Graph Explorer: How to use with an Application account? - azure-active-directory

My network admin gave me an "application account" so I can write a Java program that uses MS Graph. I would like to use the Graph Explorer with this account to test this account.
The admin registered an application and gave me:
clientId, tenantId, clientSecret
And these rights:
application:Calendars.ReadWrite
delegated:UserRead
... and from the Azure web pages he also gave me this.
Can I use this account with the Graph Explorer? And how?
Thanks!

Graph Explorer uses Delegated permissions, not Application permissions.
You should be able to use the Postman Collection, however.
https://github.com/microsoftgraph/microsoftgraph-postman-collections
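The practical way to tell which kind of grant a token actually carries is to look at its claims: delegated permissions (what Graph Explorer obtains) appear in the space-separated `scp` claim, while application permissions obtained with the client credentials flow appear in the `roles` claim. The following is an added example, not code from the original post; the two tokens are constructed inline (unsigned, with the signature segment left empty) purely so the parser can be exercised offline, and the helper only decodes the payload, it does not validate the token.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_permissions(access_token: str) -> dict:
    """Report which Graph permissions a token carries (diagnostic only).

    'scp' holds delegated permissions granted on behalf of a signed-in user;
    'roles' holds application permissions granted to the app itself.
    The signature is NOT verified here; use this only to inspect a token
    you already trust, e.g. while debugging consent problems.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    scopes = claims.get("scp", "").split()
    roles = list(claims.get("roles", []))
    if roles and not scopes:
        kind = "application"      # client credentials / daemon token
    elif scopes and not roles:
        kind = "delegated"        # interactive user token (Graph Explorer)
    elif scopes and roles:
        kind = "mixed"            # user token that also carries app roles
    else:
        kind = "none"
    return {"kind": kind, "scp": scopes, "roles": roles, "aud": claims.get("aud")}


def make_unsigned_token(claims: dict) -> str:
    """Construct a sample token for offline illustration; signature omitted."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample: shape of an app-only token for the question's grant
APP_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Calendars.ReadWrite"]})
# Constructed sample: shape of a delegated token as Graph Explorer would get
USER_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read openid profile"})

if __name__ == "__main__":
    for tok in (APP_TOKEN, USER_TOKEN):
        print(token_permissions(tok))
```

If a real token from your Java program shows `roles` but no `scp`, it is an application token and Graph Explorer cannot be used to reproduce those calls; the Postman collection or your own client is the right tool.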

Related

"Need admin approval" while testing as ASP.NET Web Forms application

We have a website that was developed in C# using ASP.NET Web Forms and is working well.
The thing is that it works with an internal (company) authentication, and that kind of authentication will soon expire,
so I have been asked to develop an Azure AD one, but when testing we receive this error.
To develop the Azure authentication, we followed some guides like the 1st link.
I know that this issue has been reported many times before, but Azure AD is continuously evolving, so a guide from the beginning of 2021, for example, is hard to apply at the end of 2022.
and thanks in advance
PS: if you need any complementary document that I can provide, just ask
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if Admin Consent has not been granted for the API Permissions you have added to the Azure AD Application.
Make sure to grant the Admin Consent to the API Permissions like below:
Go to Azure Portal -> Azure Active Directory -> API Permissions -> Grant Admin Consent
You can use the below endpoint, sign in as Global Admin, and accept the consent on behalf of the organization like below:
https://login.microsoftonline.com/TenantID/adminconsent?client_id=ClientID
Otherwise, you can allow users to consent to the Application like below:
Go to Azure Portal -> Enterprise Application -> User Settings -> Go to Consent and permissions

Is it possible to call Ms Graph API from an Azure AD B2C app using local accounts?

I have created an App under Azure B2C tenant.
The app is using a custom sign-in/sign-up policy to log in to local users.
However, my app has an admin view, where I would want the logged-in users to be able to create accounts for whoever needs access within the app. I have seen that this is possible using the Azure MS Graph API.
However, I keep getting an InvalidAuthenticationToken Error, when I try to call Ms Graph API.
error:
code: "InvalidAuthenticationToken"
innerError: {date: "2021-08-11T14:25:09", request-id: "8a49ae82-a669-4bb4-af6e-b698e095dadc", client-request-id: "8a49ae82-a669-4bb4-af6e-b698e095dadc"}
message: "Invalid x5t claim."
I couldn't find any solution online. Is this even possible? And if there's a way around it, how can I do it?
Thank you!
It would help if you went into more detail on your use case.
You have a B2C local account and you want to create users in AAD or in B2C?
If in B2C, yes you can do this as per this article.
If in AAD, see here.
Make sure that your application has the correct permissions.

Why does Microsoft Dynamics 365 ask for delegated admin in Azure app registration

I'm following a guide online to generate an access token to access Microsoft Dynamics 365 Customer Engagement: https://eax360.com/dynamics-365-online-connect-using-postman/.
All of it works fine, however I am wondering why delegated Admin permissions need to be supplied in Azure Active directory during app registration. I have seen a lot of guides explain that permissions must be delegated but the above site documents the process well. As a general rule, I thought that starting with the lowest security permissions was the norm. I am new to Azure AD so thoughts are very much welcome.
If your app will be a client which allows the authenticated user to perform operations, you must configure the application to have the Access Dynamics 365 as organization users delegated permission.
Application permission means that you want your app to access Common Data Service without a user.
So whether to use delegated permission in Azure app registration depends on your needs. It is not mandatory.
But we can see that the Application permissions in the Azure app registration are grayed out. This is because Microsoft provides a different way to implement it.
We need to create a Common Data Service application user and then bind it to the registered app. After that, we can connect using the application secret. See the details here: Connect as an app.

Lookup user information in Microsoft Graph from a console app

I want to look up people's name and email address using their ADID/SAMAccountName/UPN from a console app running with its own credentials and not under my account.
How would I do this with Microsoft Graph?
I was following up on https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2 but that seems to require admin access. (BTW, is there an easy way to figure out the admin on my company's graph?)
I did look at LDAP querying, but domain limitations limit the search scope, and I would rather do this via Microsoft Graph.
Accessing Microsoft Graph without user credentials (i.e. using the OAuth client credentials flow) requires Admin Consent for your application. Typically this consent would be handled by your IT department.

Microsoft Graph Explorer consent screen is giving wrong scopes

When I try to log in for the first time with a new user via Active Directory to graphexplorer.windowsazure.net I get the following scopes:
In my apps.dev.microsoft.com I have the following permissions:
Why am I getting only these two scopes in the access token?
Apps registered via the Application Registration Portal use the Azure AD v2 endpoint, which supports incremental consent.
This means that while your app registration determines which scopes can be requested, you still need to specify the scopes you want when you make the authorize request. Also, you should avoid requesting all scopes up front, but rather incrementally request scopes as needed in the context of specific operations. So start out with your authorize request as you have it, with no extra scopes, but when you need to send an email on behalf of the user, issue another authorize request like so:
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345
For more info on scopes in the v2.0 endpoint check out the Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint document.
For an example of an app that incrementally requests scopes, check out this Integrate Microsoft identity and the Microsoft Graph into a web application using OpenID Connect sample.
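To show incremental consent in working form, here is an added example (not code from the answer above or from the linked sample) that builds an Azure AD v2.0 authorize request for exactly the extra scope requested above, generates an unguessable `state` value instead of the fixed `12345`, and parses a returned URL back into its scope list so the app can check what it asked for; `client_id` and `redirect_uri` are the values shown in the answer.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def new_state() -> str:
    """Random, single-use state value; the app must echo-check it on return."""
    return secrets.token_urlsafe(16)


def authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                  state: str) -> str:
    """Build a v2.0 authorize request asking only for the scopes passed in.

    With incremental consent the app requests the minimal set needed for the
    current operation; earlier grants stay in place, so later requests can
    name just the new scope (e.g. mail.send when the app first sends mail).
    """
    params = [
        ("client_id", client_id),
        ("response_type", "code"),
        ("redirect_uri", redirect_uri),
        ("response_mode", "query"),
        ("scope", " ".join(scopes)),
        ("state", state),
    ]
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def requested_scopes(url: str) -> list[str]:
    """Return the scope list encoded in an authorize URL (empty if none)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split()


# Values from the answer above; the state here is fixed only so the example
# output is reproducible. Real code should call new_state() per request.
EXAMPLE_URL = authorize_url(
    client_id="6731de76-14a6-49ae-97bc-6eba6914391e",
    redirect_uri="http://localhost/myapp/",
    scopes=["https://graph.microsoft.com/mail.send"],
    state="12345",
)

if __name__ == "__main__":
    print(EXAMPLE_URL)
    print(requested_scopes(EXAMPLE_URL))
```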
Also note that there are 2 different Graph APIs:
Azure AD Graph (endpoint: graph.windows.net, explorer: https://graphexplorer.azurewebsites.net/)
Microsoft Graph (endpoint: graph.microsoft.com, explorer: https://developer.microsoft.com/en-us/graph/graph-explorer)
From https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api:
We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
I'm not quite sure where that screen shot is coming from, but the URL you're going to is incorrect. The correct URL for Graph Explorer is https://developer.microsoft.com/en-us/graph/graph-explorer.