Sharepoint Online OAuth 2.0 invalid token type for new O365 tenant - azure-active-directory

I have been using the SharePoint Online REST API to integrate with my O365 add-in app, which is working perfectly fine for my old O365 tenant.
However, I am getting an error when I try to call any API with the Bearer token that I get for my new O365 tenant app.
{"error":"invalid_request","error_description":"Token type is not allowed."}
Is the auth token URL changed for new tenants, or is it something else?
I am using https://accounts.accesscontrol.windows.net/{{tenant_id}}/tokens/OAuth/2

Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), got retired on November 7, 2018. This retirement doesn't impact the SharePoint Add-in model, which uses the https://accounts.accesscontrol.windows.net hostname (which isn't impacted by this retirement).
Check out Impact of Azure Access Control retirement for SharePoint add-ins.
Note that you can connect SharePoint directly to Azure AD using token issuance policies.
SharePoint 2013, 2016, and SharePoint Online customers have long used ACS for authentication purposes in the cloud, on-prem, and hybrid scenarios. Some SharePoint features and use cases will be affected by ACS retirement, while others will not. The below table summarizes migration guidance for some of the most popular SharePoint features that leverage ACS:
• Authenticating users from Azure AD: Previously, Azure AD did not support SAML 1.1 tokens required by SharePoint for authentication, and ACS was used as an intermediary that made SharePoint compatible with Azure AD token formats. Now, you can connect SharePoint directly to Azure AD using token issuance policies.
• App authentication & server-to-server authentication in SharePoint on-prem or SharePoint Online (SharePoint add-in registrations done through appregnew.aspx etc.): Not affected by ACS retirement; no changes necessary.
• Low trust authorization for SharePoint add-ins (provider hosted and SharePoint hosted): Not affected by ACS retirement; no changes necessary.
• SharePoint cloud hybrid search: Not affected by ACS retirement; no changes necessary.

We had the same issue when using app-only, ClientID / ClientSecret based authentication in a tenant that was recently created. In our old tenant (created in 2013) we could use the same authentication method without any problem. As it turned out, new tenants have a standard setting in the DisableCustomAppAuthentication property that disables this kind of auth. However, it can be overridden using this command:
Set-SPOTenant -DisableCustomAppAuthentication $false
Source:
https://sharepoint.stackexchange.com/questions/284402/sharepoint-online-authorization-issue-token-type-is-not-allowed
https://sharepoint.stackexchange.com/questions/286693/getting-invalid-request-token-type-is-not-allowed-error-while-accessing-lists
Furthermore:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Azure Access Control (ACS), a service of Azure Active Directory (Azure
AD), has been retired on November 7, 2018. This retirement does not
impact the SharePoint Add-in model, which uses the
https://accounts.accesscontrol.windows.net hostname (which is not
impacted by this retirement). For more information, see Impact of
Azure Access Control retirement for SharePoint Add-ins. For new
tenants, apps using an ACS app-only access token is disabled by
default. We recommend using the Azure AD app-only model which is
modern and more secure. But you can change the behavior by running
'set-spotenant -DisableCustomAppAuthentication $false' (needs the
latest SharePoint admin PowerShell).
More details:
https://www.koskila.net/literally-breaking-changes-to-app-authentication-on-sharepoint-%F0%9F%98%B5/
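A client-side check for which issuer minted the bearer token being sent, added here as an example and not part of the original answers. The issuer conventions (the ACS principal ID followed by "@realm", and the Azure AD https issuer URLs) are assumptions of this example, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Issuer conventions assumed by this example (not stated on the page):
# ACS signs tokens as "<ACS principal id>@<realm>"; Azure AD uses an https issuer URL.
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"
AAD_ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_issuer(token: str) -> str:
    """Classify a bearer token as 'acs', 'azure-ad' or 'unknown' from its iss claim."""
    iss = str(decode_claims(token).get("iss", "")).lower()
    if iss.startswith(ACS_PRINCIPAL + "@"):
        return "acs"
    if iss.startswith(AAD_ISSUER_PREFIXES):
        return "azure-ad"
    return "unknown"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo; never a real credential."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}.constructed"


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"  # constructed tenant id
    samples = {
        "ACS app-only": {"iss": f"{ACS_PRINCIPAL}@{tenant}"},
        "Azure AD app-only": {"iss": f"https://sts.windows.net/{tenant}/"},
    }
    for label, claims in samples.items():
        print(label, "->", classify_issuer(make_sample_token(claims)))
```

An "acs" result for a token sent to a newly created tenant matches the situation in the answer above, where DisableCustomAppAuthentication blocks ACS app-only tokens by default.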

Related

Migrate Applications with ADFS Activity Report

We are using the ADFS activity report to migrate our applications to AAD. Everything shows as Ready and when we click on the Ready link, the text says "We've detected on-premises settings for this relying party that can be migrated to a new Azure AD enterprise application. We'll map the fields and create the new application, but users won't be redirected to it until you say so." By the last statement, it seems like the application is automatically created now. Is that the case? If so, how long does it take to create the application and does it keep the same name as in ADFS?
• The message that you encountered, “We've detected on-premises settings for this relying party that can be migrated to a new Azure AD enterprise application. We'll map the fields and create the new application, but users won't be redirected to it until you say so.”, means that the application is a SaaS application available in the Enterprise application gallery in Azure AD. This does not in any way mean that the application has been created automatically; it just means that the application is ready to be migrated to Azure AD and is fully available as a SaaS application in the Azure AD gallery and doesn’t need any further relying party configuration migration from the on-premises ADFS server.
• Since the message is displayed only for SaaS apps readily available in Azure AD gallery and are equally configured as a relying party trust in ADFS, its configuration information is readily migrated through the ADFS Connect health application to Azure AD and it can be configured in the cloud itself with admin account access needed for the SaaS application’s account for SSO and SAML authentication configuration required through Azure AD.
You can find the image below for your reference; it shows the ‘Dropbox’ application as ready for migration from ADFS to Azure AD:
With the above option enabled, you can easily configure your application’s SSO configuration in Azure AD. If all the configurations are up and running, it will happen instantaneously within a few minutes of time.
Kindly refer to this link for more information on migrating federated apps from ADFS to Azure AD:
https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration
I think the report is still in preview and it is missing a create application button.
All the documentation only shows the reports and not the create process.
Also, this migration tool is a repackage of the PowerShell test commands:
https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration
So I assume you need to create the application manually based on the report.

Integration between Azure and Google - SSO and User Provisioning from Google to Azure

We have G Suite as an identity provider in our company. Some of our users also use Azure and Office 365. We want to be able to log in to Azure AD using a Google account, and later have this account in AD and assign roles and groups in AD and the whole of Azure. We want to change passwords in Google etc.
How to set up SSO from Google to Azure?
Azure AD supports the concept of Identity Providers for External Identities. You can read about it here on Microsoft Docs.
You could enable users from identity providers like:
• Google
• Facebook
• Direct federation (to external identity providers that support SAML or WS-Fed protocols)
Since you specifically mention G Suite as an identity provider in your company, Direct federation may be the most relevant one for you. I say this because using Google federation directly is designed for Gmail accounts, as mentioned in the note here on Microsoft Docs.
How to set up Direct Federation is explained in detail here on Microsoft Docs.
Please note that:
• This feature is currently in Preview
• There are some important limitations in terms of domain requirements and authentication URL, as stated here on Microsoft Docs

Why access token does not contain all permissions after updating Office 365 application permissions in Azure AD?

I registered a multi-tenant Office 365 application in the Azure AD admin center and configured the required permissions that this application asks for. I also created a web service that uses this application.
My web service had been working for half a year, and at some point I extended the functionality of my web service, and now it requires several new permissions. I also realized that some permissions are not required for my web service any more.
So I added the extra permissions and removed those that I don't need in Azure AD, saved the permissions and clicked the "Grant permissions" button.
In my web service I perform the re-authentication flow in order to update the access token for working with the created Office 365 application and use the extra permissions. But when I get an access token using my web service and decode the token on this site, I don't see that the extra permissions were provisioned. I also see that my web service gets a token with those permissions granted that I removed from my application. So even after re-authentication, a user from another tenant that uses my web service gets a token with the "old" permission set.
Why so? How can I provision all the application permissions I previously set up for my Office 365 application in Azure AD to the tenant that uses my service? I just need the permission set in the token to be up to date with those I configured in Azure AD.

Ms Dynamics Integration with Azure Active Directory

I am using the ADAL libs for Java to connect to MS Dynamics CRM in my backend application. I registered my trial version of CRM in Azure Active Directory and I got the clientID and clientsecret from there. So now I am able to connect to my CRM.
But my question is: if I have multiple CRM accounts, how should I do this? Is there any API to register the CRM in Azure Active Directory, or is there any API to do that using the CRM credentials?
Can anyone please explain this to me?
AFAIK, MS Dynamics CRM only supports the Authorization code grant flow (OAuth).
If you were developing a web app, it should work well for your scenario, since every user could sign in to the web app and then the web app can delegate the user to integrate with MS Dynamics.
For more detail on authentication with Microsoft Dynamics 365, you can refer to the document below:
Connect to Microsoft Dynamics 365 web services using OAuth

Azure B2B Integration Fails with Office 365 APIs

In doing some more testing today, I am finding that when I get an access token for a user that has been added to a tenant via the Azure B2B feature, I cannot access the site content using the Office 365 APIs.
Is there any plan to enable this scenario by RTM for Azure B2B? I'm finding more and more blocking scenarios like this where a user has been granted access to a resource, but access through the Office 365 APIs is not working.
