The Microsoft Graph beta API (here) allows us to POST new applications to Azure AD (v2.0).
If I post these applications to a specific tenant, using a url like this:
https://graph.microsoft.com/beta/{tenantId}/applications
and also authenticated without a user, where can I view these applications? They certainly aren't on my apps.dev.microsoft.com page (I checked), and they also aren't in the list of registered applications in the tenant on portal.azure.com
PS: I know my applications are being created because I can call GET against that url and it will return the applications in that tenant, including the ones I created through the API. Also don't question why I was doing this, I was poking around figuring some stuff out about the API.
More Details: The app that is posting these applications to the beta API is registered as an Azure AD v1.0 app in the same tenant these applications are being posted to. The POSTs use the app's authentication token.
I know that apps created in portal.azure are v1 apps, and apps created on apps.dev.microsoft are v2 apps. I am making my apps through the Microsoft Graph beta API, which makes v2 apps.
Also, for those that don't click the link to see what authentication without a user means, I am getting the bearer token for the POST request using the app's credentials, not a user's credentials.
If I post these applications to a specific tenant (which is an Azure
AD v1.0 tenant), using a url like this
Here there is no version definition for the tenant. V1.0 and V2.0 are the endpoints, not means tenant. You could know about their difference from Azure AD v2.0 endpointand v1 and v2 comparison.
If you register the app in the Azure portal, the app is v1 app; if you register the app by using App Registration Portal, the app is v2 app.
and also authenticated without a user, where can I view these
applications? They certainly aren't on my apps.dev.microsoft.com page,
and they also aren't in the list of registered applications in the
tenant on portal.azure.com
If you create the app in the App Registration Portal, the app could be seen in the apps.dev.microsoft.com page(App Registration Portal), but cannot be seen in the Azure portal.
If you create the app is v1 app, the app can be seen both in Azure portal and App Registration Portal.
Related
We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow
We are running an API that is configured for and secured by Azure AD. This is working for us with an Angular app where users login interactively.
Now we have a need for a partner firm to use the API in a system to system way (no user login).
What needs to be configured for their application to get an OAuth token for our API from Azure AD?
I've examined the service to service call flow, but I'm wondering if it's best practice to create an application registration in our tenant for an application we don't own/manage. However this seems to be the fastest way to give them a client ID/Secret in order for them to interact with Azure AD.
Thanks in advance!
-Doug
Azure active directory supports the OAuth 2.0 to authorize the
third-party apps too. It doesn’t actually matter where the web APIs
are hosted.You can even see Azure Active Directory
recommendation on third party apps. It actually adds up security
and different type of apps can be integrated .
But you will need to have your web app authenticate to Azure AD, and
provide the token to the web api.so it requires app registration .
Scenario for external web app to call a web api, you can refer to
this:web-app-call-api
Your application can acquire a token to call a web API on behalf of
itself (not on behalf of a user) i.e; you can achieve scenario where
non-interactive app calls a web api
But if you meant app calling a partner api using another api .
The Azure AD V2.0 doesn't support the Partner API(See Restrictions on services and APIs) when you integrated the web API with third-party application using MSAL(Azure AD V2.0 endpoint) .
One way is using the on-behalf-flow. Here third-party application initially acquires the access token to call the web API. This web API acquire the token for Partner Center API and calls it using on-behalf-flow with that token. This solution uses the Azure AD endpoint instead of v2.0( register the app on Azure portal).
Other References:
asp.net web api - Azure Active Directory Verify Access Token in Web
Api outside of Azure - Stack Overflow
Authentication vs. authorization
I have a WPF desktop app which connects to an Azure registered app. Within that registered app I have created App roles. Then, within an Azure Enterprise App, I add a user with one of the app roles created in the app registration. However, I can't figure out how to use this app role. I can't seem to access the role from the JWT token returned during authentication nor can I seem to use the role to modify access in Azure.
How can I use the app role to modify access?
Firstly, your WPF app doesn't call any APIs (official API or you own Web API) based on your description.
And you define the app role in the app registration which represents your WPF app. We can call it client-side app although there is no service-side app here.
So in this case, the app role should exist in the id token (not access token).
You need to parse the id token in your code and find the app roles and then verify them.
There is another situation where you are actually calling some kind of API, but you did not mention it in the post.
In this case I think you want to get and verify the app role from access token. We need to define the app role in the app registration which represents the service-side app.
There again are two situations.
One is that you are calling an official API, such as the Microsoft Graph API. This situation will not allow you to set the app role on the service side because we do not have the permission to change the official Microsoft Graph app registration. You need to take advantage of app roles from id token as introduced above. But usually we don't control the permissions like this because Microsoft Graph has its own permission control method.
The second is that you are calling your own Web API hosted on Azure. We call it AAD protected Web API. In this case you need to create an app registration which represents your Web API by following Protected web API: App registration and define the app role in this app registration and assign the app role in enterprise application which is associated with this app registration.
After that you can get the app roles in access token and verify them by following Protected web API: Verify scopes and app roles.
Although I have explained all these situations, this may not solve your issue.
It looks like your situation is the first one. You can first decode your id token in https://jwt.ms to determine whether app roles exist.
Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. #live.com, #hotmail.com, etc accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seem to cover the scenario end-to-end and most of it is completely out of sync with other developments.
I am hoping here to get some point of guidance from other developers that have actually gone through this journey themselves (rather than folks that just read the documentation). In specific, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.
This is my scenario: Client Windows Forms app authenticates with Azure AD and uses the access token to access several web api services. Until now, I was using the endpoint 1 and using the Azure portal to register both apps. It seems like there's a new way now, but I'm a little lost here.
For starters, it seems like both apps (client and server) can be registered in the same app in the new apps portal (https://apps.dev.microsoft.com). I do see a place to add platforms and I have added entries for the native and web api. But where do I go from here? For instance, in the azure portal, I must configure the client app in order for it to call the web api services. How do I that here?
Is there a complete sample for this scenario like the one we have to ADAL (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples#native-application-to-web-api)?
Thanks,
Regards,
Luis
Please firstly refer to this document to know what's different about the v2.0 endpoint .When you build applications that integrate with Azure Active Directory, you need to decide whether the v2.0 endpoint and authentication protocols meet your needs. Please see the limitations of azure ad v2.0, such as you can use the v2.0 endpoint to build a Web API that is secured with OAuth 2.0. However, that Web API can receive tokens only from an application that has the same Application ID .
The v2.0 endpoint does not support SAML or WS-Federation; it only supports Open ID Connect and OAuth 2.0 ,To better understand the scope of protocol functionality supported in the v2.0 endpoint, read through OpenID Connect and OAuth 2.0 protocol reference.
You could refer to document how to call a web API from a .NET web app with Azure AD V2.0 (using MSAL to acquire and use access tokens), and here is the code sample on Github . The document includes how to add basic sign-in to a web app or how to properly secure a web API in azure ad v2.0 .