Identify the current device in Graph - azure-active-directory

I am using ADAL on Android and I access my devices via the Graph API after enrolling them via the Intune Company Portal app.
I can obtain the list of devices via
https://graph.microsoft.com/v1.0/me/registeredDevices
Is there a way to somehow identify the current device I used for making the API call and match it to one of the devices from the response?
In Intune Company Portal I can clearly see which device I am currently using. Is this possible using Graph API somehow? Thanks!

No. AFAIK this is not supported in the current version of Microsoft Graph. If you require this feature, you can submit the feedback from this link.

Related

Configuration of React app, .NET Core 3.1 API, and calls to Microsoft Graph

Is there a "best" way of achieving this?
Basically I want to leverage my company's Azure AD tenant to build a fully featured internal application. Using Microsoft Graph, I can retrieve users via their identifier guids, and use the identifiers as foreign keys for various tables in our on premises database, instead of having a dedicated User table, which would need to be populated and synced up with the AD. There are many other prospective uses for Graph, but leveraging users is the priority right now.
A large chunk of my application is built already. I am able to lock down my client app using the package react-aad-msal, requiring users to authenticate through single-sign-on. I have also successfully been able to pass that token back to the protected .NET Core API, accessing various endpoints as the authenticated user.
From here, I am not sure how I can develop the calls to Microsoft Graph. At which point should I make the connection? Should the client application connect to both the on-prem API, as well as Graph? Or should it only connect to the on-prem, which would then connect to Graph? Curious to know the pros and cons of either method.
I've also heard tell that Microsoft is working on their own package: @azure/msal-react, and that react-aad-msal should no longer be used (as it only supports msal 1.0 and not 2.0; I have no idea which version is better for my needs). While msal-react is still in development, apparently I should be using @azure/msal-browser. But I cannot find a good example of a react app using msal-browser to authenticate.
Here is a Sample on how to use MSAL with React to call Microsoft Graph.
The only difference in your case will be that instead of calling Microsoft Graph, you will call your own API.
Bottom line is: there is no direct integration package yet for react. Which can also be read from the official statement on the msal-js repo:
"After our current libraries are up to standards, we will begin balancing new feature requests, with new platforms such as react and node.js."
You can also use .net core instead. Please go through the sample here which can help.
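The second option in the question (the SPA calls only your API, and the API talks to Graph for the user) rests on the OAuth 2.0 on-behalf-of grant. The following is an added example, not code from the answer or from the linked sample: it shows, with the Python standard library, the claim checks an API should make on an incoming token before spending it, and the exact token request that trades it for a Graph token. Tenant ID, client ID, secret and token values are placeholders, and make_test_jwt builds an unsigned token purely so the checks can be exercised offline.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholders: your tenant, the API's own app registration and the Graph scope it needs.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
API_CLIENT_SECRET = "replace-with-a-secret-loaded-from-a-vault"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/User.Read"
# Depending on how the API is registered, tokens carry the client ID or the Application ID URI as `aud`.
ACCEPTED_AUDIENCES = {API_CLIENT_ID, f"api://{API_CLIENT_ID}"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the claim checks offline.

    A real API must never accept an unsigned token; the signature check is done
    by the JwtBearer middleware against the tenant's published signing keys.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def api_token_claims(token: str, now: Optional[float] = None) -> dict:
    """Audience and expiry checks the API makes before using the token in an OBO exchange.

    Raises ValueError when the token is not for this API or is no longer valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") not in ACCEPTED_AUDIENCES:
        raise ValueError("token was issued for a different audience")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def token_is_acceptable(token: str, now: Optional[float] = None) -> bool:
    try:
        api_token_claims(token, now)
        return True
    except ValueError:
        return False


def build_obo_request(user_token: str) -> dict:
    """Form body of the on-behalf-of grant: the user's token is the assertion, the API is the client."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": API_CLIENT_ID,
        "client_secret": API_CLIENT_SECRET,
        "assertion": user_token,
        "scope": GRAPH_SCOPE,
        "requested_token_use": "on_behalf_of",
    }


def exchange_for_graph_token(user_token: str) -> str:
    """POST the OBO request and return a Graph token scoped to the calling user (network call)."""
    body = urlencode(build_obo_request(user_token)).encode()
    req = Request(TOKEN_ENDPOINT, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)["access_token"]


def graph_me(graph_token: str) -> dict:
    """The Graph call the API makes for the user; the returned `id` is the GUID to store as a foreign key."""
    req = Request("https://graph.microsoft.com/v1.0/me",
                  headers={"Authorization": f"Bearer {graph_token}"})
    with urlopen(req) as resp:
        return json.load(resp)
```

The trade-off between the two architectures follows from this: if the React client calls Graph itself, every Graph permission has to be granted to the SPA registration and Graph tokens live in the browser; if only the API calls Graph, the Graph permissions and the client secret stay on the server, and there is one place to log and rate-limit what the application does with the directory.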

ms graph beta endpoint, many apis do not support app permissions

Many endpoints in the MS Graph beta API do not support the application permission type, meaning they can only be invoked under a user identity. I would like to have a headless service/daemon running that operates under its own app identity and is able to do stuff with the Graph API.
For example remote locking a managed device.
I would like to know, if MS plans to add this feature in the near future.
I recommend visiting the UserVoice and adding your suggestions.

Desktop client flow for MicrosoftAccount access to Azure Mobile Service API

I have followed Adrian Hall's book to create a cross platform app with a Mobile Service API backend. I have successfully got unsecured access to the backend working from Android, iOS and Desktop (WPF) clients. I am moving on to adding security to the API using the Authorise attribute. I would like to add social authentication using MicrosoftAccount (formerly passport/Live ID).
Since Adrian wrote his book the Microsoft.Azure.Mobile.Client and the authentication and authorisation landscape seem to have moved on. The samples given in the book no longer build and Microsoft's social authentication and AAD authentication seem to have been rolled into one API.
I have spent days searching for up to date and relevant information but there seems to be lots of stuff on the internet that is either out of date or only shows examples of authenticating using Facebook or Google from Xamarin clients or authenticating against Azure AD.
I am using .NET 4.7 and WPF for the desktop app. I am also using Microsoft.Azure.Mobile.Client V4.0.1, and my questions are:
Should I be using the Microsoft.Identity.Client to authenticate users from my desktop client; and,
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
According to your requirement, you want to use client-flow authentication with MSA. As I know, MSA authentication uses the Live SDK for signing in users.
Since Live SDK is deprecated, you could leverage OneDrive SDK for CSharp for logging in with MSA, and you could follow the detailed steps for achieving this purpose:
Install the client libraries via NuGet:
Microsoft.OneDriveSDK
Microsoft.OneDriveSdk.Authentication
Log into Microsoft Account Developer Center and create your app, add the native application platform, then register your app with Microsoft Account.
Then you could follow the code below and add it to your WPF application as follows:
For more details about OneDrive SDK for CSharp, you could refer to here and Authentication Adapter for the OneDrive SDK.
UPDATE:
It's my fault. I did not mention that the above code would automatically open a web browser. Per my test, you could configure the parameter returnUrl to https://login.microsoftonline.com/common/oauth2/nativeclient when constructing your MsaAuthenticationProvider instance.
I was in a similar boat, and here is a summary from the top of my head. There are two security libraries currently in play for authorization: ADAL and MSAL.
ADAL
This is the first library that came out, and services like B2C must each be handled separately using this library.
MSAL
One security framework to rule them all!
https://github.com/Azure-Samples/active-directory-xamarin-native-v2
This library has a go live license, but technically it's still in Beta.
Head to Mobile.azure.com for the latest info on creating a mobile application, and this article on the V2 endpoint.
When you register an application for Authorization there are two categories: a "Converged" application and a "Live SDK application" (see https://apps.dev.microsoft.com/#/appList). Why they would choose these names is beyond me to understand. IMPORTANT translation: Converged applications ONLY work with MSAL, the other ONLY works with ADAL. THAT will go a long way for you to get the authentication working, as the Application / Client ID must match the correct SDK, and hence endpoint.
In the end, we chose to stay with ADAL for now as we were having problems with MSAL. MSAL is the future however, as all services will be incorporated, and it should be an easier SDK to use.
Here are some links that I kept, all of which refer to ADAL or MSAL:
http://aka.ms/aadv2
https://azure.microsoft.com/develop/identity
https://learn.microsoft.com/en-ca/azure/active-directory/develop/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/AzureAD
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
These links are about a month old. HTH
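The question is how a desktop client obtains the token in the first place. As an added example that is not code from either answer (and is separate from the OneDrive SDK route described above), here is the v2-endpoint client flow that MSAL performs for a public client, written out with the Python standard library so each step is visible: an authorization-code request protected with PKCE, the redirect back to the nativeclient URI named in the first answer, and the code-for-token exchange. The client ID is a placeholder; in WPF the same steps are driven by whatever embedded browser or system browser the app opens.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/common"   # v2 endpoint: MSA and work/school accounts
CLIENT_ID = "22222222-2222-2222-2222-222222222222"        # placeholder Application (client) ID
# Redirect URI for native clients, as mentioned in the first answer.
REDIRECT_URI = "https://login.microsoftonline.com/common/oauth2/nativeclient"
SCOPES = ["openid", "profile", "offline_access", "https://graph.microsoft.com/User.Read"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636.

    The verifier stays in the client's memory; only the challenge goes to the
    authorize endpoint, so an authorization code stolen from the redirect cannot
    be redeemed without it.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 characters, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, challenge: str) -> str:
    """URL to open in the browser; `state` is a fresh random value checked on the way back."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_redirect(final_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the URL the browser lands on after sign-in."""
    qs = parse_qs(urlparse(final_url).query)
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: the response does not belong to this sign-in attempt")
    return qs["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body POSTed to {AUTHORITY}/oauth2/v2.0/token; no client secret for a public client."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "code_verifier": verifier,
    }


def start_sign_in() -> Tuple[str, str, str]:
    """Convenience for the WPF side: returns (authorize_url, state, verifier) to keep until the redirect."""
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    return build_authorize_url(state, challenge), state, verifier
```

The token response of that exchange is what a client library would hand to the provider-specific MobileServiceClient.LoginAsync overload; which of its tokens the App Service side accepts for the MSA provider is not stated in this thread, so check the App Service authentication documentation for your backend version before wiring it up.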

Call Google Glass Mirror API using service account

I need to create a (demo) application for Google Glass with a simple user interaction: insert a card on Glass and get a response back to the application.
I think this can be done by using the Mirror API.
This application is not a web application so I think I need to use a service account.
I have created an API project on the Google APIs console https://code.google.com/apis/console/ and enabled the Google Mirror API.
After that I created a new client ID with application type "service account" (calls Google APIs on behalf of your application instead of an end-user; more info at https://developers.google.com/accounts/docs/OAuth2#serviceaccount).
The result is a client id, email address and public key fingerprint and a P12 key with password.
The problem is that I cannot find an example how to do the service account authentication and for example a card insert.
Any ideas? The used programming language is less important...
See also Can I use OAUTH2 Service Accounts with Glass Mirror API? but unfortunately without an answer.
Edit:
From the answer below I understand I cannot use the service account for this.
Is it then correct that I always need a web application where Google Glass has a callback url so data can be sent from Glass to the application?
We develop a Warehouse Management System where the operator in the warehouse uses a voice client (like http://www.epf-gmbh.de/bilderorg/talkman_joe.jpg) that communicates with the server. The server sends commands to the client and the operator can send voice commands back to the server.
For demo purposes I would like to replace the voice client with Google Glass.
Edit 2:
Something like this: http://youtu.be/kbcskj4yAvo
You cannot do timeline operations with a service account. Most Mirror API operations (on the Timeline, Contacts, and Subscriptions) require a user's account since these operations must be done on behalf of the user in order to correctly identify which Glass will be used.
Update:
Your followup questions don't exactly relate to the authentication question, and they may be better asked in a new question, but two quick points:
Yes, when working with the Mirror API if you want to get information from Glass into your server you'll need a webapp which can take callbacks. You'll be registering this as part of a Subscription.
The example you pointed at uses the GDK, not the Mirror API.

Need to limit access to a mobile website to specific registered mobile devices

I've researched a ton and can't seem to find a solution for how to limit access to a secure mobile website to ONLY PREVIOUSLY REGISTERED devices.
I already have a secure login in place, but we must also ensure that ONLY registered devices access the site. We cannot have users sharing login information with others and allowing others to log in and use the protected information.
Is there anyway to do this?
I've looked at trying to acquire the device's MAC address using JavaScript, PHP, or something similar, but this doesn't seem to be an option.
MAC addresses can be spoofed, so use something else such as REST-based authentication.
You can't do that, because websites usually register users as opposed to their mobile devices, as nothing can be truly unique about a physical device but the information it carries. The proper way of doing client based (as opposed to user based) authentication is to use a client certificate.
If you just want to simplify the sign-in experience for your users on mobile device you may want to take a look at this.
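What the client-certificate suggestion looks like in practice, as an added example in Python that is not from the thread: enrolment issues each device a certificate from a CA you control, the TLS handshake refuses any connection that does not present a certificate chained to that CA, and the server then looks the presented certificate up by fingerprint in a registry of enrolled devices, so that a certificate the CA issued but later revoked (or never enrolled) is still turned away. The two sample "certificates" are constructed placeholders (arbitrary bytes wrapped as PEM) so the lookup logic runs offline; real devices present CA-signed X.509 certificates.

```python
import hashlib
import ssl
from typing import Dict, Optional

# Registry of enrolled devices: SHA-256 fingerprint of the device certificate (DER) -> device label.
# In production this is a database table written by the enrollment step and cleared on deprovisioning.
REGISTERED_DEVICES: Dict[str, str] = {}

# Constructed placeholders standing in for real device certificates (assumption for this example).
SAMPLE_PHONE_A = ssl.DER_cert_to_PEM_cert(b"constructed-device-cert-A:" + bytes(range(64)))
SAMPLE_PHONE_B = ssl.DER_cert_to_PEM_cert(b"constructed-device-cert-B:" + bytes(range(64)))


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, the same value `openssl x509 -fingerprint -sha256` prints without colons."""
    return hashlib.sha256(der_cert).hexdigest()


def register_device(label: str, pem_cert: str) -> str:
    """Enrollment: record the fingerprint of the certificate issued to this device."""
    fp = cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))
    REGISTERED_DEVICES[fp] = label
    return fp


def revoke_device(pem_cert: str) -> bool:
    """Deprovisioning: drop the device; a later connection with this cert fails the registry check."""
    return REGISTERED_DEVICES.pop(cert_fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert)), None) is not None


def device_for_peer(peer_cert_der: bytes) -> Optional[str]:
    """Map the certificate presented in the TLS handshake to an enrolled device, or None."""
    return REGISTERED_DEVICES.get(cert_fingerprint(peer_cert_der))


def device_for_pem(pem_cert: str) -> Optional[str]:
    return device_for_peer(ssl.PEM_cert_to_DER_cert(pem_cert))


def server_context(ca_file: str, server_cert: str, server_key: str) -> ssl.SSLContext:
    """TLS context that rejects the handshake unless the client presents a cert chained to our device CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(server_cert, server_key)
    return ctx


def identify_connection(tls_sock: ssl.SSLSocket) -> Optional[str]:
    """After accept(): chain validation already passed; now bind the connection to an enrolled device."""
    der = tls_sock.getpeercert(binary_form=True)
    if der is None:
        return None
    return device_for_peer(der)
```

Two points a practitioner will want alongside this: the registry check is in addition to, not instead of, the CA chain check the TLS stack does with CERT_REQUIRED, and it is what ties a login to one specific enrolled device rather than to "any cert our CA ever issued". And the scheme is only as strong as the device's control of its private key; where the platform supports it, generate the key in the device's hardware-backed keystore so it cannot be exported and handed to a colleague along with the password.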
