I'm trying to implement Microsoft Azures Address Validation.
I get it to work using the implicit OAuth v2 but I would like to implement this as a service.
I have added Client Sercets and tried using that method but I don't get an Auth Token back.
Am I not implementing the Auth Service correctly?
Can this API be used with our actual user logging in each time?
Micorsoft Azure Address Validation
[Azure app registration](https://i.stack.imgur.com/ck9oW.png)
[PostMan Auth](https://i.stack.imgur.com/pkERQ.png)
[Token Response](https://i.stack.imgur.com/czeQa.png)
Thanks for the Help.
I tried to reproduce the same in my environment and got the results successfully like below:
I created Azure AD Application and added API permissions:
I generated the access token by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://management.azure.com/.default
grant_type:client_credentials
To validate the address, I used below query:
POST https://management.azure.com/providers/Microsoft.Billing/validateAddress?api-version=2019-10-01-preview
{
"addressLine1": "55 110th Ave NE",
"city": "bellevue",
"region": "wa",
"postalCode": "98004",
"country": "us"
}
In Authorization tab, paste the access token like below:
Reference:
Address - Validate - REST API (Azure Billing)
Related
I'm trying to query application insights via their REST API. I'm stuck on getting a token.
I have created an API key using the API Access blade in Azure Application Insights:
That gives you an Application ID and an API Key.
I have populated postman with the following:
url: https://login.microsoftonline.com/<Our Tenant ID>/oauth2/token
tenant: <Our Tenant ID>
client_id: <The Application ID from the API Access screen>
scope: https://api.applicationinsights.io/.default
client_secret: <The API Key from the API Access screen>
grant_type: client_credentials
All of this is taken from their documentation page here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token
The error is as follows:
"error": "unauthorized_client",
"error_description": "AADSTS700016: Application with identifier '<application ID from API Access screen>' was not found in the directory '<My Company Name>'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 57f78a92-fe94-40e3-a183-e3002be32801\r\nCorrelation ID: 0ab8e3ec-655d-44aa-93fa-4d3941862d11\r\nTimestamp: 2022-11-30 15:04:20Z",
I checked with the Azure Admin for our company and I'm definitely sending this to the right tenant. Also he created another key for me so it's not that either.
Thanks.
I tried to reproduce the same in my environment and got below results:
I created an API key from API Access blade in Azure Application Insights like below:
When I tried to acquire the token via Postman with below parameters, I got same error as below:
POST https://login.microsoftonline.com/<TenantID>/oauth2/token
client_id: <Application ID from API Access screen>
grant_type:client_credentials
client_secret: <API Key from API Access screen>
scope: https://api.applicationinsights.io/.default
Response:
There is no need to generate token separately if you want to query Application insights using API key.
Without including token, you can directly query Application insights by including x-api-key header like below:
GET https://api.applicationinsights.io/v1/apps/{Application ID from API Access screen}/metadata
x-api-key: <API Key from API Access screen>
Response:
The process you are currently following works only if you want to authenticate your API via Azure AD. In that case, you can generate the access token by granting required roles and scopes to registered Azure AD application.
But if your requirement is using API key, you can run any query by simply including x-api-key header for Authorization purpose.
I am trying to register an application on the azure ad using the Graph API calls.
I am using the postman to hit the APIs and I have admin access in Azure.
So Far I have tried the following things:
I registered an application manually on Azure AD using this doc- https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token. (I gave all the required permissions to my application)
I am fetching the token using the service to service call client credentials- https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.
After getting the token I pass it in the Authorization and hit the MS graph Create Application endpoint. https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http.
But In the postman, I am not getting any response body. I have checked my Azure Tenant but I am not able to find any newly Registered App.
For Token service(Get)
Endpoint- https://login.microsoftonline.com/{my-tenant-id}/oauth2/token
body-
grant_type:client_credentials
client_id:{app-id}
scope:https://graph.microsoft.com/.default
client_secret:{secret}
//resource:https://graph.microsoft.com
Response success(200) with token
For Create App(POST)
https://graph.microsoft.com/v1.0/applications
body: {
"displayName": "Created with MS Graph API"
}
Authorization: Bearer {token}
Response: Nothing is showing in response
Response from API
You can register the application using the Create Application API
POST https://graph.microsoft.com/beta/applications
You need to have enough permissions first to be able to register an application with Azure AD. This sample shows how to register and create an application to target the Graph API. https://github.com/microsoftgraph/aspnet-snippets-sample
I found the solution, In the API Header, I was specifying the Content-Length= 67 which was not required. Now I am able to get the Success response.
https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http
If we look at the MS documentation, They have provided the below example
POST https://graph.microsoft.com/v1.0/applications
Content-type: application/json
Content-length: 67
{
"displayName": "Display name"
}
We don't need to pass the Content-Length in headers.
I have a web application registered in Azure AD and have it working with the Graph API. But I would like to be able to instead query the Sharepoint REST API.
I have added the sharepoint delegated permission scope "AllSites.Read" to my application (in addition to the Graph API scopes that I was using before) and request this scope (in addition to the other delagated msgraph scopes) when I get the oauth token from the user. I successfully get the token, using https://login.microsoftonline.com/common/oauth2/v2.0 for the authorization/token calls, but am unable to make a successful query:
My query looks like client.get(f"https://{tenant}.sharepoint.com/_api/web/lists") where tenant is the tenant of the particular user who's token I am using.
The error I get looks like {'error_description': 'Invalid issuer or signature.'} with reason="Token contains invalid signature.";category="invalid_client"' in the header of the response.
I am able to query the Graph api, but would like to also be able to query the Sharepoint REST api, because the Graph api is is insufficient for my actual use case, which will be to get Sharepoint groups (Graph api does not give sharepoint groups when I ask for groups, only Office 365 and Azure AD groups).
Update:
The permissions I've set on the app:
I have not added any scopes in Expose API, I don't know if I need to. I did not need this part to have it working with Graph API.
Lastly I'll mention that in Postman, controlled environment purely with this as the request, with OAuth 2.0:
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id
client_secret
Scope: AllSites.Read
I get a token successfully, with all the roles, although it still doesn't give me access to https://<tenant>.sharepoint.com/_api/web/lists. I get the following error:
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": {
"lang": "en-US",
"value": "Access denied. You do not have permission to perform this action or access this resource."
}
}
}
which admittedly is probably a step forward from the invalid client error I was getting before, but still quite stuck.
I was able to get this to work in Postman:
OAuth 2.0
Grant Type: Authorization Code
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID: <client_id>
Client Secret: <client_secret>
Scope: https://<tenant>.sharepoint.com/AllSites.FullControl
The token I get back has all of the permissions that I set on the application, including the Graph API ones and the Sharepoint scopes that I did not request in the Scope parameter of the auth request:
"scp": "AllSites.FullControl AllSites.Read Directory.Read.All Files.Read.All Group.Read.All MyFiles.Read Sites.Read.All Sites.Search.All User.Read User.Read.All", which was a little surprising.
A key point was setting the tenant url in the scope so that the aud parameter in the token comes back for the right tenant. It was coming back before configured for the resourceAppId associated with the Graph permissions (00000003-0000-0000-c000-000000000000), rather than the Sharepoint permissions. This way, aud got set to https://<tenant>.sharepoint.com and I was able to access https://<tenant>.sharepoint.com/_api/web/lists.
You can try to get the acccess token in PostMan for a testing purpose.
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<tenant_name>.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/token
Client ID : <Application_ID>
Client Secret : <KEY>
Grant Type : Authorization Code
Will pop up a login window to sign in and then generate the access token and get the SharePoint groups:
Reference:
Use Postman and Azure AD to send REST request to SharePoint Online
How do you get the authentication contact info from azure ad b2c with the microsoft graph, I am looking to retrieve the email address.
I checked the documentation on Microsoft Graph API and could find no mention of how to get the Authentication Contact Info besides using PowerShell (learn.microsoft.com/en-za/azure/active-directory/authentication/…)
Based on this article, there are still some gaps between the Microsoft Graph API and the older Azure AD Graph API, but seems neither will fully retrieve what's required.
As of now, the following with get the Alternate Email field only from the "Authentication contact info" section using the Azure AD Graph API;
Register the Application in Azure AD
In the Azure Active Directory instance;
Register a new application (client_id)
Grant "Read all users' full profiles" permissions to Windows Azure Active Directory
Create a private key (client_secret) for the application
Authentication Flow
Reference: Service to Service Calls Using Client Credentials
Retrieve an access token
Request
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
Payload
{
"client_id": "<client_id>",
"client_secret": "<client_secret>",
"resource": "https://graph.windows.net",
"grant_type": "client_credentials"
}
User Authentication Contact Info
Reference: Basic operations on users
Get user
Request
GET https://graph.windows.net/<tenant_id>/users/<user_id>?api-version=1.6
Headers
{
"Authorization": "Bearer <access_token>"
}
Response
{
...
"otherMails": ["<Alternate Email>"],
...
}
As you mentioned it seems that there is no microsoft Graph API could get the authentication Contact Info Email.
But we could get that information with following API, I capture it with browser. It seems a litte hack.
Get https://main.iam.ad.ext.azure.com/api/UserDetails/{userId}
About how to get the access token, please refer to this blog.
Note: I don't find this API in the Azure official document. Please don't use it for product, you could use it for test.
We have an O365 tenant, everything is configured out of the box. The tenant is placed in the German cloud and not in global (office.de).
We also developed an Office Add-in that authorize access to sharepoint using OAuth 2.0.
First, we initiate a request for a code to this url:
http://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=client_id&redirect_uri=redirect_uri&state=state
and we get all values back including the code.
Then, we initiate a request for the Discovery Service to discover the services using this url:
https://login.windows.net/common/oauth2/token?client_id=client_id&redirect_uri=redirect_uri&resource=https://api.office.com/discovery/&grant_type=authorization_code&code=code
In the global cloud everything is ok and we get the list of services we need but in the German cloud we get the following error:
{
"error": "invalid_grant",
"error_description": "AADSTS90051: Invalid Delegation Token. Invalid national Cloud ID (1) is specified.\r\nTrace ID: 52f8aa2b-9f98-4ba6-b778-c0ba484a3c00\r\nCorrelation ID: 67100192-82c8-41ea-a5ca-fd9872caaf2e\r\nTimestamp: 2018-02-08 06:31:18Z",
"error_codes": [
90051
],
"timestamp": "2018-02-08 06:31:18Z",
"trace_id": "52f8aa2b-9f98-4ba6-b778-c0ba484a3c00",
"correlation_id": "67100192-82c8-41ea-a5ca-fd9872caaf2e"
}
The same error occurs when we try to change the url to https://login.windows.de/common/oauth2/token
I think that you can use client crendetials flow to achieve that:
1.Request the access token for the Office Discovery service API:
POST https://login.microsoftonline.de/{{yourtenantId}}/oauth2/token?client_id={{client_id}}&client_secret={{client_secret}}&grant_type=client_credentials&resource=https://api.office.com/discovery/
2.Use the access token in the head and use the Office Discovery API:
Additional: If you want to get id_token and use it, try to use https://login.microsoftonline.de as the AAD Athorization endpoint in your request. I didn't test, but it should work.
Hope this helps!