Using same authentication for EWS API and Graph API - azure-active-directory

We've been using Azure Active Directory and EWS SOAP web services successfully.
Trying to see if we can use our current authentication method to be able to also invoke Microsoft Graph (i.e. https://graph.microsoft.com/v1.0/me/)
I went into Azure and added Microsoft Graph under App Registrations -> Settings -> Required Permissions.
This was our authorize endpoint url:
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Foutlook.office365.com%2F
I changed it to :
https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com
Is this all I had to do? When I try to go through the oAuth 2.0 flow, the authorize request seems successful, then I'm asked to enter my credentials, and then I get an error:
"Misconfigured application. This could be due to one of the
following: The client has not listed any permissions for 'Microsoft
Graph' in the requested permissions in the client's application
registration. Or, The admin has not consented in the tenant. Or, Check
the application identifier in the request to ensure it matches the
configured client application identifier. Please contact your admin to
fix the configuration or consent on behalf of the tenant. Client app
ID: b1313958-.... "

I went into Azure and added Microsoft Graph under App Registrations ->
Settings -> Required Permissions.
You mentioned this as part of your question. Please check if after performing these steps for your App Registration in Azure AD, did you click on the “Grant Permissions” button to provide consent or not.
Looking at the error it seems Consent for Microsoft Graph related permissions isn’t done yet.

Related

"Need admin approval" while testing as ASP.NET Web Forms application

we have a website that was developed in C# using ASP.NET Web Forms ans is working well,
the thing is that it works with an internal (of the company) authentication, and that kind of authentication will soon expire,
so I have been asked to develop an Azure AD one, but when testing we receive this error
to develop the Azure Authentication, we followed some guides like 1st link
I know that this issue has been reported many times before but Azure AD is continuously evolving so a guide from the beginning of 2021 for example is hard to apply it at the end of 2022
and thanks in advance
PS: if you need any complementary document that I can provide, just ask
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the Admin Consent is not consented to the API Permissions you have granted to the Azure AD Application.
Make sure to grant the Admin Consent to the API Permissions like below:
Go to Azure Portal -> Azure Active Directory -> API Permissions -> Grant Admin Consent
You can use the below endpoint and sign in as Global Admin and Accept the consent on behalf of organization like below:
https://login.microsoftonline.com/TenantID/adminconsent?client_id=ClientID
Otherwise, you can allow users to consent to the Application like below:
Go to Azure Portal -> Enterprise Application -> User Settings -> Go to Consent and permissions

Create Office 365 user in Azure B2C using invitation api in microsoft graph

I need to register office 365 users residing in another Azure AD to be created programmatically using microsoft graph API into Azure AD B2C directory. I am successful in creating and logging into local accounts but creating external identity users hasn't been successful. The microsoft documentation is verbose too for this context. The scenario is as under.
Invited the user using invitation API.
User accepts the invitation received in their email and gets redirected to grant permission screen for the app, and then lands on the redirect url.
The user can be seen in Azure B2C users as invited and then external azure ad after invitation acceptance
Problem:
The same user can't login using the Signin flow that works for the local accounts. I noticed the signInIssuerId is also null for this user. The error received states please sign up user first/no account found.
I understand there is some disconnection behind where the invitation is sent but the user is not signed up from the graph api. How can this be achieved? I would hate to know if that would be possible only using IDEF / custom policies
Please help!
The problem is that these are social/federated users, not local ones.
You need to use the "SocialAndLocalAccounts" policies in the starter pack.
Invitations via the API are for B2B users. This type of user is not supported in B2C.
For examples of B2C invitations, look here.

Getting invalid_grant: AADSTS65001: The user or administrator has not consented to use the application even though it has been consent by the admin

I am trying to access my web api written in .Net Core from a ReactJs client application. I have registered both the application in Azure AD and given Admin Consent to the Web API in ReactJs API Permission section. Even after configuring this I am getting invalid_grant: AADSTS65001: The user or administrator has not consented to use the application
Can any please help me regarding this please. How should I connect to the web api.
To resolve the error "invalid_grant: AADSTS65001: The user or administrator has not consented to use the application", try the following:
Make sure to have Global admin role and grant admin consent for the below API permissions of your application:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your app -> API permissions -> Add permissions
After granting admin consent, please check whether the status turned green or not.
Make sure whether the below options are checked or not in your authentication tab like below:
If still the issue persists, make use of below document if helpful:
4 ways to fix error AADSTS65001 (issues with Admin Consent!) - #SharePointProblems / Koskila.net

MS Graph permission added to Azure AD app registration breaks sign-in flow via Intune Company Portal app

I have created an Azure AD app registration for a cross-platform (Xamarin.Forms) mobile application for our employees. The app registration is setup to work as a single-tenant app and in order to function properly, we have specified a number of permissions to Microsoft Graph, such as "openid", "profile", and "User.Read", which have been given admin consent by our Admin. The app uses broker authentication (using ADAL) in order to sign-in users to the app via the Intune Company Portal app already installed and setup on every user's device.
Up until recently, everything worked fine until we needed to add a new Microsoft Graph permission to the app registration, namely "Group.Read.All". So, we added the new permission to our app registration as a delegated permission and had our admin provide the admin consent for all the users.
After giving consent to the new permission, our users could not login to the app since the Intune Company Portal app did not sign-in the users to the app, but instead advised them to setup their device by installing and setting up the Intune Company Portal app on their device (?!).
As I mentioned before, the devices already had Intune Company Portal installed and properly setup on their device for more than 2 years now.
So, we thought of checking the user sign-ins of the user to find out what the problem was and we found a failure event recorded with sign-in error code 530003 (Access has been blocked due to conditional access policies.) where it showed that the policy "Access Policy: Require Device Enrollment for Accessing EOL & Sharepoint from handheld devices" failed with reason "require compliant device" (under column Grant Controls).
As soon as we revoked the newly added permission "Group.Read.All" from the app registration, our users could sign-in to the app successfully.
When we tried adding other permissions like Directory.Read.All and GroupMember.Read.All, we did not have any issues with our sign-in flow via the Intune Company Portal.
Can you please advise what it is so special about the "Group.Read.All" permission that raises the Azure sign-in error code 530003, forcing the Intune Company Portal app to require the users to setup their (already setup) device, before they can sign-in to our app?
I am at my wits' end with this one.
Any ideas?
For me it is not possible to reproduce your issue due to multiple things involved.
Few suggestions that you could try at your end:
Try isolate each component and leverage graph explorer/postman to make an API call and observe behavior.
I didn't get the need to add graph permission, but as per your use case see if there is any other least privileged permission that could get your job done, add that permission and check behavior.
Check if your scenario really demanded adding permission as delegated and if this is really supported? For e.g, below image shows necessary permssion to get the properties and relationships of a group object.
If problem still persists, consider contacting Microsoft support for your specific scenario.

Using personal account (live.com) to get an access token for my app

I am having trouble getting an access token using the password grant auth end point.
I created an app registration in my Azure account which is tied to my personal live.com Microsoft account.
In the application settings I've set the supported account types to AzureADandPersonalMicrosoftAccount (Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox))
When I attempt to to authorize via my personal account's username/password using the https://login.microsoftonline.com/{{TenantId}/oauth2/v2.0/token end point using grant_type=password I get the following error:
AADSTS50034: The user account {EmailHidden} does not exist in the xxx-xxx directory. To sign into this application, the account must be added to the directory.
I am not sure how this is possible as I am obviously the only member of my Azure AD.
The app, Todo Inventory is listed under the applications in the user profile as shown below:
Note that I am successfully able to get an access token using the auth code flow described in the documentation here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
But I want to use the password grant instead but nothing I tried seem to be working.
Am I missing something here..?
Microsoft identity platform doesn't support resource owner password flow for personal accounts. https://learn.microsoft.com/azure/active-directory/develop/v2-oauth-ropc
The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (https://login.microsoftonline.com/{TenantId_or_Name}) or the organizations endpoint.

Resources