Microsoft-graph-api, SSO and ADAL mobile sdk - mobile

I have developed a few iOS/Android apps using the Azure AD SDK 'ADAL'.
The apps work properly for the SSO feature and other login mechanisms. However, now I want to add a 'new contact' using an Azure AD access token, and I came to know that Azure AD Graph is no longer supported, hence the latest Microsoft Graph is the suggested SDK for this.
My issue is: the most important feature, in my view, is Single Sign-On with respect to mobile apps. The Azure AD SDK offers an API for the most convenient login user experience, so you are free to pick an account from the Authenticator app (if present) or from any other app on the device that is already logged in.
But the Microsoft Graph SDK does not support the Authenticator app available on the mobile phone, and it prompts the user with a login screen even though he has already logged in to another app with an Outlook/Microsoft login.
Please help me with some more information on this use case so that I can migrate to Microsoft Graph from the Azure AD app.
I have a huge tradeoff as follows:
1. Azure AD supports SSO but does not support the latest Graph features, like adding a new contact in 'My Contacts'.
2. Microsoft Graph, being the latest library/SDK, has all features EXCEPT SSO.
Please provide me answers to these questions or any suggestions if I am missing anything.

The Graph SDKs do not contain any helpers for authentication/authorization. For that you need to use either ADAL or MSAL to acquire tokens to use with Microsoft Graph (to instantiate a GraphClient object). Please take a look at some of our Microsoft Graph samples. [NOTE the Azure AD Graph SDK also relied on ADAL or other mechanisms to acquire tokens and does not do this for you]. Here are the iOS samples: https://github.com/search?q=ios+sample+user:microsoftgraph&type=Repositories
Also Azure AD Graph does not support personal contacts - this is ONLY supported by Microsoft Graph.
If you want to see an integrated client library, where token acquisition is implicitly taken care of as part of GraphClient instantiation then please post a request on UserVoice for this feature.
Hope this helps,

Related

AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'

I followed this article to implement the OAuth flow with the following authority URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d8e21783-5956-4bef-80ae-fdd636006223&prompt=login&response_type=code&response_mode=query&redirect_uri=xxxxx&scope=offline_access+user.read+files.readwrite.all&state=xxxxx
The page provides two sign-in ways:
1. With email address.
2. Without entering the email address.
You can see in this screenshot that the green line is the first option and the orange line is the second.
Both sign-in ways support 「Windows Hello Face」 and 「Security Key」 (passwordless).
However, the authorization will fail if I choose the second sign-in way.
AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'.
Does this mean Microsoft OAuth flow not supporting the second sign-in way?
PS: The ancient authority URL (ref) supports the second sign-in way.
GET https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}&response_type=token&redirect_uri={redirect_uri}
This approach is no longer recommended.
Use your personal Microsoft account to get access to Azure and all consumer-oriented Microsoft products and cloud services, such as Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Microsoft 365.
Sign up your organization - Azure Active Directory - Microsoft Entra | Microsoft Docs
Note: Usually the approach using the Azure AD v2.0 endpoint is recommended. However, some enterprise scenarios may require using the original Azure AD endpoint.
Please check this Microsoft Docs page on error AADSTS50020 for related causes to troubleshoot.
References:
Get OneDrive data in UWP using Microsoft (Live) Accounts and Azure AD - DEV Community
Authorization and sign-in for OneDrive in Microsoft Graph
You can raise a support request.
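The authorization request in the question above, written out as an added example (this is not code from the question or the answer): it builds the v2.0 authorize URL with the same endpoint, response_type, response_mode and scopes as the question's URL, adds a random `state` and a PKCE code challenge (RFC 7636), and checks the redirect back before the code is exchanged. `CLIENT_ID` and `REDIRECT_URI` are placeholders, not real registrations; the callback URLs in the usage are constructed.

```python
"""Added example, not code from the question or the answer above: build the
Microsoft identity platform v2.0 authorization request that the question's URL
shows, with a random state value and a PKCE code challenge (RFC 7636), and check
the redirect back. The endpoint, response_type, response_mode and scope values
come from the question's URL; CLIENT_ID and REDIRECT_URI are placeholders."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app (client) id
REDIRECT_URI = "https://app.example/auth/callback"    # placeholder; must match the app registration
SCOPES = ["offline_access", "user.read", "files.readwrite.all"]  # scopes from the question's URL


def _b64url(raw):
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_pkce_verifier():
    """32 random bytes give 43 unreserved characters, inside RFC 7636's 43..128 range."""
    return _b64url(secrets.token_bytes(32))


def build_authorize_url(state, code_verifier, prompt=None):
    """Authorization request. The verifier itself stays with the client; only its hash is sent."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "response_mode": "query",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    if prompt:
        params["prompt"] = prompt  # the question's URL uses prompt=login
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def begin_sign_in():
    """Start a flow; the caller stores state and code_verifier server-side for this session."""
    state = secrets.token_urlsafe(32)
    verifier = new_pkce_verifier()
    return {"state": state, "code_verifier": verifier, "url": build_authorize_url(state, verifier)}


def parse_callback(callback_url, expected_state):
    """Handle the redirect back. Returns {'code': ...} on success, or
    {'error': ..., 'error_description': ...} when the authority redirected with an error."""
    query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # Constant-time comparison; a wrong state means the response is not for this session.
    if not hmac.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        return {"error": query["error"], "error_description": query.get("error_description", "")}
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    # Next step (not shown): POST code + code_verifier to the v2.0 token endpoint.
    return {"code": query["code"]}


if __name__ == "__main__":
    flow = begin_sign_in()
    print(flow["url"])
    # Constructed callback standing in for what the browser would bring back.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": flow["state"]})
    print(parse_callback(callback, flow["state"]))
```

The `state` check is what ties a callback to the session that started it, and the PKCE challenge is what stops a captured authorization code from being redeemed by anything that does not hold the verifier; both belong in the flow whichever of the two sign-in ways the user picks on the page.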

ADAL and MSAL confusion

My References
According to this,
Starting June 30th, 2020 we will no longer add any new features to Azure Active Directory Authentication Library (ADAL) and Azure AD Graph. We will continue to provide technical support and security updates but we will no longer provide feature updates. Applications will need to be upgraded to Microsoft Authentication Library (MSAL) and Microsoft Graph. Learn more
And this,
Starting June 30th, 2022, we will end support for ADAL and Azure AD Graph and will no longer provide technical support or security updates. Apps using Azure AD Graph after this time will no longer receive responses from the Azure AD Graph endpoint. Apps using ADAL on existing OS versions will continue to work after this time but will not get any technical support or security updates.
and this link,
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Microsoft.Identity.Client; // MSAL
ADAL should be replaced by MSAL. However, my project does not reference either of the above libraries.
These are the references I have in my project.
Microsoft.IdentityModel.JsonWebTokens
Microsoft.IdentityModel.Protocols.OpenIdConnect
Microsoft.IdentityModel.Tokens
Microsoft.Owin
Microsoft.Owin.Security
Microsoft.Owin.Security.Cookies
Microsoft.Owin.Security.OpenIdConnect
Owin
Questions
The more I read about this topic the more I get confused because one minute I'm under the impression that ADAL is only authorization and not authentication and the next minute I see it referred to as ADAL Authentication. I just want to know if I need to update my authentication code for it to continue working.
Since my project does not reference Microsoft.IdentityModel.Clients.ActiveDirectory and only uses Azure AD for authentication and not authorization, does this mean this change will not affect me?
ADAL and MSAL are only for authorization and not authentication correct? If this is the case, why do they reference MSAL and Microsoft Graph, what is the difference?
Since you did not use either of the libraries (Microsoft.IdentityModel.Clients.ActiveDirectory and Microsoft.Identity.Client) and you only use Azure AD for authentication, I don't think this change will affect your project.
As for your question about why they reference MSAL and Microsoft Graph rather than ADAL and Azure AD Graph: in fact, the two are similar and the changes are minor. You can refer to this document to learn the differences between them.
The final deadline to migrate your applications to Microsoft Authentication Library (MSAL) has been extended to June 30, 2023. Refer to the ADAL to MSAL migration document here.

What is the currently working and correct way to set up an Azure Application that allows MSA signin?

Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. #live.com, #hotmail.com, etc accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
None of the documentation for these seems to cover the scenario end-to-end, and most of it is completely out of sync with other developments.
I am hoping to get some guidance here from other developers who have actually gone through this journey themselves (rather than folks who just read the documentation). Specifically, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.

Office Add-In SSO with an AAD v1 app registration

I am developing an Office add-in.
This Office add-in is supposed to retrieve the term store from SharePoint.
By following this tutorial:
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-aspnet
I managed to get an access token to be used for the Graph API. However, Graph does not expose any way of getting the term store. Is there a way we can generate an access token to be used with SharePoint and maintain the SSO?
It might be possible by registering an Azure AD v1 app but I could not find any documentation describing that.
I have a similar requirement, but in my research I wasn't able to find a good solution for this scenario.
I think it is probably possible to use a provider hosted SharePoint add-in. And then use the Authorization Code flow for obtaining an access token. Since the SharePoint add-in is trusted it will not require user login.
Of course this does mean the add-in needs to be deployed in SharePoint. If your Office add-in is distributed through the store this isn't really a great solution.
Hopefully there are other ways of achieving the same.
You could call SharePoint Online APIs (via REST or CSOM) with Azure Active Directory Apps. To call APIs secured by Azure AD, your app must acquire an access token from Azure Active Directory.
Please first refer to this document for integrating applications with Azure Active Directory. Then use Azure Active Directory Authentication Library (ADAL) to easily authenticate users to cloud or on-premises Active Directory (AD), and obtain access tokens for securing API calls.

Accessing Office Graph apis with Sharepoint Online login?

We've been running an Angular app in a custom masterpage during the last year, using the Sharepoint REST api to retrieve user properties, data from lists etc., which has been working fine. As the application is hosted on Sharepoint Online, accessing the page requires a login thus making the request digest available so further authentication is not necessary.
Now however, we want to start using some of the functionality in the Microsoft Graph API. From what I can gather this requires OAuth2 authentication against the Azure Active Directory, involving among other things a redirect to the AAD login page.
Does this mean I have to:
1) Login via the organizations (standard Microsoft) login page to access the Sharepoint Online site.
2) Redirect to the Azure AD login page and back again?
Or can I leverage the login that the user already did when logging into Sharepoint Online?
Sorry if the question is a bit vague, we are all still very new to this.
When registering your application on Azure AD you will give the app access to the Files/SharePoint REST API and the Microsoft Graph API. See this picture: the app has access to several APIs (Exchange, Graph and AD); you must add the SharePoint APIs in your case.
Regarding the authentication, I am afraid that the SharePoint model does not provide a token that will enable you to request the Graph API; see this. You will have two authentications, one to access the SharePoint site, as you said, and the other "within" the SharePoint iframed add-in to log into your AAD's registered app. This will be an OAuth process through login.microsoft.com. Have a look at my Outlook add-in Keluro Mail Team on the Office store; I think it is similar to what you want to achieve.
You can use the same token from graph.microsoft.com. I have a sample using ASP.NET Core 1.0 and the .NET ADAL, but the same authentication flow is used when using ASP.NET 4.6. Just make your auth request against MS Graph on startup, then acquire an access token to auth against SharePoint.
https://github.com/edrohler/com.ericrohler
Hope this helps.
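Several of the threads above turn on the same distinction: the first answer notes that the Graph SDKs only consume tokens that ADAL or MSAL acquire, the "ADAL and MSAL confusion" question asks whether those libraries are about authentication or authorization, the MSA sign-in answer pairs MSAL with the v2.0 endpoint and ADAL with the v1 endpoint, and the two SharePoint threads ask which token can be sent to which API. The following added example (not code from any of the posts, their authors, or Microsoft) separates the two jobs as claim checks on the tokens involved: an ID token is addressed to the application and proves the sign-in (the check an OpenID Connect middleware such as OWIN's performs), while an access token is addressed to a single API, so a token acquired for Microsoft Graph is checked against Graph's audience and a SharePoint Online call is checked against the SharePoint host. The tenant id, client id, SharePoint host and tokens are constructed; signature verification against the tenant's published signing keys is assumed to happen before these checks and is not shown.

```python
"""Added example, not code from any of the posts above: the claim checks that
separate authentication (an ID token addressed to the app) from authorization
(an access token addressed to one API such as Microsoft Graph or SharePoint
Online), plus the issuer format that tells a v1-endpoint (ADAL) token from a
v2.0-endpoint (MSAL) token.

Signature verification against the tenant's published signing keys must happen
before any of these checks mean anything and is left out here; the tokens,
tenant id, client id and SharePoint host below are constructed for the example.
"""
import base64
import json
import time

TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed placeholder tenant id
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder app (client) id

# Issuer strings for the two endpoints (per-tenant form).
V1_ISSUER = "https://sts.windows.net/%s/" % TENANT_ID
V2_ISSUER = "https://login.microsoftonline.com/%s/v2.0" % TENANT_ID

# Access-token audiences: one per API the app calls.
GRAPH_AUDIENCE = "https://graph.microsoft.com"
SHAREPOINT_AUDIENCE = "https://contoso.sharepoint.com"  # constructed tenant host


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Payload claims of a compact JWT. Does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims):
    """Constructed sample token for the demo; header and signature segment are placeholders."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"placeholder-signature"))


def endpoint_version(token):
    """'v2.0' for tokens from the v2.0 endpoint (MSAL), 'v1' for the original endpoint (ADAL)."""
    return "v2.0" if decode_claims(token).get("iss", "").endswith("/v2.0") else "v1"


def validate_id_token(token, client_id, expected_nonce, now=None):
    """Authentication: the relying-party checks on an ID token. Returns a list of problems."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if c.get("iss") not in (V1_ISSUER, V2_ISSUER):
        problems.append("issuer is not this tenant")
    if c.get("aud") != client_id:
        problems.append("audience is not this application")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    if c.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    return problems


def validate_access_token(token, resource, now=None):
    """Authorization: confirm the token was issued for the API about to be called."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if c.get("aud") != resource:
        problems.append("token audience %r is not %r" % (c.get("aud"), resource))
    if c.get("tid") != TENANT_ID:
        problems.append("token is from another tenant")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


# Constructed sample tokens with a fixed clock so the example is reproducible.
NOW = 1700000000
SAMPLE_ID_TOKEN = make_sample_token({
    "iss": V2_ISSUER, "aud": CLIENT_ID, "tid": TENANT_ID, "exp": NOW + 3600,
    "nonce": "n-123", "preferred_username": "user@contoso.example",
})
SAMPLE_GRAPH_TOKEN = make_sample_token({
    "iss": V1_ISSUER, "aud": GRAPH_AUDIENCE, "tid": TENANT_ID, "exp": NOW + 3600,
    "scp": "User.Read Contacts.ReadWrite",
})

if __name__ == "__main__":
    print(endpoint_version(SAMPLE_ID_TOKEN), validate_id_token(SAMPLE_ID_TOKEN, CLIENT_ID, "n-123", now=NOW))
    print(endpoint_version(SAMPLE_GRAPH_TOKEN), validate_access_token(SAMPLE_GRAPH_TOKEN, GRAPH_AUDIENCE, now=NOW))
    print(validate_access_token(SAMPLE_GRAPH_TOKEN, SHAREPOINT_AUDIENCE, now=NOW))
```

Running it shows the ID token passing the relying-party checks, the Graph token passing for `GRAPH_AUDIENCE` and failing the audience check for the SharePoint host, which is why a call to a second API is a second token acquisition (same sign-in, different resource) rather than a reuse of the first token. The `iss` suffix is what a log or a debugger shows when deciding whether a token came from the v1 or the v2.0 endpoint.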
