Is there a way to require user to login into Azure AD only with specific account in interactive mode, using MSAL?
I tried
NativeClientApp.AcquireTokenInteractive(Scopes).WithLoginHint(account.Username).ExecuteAsync()
and
NativeClientApp.AcquireTokenInteractive(Scopes).WithAccount(account).ExecuteAsync()
but both allow me to select user.
You can use use WithPrompt(Prompt.NoPrompt) to exclude all other accounts that you not want to choose.
Just try code below:
NativeClientApp.AcquireTokenInteractive(scopes).WithPrompt(Prompt.NoPrompt).WithLoginHint("<account>").ExecuteAsync()
Result:
NOT using WithPrompt(Prompt.NoPrompt):
Using WithPrompt(Prompt.NoPrompt):
Related
I have set up a B2C instance OK and managed to get a basic Blazor (server) app working with it a using the Microsoft Identity Platform (using AD groups for permissions - it was a hassle but works).
However, I'm trying to use an external Azure AD as a custom identity provider in the user flow, so that I am not just restricted to just email/id/social accounts, but can have guest accounts from other directories use the app without having to manage their sign-in's. To do that I performed a web app registration in the AD tenant that I wanted to use to authenticate those accounts against (as suggested in a couple of tutorials).
The application I registered in the external AD has a Redirect URI in the format "https://{My B2C Directory Name}.b2clogin.com/{My B2C Directory Name}.onmicrosoft.com/oauth2/authresp", which matches the name of my B2C instance, and I have added the client id and secret generated from that app registration and put the details into the custom identity provider I have created for the sign-in flow, as per the instructions here (including the mappings etc.):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
I also found a slightly older tutorial here, which is pretty similar (different mappings) that I've tried to follow (and adapt the bits that are out-of-date).
https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-azure-ad-via-the-b2c-custom-identity-provider-42fbc2832e32
However when I run the user flow I get "AADSTS900971: No reply address provided." - this happens even when I run the flow directly from the User Flows tab in B2C with a 'Reply URL' explicitly set to "http://jwt.ms" (just to capture the token contents).
I'm confused about the reply URL being missing because they exist in both registered apps. Also, it's not saying they're mismatched, just that one isn't set at all (but appears to be).
It feels like I'm missing something simple - does anyone have any idea what that might be?
Ok so I did a couple of things to resolve this:
Re-registered the application in the AD I want to authenticate with (following this tutorial again: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow)
I was careful to ensure that the redirect URI in the format:
https://{B2C Instance Name}.b2clogin.com/{B2C Instance Name}.onmicrosoft.com/oauth2/authresp
was all lower case.
I also had to change from just a 'sign-in' user flow to the 'sign-up, sign-in' one, and then applied the custom identity provider to that flow. Apparently you need that even for users from another AD to be able to complete their invite process (otherwise you just end up with a user doesn't exist error - even if you've invited/added them to the B2C users list).
I also elected to 'Grant admin consent for Default directory' under the API Permissions tab for the application being registered in the external AD (to be used for the custom identity provider).
The flow seems to work now. The only thing that would be useful would be to have an invite only sign-up, sign-in flow so that you could invite specific people without breaking the invite process.
If anyone knows how to do that please do post something.
I am using react-native-biometrics library for login authentication for a banking app I am working. The requirement is to provide both Face ID and Touch ID options to the user so that he can login as per his wish. But while using react-native-biometrics, "biometricType" flag gives only single result.
So, is there any way by which I can customise authentication type?
Also, how can we handle the same scenario in Android as only a common "Biometrics" type is used in the same?
Please help!
I'm trying to get the preferred username of a user via the Graph API for Microsoft Office / Azure
If a user logs in via an enterprise application with an id_token I get the preferred_username claim.
This has the user's actual email address.
If I try to look up the user separately by ID, I can't find any way to get that username.
Seems related to Sign-in to Azure Active Directory using email as an alternate login ID (preview).
The user in question is using a GitHub linked account, it likely has an ugly UPN that I would prefer not to be seen anywhere. Instead I would like to use their preferred_username.
Example "ugly" UPN":
***_gmail.com#EXT##***gmail.onmicrosoft.com
To my knowledge, the preferred_username value isn't exposed by Graph in either v1.0 or Beta.
One potential workaround is to use the otherMails property. This is an array, so this may contain multiple entries for a given user. That said, any otherMails entry is likely to be less 'ugly'.
One thing I do currently in an enterprise app is logon to a single admin email account that has delegation over other users and using delegation, we are able to manipulate email/calendar/contacts of users.
I'm looking to use the Microsoft Graph API and I have managed to use admin delegation and gain access to various resources, however last modified (on Onedrive/Sharepoint) is showing the app instead of an individual user.
I understand I can use Oauth and logon as individual users, capture a token and then do what I need under the context of that user, but, I need to do this server side where tasks run. Is there anyway to use admin approved delegation/impersonation from the app so that the users don't have to signin?
e.g. standard that works:
https://graph.microsoft.com/v1.0/sites/my-site.office.com/drive/root:/file.txt:/content
Looking to add a user tag, but this doesn't work:
https://graph.microsoft.com/v1.0/user/{id-of-user}/sites/my-site.office.com/drive/root:/file.txt:/content`
After searching for ages, the closest I have read seems to be in here however, I was wondering if there was a standard way of doing this - I haven't been able to get the JWT part of this working (and not sure if this is even the correct thing I am looking for).
I would like to be automatically logged on a website using my password an login that are used on my computer when i open an AD session.
Connection must be granted if i'm in the right AD group .
Any advices ?
The easiest solution would be to use the built-in ASP.NET Membership and Role system and just use the "Active Directory" membership and role providers.
That way, your user is automatically authenticated, and you can use role-based security in ASP.NET to do something like:
[PrincipalPermission(SecurityAction=Demand, Role='MyAppRole')]
Put this on your critical or sensitvie methods to allow or refuse access to your app.
With the same method, you can also add protected subfolders to your application and protect them by specifying who has access (or not) in your web.config (in that folder).
See a few links for additional details:
http://blogs.msdn.com/gduthie/archive/2005/08/17/452905.aspx
http://slalomdev.blogspot.com/2008/08/active-directory-role-provider.html
http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
Hope this helps a bit.
Marc