Important: Note that this content has been partially localized using machine translation.
Productivity Activities
Last updated September 13, 2024

How to connect to Microsoft 365 activities

Overview

Microsoft 365 activities have different authentication flows that you can choose from. Your choice is dependent on: the type of automation mode you plan to run (attended or unattended), the type of projects you want to build (cross-platform or Windows), the type of permissions you want to grant (delegated or app-only), and your application authentication requirements (consult with your administrator if you're unsure which authentication requirements apply to your application).

Use the table below to understand the basic differences between each authentication type (the flow in the first column is listed once for the rows it covers):

Microsoft authentication flow | Microsoft 365 Scope - Authentication type | Integration Service connection | Robot type - Attended | Robot type - Unattended | API permission type
OAuth 2.0 authorization code flow | Interactive Token - public app | OAuth 2.0 authorization code | Yes | | Delegated permissions
 | Interactive Token - BYOA | Bring your own OAuth 2.0 application | Yes | | Delegated permissions
 | Integrated Windows authentication (IWA) | N/A | | Yes | Delegated permissions
 | Username and Password | N/A | | Yes | Delegated permissions
OAuth 2.0 client credentials flow | Application ID and secret | N/A | | Yes | Application permissions
 | Application ID and certificate | N/A | | Yes | Application permissions

Delegated permissions versus application permissions

To understand the differences between delegated and application permissions, see the Microsoft official documentation: Comparison of delegated and application permissions.

Briefly, the differences are as follows:

  • With delegated permissions, the application impersonates a user and acts on the user's behalf. The application can access only what the signed-in user can access.
  • With application permissions, the application acts on its own, without a signed-in user. The application can access any data that its permissions are associated with.

For both delegated and application permissions, you can restrict what the application can and can't access using the scopes defined when you create the app. Refer to Scopes and permissions in the Microsoft documentation.

Multitenant versus single-tenant applications

Both Microsoft 365 Scope and Integration Service connections support single-tenant applications and multitenant applications. To learn the difference between the two, refer to Who can sign in to your app? in the Microsoft official documentation.

Azure environments

Both Microsoft 365 Scope and Integration Service connections support multiple Azure environments:

  • Connections through the Scope activity support: Azure, Azure Global, China, Germany or US Government. The default value is Global.
  • Connections through Integration Service support: Default, US Government L4, US Government L5, and China.

Integration Service connections

Integration Service connectors use OAuth 2.0 authorization code flow with delegated permissions.

The Microsoft 365 modern activities and triggers establish an authenticated connection to the Integration Service Microsoft OneDrive & SharePoint and the Microsoft Outlook 365 connectors. To learn more about Integration Service connections, refer to Set up Integration Service connectors.

When you connect to the Microsoft connectors in Integration Service, you have the option to use the standard UiPath public application (with a set of default, non-configurable scopes) or create your own application with Microsoft and customize the scopes you need.

Microsoft 365 Scope connections

The Microsoft 365 Classic activities establish an authenticated connection to your Microsoft 365 applications via the Microsoft 365 Scope activity.

The activities need authorization from the Microsoft identity platform. To enable authorization, you first register your Microsoft 365 application in your Azure Active Directory. When registering your application, you assign Microsoft Graph API permissions to specify the resources your Robot can access on your behalf.

After registering your Microsoft 365 application, Azure Active Directory assigns a unique application (client) ID that you enter in the Microsoft 365 Scope activity. The Application ID is used to collect the necessary information about your registered app to initiate authentication and get the access token to establish the connection.

When you add an activity to Microsoft 365 Scope, its required scopes are automatically detected. You can also choose to allow additional scopes.


Interactive Token

Overview

  • Runs: as a user.
  • Scenario: attended automation.
  • Delegated permissions.
Note: This is the same authentication method supported in Integration Service, i.e., authentication through the public UiPath application or through a private custom application (the bring-your-own-application approach).

Details

  • When registering your application, you must select an application type. For interactive token authentication, use a mobile/desktop application (which uses OAuth 2.0 authorization code flow).
  • You have the option to register and use your own Azure app (i.e., OAuthApplication = Custom) or the one provided by UiPath (OAuthApplication = UiPath).
  • When you run the Microsoft 365 activity for the first time using this authentication type, you are prompted to authorize access to the resources (you granted permissions to when registering your app) via a consent dialogue box. See Get access on behalf of a user.
  • If you select this authentication type in Microsoft 365 Scope, leave the Username, Password, and Tenant fields empty.

Integrated Windows Authentication (IWA)

Overview

  • Runs: as a user.
  • Scenario: unattended automation.
  • Delegated permissions.
Note: This authentication type does not work when multi-factor authentication (MFA) is enabled. If your application requires MFA, you can run attended automation using the Interactive Token authentication type or unattended automation using Application ID and Secret and Application ID and Certificate. Application ID and Secret and Application ID and Certificate authentication types are appropriate for unattended automation and work regardless of whether the MFA is enabled or disabled.

Details

  • The Integrated Windows Authentication authentication type can be used for unattended automation. This option applies to Windows-hosted applications running on computers joined to a Windows domain or to Azure Active Directory.
  • When registering your application, you must select an application type. For IWA authentication type, you must use a mobile/desktop application (which uses OAuth 2.0 authorization code flow).
  • Works only for federated users and if your registered Azure application is configured to support IWA. Doesn't work for multi-factor authentication (MFA). See details here: IWA on GitHub.
  • You should only select this option if your registered application is configured to support Integrated Windows Authentication.
  • If you select this authentication type in Microsoft 365 Scope, leave the Username and Password fields empty. The Tenant field is optional.

Username and Password

Summary

  • Runs: as a user.
  • Scenario: unattended automation.
  • Delegated permissions.
Note: This authentication type does not work when multi-factor authentication (MFA) is enabled. If your application requires MFA, you can run attended automation using the Interactive Token authentication type or unattended automation using Application ID and Secret and Application ID and Certificate. Application ID and Secret and Application ID and Certificate authentication types are appropriate for unattended automation and work regardless of whether the MFA is enabled or disabled.

Details

  • This authentication type is provided only for legacy reasons. We do not recommend using this option, as it goes against the principles of modern authentication. It doesn't work for multi-factor authentication (MFA). See details here: User & Password on GitHub.
  • Although Microsoft does not recommend it, you can use this authentication type in public client applications. Using this authentication type imposes restrictions on your application. For example, applications that use this flow cannot sign in users who are required to perform multi-factor authentication (conditional access). It also prevents your application from benefiting from single sign-on.
  • The ApplicationID property is required when selecting the Username and Password authentication type. You can register your Microsoft 365 Application using your personal, work, and/or school account.

Application ID and Secret

Summary

  • Runs: as background service.
  • Scenario: unattended and unattended with MFA enabled.
  • Application permissions.
  • Recommended for unattended executions or when you want to access the Microsoft Graph API as an application (a background service / daemon) without a signed-in user.

Details

  • When registering your application, you must select an application type. For application ID and secret authentication type, use a confidential/web application (which uses OAuth 2.0 client credentials flow).

  • The Azure application must be configured with the appropriate API permissions for the Microsoft 365 activities to work (for example, when using the Groups activities, the application permissions Group.Create, Group.Read.All, and Group.ReadWrite.All should be configured for Microsoft Graph).
  • A single organization can have multiple application (client) IDs for their Microsoft 365 account. Each application (client) ID contains its own permissions and authentication requirements. For example, you and your colleague can both register a Microsoft 365 application in your company's Azure Active Directory with different permissions. Your app can be configured to authorize permissions to interact with files only, while your colleague's app is configured to authorize permissions to interact with files, mail, and calendar. If you enter your application (client) ID into this property and run attended automation, the consent dialogue box would be limited to file permissions (and subsequently, only the Files activities can be used).

  • Some activities can't be used with this type of authentication because the corresponding Microsoft Graph API does not support application permissions (e.g. Find Meeting Times).
  • For the email activities, a value must be specified for the Account parameter (i.e., which mailbox, out of all the mailboxes in the tenant, to use).

  • Use Sites.Selected application permission to allow the application to access just the specific SharePoint site collections rather than all.
  • When using this authentication type, the application has access to all mailboxes from your tenant, the reason being that application API permission Mail.Read means Read mail in all mailboxes and Mail.ReadWrite means Read and write mail in all mailboxes. One solution is to restrict Application permissions to specific mailboxes, so the application has access only to the specified mailboxes. For more information, see Scoping application permissions to specific Exchange Online mailboxes.

Application ID and Certificate

Summary

  • Runs: as background service.
  • Scenario: unattended and unattended with MFA enabled.
  • Application permissions.

Details

  • When registering your application, you must select an application type. For application ID and certificate authentication type, use a confidential/web application (which uses OAuth 2.0 client credentials flow).
  • This authentication method is similar to application ID and secret, but it uses a certificate as a secret instead of a client secret string.

Using certificates

To authenticate using a certificate as a secret, take the following steps:

  1. In the Azure portal:

    • Locate the registered Microsoft 365 application.
    • Select Certificates & secrets, then upload your certificate (public key) file. It can have one of the following file types: .cer, .pem, .crt.

  2. Convert the raw contents of your .pfx file representing the certificate to a base64 string. You can use a web-based tool like Base64.Guru or assign the Convert.ToBase64String(System.IO.File.ReadAllBytes(pfxFilePath)) value to a String variable.
  3. In the Microsoft 365 Scope activity:
  • Set Authentication Type to Application ID and Certificate.
  • Set CertificateAsBase64 to the base64 representation of the certificate.
  • If a password is required to use the certificate, also set the value of the Certificate Password property.

How to use Microsoft 365 activities without an Integration Service connection

About

You can now use the newer Microsoft 365 activities through Microsoft 365 Scope even if you do not have Integration Service.

The Microsoft 365 activities designed specifically for Integration Service feature a Connection field, which enables you to choose a connection created through an Integration Service connector. When used inside Microsoft 365 Scope, the activities simply inherit the connection information from the Scope.

Authentication and project type matrix

Microsoft 365 | Cloud: Microsoft Office 365 Application Scope | Cloud: Integration Service | On Prem: Microsoft Office 365 Application Scope | On Prem: Integration Service
Cross-platform | | | |
Application ID and Certificate | Not available | Not available | Not available | Not available
Application ID and Secret | Not available | Not available | Not available | Not available
OAuth - BYOA | Not available | Available | Not available | Not available
OAuth - UiPath App | Not available | Available | Not available | Not available
Username and Password | Not available | Not available | Not available | Not available
Windows Integrated Authentication | Not available | Not available | Not available | Not available
Windows | | | |
Application ID and Certificate | Available | Not available | Available | Not available
Application ID and Secret | Available | Available | Available | Not available
OAuth - BYOA | Available | Available | Available | Not available
OAuth - UiPath App | Available | Available | Available | Not available
Username and Password | Available | Not available | Available | Not available
Windows Integrated Authentication | Available | Not available | Available | Not available

Connection methods

There are two ways to set up a connection in the Microsoft 365 Scope activity.

Asset (Note: recommended.)

  • Description: Use an Orchestrator Asset to store the connection together with the Scope configuration. The asset is in JSON format. Each time it is used, the activity retrieves the configuration from the asset. The Scope behaves differently depending on the asset configuration: it identifies the authentication type and hides unnecessary fields. If the asset JSON is not set up correctly, a validation error is displayed.
  • Benefits: The activities benefit from design-time lookup and can discover files, folders, lists, ranges, and so on. The connection is easily transferable, because credentials are not passed in plain text from one user to another. It can be configured by an administrator. It is more secure, because credentials never reach the Studio workflow.
  • Drawbacks: Requires an advanced user to configure the asset. Not easy for a Citizen Developer to set up.

Properties panel

  • Description: Use the existing Properties panel to configure the connection credentials. The configuration can be added as plain text or as variables.
  • Benefits: Easier to use. Maintains backward compatibility.

  Configuration through plain text (Note: not recommended.)
  • Description: Configure the Properties panel with plain-text values.
  • Benefits: The activities benefit from design-time lookup and can discover files, folders, lists, ranges, and so on.
  • Drawbacks: Less secure, because credentials need to be passed between users in plain text.

  Configuration through variables
  • Description: Configure the Properties panel with variables.
  • Benefits: More secure, because credentials never reach the Studio workflow.
  • Drawbacks: The activities cannot discover any resources at design time.

Microsoft 365 Scope asset format

Standard asset format
{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default" | "Global" | "China" | "Germany" | "USGovernment" | "USGovernmentDOD",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "",
        "TenantId": ""
    }
}
UiPath application asset configuration
{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "f2f43f65-16a6-4319-91b6-d2a342a88744",
        "TenantId": ""
    }
}
Custom application asset configuration
Note: This is only an example. Configure your own application and retrieve the required OAuth2 application data.
{
    "CertificateAsBase64": "",
    "CertificatePassword": "",
    "ClientSecret": "",
    "Environment": "Default",
    "Mode": "interactive" | "integrated" | "uap" | "appidsecret" | "appidcertificate",
    "OAuth2AppData": {
        "ApplicationId": "d47f7253-65ae-58n5-ag04-26109734e6de",
        "TenantId": "3ce4ef03-chb1-871f-94b0-345136965f10"
    }
}
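As an added worked example (not UiPath's own code), the following Python script performs step 2 of the certificate procedure above (pfx bytes to base64, the equivalent of the Convert.ToBase64String expression) and then checks a Scope asset against the documented asset format before it is stored in Orchestrator. The per-mode required fields are generalized from the Details sections of this page; the function names, and the placeholder IDs and fake pfx bytes used when testing it, are assumptions for this example.

```python
import base64
import binascii

# Allowed values, taken from the standard asset format documented above.
MODES = {"interactive", "integrated", "uap", "appidsecret", "appidcertificate"}
ENVIRONMENTS = {"Default", "Global", "China", "Germany", "USGovernment", "USGovernmentDOD"}
ASSET_KEYS = ("CertificateAsBase64", "CertificatePassword", "ClientSecret", "Environment", "Mode", "OAuth2AppData")


def pfx_to_base64(pfx_bytes: bytes) -> str:
    """Python equivalent of Convert.ToBase64String(File.ReadAllBytes(pfxFilePath)) from step 2."""
    return base64.b64encode(pfx_bytes).decode("ascii")


def build_certificate_asset(app_id: str, tenant_id: str, pfx_bytes: bytes,
                            cert_password: str = "", environment: str = "Default") -> dict:
    """Assemble an Application ID and Certificate asset in the documented JSON layout."""
    return {
        "CertificateAsBase64": pfx_to_base64(pfx_bytes),
        "CertificatePassword": cert_password,  # only needed if the pfx is password-protected
        "ClientSecret": "",  # unused in certificate mode; keep it empty rather than duplicating secrets
        "Environment": environment,
        "Mode": "appidcertificate",
        "OAuth2AppData": {"ApplicationId": app_id, "TenantId": tenant_id},
    }


def validate_scope_asset(asset: dict) -> list:
    """Return the problems found (empty list means the asset is usable); secret
    values are never echoed in the messages, so the result is safe to log."""
    problems = [f"missing key {k}" for k in ASSET_KEYS if k not in asset]
    if problems:
        return problems
    if asset["Mode"] not in MODES:
        problems.append(f"unknown Mode {asset['Mode']!r}")
    if asset["Environment"] not in ENVIRONMENTS:
        problems.append(f"unknown Environment {asset['Environment']!r}")
    if not asset["OAuth2AppData"].get("ApplicationId"):
        problems.append("OAuth2AppData.ApplicationId is required")
    if asset["Mode"] == "appidsecret" and not asset["ClientSecret"]:
        problems.append("appidsecret requires ClientSecret")
    if asset["Mode"] == "appidcertificate":
        try:
            if not base64.b64decode(asset["CertificateAsBase64"], validate=True):
                problems.append("appidcertificate requires CertificateAsBase64")
        except binascii.Error:
            problems.append("CertificateAsBase64 is not valid base64")
    return problems
```

Run validate_scope_asset on the JSON you intend to store as the Orchestrator asset; an empty list means the Scope will not raise the validation error described above.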

Limitations

When activities are used inside Microsoft 365 Scope, the following features are not available: triggers, binding, and the overlay experience.

Token refresh

There is no service available to refresh the connection token, such as the one provided in Integration Service.

If the Authorization Token isn't refreshed for a certain number of days, it expires, and you must re-authenticate. To avoid the expiration of authorization tokens, run a robot with that specific connection. Running an automation with the Scope activity refreshes the authorization token.

Additional OAuth 2.0 resources:
