Microsoft Graph Explorer consent screen is giving wrong scopes - active-directory

When I try to login for the first time with new user via active directory to graphexplorer.windowsazure.net I get following scopes:
In my apps.dev.microsoft.com I have following permissions:
Why am I getting only these two scopes in access token:

Apps registered via the Application Registration Portal use the Azure AD v2 endpoint which supports incremental consent.
This means that while your app registration determines which scopes can be requested, you still need to specify specific scopes when you make the authorize request. Also, you should avoid requesting all scopes up front, rather incrementally request scopes as needed in the context of specific operations. So start out with your authorize request as you have it, with no extra scopes but when you need to send an email on behalf of the user issue another authorize request like so:
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345
For more info on scopes in the v2.0 endpoint check out the Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint document.
For an example of an app that incrementally requests scopes, check out this Integrate Microsoft identity and the Microsoft Graph into a web application using OpenID Connect sample.

Also note that there 2 different Graph APIs:
Azure AD Graph (endpoint: graph.windows.net, explorer: https://graphexplorer.azurewebsites.net/)
Microsoft Graph (Endpoint: graph.microsoft.com, Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer)
From https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api:
We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.

I'm not quite sure where that screen shot is coming from, but the URL you're going to is incorrect. The correct URL for Graph Explorer is https://developer.microsoft.com/en-us/graph/graph-explorer.

Related

Office-Addin Single Sign On and API Scopes

The Office Addin for Excel provides the method:
OfficeRuntime.auth.getAccessToken(OfficeRuneTime.authOptions)
to call the Azure Active Directory, log in the user and gain access to the users profile. The method brings up a dialog box asking the users consent for the Office App to access their profile. The consent box also includes the grants to my Web App (Angular web site that runs in the Excel Taskpane) and includes the words "If you accept, will also have access to your user profile information"
All good. But my Web App communicates with my API, which requires an additional granting of consent for my API to access the users profile.
Is there any way to cause the dialog box invoked by 'getAcccessToken' to also grant permission to my API?
When I login using MSAL as a fallback method (not getAccessToken(), but using an excel dialog box with MSAL configured as per the various Microsoft Walkthoughts), the consent box DOES include both my WebApp and my WebAPI. And authentication works correctly.
I note that the Manifest file has a tag. I had hoped that adding the Scope to my API in here would cause the Office-Addin to request consent to it, but no banana, it does nothing.
Any Ideas?
I do note that getAccessToken() deliberately does not return an access token to MS Graph, with the Microsoft Documentation citing 'security concerns', and such access to Graph must be via Server Side Code using the On-Behalf-Of flow, perhaps similar reasoning does not permit me to gain consent to any API using getAccessToken(), but what then are these section in the manifest file for? I have really struggled to get SSO working with Office Addins, there are so many nuances and unexpected behaviours.
The getAccessToken method calls the Azure Active Directory V 2.0 endpoint to get an access token to your add-in's web application. That enables add-ins to identify users. Server-side code can use this token to access Microsoft Graph for the add-in's web application by using the "on behalf of" OAuth flow. This API requires a single sign-on configuration that bridges the add-in to an Azure application. Office users sign-in with Organizational Accounts and Microsoft Accounts. Microsoft Azure returns tokens intended for both user account types to access resources in the Microsoft Graph. Read more about that in the Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow article.
In answer to my own question,
It is NOT possible to cause the dialog box invoked by 'getAcccessToken' to also grant permission to my API
I have written a lengthy response to this in my answer to this question
Office-Addin MSAL Single Sign In SSO: How to Refresh the Access Token?

What's the correct Microsoft Graph API endpoint for promoting a subdomain to root in Azure AD? It exists in Azure AD Graph API, but that's deprecated

Background:
I want to add a subdomain to Azure AD so that users can have it as a UPN suffix. The parent domain is federated, but I don't want the child domain to be federated. The child domain inherits the authentication type of the parent, unless you use this one Azure Active Directory Graph API method to promote the subdomain to root. Then it can have it's own authentication type and settings applied.
Problem:
What's the correct Microsoft Graph API endpoint for promoting a subdomain to root? It exists in Azure AD Graph API, but that's deprecated:
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-verify-custom-subdomain
Use Microsoft Graph API to make this a root domain
Use the following command to promote the subdomain:
POST https://graph.windows.net/{tenant_id}/domains/child.mydomain.com/promote?api-version=1.6
If I fill in {tenant_id} and fill in the subdomain I want to promote into Microsoft Graph Explorer, it fails with this:
"Your access token has expired. Please renew it before submitting the request."
I think that's because it's a Azure Active Directory Graph API call (graph.windows.net) instead of a Microsoft Graph API call. So the tokens have different audiences.
It sounds like the conversion process is this:
https://graph.windows.net/{tenant_id}/{resource}?{version}
https://graph.microsoft.com/{version}/{resource}
So I tried to run it like this:
https://graph.microsoft.com/v1.0/domains/child.mydomain.com/promote
But that fails with:
BadRequest
Resource not found for the segment 'promote'.
I did try to create an Application Registration in Azure and give it permission to Azure Active Directory Graph, but it's locked. It sounds like Microsoft is locking out new registrations to avoid people creating new Application that target it. It displays this warning message:
Azure Active Directory Graph will be deprecated in June 2022. We recommend using Microsoft Graph APIs for your application. If you are currently using Azure Active Directory Graph, please migrate to Microsoft Graph.
I have tested in my environment.
Use Microsoft Graph API to make this a root domain Use the following
command to promote the subdomain: POST
https://graph.windows.net/{tenant_id}/domains/child.mydomain.com/promote?api-version=1.6
I tried this and I got the same error:
"Your access token has expired. Please renew it before submitting the request."
This is because we are trying to call Azure AD Graph API using Microsoft Graph API access token
Currently, there is no API request to promote the subdomain to root using Microsoft Graph API.
I tried the below request to promote the subdomain to root
PATCH https://graph.microsoft.com/v1.0/domains/child.mydomain.com
Body :
{
“isRoot” : true
}
But I got the below error:
So currently, we cannot promote the subdomain to root using Microsoft Graph API.
I used Azure AD Graph API and I am able to promote the subdomain to root in Azure AD.
I logged into Azure AD Graph Explorer
I ran the below request:
POST https://graph.windows.net/{tenant_id}/domains/child.mydomain.com/promote?api-version=1.6

Can I use my personal (local) account to authenticate into Azure B2C React MSAL app?

I'm trying to use React and Azure B2C to sign-up a local account (using personal emails).
I'm able to sign-up and login using userflows, however, I cannot get active account information from MsGraph API.
GET https://graph.microsoft.com/v1.0/me 401 (Unauthorized)
Yes ,azure AD b2c supports authentication for personal accounts,
1.
Microsoft Graph supports optional query parameters that you can use to
specify and control the amount of data returned in a response. The
support for the exact query parameters varies from one API
operation to another, and depending on the API, can differ between the
v1.0 and beta endpoints.
Use query parameters to customize responses - Microsoft Graph | Microsoft Docs
Try with GET https://graph.microsoft.com/beta/me/
You can use use $select to control the properties returned,
Ex: /me?$select=displayName,jobTitle
2.
Do make sure to give required claims marked in application claims.
If you want to acquire a token for all the static scopes of a v1.0 application, append ".default" to the app ID URI of the API: app ID/.default
Calling the /me endpoint requires a signed-in user and therefore a delegated permission. Application permissions are not supported when using the /me endpoint.
Article says
Users cannot obtain tokens for Microsoft APIs (e.g. MS Graph API)
using delegated permissions. Applications can obtain tokens for
Microsoft APIs using application permissions (user management
scenarios).
Reference:
microsoft-graph-operations#user-flow-authentication-methods-beta

Get information about invitation of B2B user in Microsoft Graph

I'm trying to create an application in which I need to know whether user invited to Azure Active Directory accepted an invitation or not. I'm using microsoft graph SDK for C# to get information about users from AAD but I cannot find information about invitation status in the resulting user object. In particular, I want to get this piece of information from Azure:
Is there any way to get this info from C# using Microsoft Graph SDK or with direct graph query?
It seems microsoft graph api(v1.0) for get user doesn't have the field to show if the guest accept the inviatation. I checked the document of user properties and didn't find any property which matches "accept invitation". But I found there is a property externalUserState in microsoft graph api(beta version) which can meet your requirements. If you don't mind the stability, you can use the beta version of microsoft graph api. If you will use this api in production environment, I suggest you to use Azure AD graph api. Please refer to the steps below:
As a workaround, we can use Azure AD graph api instead of microsoft graph api. I found there is a property UserState in the response of Azure AD graph api. If we want to request this Azure AD graph api, we need to add the required permissions first.
Don't forget grant admin consent and then request the access token, please note that when request the access token for Azure AD graph, we need to change the scope from https://graph.microsoft.com/.default to https://graph.windows.net/.default.
Then use the access token to request the Azure AD graph api.
https://graph.windows.net/<tenant id>/users/<object id>?api-version=1.6
Get the response of the api and we can find there is a property userState in it. If the guest has accepted, this property will be "Accepted", if the guest hasn't accepted, this property will be "PendingAcceptance".
Hope it helps~

Lock Microsoft Graph access to only one domain

I have searched far and wide to find out how I can change the settings of my Microsoft Graph app so I only allow login from my own domain.
Since the login from Graph takes all Microsoft accounts i've been looking into different solutions, all from finding custom token endpoints to changing the application manifest.
In my manifest I can find this "signInAudience": "AzureADandPersonalMicrosoftAccount" - but I can't find in the documentation what other options there are.
also on this Microsoft page I can find this information
The overall solution comprises the following components:
Azure AD – If the Restrict-Access-To-Tenants: <permitted tenant list> is present, Azure AD only issues security tokens for the permitted tenants.
Is there any good guides online or anyone who knows how i can restrict access to people signing in either with #xxxxx.comonly or xxxxx.onmicrosoft.com accounts?
I think you're misunderstanding how Microsoft Graph works. It connects to the tenant/domain of the user authenticating. So if I authenticate with user#contoso.com, the application will only have access to the contoso.com tenant.
In terms of the authentication process itself, this is handled by Azure AD. Microsoft Graph simply accepts the token AAD returns. You can limit this process to users from a given tenant by changing the /Authorization and /Token URLs your app is using.
In most cases, apps use the /common tenant. When a user authenticates against /common, AAD handles discovering the user's actual tenant/domain and routes the request to that AAD instance for processing. These URLs look like this:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
If you want to limit authentication to a single tenant, you can skip the discovery process and force AAD/OAuth to authenticate against a single AAD tenant. Only users that exist in that tenant will be able to authenticate. This is done by swapping /common with tenant's id:
https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/xxxxx.onmicrosoft.com/oauth2/v2.0/token

Resources