The Nimbus Public REST API allows to manage Nimbus Users and License contingencies. This page describes the setup and usage procedures.
PRECONDITIONS
š”If you have already set up Azure and Nimbus for using the API, you can directly go to ā āAvailable Methods" chapter.Ā
On this page the following topics are covered:Ā
- Check if the API was enabled on your Provisioning Tenant Settings. This feature is enabled by a Luware System Administrator.Ā
-
Set up the Nimbus App Registration and necessary API Permissions in Azure.Ā
As a Tenant Administrator you can perform these steps below in parallel.
Step 1 - Azure Setup
ā Tenant Administrator: The following steps need to be done with Tenant Administrator privileges. You will grant some of the Nimbus App Permissions to be used later via the API.
Create App registration
š Also see: Quickstart: Register an application with the Microsoft identity platform | Microsoft Learn
- Go to Portal.Azure.com
- In your Tenant, Create an App registration, e.g. āMy Nimbus AppāĀ
- Leave the other options as they are.
Grant API Web Access Permissions
š Also see: Configure an app to access a web API - Microsoft identity platform | Microsoft Learn
ā Tenant Administrator:Ā Note that a Nimbus App must be registered at this point.
- Go to "API Permissions"
- Request new API permission by clicking āAdd a permissionā.Ā
- Search for "Luware"
- Select the entry āLuware Nimbus Loginā from your Nimbus App
- Select Application PermissionsĀ
- Select the following role permissions:Ā
- ā
Provisioning.User.Createā - ā
Provisioning.User.Deleteā - "
Provisioning.Tenant.Read"Ā - ā
Provisioning.User.Readā
- ā
- Back In API Permissions, click Ā āGrant Admin Consent for Luware AGā ā Green Checkboxes signal the successful permission grant.
AuthenticationĀ
There are multiple ways to authenticate with your newly created Azure Application. The method of authentication doesn't really matter for Nimbus and depends on your Use Case and external system. We therefore only add some general recommendations and point to the Microsoft Documentation.
Public Client Application
š From: Public client and confidential client applications | Microsoft LearnĀ
Public client applications run on devices, such as desktop, browserless APIs, mobile or client-side browser apps. They can't be trusted to safely keep application secrets, so they can only access web APIs on behalf of the user. Anytime the source or compiled bytecode of a given app is transmitted anywhere it can be read, disassembled, or otherwise inspected by untrusted parties, it's a public client. As they also only support public client flows and can't hold configuration-time secrets, they can't have client secrets.
š From: Public client and confidential client applications | Microsoft LearnĀ
After determining the type of client application you're building, you can decide whether to enable the public client flow in your app registration. By default, allow public client flow in your app registration should be disabled unless you or your developer are building a public client application and using the following OAuth authorization protocol or features:
OAuth Authorization protocol/Feature Type of public client application Examples/notes Native Authentication Microsoft Entra External ID application that requires full customization of the user interface, including design elements, logo placement, and layout, ensuring a consistent and branded look. Note: Native Authentication is only available for app registrations in Microsoft Entra External ID tenants. Learn more here Device code flow Applications that run on input-constrained devices such as a smart TV, IoT device, or a printer Ā Resource owner password credential flow Applications that handles passwords users enter directly, instead of redirecting users to Entra hosted login website and letting Entra handle user password in a secure manner. Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives, such as the Authorization code flow, are available and recommended. Windows Integrated Auth Flow Desktop or mobile applications running on Windows or on a machine connected to a Windows domain (Microsoft Entra ID or Microsoft Entra joined) using Windows Integrated Auth Flow instead of Web account manager A desktop or mobile application that should be automatically signed in after the user has signed into the windows PC system with a Microsoft Entra credential
Confidential Client Application / Client Secret
š From: Quickstart: Register an application with the Microsoft identity platform | Microsoft Learn
Sometimes called an application password, a client secret is a string value your app can use in place of a certificate to identify itself.
Client secrets are considered less secure than certificate credentials. Application developers sometimes use client secrets during local app development because of their ease of use. However, you should use certificate credentials for any of your applications that are running in production.
- Select your previously registered Nimbus App.
- Go to Certificates & secrets > Client secrets > New client secret.
- Add a description for your client secret.
- Select an expiration for the secret or specify a custom lifetime.Ā
- Click Add.
-
š§ Record the Secret's value for later use within the Nimbus API.
āThis secret value is never displayed again after you leave this page.
Ā From: Public client and confidential client applications | Microsoft LearnĀ
Confidential client applications run on servers, such as web apps, web API apps, or service/daemon apps. They're considered difficult to access by users or attackers, and therefore can adequately hold configuration-time secrets to assert proof of its identity. The client ID is exposed through the web browser, but the secret is passed only in the back channel and never directly exposed.
Step 2 - Configure Nimbus
ā Checklist:
š§ Ā For the next steps in Nimbus you will need the Application ID of your previously registered Nimbus Application.
- Log into Nimbus Admin Portal.
- Go to Tenant Administration Ā > Provisioning Tenant Settings > āApplication Permissionsā.
- Click on āAddā.Ā
-
Fill in the š§ Ā Azure Application ID from ā Chapter: Step 1 above.
- Define the Organization Units scope under which the Nimbus API will have access.Ā
- Save and Close.Ā
- Still within Admin Portal, Go to the Configuration (Admin) > Organization Units
- Open your Organization Unit Entry and note the GUID in the browser address bar as follows.Ā
š§ Ā Repeat this step and note down any OU ID you wanna create users in later using the API.
Step 3 - API Authentication and Usage
Now your API should be ready to use.Ā
š”In this example we authenticate using a Confidential Client Application using Client Credentials. Of course you can use any other means of authentication as described in ā Chapter: Step 1 > Authentication above.
ā Checklist:
- š§ You will need the Nimbus Application ID and the Secret of your App
- š§ You also need the Organization Units ID to make API calls
- ā Additionally, you need the O365 IDs of the (future) users you want to provision.
- Create token using OAuth 2.0. For example, to get a token using Client Credentials, choose the following:
- Grant type: Client Credentials
-
Access token URL:
https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token1 - Client ID: š§ Application ID of your app
- Client Secret: š§ As created in your app
-
Scope:
https://admin.{geography}-{number}.luware.cloud/.default2 - Client Authentication: Send as Basic Auth header
šFootnotes
Ā 1 Head to your Tenant Administration and check the URL in the browser address bar. Look for the part starting with ātenantId=ā Ā tenantId=9fce70af-a632-49ca-bc0d-53db5a21c5b3
2 The endpoont URL depends on the geographical location of your Nimbus Cluster. When you log into Nimbus Admin Portal you will be redirected to the right cluster. Check the Access URL list below as a reference.
INC Nimbus Admin URLs
| Switzerland 01 | https://admin.ch-01.luware.cloud/ |
|---|---|
| Switzerland 02 | https://admin.ch-02.luware.cloud/ |
| Germany 01 | https://admin.dewe-01.luware.cloud/ |
| Germany 02 | https://admin.dewe-02.luware.cloud/ |
| United Kingdom 01 | https://admin.ukso-01.luware.cloud/ |
| Australia 01 | https://admin.aue-01.luware.cloud/ |
| West Europe 01 | https://admin.euwe-01.luware.cloud/ |
| East United States 01 | https://admin.use-01.luware.cloud/ |
ā
Make sure to configure your web proxies to allow access to these domains or whitelist the complete *.luware.cloud domain.
Available Methods / Commands
ā Before you start: API calls use the Nimbus Admin URL as endpoint. This URL depends on the geographical location of your personal Nimbus Cluster. When you log into your Nimbus Admin Portal you will be redirected to the right cluster. ā See šFootnotes above.
CREATE a new User
| POST Create User | https://admin.{geography}-{number}/api/public-api-next/user |
| Description |
Creates a new empty (unconfigured) Nimbus user, based on the Organization Unit and O365 ID provided from existing users on your tenant. āNote: Only one user can be added per transaction. |
| Notes | ā Precondition: You require the O365 ID of an existing User on your Tenant and the š§ OrganizationUnit ID from the (permitted) OU (ā Chapter: Step 2 above) |
| Body | |
| Error Codes |
|
GET Details of Existing User
| GET User Details | https://admin.{geography}-{number}/api/public-api-next/user/{userO365Id} |
||||||||||||||||
| Description |
Requests the current configuration of an existing/template user.Ā āNote: Only one user can be requested per transaction. What is being returned?The following user detailsĀ
Ā
Ā
|
||||||||||||||||
| Notes | ā Preconditions: You need to provide the O365 ID of EXISTING (Template User) in the request body. | ||||||||||||||||
| Body | |
||||||||||||||||
| Error Codes |
|
GET License Usage
| GET Get License | https://admin.{geography}-{number}/api/public-api-next/user/license-usage |
| Description |
Performs a check in available Nimbus licenses, as also reflected in the Admin UI: License Management. Returns details for all licenses:
|
| Notes | ā Preconditions: API Request should be based on the Tenant ID. |
| Body | |
| Error Codes |
|
COPY an existing User
| POST Copy User | https://admin.{geography}-{number}/api/public-api-next/user/copy |
||||||||||||||||
| Description |
Creates a copy of an existing user, using their Nimbus User settings as template. āNote: Only one user can be copied per transaction. What is being copied over?Copied over are the following tabs and their settings:Ā
Ā
Ā
|
||||||||||||||||
| Notes |
Ā ā Preconditions: You require both the O365 ID of EXISTING (Template User) the NEW (copy target) user for the request body.
|
||||||||||||||||
| Body | |
||||||||||||||||
| Error Codes |
|
āAttention: Copied Users are immediately available to Nimbus
Keep in mind that ā once Nimbus ālearnsā about a newly added user āĀ User StateĀ checks will be immediately performed to potentially distribute newly incoming Service tasks. Depending if your source user was a productive one, the new user ā Ā while Online in MS Teams ā may immediately be considered as āselectableā by Nimbus and receive calls and tasks via MS Teams, even without Nimbus being in focus for them.
š The requirements for a āselectableā Nimbus User StateĀ are:Ā
- The (copied) new User is known to Nimbus (O365 ID), ā This happens after successful API command execution.
- The New user is āOnlineā in MS Teams. ā Note that source Distribution Service Settings apply to verify their MS Teams status.
- In Nimbus: User has a āOn Dutyā Responsibility Profiles set as their default. ā Depending on the source user this may already be the case.
Recommended Actions:
ā After Copying / Creating the User: Note that Nimbus will check for Nimbus User Permissions and request permissions from the User after their first Portal Login. You may need to inform the User about this step or check if the permissions have already granted āon behalf ofā another Tenant Admin.
ā UI Refresh: To see the user in Nimbus listings, a refresh of the Nimbus UI is necessary.
DELETE an existing User
| DELETE User | https://admin.{geography}-{number}/api/public-api-next/user/{userO365Id} |
| Description |
Removes a User profile from the Nimbus Admin Portal. The User is also removed as Service Agent/Service Owner from the services where applicable. āNotes:Ā
Ā
|
| Notes |
ā Preconditions:Ā
Results:Ā
1š”Good to know: If the user is re-added (using the exact same O365 ID) it will get all the same reporting data from before. However, any configuration data is lost and needs to be restored manually or via ā COPY Existing user command. |
| Body | |
| Error Codes |
|
General API Notes & Error Handling
Notes
Rate Limit: There is a limit of 60 API operations/minute. The API will delay processing if this threshold is exceeded.
General Error Codes
If not specificed in the Command, the error codes are as follows:
- 401 - Required role missing
- 401 - No tenant id
- 401 - Invalid tenant id
- 401 - No app id
- 401 - Invalid app id
- 401 - Provisioning Api disabled by admin
- 401 - No app permission found for app id ({appid})
- 403 - No authenticated user
- 500 - Unable to check configuration
Standard Response Codes also apply. See: https://restfulapi.net/http-status-codes/