I have a .NET Azure App Service with Web API endpoints protected by [Authorize], and a corresponding App Registration. This works fine and allows Azure AD user accounts to access the API.
Now I want to build a Logic App that accesses the Web API under its system-assigned Managed Identity, but this results in a 403 (Forbidden).
I have enabled the system-assigned Managed Identity for the Logic App, and in the authentication parameters of the HTTP connector, I entered the App Registration's resource ID (api://<guid>) in the "Audience" field.
What is missing?
I found out what was missing.
I had to add an App Role to the app registration with "allowed member types" set to "Applications".
Then I added a service app role assignment with Azure Powershell:
Connect-AzureAD
New-AzureADServiceAppRoleAssignment -objectid {managed-identity-object-id} -principalid {managed-identity-object-id} -id {app-role-id} -resourceid {enterprise-application-object-id-of-app-service}
Related
The azure app service provided an URL in such format https://your-app-name.azurewebsites.net
When Expose an API in azure app registration the Application ID URI is needed. But when I use the url provided by the azure app service I got the following error:
Values of identifierUris property must use a verified domain of
the organisation or its subdomain: https://your-app-name.azurewebsites.net
the URL provided by the app service is not a verified domain? and how can I make it verified?
Application ID URI is an identifier that can be used instead of the client ID when specifying a scope defined in that app.
It has nothing to do with authentication redirect URIs, where it would need to match your app hosting.
Agree with juunas and this is just additional description. Screenshot below contained the error you met and one of the supported App ID URI pattern.
I'm afraid that the reason for exposing API is that you want to protect your web API with Azure AD. The App ID URI here is used for the authorization. Your web app also requires to configure the audience, then after you integrate Azure AD authorization into your application, the scope, the audience and other claims containing in the incoming access token will all be verified. I have a sample which is based on a web api. You can see the configuration for Azure AD authorization.
And https://your-app-name.azurewebsites.net is for authentication which used for redirect from microsoft identity platform back to your own web app. The scenario can be opening your own web page which requiring user to sign in --> redirect to microsoft sign in page --> sign in then redirect back to your web page. So we need to identify the redirect URL in Azure AD.
Using client credentials flow in Azure for app registrations that live in different tenants, results in bearer tokens not containing any app roles.
I created 1 app registration named "fake-web-api" in Tenant A for a web api and that app registration contains an App Role named "fakeAppRole".
I created a admin consent link by using the following format
https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
I navigated to that link and signed in as an Admin of Tenant B and approved the consent.
This resulted in an enterprise application "fake-web-api" to appear in Tenant B's azure active directory.
I created 1 app registration named "fake-daemon-app" in Tenant B and added an API Permission to "fake-web-api"/"fakeAppRole".
I created a client secret for the "fake-daemon-app".
Now the code that I used to test this example is in here: https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi
This example works perfectly fine for single tenant scenario, but when I tried to get it to work for muilti tenant scenario, I run into the problem that the bearer token that is returned to me does not contain any app roles and is therefor rejected by the "fake-web-api".
I expected the token that was returned to me to contain app roles, because it did contain app roles in the single tenant scenario.
In this case the issue turned out to be using Tenant A as the authority here:
.WithAuthority(new Uri("TENANT_A_DOMAIN_NAME"))
Since the app role was assigned in tenant B, we must use tenant B as the authority to see the role in the token.
can I login a user to AAD without using an App Registration?
My problem is the following:
I am currently writing a python module that wraps the Power BI REST API.
Everything works fine if I register an app in AAD and authenticate via Client ID and Client Secret.
I would like to enable a user login, so that a user logs in with their credentials and can run the script with the privileges assigned to their account.
MSAL seems to support that with a PublicClientApplication and the acquire_token_interactive method. It still expects a Client ID, though.
My issue is that I would like to distribute my python module to other developers, without them having to register an app in AAD first.
After all, I can use the MicrosoftPowerBiMgmt PowerShell module without first registering an app.
How can I do that? Is there an authentication flow that does not need an App Registration?
It is not possible to authenticate user without App registration with OAUTH and OPENID connect, multi-tenant authentication means a template which will be deployed on multiple tenants with same client-id and secret
I have recently registered an app using the new Microsoft registration portal located at apps.dev.microsoft.com, and it all is working great.
However, I am concerned that this registration is tied to my personal account. I would like to grant access to these app registrations to other members of my team. Is this possible?
It sounds like when you signed in to the App Registration portal, you used your personal Microsoft account, which ties this only to your personal account.
You can do what you want, but you will have to re-register your app using a "work or school" organizational account instead (i.e. Azure AD), and then you can add other users in your organization as additional "owners" of the app.
Sign in to https://apps.dev.microsoft.com using your work or school account.
Register your app, and copy your Application ID. Because you're signed in with an organizational account, this will result as a new Application object in your organization's Azure AD tenant.
Use Azure AD PowerShell to add other owners to the Application object. (Note: Normally I would suggest you use the Azure portal's "App registration" functionality for this, but that view currently filters out apps registered in the App Registration portal.)
$AppId = "dc9bc6e6-9893-476f-884f-8bbc1e61f7c5" # <- Your app's Application ID
$OtherUsername = "bob#contoso.com" # <- Other user who should also own the app
Connect-AzureAD # <-- Sign in with your organizational account
$app = Get-AzureADApplication -Filter "appId eq '$AppId'"
$user = Get-AzureADUser -Filter "userPrincipalName eq '$OtherUsername'"
Add-AzureADApplicationOwner -ObjectId $app.ObjectId -RefObjectId $user.ObjectId
Verify that now both you and the new user are owners of the Application object:
Get-AzureADApplicationOwner -ObjectId $app.ObjectId
Now, when the team member you added as an app owner signs in to the App Registration portal (using their organizational account), they will be able to see the app registration.
How can I enable authentication with a multitenant AngularJS single page application calling a multitenant service Web API using Azure AD?
This is the high level flow I am trying to enable:
Multi-tenant AngularJS application [ClientApp] -> Multi-tenant ASP.NET Web API [ServicesApp]
I have a multi-tenant AngularJS application which requires Azure AD login using ADAL for JS (OpenID Connect). That web application is registered as a multi-tenant application ClientApp in a developer Azure AD, which I'll call DevAAD. I consented to use this ClientApp application in another Azure AD, which I'll call Tenant1. Once a user from the Tenant1 directory logs into the web application with their credentials into the login.microsoftonline.com portal, they are able to access the web UI. However, the UI is unable to call Web APIs on behalf of the user using the OAuth 2.0 Implicit Flow. This is the error message I am seeing in the Javascript code:
AADSTS65001: The user or administrator has not consented to use the
application with ID '<ClientApp_ClientID>'. Send an interactive
authorization request for this user and resource.
There is another Azure AD multi-tenant app representing backend Web API services called ServicesApp that is registered in the same DevAAD directory as the ClientApp UI application. The client ID and app ID URI of ServicesApp are the valid audiences for those services. This ServicesApp application has been consented to in the same Tenant1 directory. When invoked from a native client application with permissions to ServicesApp, the services are authorizing users from the Tenant1 directory using the OWIN middleware provided in System.IdentityModel.Tokens.Jwt 4.0.0 and the [System.Web.Http.Authorize] attribute in the controller.
Configuration details:
ClientApp
Azure AD application manifest has availableToOtherTenants set to true and oauth2AllowImplicitFlow set to true. ClientApp has permissions to access ServiceApp Azure AD application.
The AngularJS application has the following configuration:
adalAuthenticationServiceProvider.init(
{
tenant: 'common',
clientId: <ClientApp_ClientID>,
endpoints: { <ServiceEndpoint> : <ServiceApp_ClientID> }
}, $httpProvider);
ServiceApp
ValidateIssuer is set to false in TokenValidationParameters object in WindowsAzureActiveDirectoryBearerAuthenticationOptions configuration object passed to IAppBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication()
"
knownClientApplications" property in "ServiceApp" Azure AD manifest is
set to ["<ClientApp_ClientID>"]
I have not been able to locate any examples of a multi-tenant web application calling multi-tenant Web APIs, specifically a single page application built with AngularJS. How can this be implemented with Azure AD?
You should try generating a Authorization Code URL using the template described here.
You can also copy this and replace the values with your own:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=<appid>&response_type=code&redirect_uri=<replyurl>&resource=<resource>&prompt=admin_consent
Note at the end of the url I added the query string: "prompt=admin_consent".
This is something that only a company administrator can do, and it will consent to your app for the entire tenant, so that no one else needs to consent in the future. Note that you can change this to "prompt=consent" if you want to only consent at an individual user level, or remove it all together if you do not want to force a consent prompt.
Let me know if this helps!