Hi @dimitrie, thank you for the offer. I wanted to check that there is no requirement for a “mail.send” application-level permission? This would allow the application to send an email on the user’s behalf with no interaction.
Hey @shiangoli,
there is no requirement for “mail.send” at all. Emails sent by the Speckle server go through the configured SMTP server, so the Speckle server does not send emails on behalf of users.
That is good to know. The reason is we were looking at this setting and we didn’t want to turn this on.
Hi @AlexHofbeck this is where we have enabled the email in the application registration. Is this the same place you used?
We did not use tokens:
We went for API permissions and used Microsoft Graph for it and chose those ones
Think about the admin grant in case necessary … I believe it was … not sure it helped, but it is always nice to force an admin to push a button for something he does not know in detail what he consents to.
Some helpful links I have used, which might also help other users:
https://learn.microsoft.com/de-de/azure/active-directory/develop/quickstart-register-app
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
After the first setup with Speckle I thought this was a struggle with Azure AD. Our Head of IT and I wrestled today with Elastic Stack … you could literally write a PhD about the setup …
Regarding the above permission it would be interesting what else is possible @gjedlicska.
Additional parameters might be interesting, like department, location, O365 photo? I don’t know if this is possible, but it might be cool to have those accounts structured.
UPDATE:
It seems the profile image of Microsoft 365 does not transfer with OpenID. One needs to do it separately, and it is not working by default.
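The permission question raised in this thread (whether the app registration needs an application-level “mail.send”, and which Microsoft Graph API permissions a plain OIDC sign-in actually needs) can be turned into a quick least-privilege check on the access token the identity provider issues. The following is an added example, not code from this thread or from Speckle. The allowlist of delegated scopes and both sample tokens are constructed for the demo; it inspects claims only and leaves signature verification to the OIDC library.

```python
import base64
import json

# Delegated scopes a plain OIDC sign-in needs (constructed allowlist, an assumption
# for this example). In Azure AD tokens, delegated scopes appear in the space-separated
# "scp" claim and application permissions (usable with no signed-in user) in "roles".
ALLOWED_DELEGATED_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Signature verification belongs in the OIDC library; this only inspects claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def audit_permissions(claims: dict) -> dict:
    """Classify the permissions a token carries against the OIDC-only allowlist."""
    scp = claims.get("scp") or ""
    delegated = set(scp.split())
    app_roles = set(claims.get("roles", []))
    unexpected = delegated - ALLOWED_DELEGATED_SCOPES
    return {
        "delegated": sorted(delegated),
        "unexpected_delegated": sorted(unexpected),
        # Any application permission at all is a red flag for a sign-in-only app.
        "application_permissions": sorted(app_roles),
        "least_privilege": not unexpected and not app_roles,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') purely for offline demonstration."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: one scoped to sign-in only, one that also carries
# a Mail.Send application permission an OIDC login never needs.
GOOD_TOKEN = make_unsigned_token(
    {"aud": "00000003-0000-0000-c000-000000000000", "scp": "openid profile email User.Read"}
)
BAD_TOKEN = make_unsigned_token(
    {"aud": "00000003-0000-0000-c000-000000000000",
     "scp": "openid profile email User.Read Mail.Send",
     "roles": ["Mail.Send"]}
)

if __name__ == "__main__":
    for name, token in (("sign-in only", GOOD_TOKEN), ("over-privileged", BAD_TOKEN)):
        print(name, json.dumps(audit_permissions(decode_jwt_claims(token)), indent=2))
```

Running the check against a real token from the app registration is the quickest way to confirm the claim made earlier in the thread: a sign-in-only app should show an empty `roles` claim and nothing beyond the OIDC scopes in `scp`.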
On the topic of additional user info params, I would be hesitant to add anything AAD-specific, but since authn things are converging towards OIDC, we can look into what the protocol supports.
Hi @AlexHofbeck, unfortunately we didn’t get this to work. When you mentioned you need to grant admin consent, where exactly? From your screenshot I can see “admin consent req…” set to no.
hmm … it is still the same error message with the mail?
Hi @AlexHofbeck, looks like a rebuild of the instance made it work, which is great news; fortunately this is dev. I wouldn’t want to be doing this in production. I feel we need to understand all the moving parts with identity management to ensure that if something changes and there is an issue, we can resolve it without significant impact.
Great to hear. For production, it works stably on our end, at least the user management (except for taking care of external guests). The bigger topic for us is the stability and performance of the server. In case you are interested, we can exchange a bit about this. I’m super curious about your setup and your experiences so far. Let me know via PM.
Best,
Alex