Azure AD B2C Authentication with Azure AD Multi-tenant - azure-active-directory

I have configured Azure AD multi-tenant authentication by following this article: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=applications
The authentication worked on Friday last week, but now it's suddenly failing. I tried to re-register the application in Azure AD with a new App Id and new App secret that were added on both ends.
Error I'm getting:
Sorry, but we’re having trouble with signing you in.
AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption.
Am I overlooking something obvious?
Authentication is used with a SPA Web App using React with react-aad-msal

Solution: Changed platform configuration from SPA to Web solved it.

Multi tenant SAML SSO app installed with OAuth flow?

I have a multi tenant enterprise app. It authorises a few graph API permissions when installed and has SAML SSO configured. The whole idea is that my customers can install this and in one process grant my application access to their tenant, and setup SSO for that customers users.
The graph API permissions work totally as expected, I get the needed access to the tenants who installed the app.
Then there is the SAML SSO part. That's just totally not working. In my test tenant where I installed my app, it says that the app has SAML SSO and that it is only application owner who can configure - all fine.
I then try to log in (to the web app using this SSO configuration) with a user from my test tenant - no luck!
First I thought that it had to do with the user not being assigned the app, but it complains that the application in tenant A is not available for a user in my test tenant and the user should be added to tenant A. That of course is not a solution since I want to use this for customers.
So right now I am stuck with 2 apps. One gallery app for SAML SSO and my app granting API permissions. It works, but it just seems SO stupid. Isn't there a better way?
Azure AD SAML applications are not intended to be multi-tenant, this is why you need to invite external users as guests.
It's worth mentioning that it's possible for an Azure AD app to support both OIDC/OAuth2 and SAML and thus rely on the same session cookie to obtain an access token for MS Graph.
If you need multi-tenancy, you should use modern protocols such as OpenID Connect for authentication and OAuth2 for authorization. MS Graph relies on JWT access tokens anyway.

How to authenticate to personal OneDrive with Graph REST API

I'm trying to write an R package to let users access the files in their OneDrive folders from R. The API is Microsoft Graph.
Everything is working fine with OneDrive for Business (which is basically SharePoint under the hood, as I understand it). However, I can't get it to work with personal OneDrive.
Custom app registration, consumers authorization endpoint
When I use an app registration under my own AAD tenant, I get the following error from the consumers AAD authorization endpoint:
AADSTS50020: User account 'xxxxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'Consumers' and cannot access the application 'd44a05d5-c6a5-4bbb-82d2-443123722380'(AzureRtest_cli) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Custom app registration, 9188040d-6c67-4c5b-b112-36a304b66dad endpoint
From this page it appears that the token should be for the tenant 9188040d-6c67-4c5b-b112-36a304b66dad instead of the generic consumers. When I tried that, I obtained a seemingly valid token. However, talking to the https://api.onedrive.com/v1.0/drive endpoint results in a cryptic 401 error.
Azure CLI app registration, consumers endpoint
As a hack, I tried piggybacking off the Azure CLI's app registration. This fails with
AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization. Visit https://identitydocs.azurewebsites.net/static/aad/preauthorization.html for details
Azure CLI app registration, 9188040d-6c67-4c5b-b112-36a304b66dad endpoint
Finally, I tried using the CLI app registration with this tenant, which also failed:
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
What are the exact steps I need to do to get to my personal OneDrive?
It turns out I had a bug in my code: I was using the tenant consumers.onmicrosoft.com instead of consumers. The process to communicate with Graph for personal OneDrive that worked for me was:
Use the authorization code flow as described here, with the following specs:
tenant: consumers
client id: for my custom app registration
scope: https://graph.microsoft.com/{scope} offline_access openid where the scope is one of those listed here
Use the API endpoint https://graph.microsoft.com/v1.0.
With regard to that last point, note that the documentation here is incorrect or at least outdated, as it still gives https://api.onedrive.com/v1.0 as the endpoint for personal OneDrive requests.

Azure AD Authentication of Angular app with MVC Core on Azure AppService

I'm investigating options for adding Azure AD authentication to an Angular SPA application with a .NET Core backend. I'm using a VS 2019 MVC project with Angular (the same as dotnet new Angular produces). It's using .NET Core 3.1 and Angular 8.
From what I learned so far I have 3 options:
Built in Azure App Service Authentication
Adal.js - looks like the older brother of,
MSAL.js - which after making it work locally with Azure AD I learned on this page that "At this time, AAD V2 (including MSAL) is not supported for Azure App Services and Azure Functions. Please check back for updates." I couldn't make it work on Azure today so maybe this Note is for a good reason.
EDIT: Interestingly now point 3 works for me on Azure App Service so I'm not sure what this note means.
My requirements so far are that no screen is accessible to users unless they log in and that I will be able to read information about them from Azure AD - Roles, groups.
I never worked with Angular and I don't have any experience with Azure AD and I need someone that implemented it already to at least tell me which option I should choose and I can go from there.
My requirements so far are that no screen is accessible to users unless they log in and that I will be able to read information about them from Azure AD - Roles, groups.
I think option 1 could meet your requirement: the Azure AD configuration in Authentication / Authorization sits above your code, so the user cannot access the app unless they log in.
To read the information about the roles, groups, you could check this good blog.
Here you have an angular E2E auth scenario using App Service built in authentication:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-auth-aad
I believe the part you are interested in is this one:
Enable authentication and authorization for front-end app
This way App Service is the one redirecting you to AAD and getting a valid token that you can just pass in to your APIs afterwards. If the APIs are hosted in App Service as well, then App Service will be the one validating the token for you, so your backend code does not need to worry about authentication (you still need to handle authorization).

Where can I view in a GUI Azure AD apps created through Microsoft Graph beta API and posted using user-less authentication?

The Microsoft Graph beta API (here) allows us to POST new applications to Azure AD (v2.0).
If I post these applications to a specific tenant, using a url like this:
https://graph.microsoft.com/beta/{tenantId}/applications
and also authenticated without a user, where can I view these applications? They certainly aren't on my apps.dev.microsoft.com page (I checked), and they also aren't in the list of registered applications in the tenant on portal.azure.com
PS: I know my applications are being created because I can call GET against that url and it will return the applications in that tenant, including the ones I created through the API. Also don't question why I was doing this, I was poking around figuring some stuff out about the API.
More Details: The app that is posting these applications to the beta API is registered as an Azure AD v1.0 app in the same tenant these applications are being posted to. The POSTs use the app's authentication token.
I know that apps created in portal.azure are v1 apps, and apps created on apps.dev.microsoft are v2 apps. I am making my apps through the Microsoft Graph beta API, which makes v2 apps.
Also, for those that don't click the link to see what authentication without a user means, I am getting the bearer token for the POST request using the app's credentials, not a user's credentials.
If I post these applications to a specific tenant (which is an Azure AD v1.0 tenant), using a url like this
Here there is no version definition for the tenant. V1.0 and V2.0 are the endpoints, not the tenant. You could learn about their difference from Azure AD v2.0 endpoint and v1 and v2 comparison.
If you register the app in the Azure portal, the app is a v1 app; if you register the app by using the App Registration Portal, the app is a v2 app.
and also authenticated without a user, where can I view these applications? They certainly aren't on my apps.dev.microsoft.com page, and they also aren't in the list of registered applications in the tenant on portal.azure.com
If you create the app in the App Registration Portal, the app can be seen in the apps.dev.microsoft.com page (App Registration Portal), but cannot be seen in the Azure portal.
If the app you create is a v1 app, the app can be seen in both the Azure portal and the App Registration Portal.

ReplyURIs in Azure AD B2C

I have built a .NET Console app. It uses MSAL for interacting with Azure AD and Azure AD B2C. This app is a sample to show the various ways to connect to Org, Social & Local Accounts.
I'm able to do Signup and Signin with a local account without any errors. When I try with multi-tenant Azure AD or even a single tenant, I get the following error. I'm confused as to which application it is that is missing the ReplyURL. Appreciate guidance.
Azure AD B2C App
Type: Native Application
Redirect URIs: urn:ietf:wg:oauth:2.0:oob, https://login.microsoftonline.com/tfp/oauth2/nativeclient
Custom Redirect URIs: https://login.microsoftonline.com/tfp/oauth2/nativeclient, com.onmicrosoft.<tenantname>.MythicalB2C://redirect/path
Azure AD App
Type: Native Application
Redirect URIs: urn:ietf:wg:oauth:2.0:00b, https://login.microsoftonline.com/common/oauth2/nativeclient
I get the following error when using Org Account
Additional technical information:
AADSTS50011: Reply address '' specified by the request is not a valid URL.
Allowed schemes: '*'