HELP ME! Office365 saas integration - What all is required for multi-tenant Office 365 api authorization?

  • Question

  • So I've got a multi-tenant php application where we want to authorize the user's Office 365 account with oauth2 so that our app can push/pull calendar events and do some stuff with their email. Let's just call it Super CRM (made up name).

    We did have oauth2 stuff working fine, but I keep running into all these permission issues and can't get it to authorize.  I just need help figuring this out, because I'm kind of restricted from playing around with my company's Azure AD, and I need to know if I need another Azure AD subscription of my own just to do testing.  Here's my understanding of how it works, please correct my misconceptions and educate me:

    1. Super CRM must be registered in Azure AD (the classic version, not the new version), and the necessary permissions set.
    2. You must have a paid Azure AD subscription to do number 1.
    3. If you're from a different organization (one of our tenants), you or your admin must go into YOUR Azure AD and add Super CRM to your authorized apps, which is already registered with a different organization's Azure (that's us).
    4. You must have a paid Azure AD subscription to do number 2 (a free Office365 developer account won't cut it).
    5. Admin of whichever organization must have it set to allow users to authorize Super CRM for their own accounts.
    6. Once the Office 365 account is authorized, you can utilize the Outlook API to interact with email and calendar.

    Seriously, any help is appreciated.

    Thursday, May 19, 2016 12:28 PM

All replies

  • You need to set app permissions in Azure AD for the required operations. Azure AD application permission setup does not require a paid license. I can access my Office365 Developer subscription Azure AD without paying anything.

    Seems like, apart from the resources like Outlook and mail, the app needs the read directory permission and the read profile permission.

    If your app is running from Azure AD, then you must set it to be a multi-tenant app.

    Your points 1, 3 & 5 are correct. 6 should work by itself once the previous things are sorted.

    Thanks, Ashish | Please mark a post helpful/answer if it is helpful or answer your query.

    Friday, May 20, 2016 2:50 AM
  • Hi Code,

    This forum is used to discuss Office add-ins; your issue is more related to the O365 APIs, so I will move this thread to a more relevant forum.


    Thanks for your understanding.

    Best Regards,



    Friday, May 20, 2016 5:55 AM
  • Thanks Ashish,

    Ok, I got in.  It actually just wanted my credit card info, but it says it won't charge me.  This has been very confusing, but I think I'm starting to get the hang of it.

    Ok, so now I'm getting this error when I try to authorize Super CRM with oauth2:

    "This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."

    I'm sort of familiar with "admin consent", but how can I set it up so that, if that admin needs to, he can give consent, but users still have to authorize office 365 on their own?

    Friday, May 20, 2016 2:51 PM
  • (thanks, didn't really know where to put it)
    Friday, May 20, 2016 2:52 PM
  • When you are building a multi-tenant application, the web application is first configured to indicate the permissions it requires to be functional. This list of required permissions is shown in a dialog when a user or administrator in the destination directory gives consent to the application, which makes it available to their organization. Some applications require just user-level permissions, which any user in the organization can consent to. Other applications require administrator-level permissions, which a user in the organization cannot consent to. Only a directory administrator can give consent to applications that require this level of permissions. When the user or administrator consents, the web application is registered in their directory.

    Please refer to the article below to confirm which Office 365 API permissions require admin consent:

    There are different OAuth2 authentication flows that Azure AD supports:

    Authorization Code Grant Flow is common when websites or custom applications leverage Azure AD as a federated authentication provider. One benefit to this model is that the custom application or web site never sees your username & password… all authentication happens over on Azure AD and instead, the application just gets the code that’s a result of this login process, and as such, this is very secure.

    Client Credentials Grant Flow is typically used when you need to get an access token but you don't want to work under the context of a user+app permissions, rather you want to work with just app permissions.

    Please refer to the article below for more details if you have authentication issues:

    Best Regards,

    Nan Yu

    Tuesday, May 24, 2016 3:16 AM
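
The authorization code request discussed in the last reply, sketched as an added example that is not code from any poster in this thread. It builds the sign-in URL for a multi-tenant app in a user-consent and an admin-consent variant, then validates the redirect back. It assumes the Azure AD v1 `common` endpoint, its `prompt=admin_consent` parameter and the Outlook resource URI; the client ID and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: Azure AD v1 endpoint. "common" accepts sign-ins from any tenant,
# which is what a multi-tenant registration needs.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
# Assumption: resource URI for the Outlook mail/calendar API.
OUTLOOK_RESOURCE = "https://outlook.office365.com/"


def build_authorize_url(client_id, redirect_uri, admin_consent=False):
    """Return (url, state) for the authorization code grant.

    Default: ordinary per-user consent. With admin_consent=True a directory
    administrator is asked to consent once for the whole tenant.
    """
    state = secrets.token_urlsafe(32)  # unguessable; keep it in the user's session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": OUTLOOK_RESOURCE,
        "state": state,
    }
    if admin_consent:
        params["prompt"] = "admin_consent"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def read_callback(callback_url, expected_state):
    """Validate the redirect from Azure AD and return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Reject responses not tied to this session (login CSRF / code injection).
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in query:
        # e.g. the user or admin declined the consent dialog
        detail = query.get("error_description", [""])[0]
        raise PermissionError(query["error"][0] + ": " + detail)
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```

The returned code is then exchanged for tokens server-side with the app's client secret, so the secret and the user's password never pass through the browser-facing part of the application.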