Access token and authentication for guest user

0
votes

TLDR: is it possible to have guest account, like [email protected], at company's MS Office 365 cloud that will have "read" permission to organization's users calendars and events with constant access token? By constant access token I mean that I sign in once for this guest user and receive constant access token from Azure AD (like application access authentication but as guest account).

I have my own company's MS Office 365 account with some users in it. There is one global administrator account and few regular users. There is second company, let's call it XYZ, with their own MSO365 account with many of administrators and users. Big company.

Now I'm writing simple app where I need to have access to read XYZ company's users calendars and events. I have list of required users in my app with proper MSO365 ID's. I think that 'read' privilege is enough since we can send invitation for events through ordinary email message. My App will read user events through MS Graph API etc. with some logic and realease it (send invitations for events etc.) with CRON jobs.

And here is my problem with authentication. I don't want to have "application access" Azure AD privileges at my App. I know the XYZ company security policy won't apply it since "application access" gives access to all accounts at organization. Application access means that XYZ company's global administrator apply application privileges for my App by single sign in into Azure AD. If he do so i have Access token which i can use for API calls at my app withoud need of additional authentication.

I can't use "user access" Azure AD authentication neither. Due to my CRON jobs and API calls which fire then. User access means that user need sign in at Azure AD login service what gives me Access token and Refresh token for API calls. Those tokens are 1 hour lifetime.

So I though about: if there is possibility to have a guest account at XYZ company's MSO365 that would let me use authentication mechanism like the "application access"? By this I mean that XYZ company's global Admin creates me a guest account like [email protected] which will have access to read users calendar and events. What is more I need this account to have constant access token which I can use in my cron job's api calls with no need to sign in at Azure AD.

The question is: is it possible? If so how to do it?

1
azureazure-active-directoryoffice365microsoft-graph-apioffice365api

1 Answers

2
votes

The only way there (AFAIK) is to use refresh tokens. Application-level access is more robust but requires organization-wide access.

So you use delegated access (user access), store refresh tokens somewhere. You can use those tokens basically indefinitely, however certain events can expire the refresh token. It doesn't happen often, but it can happen. In that case you would need the user to login again so you can get a new refresh token. You should also store the new refresh token that you get when you acquire tokens using a refresh token. This new token can overwrite the old token for that user.

And of course keep in mind refresh tokens are user-specific so you gotta store one for each user. This is the approach that one of our bigger apps takes.

If we fail to acquire a token in the background process, that user gets a flag set on them that their token does not work, and they'll get a notification that they need to re-authenticate for the feature to start working again.