I want to use authContext.AcquireTokenAsync method to acquire an access token from Azure AD for access a storage account.
// Acquire an access token from Azure AD.
AuthenticationResult result = authContext.AcquireTokenAsync(ResourceId,
"<client-id>",
new Uri(#"<client-redirect-uri>"),
new PlatformParameters(PromptBehavior.Auto)).Result;
See Authenticate with Azure Active Directory from an application for access to blobs and queues (Preview).
According to the doc, I know that the ResourceId is https://storage.azure.com/ for public cloud. Are they different for national clouds?
Related
I am using microsoft graph api to access groups in azure active directory, I have created 2 groups in AAD named OIC and other named as testing
When I test using microsoft graph explorer, URL that I use
GET https://graph.microsoft.com/v1.0/groups
Response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
"value": []
}
Why do I get empty value for groups even though I have groups in AAD.
I have logged in as admin user.
It seems that you have created groups in a tenant which is not your home tenant.
It means credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on, it can only query the tenant that owns the account. It retrieves data from the tenant you (or your app) authenticated against. It cannot query across multiple tenants.
The only way to use those creds with another tenant would be to force the OAuth uri to use that tenants ID instead of common. This isn't supported by Explorer. You'd have to download the source an reengineer the auth process.
Reference SO thread: https://stackoverflow.com/questions/53341544/how-can-i-change-default-tenant-in-microsoft-graph-explorer#:~:text=If%20you%20want%20to%20sign,use%20tenant%20query%20string%20parameter.&text=A%20simple%20url%20to%20go,or%20tenantId%2C%20both%20work).
In data factory v2, I have created a linked service to O365 using a Tenant ID, Client ID and Access key.
But, O365 dataset only supports blob as sink with service principal authentication.
I have tried adding the client ID I had used for O365 connector a contributor role to my storage account. But, it is not found in the search. I am thinking client id is the service principal.
How can I add the same service principal I had used to create o365 connector in ADF to my storage account?
Thanks
Client id is not supported in this case.
We need to search for a security principal by entering a string to search for name or email address.
So here you should search for the name of the service principal rather than client id.
when an application is registered to Azure AD via consent, a service principal is created. The application object resides in another tenant.
From my understanding, the applicationID refers back to the application object.
When the application object resides in another tenant, is it possible to find out in which tenant based on the applicationID? Or may there is another value on a service principal which is an indicator where the application object resides (if its not an app registration).
BR
Thomas
Yes, you can. But you need to make sure the service principal is in your tenant.
Navigate to the Azure Active Directory-> Enterprise applications in the portal. Search for the APPLICATION ID (select the Application Type with All Applications option), then you will find the service principal, copy the OBJECT ID.
Then navigate to the MS Graph Explorer, call the MS Graph API : Get servicePrincipal as below, in the result you could find the "appOwnerOrganizationId": "xxxxxxxx","publisherName": "Organization name" which is the tenant id and name you are looking for.
GET https://graph.microsoft.com/beta/servicePrincipals/{OBJECT ID}
When I log onto the Microsoft Graph Explorer with my Microsoft account and run the following query https://graph.microsoft.com/v1.0/users/ I get the correct user returned.
On Azure AD (using the same login) I created an application with a key and when I sign in through c# using Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredentials with a token for resource https://graph.microsoft.com and run the same query I get a completely different user. They are out of sync and I'm baffled.
Any ideas? Should I create a new Azure account as I've had the Azure account from day 1 and I'm only doing this now to test for a client request.
Don't create a new Azure account. When you are using Graph Explorer, are you signed in with a user from your Azure AD tenant? If not, Graph Explorer will default to use a demo tenant for your queries.
Also (if you have more than one tenant) you need to make sure that you select the correct tenant as part of the token acquisition (from https://login.microsoftonline.com/{tenantId | tenantDomain}. If you want the results to match between Graph Explorer and your app, the tenant the signed-in user belongs to (for Graph Explorer case) and the tenant used by your app needs to be the same.
UPDATE based on comment below:
I think I know what's going on here. In graph explorer, you are signing in with your personal account - and it's showing you profile data of that personal account, including the unique ID for this account in the Microsoft Account system. In this case you aren't signing into an Azure AD tenant at all. Microsoft Graph supports access from both personal and commercial accounts.
Now, additionally, I'm guessing when you signed up for an Azure subscription, you used this personal account. When you do that, it creates an Azure AD tenant, and creates a guest user in that tenant that is (linked to) your personal account - this account is also configured as an admin account. This mechanism allows you to sign in with your personal account (authenticated by the Microsoft Account system) into an Azure AD tenant, because the personal account maps to this guest user in your tenant. In your application, you are getting an app token to your Azure AD tenant. When you query the tenant for users, you don't see any user with the same id or email address as you did with graph explorer. However if you actually look at the userPrincipalName, you'll see it should be a mangled form of the original email address of your personal account. This indicates that this Azure AD user account in your tenant is a guest/external user (similar to a foreign principal).
Hope this helps,
I have a multitenant ASP.NET application using OpenIdConnect and Azure AD as an Identity provider for Office 365. When the user is authenticated I receive my claims in ClaimsPrincipal.Current.
I wanted to identify a user and store this id reference in my database. I asked this question.
It was replied that
When trying to identify a user uniquely [NameIdentifier] should be your go-to choice.
But it seems that the NameIdentifier claim, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
depends on the application. Precisely, if I create another application in Azure AD then, the NameIdentifier will not be the same for the same real Office365 user. Keep in mind that the we may have to create another Azure AD manifest (because we could need other scopes) and we should be able to find back the same end-users.
Meanwhile, I remarked another claim: ObjectIdentifier http://schemas.microsoft.com/identity/claims/objectidentifier
It seems that ObjectIdentifier, is the same for all Azure AD-secured application for a given Office 365 user.
Can you explain precisely the difference between those two claims? And more importantly, can you confirm that the ObjectIdentifier can be used as an "universal" identifier for a user in any Office 365 subscription.
Precisely, if I create another application in Azure AD then, the NameIdentifier will not be the same for the same real Office365 user.
I made a quick test as following:
Register a multi-tenant-webapp and single-tenant-webapp in AD Contoso.
Log in with user1#contoso.onmicrosoft.com and get the name identifier in both web applications, it turns out the name identifier are the same in both applications. So the name identifier should be able to identify users cross applications, but it can not be used to identify the user in Azure AD.
For the object identifier, it is a GUID which you can used to identify a user in Azure AD. For example, you can use object identifier to query the user in Azure AD.
Powershell:
$msolcred = get-credential
connect-msolservice -credential $msolcred
get-msoluser -ObjectId "{guid:object_identifier}"
And more importantly, can you confirm that the ObjectIdentifier can be used as an "universal" identifier for a user in any Office 365 subscription.
Based on my understanding, the object identifier is a GUID which can identify for a user in Office 365 subscriptions.
Or to put it another way:
The NameIdentifier is the GUID of the Application which is registered in Azure AD. This won't change whether it's a single or multi-tenant application. It won't matter if you are using client credentials (i.e. AppId and AppSecret) to authenticate AS the application or using logging using real user credentials (i.e. delegated), the NameIdentifier will remain the same.
The ObjectIdentifier is the User Principal Name (UPN) for the user when using delegation or Service Principal Name (SPN) of the application when using client creds.
The reason you see different ObjectIdentifier values when an application is multi-tenant is that there is a separate and unique SPN in EACH TENANT which points back to the ApplicationGUID in the tenant where the application is registered. This SPN is used to assign rights to the application against resources in each tenant.