Is it possible to programmatically forget a signed-in Azure AD user?
I see this functionality in office.com. See image below.
Note:
Forget an account can be done manually using the Pick an account > https://login.microsoftonline.com
msal.js logout() does not forget the account.
Related
I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works, however - it will display a link in the sign-in page to log-in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!
The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.
Why do you need Azure B2C, if all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something that it wasn't designed for. As you say, the added button to login as an AD user is there for this very purpose, I use that and it works well, if you are an internal user B2B go this way with your normal password, all other public users B2C via the username password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying as you would have no single sign on.
I have a Azure Active Directory application and I have provided some of the user delegated permissions for accessing Graph APIs. For example 'user.read' and 'user.read.all' etc.
To provide User Consent for the Graph APIs which have Delegated permission. I need to login using my credentials to the test application (I developed) and then there will be a Popup displayed on the Web UI with title "Permissions requested" to grand the consent. I need to select Accept button to grand the consent.
My questions:
Is there a way we can preauthorize the user consent without following Web UI flow?
Just like the admin consent in Active Directory, is there a way to grant user consent?
Yes, it is possible through MS Graph API.
When you grant user consent, an OAuth2PermissionGrant object is created.
Admin consent also creates one but in that one the principal is set to be "all users".
You can also create these programmatically.
You can see the docs for the API endpoint here.
It is created under the service principal of your app and you specify consentType as "Principal" and principalId as the user's objectId.
I think you may try to hit this url and signed in with the admin account, then you may consent on behalf of your organization. This url is used to get auth code for using auth code flow(generate access token)
https://login.microsoftonline.com/hanxia.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=your_azure_ad_app_clientid
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost:8080%2F
&response_mode=query
&scope=user.read
&state=12345
I want to use AAD for PowerBI Rest API and thus need to get Token for auth. Even the permission granted to App does not need Admin consent yet, I always receive a popup saying:
<App> needs permission to access resources in your
organization that only an admin can grant. Please ask an admin to
grant permission to this app before you can use it.
App API Permissions (see no where it requires Admin consent)
Code I am using for auth:
var userAuthnResult = authenticationContext.AcquireTokenAsync(
ProgramConstants.PowerBiServiceResourceUri,
ProgramConstants.ClientID,
new Uri(ProgramConstants.RedirectUri),
new PlatformParameters(PromptBehavior.Auto)).Result;
P.S I have tried auth. using creds which is not working for me due to multi-factor auth on my org.
var userAuthnResult = authenticationContext.AcquireTokenAsync(
ProgramConstants.PowerBiServiceResourceUri,
ProgramConstants.ClientID,
userCreds).Result;
If your organization has disabled or restricted users' authorization to consent to applications, you won't be able to grant consent yourself, even if the permissions your app is requesting don't require admin intervention.
You can check if user consent is enabled or disabled in your organization in the Azure portal > Azure AD > Enterprise apps > User settings. (Even if you're not an administrator, you should be able to see if the switch it on or off.)
For v1 app registered in portal, you can 'Grant Permissions' to consent to an application's delegated permissions on behalf of all the users in your tenant. For an app registered in v2 endpoint, can only see it in the 'Enterprise Applications' tab and there is no option for 'grant permissions' in the permissions tab. How to get to the same goal that I do not want individually consent each user?
Edit: after make the adminconsent call,
This worked, (with only graph scope)
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=myappid&response_type=code&response_mode=query&scope=openid profile email offline_access https%3A%2F%2Fgraph.microsoft.com%2FCalendars.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FContacts.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&state=12345&redirect_uri=redirecturl
This still give me a AADSTS90094 error and ask for admin consent, (with openid scopes)
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=myappid&response_type=code&response_mode=query&scope=openid profile email offline_access https%3A%2F%2Fgraph.microsoft.com%2FCalendars.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FContacts.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&state=12345&redirect_uri=redirecturl
Edit:
This issue happens only when I turn on 'User Assignment Required' flag
in azure portal, if that flag is disabled, users will be able to individually consent and login, no issues, however we need this flag since we do not want all our users in AD be able to use the app.
To request consent for all users in a tenant in Azure AD V2.0, your app can use the admin consent endpoint:
GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
Please refer to docunment : Using the admin consent endpoint
The listings in the enterprise apps tab are all service principals rather than app registrations. These are apps that your tenant has signed into & consented thus provisioning the service principal into the tenant.
v2 apps are created and managed through the App Registration Portal; however, there is no equivalent functionality to Grant Permissions at this time. In order to perform admin consent in v2, you have to construct a request to Azure AD.
Just go to your browser and drop the following request (populated with your regisered apps Client/App ID & Redirect URI:
https://login.microsoftonline.com/{tenant}/adminconsent?client_id=<Client/App ID>&redirect_uri=<App's Redirect URI>&state=111
I am building a SaaS app that will be authenticating users using Azure AD.
Let's say I am asking for just 1 delegated permission from user during consent prompt and user accepts it.
Later on my app evolves and need to get more delegated permissions. In that case how do I re-prompt the user with the consent page? I would like do this only once when the permissions are changing.
Do I need to track in my app what permissions each user has consented to and then determine to add the prompt=admin_consent query parameter while redirecting to the auth page?
The prompt=admin_consent is used when an administrator needs to provide consent for their organization. If you just require the users’s consent, you use prompt=consent.
Another way is that you can redirect to the login page to add the prompt parameter to re-consent when the app get the exception because the lack of permission to call the new API.
You could also consider use the V2.0 endpoint which support the incremental and dynamic consent.
Here is the document about Azure AD V2.0 endpoint for your reference.