I have created an App under Azure B2C tenant.
The app is using a custom sign-in/sign-up policy to log in to local users.
However, my app has an admin view, where I would want the log-in users to be able to create accounts for whoever needs access within the app. I have seen that this is possible using Azure Ms Graph API.
However, I keep getting an InvalidAuthenticationToken Error, when I try to call Ms Graph API.
error:
code: "InvalidAuthenticationToken"
innerError: {date: "2021-08-11T14:25:09", request-id: "8a49ae82-a669-4bb4-af6e-b698e095dadc", client-request-id: "8a49ae82-a669-4bb4-af6e-b698e095dadc"}
message: "Invalid x5t claim."
I couldn't find any solution online. Is this even possible? And if there's a way around it, how can I do it?
Thank you!.
It would help if you went into more detail on your use case.
You have a B2C local account and you want to create users in AAD or in B2C?
If in B2C, yes you can do this as per this article.
If in AAD, see here.
Make sure that your application has the correct permissions.
Related
I have a dotnet 5 Blazor Server-Side website deployed to Azure App Service. I've followed the tutorial at https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service to provide Authentication. Now, any attempt to reach my site requires a login from a user of the Azure AD.
Unfortunately, I haven't been able to find any guidance on how to manage Authorization though. For example, I'd like to restrict access to pages to members of specific groups within the Azure AD. I seem to remember years ago, there was some kind of membership provider database that the site would check.
The kind of thing I'm looking for is to be able to decorate the razor page with the name of an Azure AD group of which anyone attempting to load the page must be a member. Does anyone know of a link that describes the "official" way to achieve this?
Role-based access control (RBAC) a way to authorize applications based on the role permissions granted by the administrator to individual users/groups. Please refer this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
Please refer this link for more details on how you can access the razor pages base on the roles assigned to the users/groups.
I have a graph API app and want it to be accessible to every user for authorizing.
The app is made to be a multi-tenant application that should be available to everyone (see screenshot)1.
When a user who is not added to the azure active directory tries to access to grant permissions to the app, they get this error saying "the user is not added to the azure active directory, and the user needs to be added as a tenant to the app"
I am using this link for oauth access https://login.microsoftonline.com/DIRECTORY_ID/oauth2/v2.0/authorize?client_id=CLIENT_ID2&response_type=code&redirect_uri=http://localhost:3000/auth/callback&response_mode=query&scope=offline_access Channel.Create Channel.ReadBasic.All ChannelMessage.Send Team.ReadBasic.All Group.ReadWrite.All&state=12345
error message from graph app
You are using a tenant specific endpoint which will not support personal account. You need to use a common endpoint(login.microsoftonline.com/common/oauth2/v2.0/).
Based on your URL you have shared, you can use below example syntax,
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=CLIENT_ID2&response_type=code&redirect_uri=http://localhost:3000/auth/callback&response_mode=query&scope=offline_access
Also, Please refer to similar question here.
I'm following a guide online to generate an access token to access Microsoft Dynamics 365 Customer Engagement: https://eax360.com/dynamics-365-online-connect-using-postman/.
All of it works fine, however I am wondering why delegated Admin permissions need to be supplied in Azure Active directory during app registration. I have seen a lot of guides explain that permissions must be delegated but the above site documents the process well. As a general rule, I thought that starting with the lowest security permissions was the norm. I am new to Azure AD so thoughts are very much welcome.
If your app will be a client which allows the authenticated user to perform operations, you must configure the application to have the Access Dynamics 365 as organization users delegated permission.
Application permission means that you want your app to access Common Data Service without a user.
So whether to use delegated permission in Azure app registration depends on your needs. It is not mandatory.
But we can see that the Application permissions in Azure app registration is gray out. This is because Microsoft provides a different way to implement it.
We need to create a Common Data Service application user an then bound it to the registered app. After that, we could connect using the application secret. See the details here: Connect as an app.
I'm building a service where each user has a calendar, I want to sync users 365 calendar events into their calendar, the tricky part seems to be, that this should be done repeatable by background job on the server, to keep them in sync.
I feel like I've read a bible of documentation from Microsoft, but still gotten nowhere. I eventually stumbled upon this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds which allows a server to query the graph api, on behalf of users. This is exactly what I want.
Having created a Azure account, and Active Directory service, I found that only users within the tenant can use this, which makes it rather useless, requiring to add users manually from azure panel.
AADSTS50020: User account 'm#****.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'c0193dea-5145-430a-9c90-325f1229a1fc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
So I'm back at square one, how can I achieve what I described?
I'm not looking for a code implementation, merely a description of how to navigate the monstrosity of Microsoft.
Thank you
Update: Accordingly to Marc link. I tried to flick the multi tenant option, and change the endpoint to use common instead of tenant id. Sadly i'm still getting the same error.
You cannot sign-in to AAD with a non-AAD account using the v1 Endpoint. If you want to use a consumer Microsoft Account (#outlook.com, #hotmail.com, #live.com) then you need to use the Converged Auth model provided by the v2 Endpoint.
I have a walkthrough for the v2 Endpoint that you might find helpful: Microsoft v2 Endpoint Primer. It is similar to the v1 Endpoint but you'll need to register via https://apps.dev.microsoft.com rather than the Azure Portal. Also, v2 apps use Scopes instead of Resources and are multi-tenant out of the box.
This is a broad a question for Stack Overflow. That said, you're incorrect about Azure AD. It is absolutely not limited to a single-tenant. You do however need to register it as a multi-tenant application:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern
When I try to login for the first time with new user via active directory to graphexplorer.windowsazure.net I get following scopes:
In my apps.dev.microsoft.com I have following permissions:
Why am I getting only these two scopes in access token:
Apps registered via the Application Registration Portal use the Azure AD v2 endpoint which supports incremental consent.
This means that while your app registration determines which scopes can be requested, you still need to specify specific scopes when you make the authorize request. Also, you should avoid requesting all scopes up front, rather incrementally request scopes as needed in the context of specific operations. So start out with your authorize request as you have it, with no extra scopes but when you need to send an email on behalf of the user issue another authorize request like so:
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345
For more info on scopes in the v2.0 endpoint check out the Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint document.
For an example of an app that incrementally requests scopes, check out this Integrate Microsoft identity and the Microsoft Graph into a web application using OpenID Connect sample.
Also note that there 2 different Graph APIs:
Azure AD Graph (endpoint: graph.windows.net, explorer: https://graphexplorer.azurewebsites.net/)
Microsoft Graph (Endpoint: graph.microsoft.com, Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer)
From https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api:
We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
I'm not quite sure where that screen shot is coming from, but the URL you're going to is incorrect. The correct URL for Graph Explorer is https://developer.microsoft.com/en-us/graph/graph-explorer.