ADAL and MSAL confusion - azure-active-directory

My References
According to this,
Starting June 30th, 2020 we will no longer add any new features to
Azure Active Directory Authentication Library (ADAL) and Azure AD
Graph. We will continue to provide technical support and security
updates but we will no longer provide feature updates. Applications
will need to be upgraded to Microsoft Authentication Library (MSAL)
and Microsoft Graph. Learn more
And this,
Starting June 30th, 2022, we will end support for ADAL and Azure AD
Graph and will no longer provide technical support or security
updates. Apps using Azure AD Graph after this time will no longer
receive responses from the Azure AD Graph endpoint. Apps using ADAL on
existing OS versions will continue to work after this time but will
not get any technical support or security updates.
and this link,
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Microsoft.Identity.Client; // MSAL
ADAL should be replaced by MSAL. However, my project does not reference either of the above libraries.
These are the references I have in my project.
Microsoft.IdentityModel.JsonWebTokens
Microsoft.IdentityModel.Protocols.OpenIdConnect
Microsoft.IdentityModel.Tokens
Microsoft.Owin
Microsoft.Owin.Security
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Security.OpenIdConnect
Owin
Questions
The more I read about this topic the more I get confused because one minute I'm under the impression that ADAL is only authorization and not authentication and the next minute I see it referred to as ADAL Authentication. I just want to know if I need to update my authentication code for it to continue working.
Since my project does not reference Microsoft.IdentityModel.Clients.ActiveDirectory and only uses Azure AD for authentication and not authorization, does this mean this change will not affect me?
ADAL and MSAL are only for authorization and not authentication correct? If this is the case, why do they reference MSAL and Microsoft Graph, what is the difference?

Since you did not use either of the libraries (Microsoft.IdentityModel.Clients.ActiveDirectory and Microsoft.Identity.Client) and you only use Azure AD for authentication, I don't think this change will affect your project.
For your question about why they reference MSAL and Microsoft Graph but not ADAL and Azure AD Graph: in fact, the two are similar and the changes are minor. You can refer to this document to know the differences between them.

The final deadline to migrate your applications to Microsoft Authentication Library (MSAL) has been extended to June 30, 2023. Ref to the ADAL to MSAL Migration Document here

Related

AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'

I followed this article to implement the OAuth flow with the following authority URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d8e21783-5956-4bef-80ae-fdd636006223&prompt=login&response_type=code&response_mode=query&redirect_uri=xxxxx&scope=offline_access+user.read+files.readwrite.all&state=xxxxx
The page provides two sign-in ways:
With email address.
Without entering the email address.
You can see this screenshot, green line is the first option and orange line is the second.
Both login ways support 「Windows Hello Face」 and 「Security Key」 (passwordless).
However, the authorization will fail if I choose the second sign-in way.
AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'.
Does this mean the Microsoft OAuth flow does not support the second sign-in way?
PS: The ancient authority URL (ref) supports the second sign-in way.
GET https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}
&response_type=token&redirect_uri={redirect_uri}
This approach is no longer recommended.
Use your personal Microsoft account to get access to Azure and all
consumer-oriented Microsoft products and cloud services, such as
Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Microsoft
365. Sign up your organization - Azure Active Directory - Microsoft Entra | Microsoft Docs
Note: Usually the approach using the Azure AD v2.0 endpoint is recommended. However, some enterprise scenarios may require using the original Azure AD endpoint.
Please check this Microsoft Docs page on error AADSTS50020 for a related cause to troubleshoot.
References:
Get OneDrive data in UWP using Microsoft (Live) Accounts and Azure AD - DEV Community
Authorization and sign-in for OneDrive in Microsoft Graph
You can raise a support request.

Add service principal using Graph client Sdk using proof jwt

I need to add a key credential to Azure active directory app using one of the existing key credentials. The Api action for it is explained here. https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/functions-and-actions#addkey-add-a-keycredential-for-an-application--
I use an existing key credential to sign the jwt proof as explained and it works fine.
I need a similar functionality in the Active directory Graph client sdk. https://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient/
The ActiveDirectoryClient.ServicePrincipals.AddServicePrincipalAsync method does not take a proof input. And currently, if I call it with only an auth token, it says "not enough privilege".
The nuget package that you have included has a last update of 10-17-2016.
Per the samples included in that NuGet package:
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console
Both have been archived. The linked library is neither maintained nor supported anymore. My suggestion would be to move over to ADAL so that you can make HTTP calls to the AAD Graph API.
The more preferred option is the Microsoft Graph, as Microsoft is moving towards having all APIs under the Microsoft Graph, and preferably moving to MSAL, as that is the library that will be used moving forward as well.
However, the issue with that is that addKey is not supported yet under the Microsoft Graph. See here for the current differences between the Microsoft Graph and the AAD Graph. The idea is that there will be parity between the two over time.
For an example of using the ADAL library to make a call to the Microsoft Graph, please see the following sample: https://github.com/FrankHu-MSFT/ADAL-.NET-Console-Application
Note that your setup will be similar but the only difference is that you'll be getting an access token on behalf of the AAD Graph API and making calls to the AAD Graph API accordingly.
For more up-to-date MSAL samples making calls to the Microsoft Graph API, please take a look at the samples here: https://github.com/microsoftgraph/aspnet-snippets-sample
As ADAL and the AAD Graph API are both getting older, it is suggested to move towards the Microsoft Graph API and MSAL when possible.

Skype For Business Online supported by Azure AD 2.0?

I developed an app which has integration with Microsoft Graph API and uses Azure 2.0 API for authentication.
From Microsoft Graph I can get users.
Now I want to see presence information for each user, and therefore I need to use Skype for Business Online.
I send request to:
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
And a user href is:
https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
Then I got an access token for https://webdir0f.online.lync.com from:
https://login.microsoftonline.com/<mytenant>/oauth2/v2.0/token
And the token has no "roles" claim, which is strange.
Then https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user returns me a 500.
Is there a way to use Azure 2.0 to get access to Skype For Business Online?
Is there a way I can get presence information without a signed in user in Skype For Business Online?
UPD:
I was able to get access token for scope https://webdir0f.online.lync.com/Contacts.ReadWrite using client secret.
Small correction: what you're using here isn't "Azure 2.0" but rather Azure Active Directory's "App v2" or, more commonly, the "v2 Endpoint".
The v2 Endpoint has several well-known limitations and not all APIs and features are supported. The Skype and Skype for Business APIs both lack support for the v2 Endpoint.
In general, unless it's a recently released API or it is surfaced by Microsoft Graph, then it will only work with tokens issued by the v1 Endpoint.
I managed to get access to Skype For Business using Azure 2.0 application. Just followed the guidelines.
During autodiscovery you need to set the scope to the next user or redirect URI, like this: https://webdir0f.online.lync.com/Contacts.ReadWrite.
Then Azure 2.0 realizes it's a Skype For Business URI and scope and works properly.
Though still Skype For Business API is old and very hard to use.
And I haven't found a way to get all other company user presence information from Sfb API.
Looks like it makes sense to wait until Trusted Application API will work.
Also, trying to get an Application token doesn't work.
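Added example, not from the question or any answer above: a small Python helper for inspecting the claims of an access token you hold, to see which endpoint issued it (the "ver" claim) and whether it carries any permission for the resource ("roles" for app-only tokens, "scp" for delegated ones), which is the first check to make when a token like the one in the question comes back without "roles". The sample token is constructed and unsigned; the tenant id is a placeholder.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_payload(token: str) -> dict:
    # Read the claims only; this does NOT verify the signature, so use it for
    # diagnosing a token you hold, not for trusting one you receive.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_permissions(token: str, expected_aud: str, now: int) -> dict:
    # Azure AD puts application permissions in "roles" and delegated permissions
    # in "scp"; a token with neither carries no permission for the resource.
    # "ver" says which endpoint issued it ("1.0" or "2.0").
    claims = jwt_payload(token)
    roles = claims.get("roles", [])
    scp = claims.get("scp", "")
    kind = "app-only" if roles else "delegated" if scp else "no-permissions"
    return {
        "ver": claims.get("ver"),
        "aud_matches": claims.get("aud") == expected_aud,
        "kind": kind,
        "roles": roles,
        "scopes": scp.split(),
        "expired": claims.get("exp", 0) <= now,
    }

# Constructed sample, not a real token: unsigned ("alg": "none") and shaped like
# the v2.0 token from the question, issued for the Skype for Business resource
# with a client secret but carrying no "roles" claim.
SAMPLE_CLAIMS = {
    "aud": "https://webdir0f.online.lync.com",
    "iss": "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0",
    "ver": "2.0",
    "nbf": 1600000000,
    "exp": 1600003600,
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "",
])
```

Running `diagnose_permissions(SAMPLE_TOKEN, "https://webdir0f.online.lync.com", 1600000100)` reports kind "no-permissions", which is why the resource refuses the call even though the audience matches and the token has not expired.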

Office Add-In SSO with an AAD v1 app registration

I am developing an Office add-in.
This office Add-In is supposed to retrieve the term store from SharePoint.
By following this tutorial:
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-aspnet
I managed to get an access token to be used for the Graph API. However, the Graph does not expose any way of getting the term store. Is there a way we can generate an access token to be used with SharePoint and maintain the SSO?
It might be possible by registering an Azure AD v1 app but I could not find any documentation describing that.
I have a similar requirement, but in my research I wasn't able to find a good solution for this scenario.
I think it is probably possible to use a provider hosted SharePoint add-in. And then use the Authorization Code flow for obtaining an access token. Since the SharePoint add-in is trusted it will not require user login.
Of course this does mean the add-in needs to be deployed in SharePoint. If your Office add-in is distributed through the store this isn't really a great solution.
Hopefully there are other ways of achieving the same.
You could call SharePoint Online APIs (via REST or CSOM) with Azure Active Directory Apps. To call APIs secured by Azure AD, your app must acquire an access token from Azure Active Directory.
Please first refer to this document for integrating applications with Azure Active Directory. Then use Azure Active Directory Authentication Library (ADAL) to easily authenticate users to cloud or on-premises Active Directory (AD), and obtain access tokens for securing API calls.

Microsoft-graph-api, SSO and ADAL mobile sdk

I have developed a few iOS/Android apps using the Azure AD SDK 'ADAL'.
The apps work properly for the SSO feature and other login mechanisms. However, now I want to add a 'new contact' using the Azure AD access token. But I came to know that Azure AD Graph is no longer supported, hence the latest Microsoft Graph is the suggested SDK for the same.
My issue is: the most important feature, according to me, is the Single Sign-On feature with respect to mobile app SDKs. The Azure AD SDK offers an API for the most convenient login user experience. Thus you are free to pick an account from the Authenticator app (if present) or any other app on the device which is already logged in.
But the Microsoft Graph SDK does not support the Authenticator app available on the mobile phone, and prompts the user with a login screen though he has already logged in to another app with an Outlook/Microsoft login.
Please help me with some more information on this use case so that I can migrate to Microsoft Graph from the Azure AD app.
I have a huge tradeoff as follows:
1. Azure AD supports SSO but does not support the latest Graph features like adding a new contact in 'My Contacts'.
2. Microsoft Graph, being the latest library/SDK, has all features EXCEPT SSO.
Please provide me answers to these questions or any suggestion if I am missing anything.
The Graph SDKs do not contain any helpers for authentication/authorization. For that you need to use either ADAL or MSAL to acquire tokens to use with Microsoft Graph (to instantiate a GraphClient object). Please take a look at some of our Microsoft Graph samples. [NOTE the Azure AD Graph SDK also relied on ADAL or other mechanisms to acquire tokens and does not do this for you]. Here are the iOS samples: https://github.com/search?q=ios+sample+user:microsoftgraph&type=Repositories
Also Azure AD Graph does not support personal contacts - this is ONLY supported by Microsoft Graph.
If you want to see an integrated client library, where token acquisition is implicitly taken care of as part of GraphClient instantiation then please post a request on UserVoice for this feature.
Hope this helps,
