We're working on a SAAS application that has recently been configured to use Azure ADAL for authentication. If it matters, we're going the oauth2 route, with response_type: code.
However, when we're testing the application, if the browser has been signed into an Azure account that does not belong to the tenant acting as identity provider, the prompt for password is bypassed, and the login fails on the Azure screen, saying AADSTS50020 - user not found in tenant.
On the one hand, congratulations to Azure for finding an already signed in user! On the other hand, there is no recourse to elect to not use this signed in user; it does not give the user the chance to interject with credentials that work.
How can we prevent this?
The core issue is we don't want users, visiting our site and ready to sign in, to have to have already signed out of Azure before trying to log in with our site.
Thanks in advance.
Please refer to https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code
You could find when requesting an authorization code during code flow , there is a Parameter :prompt indicates the type of user interaction that is required .
Valid values are:
login: The user should be prompted to reauthenticate.
select_account: The user is prompted to select an account, interrupting single sign on. The user may select an existing signed-in account, enter their credentials for a remembered account, or choose to use a different account altogether.
consent: User consent has been granted, but needs to be updated. The user should be prompted to consent.
admin_consent: An administrator should be prompted to consent on behalf of all users in their organization
You could use prompt=login forces the user to enter their credentials on that request, negating single-sign on
Related
The disturbing scenario is: users log out of the application but their session remains valid such that they are able to sign back in without reauthenticating. Is the below code snippet the portion of the code that needs to be configured for the B2C session behaviour?
app.UseRewriter(
new RewriteOptions().Add(
context =>
{
if (context.HttpContext.Request.Path == "/MicrosoftIdentity/Account/SignedOut")
{ context.HttpContext.Response.Redirect("/Home/Index"); }
}));
When you want to sign the user out of the application, it isn't enough
to clear the application's cookies or otherwise end the session with
the user. Redirect the user to Azure AD B2C to sign out. If you fail
to do so, the user might be able to reauthenticate to your application
without entering their credentials again
The logout endpoint can receive an optional post_logout_redirect_uri parameter in the query string, where you can specify another URL where your user will be finally redirected by B2C. That can be the address of any resource, e.g. you homepage or your own page showing a "You successfully logged out of our service" message to the user.
post_logout_redirect_uri - The URL that the user should be redirected to after successful sign out. If it isn't included, Azure AD B2C shows the user a generic message.
For more details refer this document And also check with this SO Thread
I have to limit which users can access an Azure App. For now, only Global Admins can access using this link:
login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=client_id_goes_here&scope=user.read.all&response_type=code&redirect_uri=https://myredirectbacklink.com/aad/auth&response_mode=query&state=portal&prompt=consent
After redirect back I get Token using
https://login.microsoftonline.com/common/oauth2/v2.0/token and the query contains the same scope as the authorized link.
The flow of the app is the same as documented in Microsoft identity platform and OAuth 2.0 authorization code flow.
My problem is that client wants to allow Billing Admins to access their app. I went through all Graph Permission Scopes, but could not find any related to Billing Admin.
My knowledge of Microsoft's authorization is somewhat limited. I do know that limitations are done by scope. But if it's just link change or is it in Authentication App in Azure (there is one but I don't know how it's related to actual login permissions).
Should I look in a different direction or is it just simply changing the link? Microsoft's documentation didn't help a lot because it's mostly about calendars and other simple stuff.
Careful, requesting a permission that normally requires admin consent and causing the user consent prompt is not the proper way to ensure the user signing in is actually an admin. A non-admin user could simply modify the URL to scope=User.ReadBasic.All and remove prompt=consent. If the user is allowed to consent for User.ReadBasic.All (which is true in many organizations), they'd be able to continue the sign-in. (Or if the organization had granted admin consent for "User.Read.All", the non-admin user would only need to remove prompt=consent.)
If you need to ensure the user is an administrator, you need to explicitly check for directory role assignments.
You can choose from one of three different ways to do this:
You can configure your app to receive the wids claim, which will include the role template IDs of the directory roles for which the user has an active assignment. This is probably the simplest approach.
Using the Azure portal, you can do this under App registrations > (choose your app) > Token configuration > + Add groups claim. You must include "Directory roles" in your selection:
Another option is to a Microsoft Graph API request to check which of a given list of directory roles the user has been assigned:
POST https://graph.microsoft.com/v1.0/me/checkMemberObjects
Content-type: application/json
{
"ids": [
"fdd7a751-b60b-444a-984c-02652fe8fa1c",
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
}
A third option is to make a Microsoft Graph API request to list the directory role assignments granted to the user:
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments
?$filter=principalId eq '{id}'
All three of these approaches involve using directory role template IDs to identify the directory role you are checking for. They're all listed here: https://learn.microsoft.com/azure/active-directory/roles/permissions-reference
Some examples you may be interested in:
Application administrator: 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
Cloud application administrator: 158c047a-c907-4556-b7ef-446551a6b5f7
Global administrator: fdd7a751-b60b-444a-984c-02652fe8fa1c
Privileged role administrator: e8611ab8-c189-46e8-94e1-60213ab1f814
Billing administrator: b0f54661-2d74-4c50-afa3-1ec803f12efe
(I included the first four because those are the directory roles which would, by default, be allowed to grant consent for User.Read.All.)
If someone needs solution and uses php:
You can use https://github.com/microsoftgraph/msgraph-sdk-php
$accessToken = 'token from redirect back, called access_token';
$body = [
"ids" => [
"fdd7a751-b60b-444a-984c-02652fe8fa1c",
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
];
$graph = new Graph();
$graph->setAccessToken($accessToken);
$user = $graph->createRequest("post", "/me/checkMemberObjects")
->attachBody($body)
->execute();
I am using MS Graph in a desktop application so I am hosting a web browser in a form for the user to do their initial login. This all works fine and I can fully use MS Graph.
The problem I have is if we need to use an account of a different user there does not seem to be a way to reset the login. If you try to login again with the hosted web browser it will go right through and allow the same user.
The only way to reset it for another user seems to be to go into IE and delete the history/cache. Then the login screen will ask a user to login again. It seems a bit extreme to reset the cache.
So is this the only way to do this or is there something I can change in the MS Graph API call to tell it to reset?
You can force re-authentication by added prompt=login to the sign-in request:
Prompt (optional)
Indicates the type of user interaction that is required. The only valid values at this time are login, none, select_account, and consent.
prompt=login will force the user to enter their credentials on that request, negating single-sign on.
prompt=none is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform endpoint will return an error.
prompt=select_account sends the user to an account picker where all of the accounts remembered in the session will appear.
prompt=consent will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.
I've set up IdenityServer4 to use AzureAD backend authentication. All's well and it works, but when trying a guest user account, it just seems to hang.
I've set the "signInAudience": "AzureADMyOrg" in the Manifest file for the authenticating app on AzureAD. Also I am using the tenant specific url for the Authority from IDS4. "https://login.microsoftonline.com/abc.onmicrosoft.com".
And I've added the Microsoft Account account as guest user to AzureAD.
PS:
Noticed that it gives and error page with:
This login.live.com page can’t be found
No webpage was found for the web address:
https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51487777-085c-4777-bf88-cf50c7257777&scope=openid+profile+email+offline_access&response_mode=form_post&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2ffederation%2foauth2&state=rQIIAZ2Vuc7kABCDE59_ZnZmkGBBK0Q4wUocwv_4Pn6Job2... etc... &username=abc%40gmail.com
Notice the "https%3a%2f%2flogin.microsoftonline.com%2fcommon" in there... even though I've specified a tenant specific authority with IDS4...
Tried manually changing that part to "https%3a%2f%2flogin.microsoftonline.com%2fcontoso.onmicrosoft.com" and still gives same error. "This login.live.com page can’t be found".
The guest user email account is actually a gmail.com. But which has been added as guest user on AzureAD. When I look at the Identity for that guest user account, it is of type Microsoft Account. Do I need to add either gmail or Microsoft (live.com) as an additional authentication provider (in addition to AzureAD) to IDS4 for it to work..? –
is there any way (OIDC auth request parameter) that I could use to prevent AAD from doing account discovery when I send the user to my AAD tenant (not /common)? Currently, AAD displays a page asking for the user email (I presume in case the user is a B2B user in my directory) and only then sends the user to my ADFS (my federation service). I would like to be able to have the user only see ADFS.
#juunas' suggestion to use domain_hint= parameter and #Rohit's to remove login= parameter did the trick. Thanks!