MipSDK-File-Dotnet-ServicePrincipalAuth
This sample application demonstrates using the Microsoft Information Protection SDK .NET wrapper to label a file and read the label back using service principal authentication. The sample provides steps and code for both client secret and certificate-based authentication.
Beyond the authentication flow, it demonstrates:
- Fetching labels for the tenant
- Applying a label to a file
- Reading a label from a file
Summary
This sample application illustrates using the MIP File API to list labels, apply a label, then read the label as a service principal identity. All SDK actions are implemented in action.cs. All auth behaviour is implemented in AuthDelegateImplementation.cs.
Getting Started
Prerequisites
- Visual Studio 2015 or later with Visual C# development features installed
Sample Setup
In Visual Studio 2017:
- Right-click the project and select Manage NuGet Packages
- On the Browse tab, search for Microsoft.InformationProtection.File
- Select the package and click Install
Create an Azure AD App Registration
Authentication against the Azure AD tenant requires creating a native application registration. The client ID created in this step is used in a later step to generate an OAuth2 token.
Skip this step if you've already created a registration for previous sample. You may continue to use that client ID.
- Go to https://portal.azure.com and log in as a global admin.
Your tenant may permit standard users to register applications. If you aren't a global admin, you can attempt these steps, but may need to work with a tenant administrator to have an application registered or be granted access to register applications.
- Click Azure Active Directory, then App Registrations in the menu blade.
- Click New Registration.
- Under Supported account types select Accounts in this directory only.
- Under Redirect URI select Public client.
- For Redirect URI, enter mipsdk-auth-sample://authorize
Note: This can be anything you'd like.
- Click Register.
The registered app should now be displayed.
Add API Permissions
- Click API permissions.
- Click Add a permission.
- Select Microsoft APIs.
- Select Azure Rights Management Services.
- Select Application permissions.
- Under Select Permissions select Content.DelegatedWriter and Content.Writer.
- Select Add permissions.
- Again, Select Add a permission.
- Select APIs my organization uses.
- In the search box, type Microsoft Information Protection Sync Service then select the service.
- Select Application permissions.
- Select UnifiedPolicy.Tenant.Read.
- Select Add permissions.
- In the API permissions blade, Select Grant admin consent for and confirm.
Set Redirect URI
- Select Authentication.
- Select Add a platform.
- Select Mobile and desktop applications
- Select the default native client redirect URI, which should look similar to https://login.microsoftonline.com/common/oauth2/nativeclient.
- Select Configure and be sure to save any changes if required.
Generate a client secret
If you'd prefer to use certificate based auth, skip ahead to Generate a client certificate.
- In the Azure AD application registration menu, find the application you registered.
- Select Certificates and secrets.
- Click New client secret.
- For the description, enter "MIP SDK Test App".
- Select In 1 year for expiration. This can be 1 year, 2 years, or never.
- Click Add.
The secret will be displayed in the portal. Copy the secret now, as it will disappear after page refresh.
Note: storing client secrets in plaintext, as this sample's app.config does, isn't a best practice.
Generate a client certificate
This step generates a self-signed certificate, writes the thumbprint to the console, then exports the public certificate to a CER file. If you used a client secret, skip ahead to Update application configuration settings.
Run the following PowerShell script:
# Create a working folder (no error if it already exists) and switch to it
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Set-Location C:\temp
# Generate a self-signed signing certificate in the current user's personal store
$cert = New-SelfSignedCertificate -Subject "CN=MipSdkFileApiDotNet" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
# Print the thumbprint; you will paste it into app.config later
$cert.Thumbprint
# Export only the public certificate (no private key) to cba.cer
Export-Certificate -Cert $cert -FilePath cba.cer -Type CERT
# Take the CER file and upload it to the AAD App Registration portal
Import the certificate to the application registration
In this step, the public certificate generated in the previous section will be imported to the application registration.
- In the Azure AD application registration menu, find the application you registered.
- Select Certificates and secrets
- Click Upload certificate
- Browse to the CER file generated in the previous section, then click Add
The certificate will appear in the list, displaying the thumbprint and validity period.
Update application configuration settings
- In Visual Studio open app.config.
- Replace YOUR CLIENT ID with the application ID copied from the AAD App Registration Overview blade.
- Replace YOUR APP NAME with the friendly name for your application. This will appear in logging and AIP Analytics.
- Replace YOUR APP VERSION with the version of your application. This will appear in logging and AIP Analytics.
- If you set the application to use client secret for auth, change YOUR CLIENT SECRET to the secret you copied earlier from Certificates & secrets and set DoCertAuth to false.
- If you intend to use a certificate, change YOUR CERTIFICATE THUMBPRINT to the thumbprint of the certificate displayed in the Certificates & secrets section and set DoCertAuth to true.
- Replace YOUR TENANT GUID (the ida:Tenant value) with the name of your Azure Active Directory tenant (e.g. contoso.com or contoso.onmicrosoft.com).
<appSettings>
<add key="ida:ClientId" value="YOUR CLIENT ID"/>
<add key="ida:RedirectUri" value="https://login.microsoftonline.com/common/oauth2/nativeclient"/>
<add key="ida:CertThumbprint" value="YOUR CERT THUMBPRINT"/>
<add key="ida:ClientSecret" value="YOUR CLIENT SECRET"/>
<!-- change this flag to true if you're doing certificate based auth. False if using client secret. -->
<add key="ida:DoCertAuth" value="false"/>
<!-- Tenant name in format of contoso.com or contoso.onmicrosoft.com -->
<add key="ida:Tenant" value="YOUR TENANT ID"/>
<!-- Your app name. This name will appear in AIP Analytics logs -->
<add key="app:Name" value="MIP SDK Service Principal Auth Test App"/>
<!-- Your app version. This will appear in AIP Analytics logs -->
<add key="app:Version" value="1.10.0"/>
</appSettings>
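As an added example (not the sample's own action.cs or AuthDelegateImplementation.cs), here is an IAuthDelegate that consumes the settings above and acquires an app-only token with the client-credentials flow, branching on ida:DoCertAuth exactly as the configuration describes. It assumes MSAL.NET (Microsoft.Identity.Client) is installed alongside the MIP package; the class name ServicePrincipalAuthDelegate and helper LoadCertificate are hypothetical, while IAuthDelegate.AcquireToken is the MIP .NET wrapper's interface method.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client;            // MSAL.NET (assumed to be installed)
using Microsoft.InformationProtection;      // MIP SDK .NET wrapper

// Hypothetical delegate; the sample's own class is AuthDelegateImplementation.cs.
public class ServicePrincipalAuthDelegate : IAuthDelegate
{
    private readonly string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private readonly string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
    private readonly bool doCertAuth = bool.Parse(ConfigurationManager.AppSettings["ida:DoCertAuth"]);

    // The SDK calls this whenever it needs a token for a resource (RMS, policy sync).
    // Client-credentials flow: the scope is "<resource>/.default" so the admin-consented
    // application permissions from the app registration apply.
    public string AcquireToken(Identity identity, string authority, string resource, string claims)
    {
        var builder = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenant}");

        if (doCertAuth)
            // The private key never leaves the CurrentUser\My store; config holds only the thumbprint.
            builder = builder.WithCertificate(LoadCertificate(ConfigurationManager.AppSettings["ida:CertThumbprint"]));
        else
            builder = builder.WithClientSecret(ConfigurationManager.AppSettings["ida:ClientSecret"]);

        string scope = resource.TrimEnd('/') + "/.default";
        AuthenticationResult result = builder.Build()
            .AcquireTokenForClient(new[] { scope })
            .ExecuteAsync().GetAwaiter().GetResult();
        return result.AccessToken;
    }

    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly = false: the self-signed cert from the PowerShell step is not chain-trusted.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException($"Certificate {thumbprint} not found in CurrentUser\\My.");
            return matches[0];
        }
    }
}
```

Pass an instance of this delegate where the sample passes its AuthDelegateImplementation; a wrong thumbprint fails fast with the exception above rather than with an opaque token error from the SDK.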
Run the Sample
Press F5 to run the sample. The console application will start and after a brief moment displays the labels available for the user.
- Copy a label ID to the clipboard.
- Paste the label ID into the input prompt.
- Next, the app asks for a path to a file. Enter the path to an Office document or PDF file.
- Finally, the app will display the name of the applied label.
- Attempt to open the file in a viewer that supports labeling or protection (Office or Adobe Reader).