Why access token does not contain all permissions after updating Office 365 application permissions in Azure AD? - azure-active-directory

I registered multi tenant Office 365 application in Azure AD admin center and configured required permissions that this application asks for. Also I created web service that uses this application.
My web service had been working for half a year and at some point I extended functionality of my web service and now it requires several new permissions. Also I realized that some permissions are not required for my web service any more.
So I added extra permissions and removed those that I don't need in Azure AD, saved the permissions and clicked "Grant permissions" button.
In my web service I perform re-authentication flow in order to update access token for working with created Office 365 application and use extra permissions. But when I get access token using my web service and decoded the token on this site I don't see that extra permissions were provisioned. Also I see that my web service gets token with those permissions granted that I removed from my application. So even after re-authentication user from another tenant that use my web service gets token with "old" permissions set.
Why so? How can I provision all the application permissions I previously set up for my Office 365 application in Azure AD to the tenant that uses my service? I just need the permission set in the token be up to date with those I configured in Azure AD.

Related

Error AADSTS650052 - Apps service principal access

I am getting the below error message when my Application (A) is trying to access another application (B) which is hosted in a different Tenant. Both applications have been registered to support multi-tenant access (i.e Accounts in any identity provider or organizational directory (for authenticating users with user flows) within their respective tenant. The microsoft outlook account I am using is associated with both tenants. What am I missing?
'AADSTS650052: The app is trying to access a service 'xxx-xxxx-xxxx' that your organization 'xxx-xxx-xxx' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
In order for an application to authenticate with a tenant, a service principal representing it must exist in that tenant. For multi-tenant apps this is created when you go through authentication to that app on the target tenant. So you need to do a login against your app with the target tenant as the authority.

How to configuring Azure AD sso to allow guest logins

I have a php application that I want active directory users to be able to login to using azure sso. Getting this working with simplesamlphp was really easy.
Now I am trying to allow non organization users to be able to login as guests.
I updated azure AD to allow external entities, and then created a workflow allowing AD users, microsoft.com accounts and one time password. I have enabled "guest self-service signup" and I have associated this user flow with my azure application however the authentication flow hasn't changed at all. There isn't any option for guests to login. Am I missing something? I am using the azure ad federation metadata document xml in the simplesaml metadata converter and using the output of that for my metadata provider in simplesaml.
Here is the screen a user gets when trying to sign in to azure:

SharepontOnline access with azure ad token

Is it possible to access sharepoint online from desktop app with azure ad token, but as a currently logged user?
I already registered client app in the azure ad and i'm able to connect to share point when the api permissions are set to "Application permissions", but when i set the permissions to "Delegated permissions" I can't access sharepoint site.
What i need is a way to create sp ClientContext based on the token i get from the azure. I know it's possible to try with SharePointOnlineCredentials, but i don't want to mess with users credentials.
To get the Access Token for Azure, pls use the below article.
active-directory-dotnet-native-headless
Below are the steps you have to follow:
Followed the steps mentioned in the article
Added Office 365 Sharepoint Online API access permissions for the App.
Selected necessary permissions for the App.

Giving access to third party application

I am a developer working on an application that will access O365 data via the Graph API. I have registered an application under my company account. I have authentication working on a per-user basis. Now I am trying to get it to work so that a tenant administrator can grant permission to my application for data access on an organization-wide basis. I have this working as well - I used the /adminconsent endpoint to bring the administrator to a page where he granted the consent.
What I am wondering about is the line in the documentation that says "You can rely on an administrator to grant the permissions your app needs at the Azure portal". I am trying to figure out what that procedure is so I can document it for admin users. I thought perhaps it was to go to App Registrations - there I see an option to create a new registration. But this has it's own Client Id. Don't I somehow have to give it the Client Id of my own application? Or is the idea that the tenant admin will supply the Client Id of his app to my app? Or am I in the wrong area altogether?
BTW in case it is relevant, I am not using any authentication library, just making direct http calls from a C++ program running on the Windows desktop.
Per my understanding, your application is an multi-tenant application. Only you or the administrators in your tenant can grant the permissions to your application. The administrators from other tenants can grant consent to use your application, but they can not control the permissions.
Update:
You can grant admin consent by calling admin consent endpoint.
https://login.microsoftonline.com/common/v2.0/adminconsent?
client_id={your_tenant_client_id}
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/.default
If you want to grant admin consent via Azure portal. The application must already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application.

Azure B2C. User account does not exist in tenant 'xxx' and cannot access application

We get the following error when trying to access an AAD application, which is connected to Azure B2C.
User account 'xxxxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'xxxxxxxx' and cannot access the application 'xxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The live account shows up in both the B2C and AAD as a live.com user. Manually created accounts can log in. Yet when logging in from a B2C account, I get the above error.
How can I solve this problem?
If your requirement is to accept both personal accounts in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and use the so called Azure AD 'v1' endpoint.
Here are your options:
AppSource only requires corporate accounts sign-ins. If you only need AppSource certification, you can keep using adal.js to sign-in corporate accounts. Then what you need to do is to set your application to be multi-tenant in Azure Portal, so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.
If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js - and then register your application in the new portal https://apps.dev.microsoft.com . This new application is known as converged application and uses the Azure AD v2 endpoint. To get started use this guide as a starting point to sign-in users using msal.js.

Resources