The Office365Mon REST APIs Continue to Grow

At Office365Mon we love, love, love developers, so we continue to invest in growing the APIs we provide.  As we noted last month, we added support for webhooks to our notification pipeline.  That allows you to receive a JSON payload in your own web site and kick off your own workflow when outages occur or an Office 365 service changes status.  It’s this second scenario where we’ve done a little more work with our REST API this month.

To briefly recap what we mean by an Office 365 service changing status – at Office365Mon you can choose to monitor for service status changes.  That means a service – like Exchange Online – has several sub-services or features, such as “Sign-in”, “E-mail and calendar access”, “Voice mail”, etc.  Each of those sub-services has a service status.  The status can be one of these values:

  • Investigating
  • RestoringService
  • VerifyingService
  • ServiceRestored
  • PostIncidentReviewPublished
  • ServiceDegradation
  • ServiceInterruption
  • ExtendedRecovery
  • Scheduled
  • InProgress
  • Completed
  • Canceled
  • ServiceOperational

So being able to monitor a change in the service status means that you can get notified when a sub-service enters the “Investigating” state, or “ServiceInterruption” state, etc.  This has in fact been an extremely popular Office365Mon feature for our Enterprise Premium customers.  Until now though, you had to manage the statuses that we monitor in the browser.  What we’ve just released are some additions to our Subscription Management API to allow you to manage this programmatically as well.  Given the popularity of this feature, as well as the desire of most of our Partners to be able to script everything, this was a natural fit to add to our API.

Here’s a brief rundown on the new APIs we’ve added in support of this:

  • Get Service Status Values – Use this method to get a list of all of the possible service statuses that can be monitored.  You can use this to allow your users to select the service statuses they want to monitor, or as values to send to the Subscription Management API to set the statuses that are being monitored for a subscription.
  • Get the Monitored Service Statuses – Use this method to get the service statuses that are being monitored for a subscription.
  • Set the Monitored Service Statuses – Use this method to set the service statuses that are being monitored for a subscription.

All of these new APIs have been fully documented in our SDK, which you can download from here. We’ve also added code samples for each of these new APIs to our Subscription Management API sample code that you can download from here.  We hope you’ll find this APIs a nice addition to your developer tool belt at Office365Mon.

From Sunny Phoenix,


Office 365 Outage Notifications the Way You Want Them – Announcing Webhooks at Office365Mon

From day one Office365Mon has made short work of letting you set up monitoring for your Office 365 tenant in a couple of minutes and notifying you by text and email when an outage occurs. Today we’re happy to announce that we’re taking the next step forward in keeping you in the know by releasing support for webhook notifications. Now you can decide exactly what processes you want to kick off whenever your Office 365 tenant experiences an outage, or even when the status of one of the Office 365 features change.

For those of you who aren’t familiar with what a webhook is, it’s worth a short explanation. A webhook consists of a web site that you host, and that site includes a “place” where another application can send it data. You can then configure another application – in this case Office365Mon – to send data there so that you can process it. With the Office365Mon webhook that’s exactly what we do – when there’s an outage starting for example, we send over a JSON payload that describes what Office365Mon subscription is being impacted, what type of webhook it is, and what resource is being impacted; for example, your SharePoint Online site.

As noted above though, we do this for more than just those times when an outage starts. We send notifications to your webhook under the following conditions:

  • When an outage starts
  • When an outage ends
  • When an Office 365 feature enters one of the following states (NOTE: you control which of these states you want monitored when you configure your Office365Mon subscription):
    • Investigating
    • RestoringService
    • VerifyingService
    • ServiceRestored
    • PostIncidentReviewPublished
    • ServiceDegradation
    • ServiceInterruption
    • ExtendedRecovery
    • Scheduled
    • InProgress
    • Completed
    • Canceled
    • ServiceOperational

If you compare this to how notifications are handled today, you can quickly see the power of the webhook. When an outage starts you get an email and/or a text message; then what do you do? You pull up a laptop or get on your phone and start emailing people, start updating your service status on internal sites, let your help desk know there’s an issue, maybe check in with your Technical Account Manager (TAM) at Microsoft, etc. You probably have a whole checklist of things to do.

Now imagine this same scenario with a webhook. You automate everything. You’re no longer manually working through a checklist of tasks. You can create your own workflows that take different actions depending on the information you get in your webhook. For example, you can have it automatically update an internal Help Desk portal with an alert status that SharePoint Online is currently experiencing an outage. That informs users, reduces Help Desk phone calls, and keeps your team focused on fixing issues. Your workflows can automatically send out an email to your Help Desk organization letting them know an outage is occurring. It can fire off an email to your TAM letting him or her know that you have an outage going on so they should be prepared in case you need to open or escalate a support case. You can kick off a triage process with your engineering teams to start assessing the impact. You get the idea – you can do whatever you want – because now its notifications the way you want them.

To get started creating your webhook you should download our developer documentation for our Subscription Management API from here: It explains the particulars around what data is sent to your webhook, the requirements that your webhook needs to support, how to process the webhook data that is sent to you, etc. We’ve added support for webhooks in both our website and through our Subscription Management API. That means that you can add and remove a webhook, as well as test a webhook entirely using our Subscription Management API. You can also do the same thing when you go to configure your Office365Mon subscription in our site. In the Notification Info section you can add or remove a webhook, as well as send a test webhook right from that page:


As a developer, I love the possibilities that a feature like this opens up. I hope that you’ll find many useful ways to take advantage of this for your own organizations. This is also a good time to point out that this is yet another example of a feature that we added based on suggestions and feedback from you, our customers. Please keep them coming, we love hearing them.

From sunny Phoenix,


New Year-Over-Year Reporting at Office365Mon

We just released a mini-feature that our long and loyal customer base will appreciate.  For those of you not following closely, we opened the doors to our service just about a year ago.  One of the things that means is that for customers who have been with us since the beginning, you will be able to take advantage of new Year-over-Year data in your My Info reporting.

For those of you not familiar with the My Info page at Office365Mon.Com, it’s what we call the 360° view of your tenant.  You get the basic info we know about you, the absolute latest status for your tenant resources that we are monitoring for you, the recent status of all of your features and feature services as reported by Microsoft, the latest messages that Microsoft has sent to your Office 365 Service Health Dashboard, a chart with your availability info for the month, and a Tweet link to share with the world exactly how you’re doing.

What we’ve done is to update the charting feature on the My Info page so that you can compare your up-time data for the current month with what it was one year ago.  It’s always interesting to see how things compare over time, and this is a really nice quick snapshot of what things look like side-by-side.  Here’s an example of how your chart will look once you’ve been a customer for a year:


As you see, if you really only want to see the data for the current month then it’s easy enough to click the box and turn off the data for the prior year.  We thought it was kind of a neat feature though, and a nice little reminder of how far we’ve come.  We hope you’ll enjoy this little feature, but remember – you can always get:

  • LOADS of reports in the Basic Reports and Advanced Reports options
  • Download raw report data as a CSV file so you can open it in Excel and create your own reports like this or anything else you want
  • Programmatically retrieve data with our Report Data REST API endpoints and create your own dashboards or pull the data into your own reporting systems
  • Use Power BI in Office 365 for the ultimate in reporting power and customization

That’s all for now.  We’re busy working on some great new features as we speak, but as always, please send any ideas, suggestions and feedback to  We love to hear from you!

From Sunny Phoenix,



The New Azure Converged Auth Model and Office 365 APIs

Microsoft is currently working on a new authentication and authorization model that is simply referred to as “v2” in the docs that they have available right now (UPDATE:  they prefer the “v2 auth endpoint”). I decided to spend some time taking a look around this model and in the process have been writing up some tips and other useful information and code samples to help you out as you start making your way through it. Just like I did with other reviews of the new Azure B2B and B2C features, I’m not going to try and explain to you exactly what they are because Microsoft already has a team of humans doing that for you. Instead I’ll work on highlighting other things you might want to know when you actually go about implementing this.

One other point worth noting – this stuff is still pre-release and will change, so I’m going to “version” my blog post here and I will update as I can. Here we go.

Version History

1.0 – Feb. 3, 2016

What it Does and Doesn’t Do

One of the things you should know first and foremost before you jump in is exactly what it does today, and more importantly, what it does not. I’ll boil it down for you like this – it does basic Office 365: email, calendar and contacts. That’s pretty much it today; you can’t even query Azure AD as it stands today. So if you’re building an Office app, you’re good to go.

In addition to giving you access to these Microsoft services, you can secure your own site using this new model. One of the other terms you will see used to describe the model (besides “v2”) is the “converged model”. It’s called the converged model really for two reasons:

  • You no longer need to distinguish between “Work and School Accounts” (i.e. and “Microsoft Accounts” (i.e. This is probably the biggest achievement in the new model. Either type of account can authenticate and access your applications.
  • You have a single URL starting point to use for accessing Microsoft cloud services like email, calendar and contacts. That’s nice, but not exactly enough to make you run out and change your code up.

Support for different account types may be enough to get you looking at this. You will find a great article on how to configure your web application using the new model here: There is a corresponding article on securing Web API here:

Once you have that set up, you can see here what it looks like to have both types of accounts available for sign in:


The accounts with the faux blue badges are “Work or School Accounts” and the Microsoft logo account is the “Microsoft Account”. Equally interesting is the fact that you can remain signed in with multiple accounts at the same time. Yes! Bravo, Microsoft – well done.  🙂


Knowing now what it does and doesn’t do, it’s a good time to talk about some tips that will come in handy as you start building applications with it. A lot of what I have below is based on the fact that I found different sites and pages with different information as I was working through building my app. Some pages are in direct contradiction with each other, some are typos, and some are just already out of date. This is why I added the “version” info to my post, so you’ll have an idea about whether / when this post has been obsoleted.


Tip #1 – Use the Correct Permission Scope Prefix

You will see information about using permission scopes, which is something new to the v2 auth endpoint. In short, instead of defining the permissions your application requires in the application definition itself as you do with the current model, you tell Azure what permissions you require when you go through the process of acquiring an access token. A permission scope looks something like this: This is the essence of the first tip – make sure you are using the correct prefix for your permission scope. In this case the permission prefix is “” and is used to connect to the Outlook API resource endpoint.  Alternatively your app can also call the Microsoft Graph endpoint under, in which case you should use the prefix for your permission scope.  The net of this tip is fairly simple – make sure you are using the same host name for your permission scopes as you do for your API endpoints.  So if you want to read email messages using the API endpoint of, make sure you use a permission scope of  If you mix and match – use a permission scope with a prefix of but try to access an API at… – you will get an access token; however when you try and use it you will get a 401 unauthorized response.

Also…I found in one or more places where it used a prefix of “”; note that it is missing the “s” after “http”. This is another example of a typo, so just double check if you are copying and pasting code from somewhere.


Tip #2 – Not All Permission Scopes Require a Prefix

After all the talk in the previous tip about scope prefixes, it’s important to note that not all permission scopes require a prefix. There are a handful that work today without a prefix: “openid”, “email”, “profile”, and “offline_access”. To learn what each of these permission scopes grants you can see this page:  One of the more annoying things in reviewing the documentation is that I didn’t see a simple example that demonstrated exactly what these scopes should look like. So…here’s an example of the scopes and how they’re used to request a code, which you can use to get an access token (and refresh token if you include the “offline_access” permission – see, I snuck that explanation in there). Note that they are “delimited” with a space between each one:

string mailScopePrefix = “”;

string scopes =
“openid email profile offline_access ” +
mailScopePrefix + “Mail.Read ” + mailScopePrefix + “Contacts.Read ” +
mailScopePrefix + “Calendars.Read “;

string authorizationRequest = String.Format(             “{0}&scope={1}&redirect_uri={2}&state={3}&response_mode=form_post&nonce={4}”,
Uri.EscapeDataString(“Index;” + scopes + “;” + redirUri),

//return a redirect response
return new RedirectResult(authorizationRequest);

Also worth noting is that the response_type in the example above is “code+id_token”; if you don’t include the “openid” permission then Azure will return an error when it redirects back to your application after authentication.

When you log in you see the standard sort of Azure consent screen that models the permission scopes you asked for:


Again, worth noting, the consent screen actually will look different based on what kind of account you’ve authenticated with. The image above is from a “Work or School Account”. Here’s what it looks like when you use a “Microsoft Account” (NOTE: it includes a few more permission scopes than the image above):


For completeness, since I’m sure most folks today use ADAL to get an access token from a code, here’s an example of how you can take the code that was returned and do a POST yourself to get back a JWT token that includes the access token:

public ActionResult ProcessCode(string code, string error, string error_description, string resource, string state)

string viewName = “Index”;

if (!string.IsNullOrEmpty(code))

string[] stateVals = state.Split(“;”.ToCharArray(),


viewName = stateVals[0];
string scopes = stateVals[1];
string redirUri = stateVals[2];

//create the collection of values to send to the POST
List<KeyValuePair<string, string>> vals =
new List<KeyValuePair<string, string>>();

vals.Add(new KeyValuePair<string, string>(“grant_type”, “authorization_code”));
vals.Add(new KeyValuePair<string, string>(“code”, code));
vals.Add(new KeyValuePair<string, string>(“client_id”, APP_CLIENT_ID));
vals.Add(new KeyValuePair<string, string>(“client_secret”, APP_CLIENT_SECRET));
vals.Add(new KeyValuePair<string, string>(“scope”, scopes));
vals.Add(new KeyValuePair<string, string>(“redirect_uri”, redirUri));

string loginUrl = “;;

//make the request
HttpClient hc = new HttpClient();

//form encode the data we’re going to POST
HttpContent content = new FormUrlEncodedContent(vals)

//plug in the post body
HttpResponseMessage hrm = hc.PostAsync(loginUrl, content).Result;

if (hrm.IsSuccessStatusCode)
//get the raw token
string rawToken = hrm.Content.ReadAsStringAsync().Result;

//deserialize it into this custom class I created
//for working with the token contents
AzureJsonToken ajt =
//some error handling here
//some error handling here

return View(viewName);


One note – I’ll explain more about the custom AzureJsonToken class below.  To reiterate Tips #1 and 3, since my permission scope is based on the host name, I can only use the access token from this code with the Outlook API endpoint, such as or  Yes, that is not a typo, you should be able to use the access token against either version of the API.


Tip #3 – Use the Correct Service Endpoint

Similar to the first tip, I saw examples of articles that talked about using the v2 auth endpoint but used a Graph API permission scope with a Outlook API endpoint. So again, to be clear, make sure your host names are consistent between the permission scopes and API endpoints, as explained in Tip #1.


Tip #4 – Be Aware that Microsoft Has Pulled Out Basic User Info from Claims

One of the changes that Microsoft made in v2 of the auth endpoint is that they have arbitrarily decided to pull out most meaningful information about the user from the token that is returned to you. They describe this here –

In the original Azure Active Directory service, the most basic OpenID Connect sign-in flow would provide a wealth of information about the user in the resulting id_token. The claims in an id_token can include the user’s name, preferred username, email address, object ID, and more.

We are now restricting the information that the openid scope affords your app access to. The openid scope will only allow your app to sign the user in, and receive an app-specific identifier for the user. If you want to obtain personally identifiable information (PII) about the user in your app, your app will need to request additional permissions from the user.

This is sadly classic Microsoft behavior – we know what’s good for you better then you know what’s good for you – and this horse has already left the barn; you can get this info today using the v1 auth endpoint. Never one to be deterred by logic however, they are pressing forward with this plan. That means more work on you, the developer. What you’ll want to do in order to get basic user info is a couple of things:

  1. Include the “email” and “profile” scopes when you are obtaining your code / token.
  2. Ask for both a code and id_token when you redirect to Azure asking for a code (as shown in the C# example above).
  3. Extract out the id_token results into a useable set of claims after you exchange your code for a token.

On the last point, the Microsoft documents say that they provide a library for doing this, but did not include any further detail about what it is or how you use it, so that was only marginally helpful. But hey, this is a tip, so here’s a little more. Here’s how you can extract out the contents of the id_token:

  1. Add the Security.IdentityModel.Tokens.Jwt NuGet package to your application.
  2. Create a new JwtSecurityToken instance from the id_token. Here’s a sample from my code:

JwtSecurityToken token = new JwtSecurityToken(ajt.IdToken);

  1. Use the Payload property of the token to find the individual user attributes that were included. Here’s a quick look at the most useful ones:

token.Payload[“name”] //display name
token.Payload[“oid”] //object ID
token.Payload[“preferred_username”] //upn usually
token.Payload[“tid”] //tenant ID

As noted above though in my description of the converged model, remember that not every account type will have every value. You need to account for circumstances when the Payload contents are different based on the type of account.


Tip #5 – Feel Free to Use the Classes I Created for Deserialization

I created some classes for deserializing the JSON returned from various service calls into objects that can be used for referring to things like the access token, refresh token, id_token, messages, events, contacts, etc. Feel free to take the examples attached to this posting and use them as needed.

Microsoft is updating its helper libraries to use Office 365 objects with v2 of the app model so you can use them as well; there is also a pre-release version of ADAL that you can use to work with access tokens, etc. For those of you rolling your own however (or who aren’t ready to fully jump onto the pre-release bandwagon) here are some code snippets from how I used them:

//to get the access token, refresh token, and id_token
AzureJsonToken ajt =

This next set is from some REST endpoints I created to test everything out:

//to get emails
Emails theMail = JsonConvert.DeserializeObject<Emails>(data);

//to get events
Events theEvent = JsonConvert.DeserializeObject<Events>(data);

//to get contacts
Contacts theContact = JsonConvert.DeserializeObject<Contacts>(data);

You end up with a nice little dataset on the client this way. Here’s an example of the basic email details that comes down to my client side script:


Finally, here’s it all pulled together, in a UI that only a Steve could love – using the v2 app model, some custom REST endpoints and a combination of jQuery and Angular to show the results (yes, I really did combine jQuery and Angular, which I know Angular people hate):








The new auth endpoint is out and available for testing now, but it’s not production ready. There’s actually a good amount of documentation out there – hats off to dstrockis at Microsoft, the writer who’s been pushing all the very good content out. There’s also a lot of mixed and conflicting documents though so try and follow some of the tips included here. The attachment to this posting includes sample classes and code so you can give it a spin yourself, but make sure you start out by at least reading about how to set up your new v2 applications here: You can also see all the Getting Started tutorials here: Finally, one last article that I recommend reading (short but useful):
You can download the attachment here:

Know When Your Azure Identity Won’t Work with Office 365 APIs

As those of you who are familiar with Office365Mon know, we heavily leverage the Office 365 APIs in our solution.  It’s been a key player in being able to issue now over 100 million health probes against Office 365.  I know and have talked to lots of you as well that are starting to build apps that leverage this same infrastructure for your own solutions.  As you develop these solutions based on the Office 365 APIs, it’s pretty important that you understand the scenarios where the Azure access token you get will and will not work to access Office 365 resources.

First, a couple of basics.  When you get an access token, for purposes of our conversation here today, the token represents your identity that is going to be used to access a resource in some way.  There are exceptions to this, i.e. app only tokens, but this post is about user identities and Office 365.  When you try and access a resource, you say here is my access token, I want do this with the content – for example, I am Steve, I want to read the email in my inbox.

The problem is this – what I just described is a common scenario, and it works well today with the Office 365 APIs.  But there are actually at least four scenarios, and you may be surprised to learn that the Office 365 APIs only work with one of them.  Part of the reason in writing this blog post is to make sure you all are aware of that, but also to hopefully drive a discussion with the folks that own the service so that they can give some consideration to expanding their support of these other scenarios in the future.  Here’s a quick run down on the scenarios that I’ve looked at so far; there may be others.

  1. I own or otherwise have direct rights to a resource – WORKS!  This is the first scenario I described above – for example, when I want to access the email in my inbox, or if I’m part of a SharePoint group in my Office 365 tenant and I want to access content in that site.
  2. I have been granted delegate rights to a mailbox – DOESN’T WORK!  In this scenario, I’ve been granted rights to another mailbox.  Now if open up Outlook for example I can read the mail in that mailbox no problem.  If I’m using the Exchange Web Services (EWS), I can access the mail in that mailbox.  But if I’m using the Office 365 APIs, it doesn’t work.
  3. I have been invited to a SharePoint Online site – DOESN’T WORK!  In this scenario I’ve been invited as an external user to a SharePoint Online site.  I use my Azure AD credentials to accept the invitation and I can connect to the site in the browser.  However if I try and use an Azure access token against that resource it fails with an access denied error.
  4. I have been added to an Azure tenant using the Azure B2B feature – DOESN’T WORK!  This is similar to #3 – after being added to the Azure tenant with the B2B feature I can be added to a SharePoint Online site and access it just fine in the browser.  However my Azure access token will only get me an access denied error if I try and use it on that site with the Office 365 APIs.

The key and common thread in all of these scenarios is that I am using my Azure AD identity.  It is a durable, immutable identity containing an immutable identifier known to Azure AD.  Even though I’m using that immutable identity, there is still a disconnect between it and all of the ways in which it has been granted access to resources in Office 365.  That is to say, there is a disconnect in the Office 365 APIs; in the browser applications they have this figured out.  Make sure you know these limitations, and let your favorite Microsoft human if you would like to these disconnects eliminated for a comprehensive and integrated identity and resource solution.


Thanks All for the Awesome 2015 Blog Stats

The stats helper monkeys prepared a 2015 annual report for this blog.  It was a GREAT year for the blog, with 440,000 views from people in 193 countries.  Glad you folks are using it!

Here’s an excerpt:

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 440,000 times in 2015. If it were an exhibit at the Louvre Museum, it would take about 19 days for that many people to see it.

Click here to see the complete report.

Invalid Client Secret when Publishing Azure AD Secured Apps

Back to my old nemesis…the long very long blog post title.  🙂   I ran across this problem myself recently, and had seen someone else experience but not had the time to dig into it.  In short the problem goes something like this – you create a new ASP.NET web application in Visual Studio 2015.  You configure it to be secured with Azure AD (i.e. Work and School accounts).  You do your thing, you build your web site, you test it locally, you can authenticate and everything works fine – great!

Now you want to deploy the app to your Azure web site.  You go through the publishing wizard, which pushes the content up to your web site.  It launches the browser for you to log in and check out your site but – boom – your app blows up.  After you authenticate it redirects you back to your site and you get the dreaded yellow page of death (i.e. an unhandled exception).  When you turn customErrors to Off in web.config you can see the error is “invalid client secret”.  You know it works fine when you run it on your local machine, so how can it be invalid?

This is the question that plagued me for a couple of days before I finally had the time to completely unwind it.  This post is partially “here’s how you fix it” and partially “this is why I think it happens”.  In the two cases where I’ve seen this happen so far, the project started out targeting .NET 4.52, then was subsequently changed to 4.61.  I noticed that the publishing wizard changes the UI slightly when you do that.

When targeting 4.52 the wizard includes a checkbox that says “Enable Organizational Accounts”.  The default behavior is to have that box checked.  I always uncheck it because my “organizational account” configuration is completed when I’m building and testing the application.  When targeting 4.61 I no longer see this option in the UI.

So here’s the fix and here’s the guess at what’s wrong.  If you look in the Properties folder in your project you will find one or more .pubxml files, which represent your publishing profiles.  In this case, the .pubxml file contained a completely different ClientId and ClientSecret value than my web.config did.  It was that client ID and secret that was getting pushed up to the Azure web site, and that’s why my application blew up once it was published to Azure.  To fix it, I just manually copied the ID and secret from my web.config into my .pubxml file.

Now…my guess as to why I think it happens (I deleted some stuff before I could actually verify this), I think when you have that box checked in the wizard when targeting 4.5.2, Visual Studio creates a new application definition in Azure AD, and then pulls in the client ID and secret from it into the publishing wizard.  That would explain how the wrong client ID and secret gets published and “stuff breaks”.

Anyways, if you run across this problem hopefully you’ll find this post.  Good luck!