activities

latest

false

Important :

Veuillez noter que ce contenu a été localisé en partie à l’aide de la traduction automatique.

Activités de productivité

Last updated 13 sept. 2024

How to connect to Microsoft 365 activities

Vue d'ensemble (Overview)

Microsoft 365 activities have different authentication flows that you can choose from. Your choice is dependent on: the type of automation mode you plan to run (attended or unattended), the type of projects you want to build (cross-platform or Windows), the type of permissions you want to grant (delegated or app-only), and your application authentication requirements (consult with your administrator if you're unsure which authentication requirements apply to your application).

Use the table below to understand the basic differences between each authentication type:

Microsoft Authentication flow	Microsoft 365 Scope - Authentication type	Connexion Integration Service	API permission type
OAuth 2.0 authorization code flow	Interactive Token - public app	Code d'autorisation OAuth 2.0	Autorisations déléguées
OAuth 2.0 authorization code flow	Interactive Token - BYOA	Apportez votre propre application OAuth 2.0	Autorisations déléguées
Integrated Windows authentication (IWA)	IntegratedWindowsAuthentication	S/O	Autorisations déléguées
UsernameAndPassword	UsernameAndPassword	S/O	Autorisations déléguées
OAuth 2.0 client credentials flow	Application ID and secret	S/O	Autorisations de l'application
OAuth 2.0 client credentials flow	Application ID and certificate	S/O	Autorisations de l'application

Delegated permissions versus application permissions

To understand the differences between delegated and application permissions, see the Microsoft official documentation: Comparison of delegated and application permissions.

Briefly, the differences are as follows:

With delegated permissions, the application impersonates a user and acts on the user's behalf. The application can access only what the signed-in user can access.
With application permissions, the application acts on its own, without a signed-in user. The application can access any data that its permissions are associated with.

For both delegated and application permissions, you can restrict what the application can and can't access using the scopes defined when you create the app. Refer to Scopes and permissions in the Microsoft documentation.

Multitenant versus single-tenant applications

Both Microsoft 365 Scope and Integration Service connections support single tenant applications and multitenant applications. To learn the difference between the two, refer to Who can sign in to you app? in the Microsoft official documentation.

Azure environments

Both Microsoft 365 Scope and Integration Service connections support multiple Azure environments:

Connections through the Scope activity support: Azure, Azure Global, China, Germany or US Government. The default value is Global.
Connections through Integration Service support: Default, US Government L4, US Government L5, and China.

Connexion Integration Service

Integration Service connectors use OAuth 2.0 authorization code flow with delegated permissions.

The Microsoft 365 modern activities and triggers establish an authenticated connection to the Integration Service Microsoft OneDrive & SharePoint and the Microsoft Outlook 365 connectors. To learn more about Integration Service connections, refer to Set up Integration Service connectors.

When you connect to the Microsoft connectors in Integration Service, you have the option to use the standard UiPath public application (with a set of default, non-configurable scopes) or create your own application with Microsoft and customize the scopes you need.

Microsoft 365 Scope connections

The Microsoft 365 Classic activities establish an authenticated connection to your Microsoft 365 applications via the Microsoft 365 Scope activity.

The activities need authorization from the Microsoft identity platform. To enable authorization, you first register your Microsoft 365 application in your Azure Active Directory. When registering your application, you assign Microsoft Graph API permissions to specify the resources your Robot can access on your behalf.

After registering your Microsoft 365 application, Azure Active Directory assigns a unique application (client) ID that you enter in the Microsoft 365 Scope activity. The Application ID is used to collect the necessary information about your registered app to initiate authentication and get the access token to establish the connection.

When you add an activity to Microsoft 365 Scope, its required scopes are automatically detected. You can also choose to allow additional scopes.

Jeton interactif

Vue d'ensemble (Overview)

Runs: as a user.
Scenario: attended automation.
Delegated permissions.

Remarque : il s'agit de la même méthode d'authentification prise en charge dans Integration Service, soit via l'application UiPath publique, soit via une application personnalisée privée (méthode Fournissez votre propre application).

Détails (Details)

When registering your application, you must select an application type. For interactive token authentication, use a mobile/desktop application (which uses OAuth 2.0 authorization code flow).

Le type d'authentification par jeton interactif peut être utilisé dans le cadre de l'automatisation assistée et lorsque l'authentification multifacteur (MFA) est requise. C'est l'option par défaut et ce que nous utilisons dans nos exemples. Si vous souhaitez essayer le package d'activités, cette option est facile à configurer et fonctionne bien pour les comptes personnels (en utilisant l'URI de redirection par défaut notée à l'étape 7 de la section Enregistrer votre application du guide de configuration ).

You have the option to register and use your own Azure app (i.e., OAuthApplication = Custom) or the one provided by UiPath (OAuthApplication = UiPath).
When you run the Microsoft 365 activity for the first time using this authentication type, you are prompted to authorize access to the resources (you granted permissions to when registering your app) via a consent dialogue box. See Get access on behalf of a user.

If you select this authentication type in Microsoft 365 Scope, leave the Username, Password, and Tenant fields empty.

IntegratedWindowsAuthentication

Vue d'ensemble (Overview)

Runs: as a user.
Scenario: unattended automation.
Delegated permissions.

Note: This authentication type does not work when multi-factor authentication (MFA) is enabled. If your application requires MFA, you can run attended automation using the Interactive Token authentication type or unattended automation using Application ID and Secret and Application ID and Certificate. Application ID and Secret and Application ID and Certificate authentication types are appropriate for unattended automation and work regardless of whether the MFA is enabled or disabled.

Détails (Details)

Le type d'authentification par authentification Windows intégrée peut être utilisé pour l'automatisation non assistée. Cette option peut s'appliquer aux applications hébergées Windows s'exécutant sur des ordinateurs connectés à un domaine Windows ou à Azure Active Directory.

When registering your application, you must select an application type. For IWA authentication type, you must use a mobile/desktop application (which uses OAuth 2.0 authorization code flow).

Works only for federated users and if your registered Azure application is configured to support IWA. Doesn't work for multi-factor authentication (MFA). See details here: IWA on GitHub.
You should only select this option if your registered application is configured to support Integrated Windows Authentication.

If you select this authentication type in Microsoft 365 Scope, leave the Username and Password fields empty. The Tenant field is optional.

UsernameAndPassword

Résumé

Runs: as a user.
Scenario: unttended automation.
Delegated permissions.

Détails (Details)

This authentication type is provided only for legacy reasons. We do not recommend using this option, as it goes against the principles of modern authentication. It doesn't work for multi-factor authentication (MFA). See details here: User & Password on GitHub.

Bien que Microsoft ne le recommande pas, vous pouvez utiliser ce type d'authentification dans les applications clientes publiques. L'utilisation de ce type d'authentification impose des contraintes à votre application. Par exemple, les applications utilisant ce flux ne pourront pas se connecter à un utilisateur qui doit effectuer une authentification multifacteur (accès conditionnel). Cela ne permettra pas non plus à votre application de bénéficier de l’authentification unique.
The ApplicationID property is required when selecting the Username and Password authentication type. You can register your Microsoft 365 Application using your personal, work, and/or school account.

ID d’application et Clé secrète

Résumé

Runs: as background service.
Scenario: unattended and unattended with MFA enabled.
Application permissions.
Recommended for unattended executions or when you want to access the Microsoft Graph API as an application (a background service / daemon) without a signed-in user.

Détails (Details)

When registering your application, you must select an application type. For application ID and secret authentication type, use a confidential/web application (which uses OAuth 2.0 client credentials flow).
Les autorisations d'API appropriées doivent être configurées pour l'application Azure afin que les activités Microsoft 365 fonctionnent correctement (par exemple, les autorisations d'application Group.Create, Group.Read.All et Group.ReadWrite.All doivent être configurées pour Microsoft Graph lors de l'utilisation des activités Groupes).
A single organization can have multiple application (client) IDs for their Microsoft 365 account. Each application (client) ID contains its own permissions and authentication requirements. For example, you and your colleague can both register a Microsoft 365 application in your company's Azure Active Directory with different permissions. Your app can be configured to authorize permissions to interact with files only, while your colleague's app is configured to authorize permissions to interact with files, mail, and calendar. If you enter your application (client) ID into this property and run attended automation, the consent dialogue box would be limited to file permissions (and subsequently, only the Files activities can be used).
Some activities can't be used with this type of authentication because the corresponding Microsoft Graph API does not support application permissions (e.g. Find Meeting Times).
Pour les activités de messagerie, il est obligatoire de spécifier une valeur pour le paramètre Account (c'est-à-dire quelle boîte aux lettres de toutes les boîtes aux lettres du locataire souhaitez-vous utiliser).
Use Sites.Selected application permission to allow the application to access just the specific SharePoint site collections rather than all.
When using this authentication type, the application has access to all mailboxes from your tenant, the reason being that application API permission Mail.Read means Read mail in all mailboxes and Mail.ReadWrite means Read and write mail in all mailboxes. One solution is to restrict Application permissions to specific mailboxes, so the application has access only to the specified mailboxes. For more information, see Scoping application permissions to specific Exchange Online mailboxes.

IDApplication et Certificat

Résumé

Runs: as background service.
Scenario: unattended and unattended with MFA enabled.
Application permissions.

Détails (Details)

When registering your application, you must select an application type. For application ID and certificate authentication type, use a confidential/web application (which uses OAuth 2.0 client credentials flow).

This authentication mtehod is similar to application ID and secret, but it uses a certificate as a secret instead of a client secret string.

Using certificates

To authenticate using a certificate as a secret, take the following steps:

In the the Azure portal:
- Localisez votre application Microsoft 365 enregistrée.
- Sélectionnez Certificats et secrets (Certificates & secrets ) et téléchargez votre fichier de certificat (clé publique). Il peut avoir l'un des types de fichiers suivants : .cer, .pem, .crt.
Convert the raw contents of your .pfx file representing the certificate to a base64 string. You can use a web-based tool like Base64.Guru or assign the Convert.ToBase64String(System.IO.File.ReadAllBytes(pfxFilePath)) value to a String variable.
In the Microsoft 365 Scope activity:

Set Authentication Type to Application ID and Certificate.
Définissez CertificateAsBase64 sur la représentation base64 du certificat.
Si un mot de passe est requis pour utiliser le certificat, définissez également la valeur de la propriété Mot de passe du certificat ( Certificate Password ).

Comment utiliser les activités Microsoft 365 sans connexion Integration Service

À propos

Vous pouvez désormais utiliser les nouvelles activités Microsoft 365 même si vous n'avez pas Integration Service, via les fonctionnalités Microsoft 365.

The Microsoft 365 activities designed specifically for Integration Service feature a Connection field, which enables you to choose a connection created through an Integration Service connector. When used inside Microsoft 365 Scope, the activities simply inherit the connection information from the Scope.

Authentification et matrice des types de projets

Microsoft 365
	Cloud		Version locale
	Étendue de l'application Microsoft Office 365	Integration Service	Étendue de l'application Microsoft Office 365	Integration Service
Multiplateforme
ID d’application et Certificat
ID et clé secrète de l’application
OAuth – BYOA
OAuth – application UiPath
Nom d’utilisateur et mot de passe
IntegratedWindowsAuthentication
Windows
ID d’application et Certificat
ID et clé secrète de l’application
OAuth – BYOA
OAuth – application UiPath
Nom d’utilisateur et mot de passe
IntegratedWindowsAuthentication

Méthodes de connexion

Il existe deux façons de configurer une connexion dans l’activité Étendue Microsoft 365 ( Microsoft 365 Scope ).

Méthode de connexion		Description	Bénéfices	Inconvénients
Ressource Remarque : Recommandé.		Utilise une ressource Orchestrator pour stocker la connexion avec la configuration de l'étendue. La ressource est au format JSON. Chaque fois qu'elle est utilisée, l'activité récupère la configuration de la ressource. En fonction de la configuration des ressources, l'activité Scope se comporte différemment ; il identifie le type d'authentification et masque les champs inutiles. Si la ressource JSON n’est pas correctement définie, une erreur de validation s’affiche.	Les activités bénéficient des recherches au moment de la conception et peuvent découvrir des fichiers, des dossiers, des listes, des plages et d'autres. La connexion est facilement transférable, car les informations d'identification ne sont pas transmises d'un utilisateur à un autre en texte brut. Peut être configuré par un administrateur. C'est plus sécurisé, car les informations d'identification n'atteignent pas le workflow Studio.	Nécessite qu'un utilisateur avancé configure la ressource. Pas facile à mettre en place par un Citizen Developer.
Panneau propriétés		Utiliser le panneau Propriétés (Properties) existant pour configurer les identifiants de connexion. La configuration peut être ajoutée en texte brut ou via des variables.	Plus facile à utiliser. Assure la rétrocompatibilité.
	Configuration en texte brut Remarque : Non recommandé.	Configurez le panneau Propriétés (Properties) avec des valeurs en texte brut.	Les activités bénéficient des recherches au moment de la conception et peuvent découvrir des fichiers, des dossiers, des listes, des plages et d'autres.	Moins sécurisé, car les informations d'identification doivent être transmises entre les utilisateurs en texte brut.
	Configuration via des variables	Configurez le panneau Propriétés avec des variables.	Plus sécurisé, car les informations d'identification n'atteignent pas le workflow Studio.	Les activités ne peuvent découvrir aucune ressource au moment de la conception.

Format de ressource Étendue Microsoft 365

Format de ressource standard

{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default" | "Global" | "China" | "Germany" | "USGovernment" | "USGovernmentDOD",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "",
        "TenantId": ""
    }
}{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default" | "Global" | "China" | "Germany" | "USGovernment" | "USGovernmentDOD",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "",
        "TenantId": ""
    }
}

UiPath application asset configuration

{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "f2f43f65-16a6-4319-91b6-d2a342a88744",
        "TenantId": ""
    }
}{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "f2f43f65-16a6-4319-91b6-d2a342a88744",
        "TenantId": ""
    }
}

Configuration personnalisée des ressources d'application

Remarque : il ne s'agit que d'un exemple. Configurez votre propre application et récupérez les données OAuth2AppData requises.

{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "d47f7253-65ae-58n5-ag04-26109734e6de",
        "TenantId": "3ce4ef03-chb1-871f-94b0-345136965f10"
    }
}{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "d47f7253-65ae-58n5-ag04-26109734e6de",
        "TenantId": "3ce4ef03-chb1-871f-94b0-345136965f10"
    }
}

Limitations

Les fonctionnalités suivantes ne sont pas disponibles lors de l’utilisation d’activités à l’intérieur de Microsoft 365 Scope: déclencheurs, liaisons et expérience de remplacement.

Actualisation du jeton

Aucun service n'est disponible pour actualiser vos jetons de connexion, comme celui disponible dans Integration Service.

If the Authorization Token isn't refreshed for a certain number of days, it expires, and you must re-authenticate. To avoid the expiration of authorization tokens, run a robot with that specific connection. Running an automation with the Scope activity refreshes the authorization token.

Ressources OAuth 2.0 supplémentaires :