.1.3. Granting your Application Access to the WorkPoint API
3.1.4. Locate and Authorize access to WorkPoint Web API
3.1.5. Grant Delegated Permission
3.1.6. Review Application Registration
3.1.7. Record the Scope
3.1.8. Summary
3.2. Application Access
3.2.1. Request permission to use the WorkPoint API
3.2.2. Request Application Permission
3.2.3. Review the API Permissions
3.2.4. Record the Scope
3.2.5. Confirm Admin Consent
3.2.6. Summary
1. Introduction
In this support article, we guide you through the process of creating an Application Registration in Azure that will allow you to use the WorkPoint API to integrate with your WorkPoint Solution.
In section 2, we create the basic application registration, generate a client ID and an application secret that you can use for authentication against your own Azure Tenant.
In section 3, we present two different authentication strategies (User Impersonation vs. Application Access), which require slightly different setups in your Application Registration. We discuss the implications of each strategy so you can make an informed decision on which is right for your integration.
At the end of this guide, you will have all the values required to authenticate and start calling the different WorkPoint API so you can begin to explore options for integrating with or automating your WorkPoint365 solution.
2. Creating the basic Application Registration
There are two ways to access Application Registrations for your Tenant:
From the Azure Portal:
- In the Azure Portal, select the "Microsoft Entra ID" blade
- Expand the "Manage" section in the left hand navigation and select the "App Registrations" blade.
- Click on "+ New Registration".
From the Entra Admin Portal:
- In the Entra Admin Portal, expand the "Applications" menu and select "App registrations".
- In the command bar, click "+ New registration".
- Enter a meaningful name for the Application Registration.
- Select "Accounts in this organizational directory only".
When you have provided a name and selected "Accounts in this organizational directory only", click the "Register" button.
Azure will now create the Application Registration and assign a unique application (client id).
2.1. Record the Application Registration details
From the "Overview" screen, record the following details which will be used later to authenticate:
- Record the "Application (client) ID" and the "Directory (tenant) ID values for later use.
Next, we need to generate and record a client secret. The client Secret is a system generated token that will be used in your authentication flow.
To create a new Secret, in the Application Registration View, follow these steps:
- Click on Certificates & Secrets
- Click on New Client Secret, enter a description, then click the "Add" button.
- Take a note of Secret Value. This will be used in your authentication flow later.
Note that the secret value is only available to copy immediately after creation. If you omit to record it now, you will have to create a new secret later.
3. Authentication
Now that we have created the Application Registration, we need to grant it access to use the WorkPoint API. There are two models available. User Impersonation or Application Access.
With User Impersonation, an end-user first authenticates directly with Microsoft using their own Microsoft account within the Tenant to obtain an Access Token. This token can then be used to invoke the WorkPoint API. Importantly, all requests to the WorkPoint Solution utilize the end-user’s permissions and access rights, ensuring they cannot view or manipulate any data they do not have access to. Importantly, all requests to access, create or modify data will be recorded in the audit trail with the end-user’s actual identity rather than a generic service or application account.
With Application Access, the Application Registration is granted admin level access to the WorkPoint API. After the initial authentication against the Tenant using only the Application Client ID, Secret and a request to use the WorkPoint API scope, Microsoft return an Access Token with finite validity (default 3 hours) which can be used for subsequent requests to the WorkPoint API. Critically, with Application Access, the end-user's credentials or permissions are not considered. All requests to read or manipulate WorkPoint data are performed as the application itself - meaning that audit trail and version history will show only the "SharePoint Application", rather than an individual user. As this approach does not require user-interactive authentication, it might be more suitable for automations or system jobs with limited scope (e.g., scheduled entity creation). Given that all requests have admin level of access, the credentials for and access to your automation will need to be secured appropriately.
Once you decide which authentication strategy is right for your application, follow the steps in the appropriate section below.
3.1. User impersonation
3.1.1. Enabling User Interactive Authentication
To authenticate with "User Impersonation", we will require users to first interactively authenticate with Microsoft.
In this example we will use the Web platform to allow the user to complete the authentication process using their web-browser and their Windows credentials.
To enable User Interactive Authentication, follow these steps:
- In the App Registration view, expand the "Manage" menu and select "Authentication".
- Click "+ Add a Platform".
- Select "Web".
3.1.2. Add a Callback URI
After they complete the authentication process, Microsoft needs an internet accessible URI linking back to your application so it can hand-back the authentication token for use in subsequent API calls:
- If you are using this as part of our WorkPoint API PostMan project for User Impersonation authentication, you can add the PostMan URI as follows: In the Configure Web Task Pane, enter the PostMan callback URI below into the "Redirect URIs" field.
https://oauth.pstmn.io/v1/callback
If you are developing a 3rd party application, consult the "Learn more" link in the task pane to understand the requirements of a Redirect URI to participate in the authentication flow.
3.1.3. Granting your Application Access to the WorkPoint API
To allow the application to interact with your WorkPoint solution via the WorkPoint API, we need to grant it access to act on behalf of the end-user.
You can do so by following these steps:
- In the App Registration view, expand the "Manage" menu and select "API permissions".
- Click "+ Add a permission".
3.1.4. Locate and Authorize access to WorkPoint Web API
- In the "Request API permissions" pane, select "APIs my organization uses".
- Search for and select the "WorkPoint365 WebAPI" registration.
Note in the example below, the WorkPoint API is in the Test ring because this is a testing tenant - if your tenant is production, the name may appear slightly differently.
3.1.5. Grant Delegated Permission
- In the "Request API permissions" pane, select "Delegated permissions".
- Select the "user_impersonation" option.
- Click "Add permissions".
3.1.6. Review Application Registration
The summary screen should show that the application registration has "Delegated" access to the WorkPoint365 API registration:
3.1.7. Record the Scope
When using the Application Registration to authenticate with your tenant, you need to provide it with a "scope" value.
The value that you should use can be taken directly from the properties of the Application Registration.
In the API permissions blade, review the "Configured Permissions Table":
- In the "WorkPoint365 WebAPI" section, click on the "user_impersonation" line
- Copy the "Scope" value from the top line of the "user_impersonation" pane. This is the scope to request during Authentication.
3.1.8. Summary
On completion of these steps, you should have a record of the following values that you can use in your authentication flow:
Key | Example value |
---|---|
Directory (tenant) ID | 7d2223c6-3d54-476d-805f-############ |
Application (client) ID | 71433429-a79d-42a9-ac9e-############ |
Client Secret Value | GPN8Q~############################ |
Client Scope | https://workpoint365.com/wp365webapitest/user_impersonation |
3.2. Application Access
Creating an Application Registration that has Application Access to the WorkPoint API will require granting "tenant-wide admin consent". In Azure, this requires signing into the Azure Entra ID portal as a user that is authorized to consent on behalf of the organization. Consult the documentation on Granting Admin Consent on Microsoft's leaning portal to learn more.
3.2.1. Request permission to use the WorkPoint API
In the Application Registration view
- In the "Application Registration" view, expand the "Manage" menu and select "API permissions".
- Click "+ Add a permissions".
- In the "Request API permissions" pane, select "APIs my organization uses".
- Search for and select the WorkPoint365 WebAPI application from the results.
Note: The example shown opposite is from the "Test" ring, hence the "Test" suffix on the WorkPoint365 WebAPI result. If your Tenant is in a different ring, this value may appear slightly differently.
3.2.2. Request Application Permission
- In the "Request API permissions" pane, select "Application permissions".
- Locate and check the "ApplicationAccess" permission.
- Click "Add permissions".
3.2.3. Review the API Permissions
Note that on completion of the above, the permission has been requested - but is not yet granted.
If you have the correct role in your Azure Tenant to grant admin consent on behalf of your organization, the "Grant admin consent for {Tenant}" link highlighted will be available:
- Click on "Grant admin consent for MSFT"
If this link is not available, you will have to raise a request to an authorized user in your tenant to perform this action on your behalf. The "Learn more" link on this page provides instruction on how to create a link that you can send directly to an authorized user to take them directly to an approval process.
3.2.4. Record the Scope
When authenticating using Application Access, you will need to provide a "scope" value as part of the credentials.
This value can be obtained as follows:
- In the API permissions grid, click on the row for "ApplicationAccess"
- In the "ApplicationAccess" pane, copy the URI value.
Note that this URI value will be different if your WorkPoint Solution is on a different release ring (e.g. Production ring). The example shown in this example is from our test system.
The copied URI value needs to be adapted slightly for use in the authentication flow. Simply replace the final part of the URI "ApplicationAccess" with the value ".default" as shown below.
For example:
From: https://workpoint365.com/wp365webapitest/ApplicationAccess
To: https://workpoint365.com/wp365webapitest/.default
Keep a note of this value for use in your authentication request.
3.2.5. Confirm Admin Consent
- When prompted, confirm that you wish to grant admin consent to the Application Registration.
if successful, the Status field of the API permissions should now reflect that the permissions have been authorized:
3.2.6. Summary
On completion of the above, you should now have all the values necessary to authenticate using Application Access and integrate with the WorkPoint API.
Key | Example value |
---|---|
Directory (tenant) ID | 7d2223c6-3d54-476d-805f-############ |
Application (client) ID | cbf69e23-6668-4bd9-a74c-############ |
Client Secret Value | GPN8Q~############################ |
Client Scope | https://workpoint365.com/wp365webapitest/.default |
Comments
0 comments
Please sign in to leave a comment.