Add service principal using Graph client SDK using proof JWT - azure-active-directory

I need to add a key credential to an Azure Active Directory app using one of the existing key credentials. The API action for it is explained here: https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/functions-and-actions#addkey-add-a-keycredential-for-an-application--
I use an existing key credential to sign the JWT proof as explained, and it works fine.
I need similar functionality in the Active Directory Graph client SDK: https://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient/
The ActiveDirectoryClient.ServicePrincipals.AddServicePrincipalAsync method does not take a proof input, and currently if I call it with only an auth token it says "not enough privilege".

The NuGet package that you have included was last updated on 10-17-2016.
Per the samples included in that NuGet package:
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console
Both have been archived. The library linked is neither maintained nor supported anymore. My suggestion would be to move over to ADAL so that you can make HTTP calls to the AAD Graph API.
The more preferred option is Microsoft Graph, as Microsoft is moving towards having all APIs under Microsoft Graph, and preferably moving to MSAL, as that is the library that will be used moving forward as well.
However, the issue with that is that addKey is not supported yet under Microsoft Graph. See here for the current differences between Microsoft Graph and AAD Graph. The idea is that there will be parity between the two over time.
For an example of using the ADAL library to make a call to Microsoft Graph, please see the following sample: https://github.com/FrankHu-MSFT/ADAL-.NET-Console-Application
Note that your setup will be similar, but the only difference is that you'll be getting an access token for the AAD Graph API and making calls to the AAD Graph API accordingly.
For more up-to-date MSAL samples making calls to the Microsoft Graph API, please take a look at the samples here: https://github.com/microsoftgraph/aspnet-snippets-sample
As ADAL and the AAD Graph API are both getting older, it is suggested to move towards the Microsoft Graph API and MSAL when possible.

ADAL and MSAL confusion

My References
According to this,
Starting June 30th, 2020 we will no longer add any new features to Azure Active Directory Authentication Library (ADAL) and Azure AD Graph. We will continue to provide technical support and security updates but we will no longer provide feature updates. Applications will need to be upgraded to Microsoft Authentication Library (MSAL) and Microsoft Graph. Learn more
And this,
Starting June 30th, 2022, we will end support for ADAL and Azure AD Graph and will no longer provide technical support or security updates. Apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint. Apps using ADAL on existing OS versions will continue to work after this time but will not get any technical support or security updates.
and this link,
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Microsoft.Identity.Client; // MSAL
ADAL should be replaced by MSAL. However, my project does not reference either of the above libraries.
These are the references I have in my project.
Microsoft.IdentityModel.JsonWebTokens
Microsoft.IdentityModel.Protocols.OpenIdConnect
Microsoft.IdentityModel.Tokens
Microsoft.Owin
Microsoft.Owin.Security
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Security.OpenIdConnect
Owin
Questions
The more I read about this topic, the more confused I get, because one minute I'm under the impression that ADAL is only authorization and not authentication, and the next minute I see it referred to as ADAL Authentication. I just want to know if I need to update my authentication code for it to continue working.
Since my project does not reference Microsoft.IdentityModel.Clients.ActiveDirectory and only uses Azure AD for authentication and not authorization, does this mean this change will not affect me?
ADAL and MSAL are only for authorization and not authentication, correct? If this is the case, why do they reference MSAL and Microsoft Graph? What is the difference?
Since you did not use either of the libraries (Microsoft.IdentityModel.Clients.ActiveDirectory and Microsoft.Identity.Client) and you only use Azure AD for authentication, I don't think this change will affect your project.
As for your question about why they reference MSAL and Microsoft Graph but not ADAL and Azure AD Graph: in fact, the two are similar and the changes are minor. You can refer to this document to know the differences between them.
The final deadline to migrate your applications to Microsoft Authentication Library (MSAL) has been extended to June 30, 2023. Ref to the ADAL to MSAL Migration Document here

Skype For Business Online supported by Azure AD 2.0?

I developed an app which integrates with the Microsoft Graph API and uses the Azure 2.0 API for authentication.
From Microsoft Graph I can get users.
Now I want to see presence information for each user, and therefore I need to use Skype for Business Online.
I send a request to:
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
And the user href is:
https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
Then I get an access token for https://webdir0f.online.lync.com from:
https://login.microsoftonline.com/<mytenant>/oauth2/v2.0/token
And the token has no "roles" claim, which is strange.
Then https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user returns a 500.
Is there a way to use Azure 2.0 to get access to Skype For Business Online?
Is there a way I can get presence information without a signed-in user in Skype For Business Online?
UPD:
I was able to get an access token for the scope https://webdir0f.online.lync.com/Contacts.ReadWrite using a client secret.
Small correction: what you're using here isn't "Azure 2.0" but rather Azure Active Directory's "App v2" or, more commonly, the "v2 Endpoint".
The v2 Endpoint has several well-known limitations and not all APIs and features are supported. The Skype and Skype for Business APIs both lack support for the v2 Endpoint.
In general, unless it's a recently released API or it is surfaced by Microsoft Graph, then it will only work with tokens issued by the v1 Endpoint.
I managed to get access to Skype For Business using an Azure 2.0 application. I just followed the guidelines.
During autodiscovery you need to set the scope to the next user or redirect URI, like this: https://webdir0f.online.lync.com/Contacts.ReadWrite.
Then Azure 2.0 realizes it's a Skype For Business URI and scope and works properly.
Though the Skype For Business API is still old and very hard to use.
And I haven't found a way to get presence information for all other company users from the SfB API.
Looks like it makes sense to wait until the Trusted Application API works.
Also, trying to get an application token doesn't work.

Microsoft-graph-api, SSO and ADAL mobile sdk

I have developed a few iOS/Android apps using the Azure AD SDK 'ADAL'.
The apps work properly for the SSO feature and other login mechanisms. However, now I want to add a 'new contact' using the Azure AD access token. But I came to know that Azure AD Graph is no longer supported, hence the latest Microsoft Graph is the suggested SDK for the same.
My issue is: the most important feature, in my view, is Single Sign-On. With respect to mobile app SDKs, the Azure AD SDK offers an API for the most convenient login user experience. Thus you are free to pick an account from the Authenticator app (if present) or any other app on the device which is already logged in.
But the Microsoft Graph SDK does not support the Authenticator app available on the mobile phone, and prompts the user with a login screen even though he has already logged in to another app with an Outlook/Microsoft login.
Please help me with some more information on this use case so that I can migrate to Microsoft Graph from the Azure AD app.
I have a huge tradeoff as follows:
1. Azure AD supports SSO but does not support the latest Graph features like adding a new contact in 'My Contacts'.
2. Microsoft Graph, being the latest library/SDK, has all features EXCEPT SSO.
Please provide me answers for these questions, or any suggestion if I am missing anything.
The Graph SDKs do not contain any helpers for authentication/authorization. For that you need to use either ADAL or MSAL to acquire tokens to use with Microsoft Graph (to instantiate a GraphClient object). Please take a look at some of our Microsoft Graph samples. [NOTE: the Azure AD Graph SDK also relied on ADAL or other mechanisms to acquire tokens and does not do this for you.] Here are the iOS samples: https://github.com/search?q=ios+sample+user:microsoftgraph&type=Repositories
Also, Azure AD Graph does not support personal contacts; this is ONLY supported by Microsoft Graph.
If you want to see an integrated client library, where token acquisition is implicitly taken care of as part of GraphClient instantiation then please post a request on UserVoice for this feature.
Hope this helps,

Authentication failed using Graph API

I am trying to build a Windows Forms app for cloud migration, and while authenticating OneDrive using the Microsoft Graph API, I am getting this exception.
Please help or give any workaround.
Before you can execute a call against Microsoft Graph, you'll first need to authenticate that user and retrieve an access token. Each time you make a call to Graph, you'll include this token in your HTTP request's Authorization header.
In order to operate against a user's data, you'll also need to request the proper permission scopes during the authentication process. From what I understand of your scenario here, you'll need at least Files.ReadWrite.
If your application is built on .NET 4.5 or newer, you may also want to go with the Microsoft Graph .NET SDK. This will simplify calling the API itself. It will not, however, handle the authorization process. For obtaining the token you can use the Microsoft Authentication Library (MSAL).
There is an excellent walkthrough for this as well: Call the Microsoft Graph API from a Windows Desktop app. While it isn't specific to Windows Forms, the concepts are pretty similar.

Using Microsoft Graph APIs with Azure AD 1.0 Authentication

I'm trying to understand what is expected to fail (if anything) when using different Microsoft Graph REST endpoints with an access token that was obtained against the Azure 1.0 OAuth endpoint (implicit flow). For example, I created a new app registration in my Azure AD tenant, added the Microsoft Graph service and selected every single permission available, 66 in total. What I find is that I can use the access token I get from the https://login.windows.net/common/oauth2/authorize endpoint to execute basic directory queries against the https://graph.windows.net/ REST endpoint. However, other things, like the "me" or OneNote REST endpoints, fail with a 401 unauthorized error. As a side note, I can get ALL of these scenarios to work with the Azure 2.0 OAuth endpoint by passing in SCOPES for my permission requirements.
So, based on all of that, I'm not sure if big parts of the Microsoft Graph endpoints are not expected to work in this scenario, or perhaps I'm passing in the wrong RESOURCE parameter when I redirect to the .../authorize endpoint to get my access code, or something else. So if there is any info that describes whether this is not expected to be supported, or other info we should know (for example, is a different RESOURCE needed when using the 1.0 OAuth endpoint, the only variable I'm seeing right now), or whatever, any sort of specific details here would be appreciated.
Thanks.
An access token is valid for one endpoint; you can check the aud (audience) claim in the access token. That's why we suggest using the Microsoft Graph API, since using Microsoft Graph lets you build apps for organizations and consumers that connect to a wealth of resources, relationships, and intelligence, all through a single endpoint: https://graph.microsoft.com.
You said that you can execute basic directory queries against the https://graph.windows.net/ REST endpoint, so the access token can be used to call the Azure AD Graph API (https://graph.windows.net/). If you use that token to make Microsoft Graph API calls (https://graph.microsoft.com), you can't, since the access token is not valid for the Microsoft Graph API endpoint.
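The answer above says a token is only good for the endpoint named in its aud claim. The following added Python example (not from this thread or any Microsoft library) inspects a token's claims before a Graph call and reports a mismatched audience, an expired token, or, as in the Skype question earlier on this page, a token that carries neither a roles nor an scp claim. The audience strings per resource, the sample token and its signature are constructed for the demo and are assumptions, not values taken from the page.

```python
import base64
import json
import time

# Assumed mapping from the resource you intend to call to the audience values
# Azure AD places in tokens for it (the GUID is Microsoft Graph's application id).
RESOURCE_AUDIENCES = {
    "https://graph.windows.net": {"https://graph.windows.net", "https://graph.windows.net/"},
    "https://graph.microsoft.com": {"https://graph.microsoft.com", "https://graph.microsoft.com/",
                                    "00000003-0000-0000-c000-000000000000"},
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    This is a client-side pre-flight check only; the resource server still validates."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def audience_matches(token: str, resource: str) -> bool:
    aud = decode_claims(token).get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    return bool(auds & RESOURCE_AUDIENCES.get(resource, {resource, resource + "/"}))

def diagnose(token: str, resource: str, now=None) -> list:
    """List the reasons a call to `resource` with `token` is likely to be rejected."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if not audience_matches(token, resource):
        problems.append(f"aud={claims.get('aud')!r} is not for {resource}; expect 401")
    if claims.get("exp", now + 1) <= now:
        problems.append("token expired")
    if "roles" not in claims and "scp" not in claims:
        problems.append("no 'scp' (delegated) or 'roles' (application) claim: no permissions granted")
    return problems

def _constructed_token(payload: dict) -> str:
    """Build a JWT-shaped string for the demo (constructed; not issued by Azure AD, not signed)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.constructed-signature"

if __name__ == "__main__":
    tok = _constructed_token({"aud": "https://graph.windows.net", "scp": "Directory.Read.All", "exp": 9999999999})
    print(diagnose(tok, "https://graph.microsoft.com"))  # the 401 case from the question above
```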
