I have a mailbox in on prem exchange server (which is in hybrid mode) abc#onprem.com and i am trying to access this via graph api (/messages). This works perfectly if i do this in graph explorer, but fails when i do via implementation.
Required application permission is given in Azure app registration portal.
Implementation uses grant_type as client_credentials with certificate and this works perfectly for cloud users.
Response of API
{ 'error': {
'innerError': {
'date': '2019-02-28T14:17:45',
'request-id': '6a85f8c3-4e13-4cf0-84b2-ddc934241afd'
},
'message': '',
'code': 'UnknownError'
}}
IIS Logs
For call came from graph explorer
2019-02-28 15:02:31 172.31.10.98GET /api/V2.0/Users('abc#onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=bc8e8aef-de46-4c72-bcf4-b4f567bc45dd; 443 S-1-5-21-1392771109-4043059535-3934338706-1147 20.190.145.177Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_14_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/71.0.3578.80+Safari/537.36 - 200 0 0 287
For call from implemented app
2019-02-28 15:00:05 172.31.10.98GET /api/V2.0/Users('abc#onprem.com')/Messages/$count &CorrelationID=;&cafeReqId=c504b658-b9df-43b5-9dbb-8e83050c3d2f; 443 - 20.190.128.103- - 401 0 0 102
What would be reason for this authentication failure , could it be because that token is provided by azure AD which is
authenticated against onprem ?
Update
Added some more headers for logging and found that below is the error.
2019-03-04 04:05:13 172.31.10.98 GET /api/V2.0/Users('abc#onprem.com')/Messages &CorrelationID=;&cafeReqId=2823c302-3c84-4847-b586-accced4b6dd5; 443 - 20.190.145.177 PostmanRuntime/7.6.0 - 401 0 0 332 Bearer+eyJ0 blah blah.....blah blah.....hSd mail.onprem.com - - - Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+token_types="app_asserted_user_v1+service_asserted_app_v1",+authorization_uri="https://login.windows.net/common/oauth2/authorize",+error="invalid_token" 2000001;reason="This+token+profile+'V1S2SAppOnly'+is+not+applicable+for+the+current+protocol.";error_category="invalid_token"
We are using self signed certificate on exchange server , can this lead to this issue ? If so wondering how everything is working from graph explorer.
The issue is actually somewhere else - Exchange doesn't seem to support client_credentials flow. You can, however force it via following PowerShell (make sure to restart your IIS after applying):
$apps = Get-PartnerApplication
# Microsoft Graph is 2nd item in the array, if you are unsure, list the items by calling $apps first
$apps[1] | Set-PartnerApplication -AppOnlyPermissions $apps[1].ActAsPermissions
The full explanation can be found here: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/
Related
I have a question about how to use Microsoft Azure AD SCIM Validator.
Microsoft Azure AD SCIM Validator: https://scimvalidator.microsoft.com/
I'm trying to provision user/group by using SCIM Provisioning in Azure Active Directory.
And I deployed SCIM server by SCIMReferenceCode(github repository) on GCP(actually on GKE).
SCIMReferenceCode Repository: https://github.com/AzureAD/SCIMReferenceCode
This SCIMReferenceCode also includes Postman's Collection, so I used that and all tests has passed.
To use Microsoft Azure AD SCIM Validator, I have to input two fields.
SCIM Endpoint
Token
Even both of them are required field, but I'm not abled to find correct input for "Token" field.
For example, an SCIM server (by SCIMReferenceCode) have
/scim/Token
endpoint and this endpoint returns some JWT token.
So I think I can use this JWT, but result is not.
Microsoft Azure AD SCIM Validator, returns error like folloiwngs...
Invalid credentials!
Please confirm if token is valid and try again. SCIM Endpoints should respond with HTTP OK (200), and SCIM JSON with header application/scim+json.
I figured out that SCIMReferenceCode is not implemented to return 200 OK status code when connecting to / (it returns 500 error), so maybe that is the reason... (If so, this is not working as a sample...)
So, I'm not sure what is the root cause of above error.
SCIMReferenceCode does not return 200 OK when connect to "/"
or
Token input is wrong
Has anyone have experience to use this tool?
Translated with www.DeepL.com/Translator (free version)
Regards,
Keiichi Hikita
These are what I've tried.
Launch SCIMReferenceCode on GKE
Test above environment from Postman included in same repository and all test has passed
Use Microsoft Azure AD SCIM Validator and try to connect above environment
I'm not possible to find correct input to use above tool
I'm trying to develop a drive solution (Onedrive) in a windev program.
I created an application in Microsoft Azure and created a secret key.
When doing the first request https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope} &response_type=code&redirect_uri={redirect_uri} I'm redirected on the connection page.
Once I'm connected I get a code back as https://login.live.com/oauth20_authorize.srf?code={code}.
But when I ask for a token posting this request : POST https://login.live.com/oauth20_token.srf Content-Type: application/x-www-form-urlencoded client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret} &code={code}&grant_type=authorization_code
I get this back
{ "error":"invalid_client", "error_description":"The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https:\/\/go.microsoft.com\/fwlink\/?linkid=2083908.", "correlation_id":"471e800c-69b4-43c6-a03f-a1f7e9512e6b" }
Thank you for your help.
This error means you are using a Microsoft Account to login your client app, but it is not enabled for that.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
I am trying to upload a file to Sharepoint. I Got the Accesstoken based on the client id and tenant id given by the application and able to do it.
'client_id='||'xxxx'||'&scope='||'https%3A%2F%2Fgraph.microsoft.com%2F.default'||'&client_secret='||'xxxxxx'||'&grant_type='||'client_credentials'
Token as follows :
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Based on the token i am trying to create an upload session and it is saying http1.1 403 forbidden. I have the known site id and Drive (Item id).
HTTPResponseHeader X-Original-HTTP-Status-Line:CHARACTER:HTTP/1.1 403
Forbidden X-Original-HTTP-Status-Code:INTEGER:403 Cache-Control:CHARACTER:private
Content-Type:CHARACTER:application/json request-id:CHARACTER:1f6e2c51-5061-41c0-be0d-ee38a2c2a533
client-request-id:CHARACTER:1f6e2c51-5061-41c0-be0d-ee38a2c2a533 x-ms-ags-
diagnostic:CHARACTER:{"ServerInfo":{"DataCenter":"South Central US","Slice":"SliceC","Ring":"3","ScaleUnit":"000","RoleInstance":"AGSFE_IN_11"}}
Strict-Transport-Security:CHARACTER:max-age=31536000
Date:CHARACTER:Fri, 19 Jun 2020 17:23:53 GMT Content-Length:CHARACTER:256
Application had given permissions to Sites.readwrite.All provided admin consent as well. Any help is Appreciated.
So there's a couple of things here:
To use the Microsoft Graph APIs to create an upload session to write a file to SharePoint using the site/library as a drive with an app only permission (client_credentials) you need to request the at least the Sites.ReadWriteAll scope for the Microsoft Graph resource https://graph.microsoft.com: https://learn.microsoft.com/en-us/graph/api/driveitem-createuploadsession?view=graph-rest-1.0
Instead of requesting the https://graph.microsoft.com/.default scope try using 'https://graph.microsoft.com/Sites.ReadWriteAll`
I've have an App that would like to access SharePoint API.
I've registered it in AD, and gave it the following permissions:
But when I ask it to be authenticated with the following scopes
- https://graph.microsoft.com/User.Read.All
- https://graph.microsoft.com/Group.Read.All
- https://graph.microsoft.com/Sites.Read.All
- https://graph.microsoft.com/Calendars.Read.Shared
- https://graph.microsoft.com/MailboxSettings.Read
- https://graph.microsoft.com/Files.Read.All
- https://graph.microsoft.com/Directory.Read.All
- https://graph.microsoft.com/AuditLog.Read.All
- https://graph.microsoft.com/AuditLog.Read.All
- offline_access
- https://manage.office.com/ActivityFeed.Read
- https://microsoft.sharepoint-df.com/Sites.FullControl.All
- https://microsoft.sharepoint-df.com/Sites.Read.All
- https://microsoft.sharepoint-df.com/User.Read.All
I get this error:
invalid_client&error_description=AADSTS650053:
enter code here`The application 'XXX' asked for scope
'Sites.FullControl.All' that doesn't exist on the resource
'00000003-0000-0ff1-ce00-000000000000'.
Contact the app vendor.
What does this mean that it that doesn't exist on the resource?
With all the other scopes (except SharePoint's) it all works fine
Looks like the Sites.FullControl.All has moved to the Graph API section but trying to add it in the Azure portal results in a different error saying that permission is not currently supported (see on screenshot below).
In my test application, I succeeded using AllSites.FullControl (AllSites as a single word, no periods) and then listing all sites on SharePoint Online tenant with MSAL for .NET.
var app = PublicClientApplicationBuilder.Create(MyAppId)
.WithAuthority("https://login.microsoftonline.com/common", false)
.WithDefaultRedirectUri()
.Build();
return await app
.AcquireTokenInteractive(new string[] { "https://tenantxx.sharepoint.com/.default" })
.WithParentActivityOrWindow(parentWindow) // optional, used to center the browser on the window
.WithPrompt(Prompt.SelectAccount)
.ExecuteAsync();
API Permissions in the Azure portal:
I ran into this same thing. It took a while but this was my clue: How to Access Sharepoint Online API with v1 Azure AD Application and Client Credentials
Using client secret, I could get a token but it would fail. Using a certificate, I was able to successfully authenticate.
I have succesfully enrolled a Device (Windows 10 Pro Version 1803) to our own MDM by authenticating an Azure AD user. Next I have to tell Azure AD that the device is managed by our MDM and that is where the problem happens.
The patch that I do is the same like in the documentation https://learn.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm#report-device-compliance-to-azure-ad
The error I got is Resource 'xyz' does not exist or one of its queried reference-property objects are not present.
What I have done so far is:
On Azure AD Portal I added an MDM OnPremise App, set its Terms Of Use URL, Discovery URL, generate a secret. Also configured MDM User scope to Some and selected a group where my users are member of.
On Required persimision I verified that "Read and write devices" under "Application Permissions" is checked.
The user authenticates (using Azure AD crendentials), accepts Terms of Use (of the MDM) and voilá all fine. That is done on the device under Settings => Accounts => Access work or school => + Connect.
During the enrollment, I parse the Bearer Token and extract the Device ID (e.g. xyz), which is the same as the one on the Azure AD portal once the device succesfully managed.
To report compliance status I do a patch like this
PATCH https://graph.windows.net/mytenant.onmicrosoft.com/devices/xyz?api-version=1.0 HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json
{ "isManaged":true,
"isCompliant":true
}
But I got the error described above.
I have tested as well different Device Ids such as
the one Windows 10 shows on Settigns => System => About.
Or the one that is present on the element ContextItem attribute DeviceID on the Request Security Token request during enrollment.
The bearer token I use on the patch above is retrieved from microsoft graph when the registered MDM app (using its credentials such as appid, secret, etc) authenticates it self to Azure AD.
Whould you please help me to find the source of this error, or maybe give me some hints in order to solve this. I'd apreciate it a lot.
Thanks in advance.
The deviceId of a Device object in Azure AD is often confused with the object's objectId attribute. (The latter is known as objectId in Azure AD Graph, and as id in Microsoft Graph. In both cases, deviceId is a different property.)
In a GET request for a single Device object with Azure AD Graph:
GET https://graph.windows.net/{tenant-id}/devices/{object-id}
The field identified by {object-id} is not the deviceId attribute of the Device object, it's the objectId attribute.
If you don't already have the Device object's objectId value, but you do have the deviceId, you can use either Azure AD Graph or Microsoft Graph to do the appropriate lookup. With Azure AD Graph:
GET https://graph.windows.net/{tenant-id}/devices?$filter=deviceId eq '{device-id}'
With Microsoft Graph, you would use:
GET https://graph.microsoft.com/v1.0/devices?$filter=deviceId eq '{device-id}'