How can I implement windows authentication in azure without approval? - azure

I've built a .net core 7 web application.
It implements windows authentication, and works nicely on premise.
```csharp
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
```
I've deployed to an Azure App Service, and I got this error when I browse to the application:
InvalidOperationException: The Negotiate Authentication handler cannot
be used on a server that directly supports Windows Authentication.
Enable Windows Authentication for the server and the Negotiate
Authentication handler will defer to it.
So I added a Microsoft Azure AD identity provider, which created a new app registration for me. Now I can browse to the application and enter my credentials, but once I do, I get another dialog saying "Approval required, enter justification". After I submit my request for approval, I get an email saying my request was received. I don't know who gets the approval request, or why a request is being generated. We could have hundreds of employees using the application, and will eventually have dozens of applications, so an approval request might not be manageable. Can it be turned off, or am I implementing the authentication wrong in the first place?

If you have the right permissions, you might be able to grant consent on behalf of all users yourself. This ensures that end users will not be required to consent when using the application. To do this, navigate to your App Registration Overview and click on 'Go to Enterprise applications'. From there, click on Permissions in the left menu. On that page you can grant admin consent for all users.
These global settings can be changed, but only by an administrator. How you can do that is described in this article: https://intercom.help/eventtemple/en/articles/5152672-need-admin-approval-approval-required-when-connecting-outlook-office365

Related

possible to automate the ADFS SAML SSO MFA authenticator app code on a mobile app SSO flow?

I have a properly authenticating SAML service working with ADFS. When we switch on MFA, the SSO flow requests an access code from an Authenticator app. The only way this seems to work on a mobile device is to break out of the SSO app and go to the Authenticator app to retrieve a new code. Then the user has to return to the mobile app and manually punch it in. Is there an automation step or config setting somewhere that might make this flow more user friendly by automating the auth step within the existing SAML flow instead of having to break out of the app to retrieve the code?
• Since you have configured SAML SSO for ADFS with MFA, and selected the ‘Microsoft Authenticator’ app as the second-factor authentication medium, in this process you will have to enter the one-time passcode appearing in the app (valid for 30 seconds) in the MFA authentication window. So this is not unlike an OTP (One Time Passcode) which is received as a text message on your cell phone upon requesting login through ADFS. If it were a text message, it could naturally be copied by giving the app the "read text messages" permission in the ‘Apps and permissions’ section of the cell phone if it were Android. Similarly, I would suggest you give your app permission to read the data from the Microsoft Authenticator app in your cell phone settings and test it accordingly.
• But as far as I know, your app may not have the configuration settings to do so as Microsoft Authenticator app is just an application that is installed from ‘Playstore’ unlike any other system app like text message, inbuilt app notification, etc. Thus, I would like to suggest you to please enable the setting ‘Draw over other apps’ for your app which requires authentication through ADFS for the Microsoft Authenticator app by modifying the ‘AndroidAppManifest.xml’ file which will make it possible to read the ‘One-time passcode’ generated in the Microsoft authenticator app and in effect will automate the two-factor authentication for your app login through ADFS.
Kindly refer to the link below for more information on modifying the ‘AndroidAppManifest.xml’ file:
https://www.geeksforgeeks.org/how-to-draw-over-other-apps-in-android/#:~:text=In%20order%20to%20draw%20over,android.
Also, find the link below which states the configuration that needs to be done for enabling Azure MFA as well as the various prerequisites needed for that purpose:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

Configure MSAL without access to Azure AD administration portal

A customer changed to Azure AD, so we have to update our app accordingly. Unfortunately we have neither access to the customer's Azure AD administration portal nor user credentials to test our app. We only know that ...
All starts here: https://myapplications.microsoft.com
Browser login consists of (1. dialog) email address, (2. dialog) password, (3. dialog) OTP token entry (OTP sent via SMS). Microsoft Authenticator works as well.
Once through the authentication process, the page with the Azure applications appears. In our app, we'd like to avoid this page showing up, since the app should take over after the OTP token is entered in Microsoft Graph API (= authentication is completed). So the authentication webview should close by itself after authentication is finished.
We read a lot about MSAL the last days, but since we have to code blindly (no sample login credentials/OTP available, no Azure AD administration access), it's kind of fishing in the dark.
We used this page as starting point: https://github.com/AzureAD/microsoft-authentication-library-for-objc
We use Xcode 13.4.1 with Swift.
By using Safari Web Inspector on the concerned Azure AD application, we populated the required MSAL constants as follows:
```swift
let kClientID = "2793995e-0a7d-40d7-bd35-6968ba142197" // probably not correct, see (a.) below
let kGraphEndpoint = "https://graph.microsoft.com/" // not found in Web Inspector data, but most MSAL code uses it
let kAuthority = "https://login.microsoftonline.com/common/" // found in Web Inspector data
let kRedirectUri = "https://myapplications.microsoft.com" // the URL after authentication is complete
let kScopes: [String] = ["User.Read"] // not found in Web Inspector data, but most MSAL code uses it
```
Questions/Problems:
https://myapplications.microsoft.com always shows the client_id 2793995e-0a7d-40d7-bd35-6968ba142197. As far as we understood, every Azure AD application has its own client_id, hence 2793... cannot be correct since it's "generic". If the client_id is not correct, can we find the correct one using the concerned Azure AD application's Safari Web Inspector data?
Above constants seem to work, but when our testers login, the last page showing all Azure AD applications remains open. Some sample MSAL test code from Github however close Microsoft Graph API after credentials were entered. Is this closure of the authentication webview triggered by the server (Azure AD setting) or the client?
After testers logged in through the app, then suspended the app (via App Switcher), then opened the app again, the complete Graph API login was required again. Silent login (acquireTokenSilently) didn't work. When using Safari, silent login works however. What could be wrong?
Does the Safari Web Inspector data tell us what the product bundle identifier is (which we need for msauth.$(PRODUCT_BUNDLE_IDENTIFIER) as redirect URI)?
So basically, we'd like to ...
avoid the Graph API portal page, which shows up after authentication is done
remain logged in after app returns from suspended (acquireTokenSilently())
use Authenticator if installed on the device
We've never worked with Azure AD before.
Any hint about mistakes/misunderstandings would help.
Many thanks!
----- UPDATE (27.07.2022) -----
As a reminder ... we neither have access to the Azure AD portal, nor do we have test credentials (username, password, SMS code [OTP]).
After lots of testing and simulating, still no success.
Using Safari, the flow for a regular user looks like this:
https://myapplications.microsoft.com
The authentication starts with the entry of the organization specific email address.
Azure detects this organization, checks the existence of the email address and asks for the password.
Next, Azure either sends an SMS code or triggers the broker (Microsoft Authenticator). It's device configuration specific which one is used.
The page with the Azure AD applications opens.
On iOS/macOS (Xcode, our application), the above flow is similar. MSAL debug messages reveal however that no token is sent. acquireToken() only completes after the webview is cancelled (MSAL error -50005). It seems that a Web application doesn't require a token?!
Now ... in our (iOS) app, we only would like to get the token in order to access the Web application with our (iOS) app (using the Bearer inside the URL request).
How can we get a token for an Web application without redirecting to that page at the same time (which doesn't return a token)?
Does Azure AD allow access to that Web application using the gained token?
A server-side (Azure AD) solution would be a redirect_uri entry in the Authentication section (MY_BUNDLE_ID). But we have to do without.
You don't need to target the MyApps app (2793995e-0a7d-40d7-bd35-6968ba142197). You should target your own Azure AD App registration. For more information please take a look at the MSAL iOS Swift Microsoft Graph API Sample.

Disable Azure Active Directory Single Logout

Here is the scenario: I have been given a Single Page Web Application (just HTML and CSS) and need to authenticate and authorize the users who access this application.
So I used .NET CORE and Azure AD to authenticate users through Visual Studio (Register the app to the Azure portal). The login works fine but when I tried to logout it logs me out from all other applications that are using the Azure AD login mechanism.
For example: in my browser, if I open Outlook (which uses Azure AD authentication) and my .NET application, and I want to log out from my custom .NET application, it automatically logs me out from Outlook. Is there a way I can prevent this? I just want to log out from my .NET application, not from Outlook or other applications that are using Azure AD authentication.
For logout: I am using the link: /MicrosoftIdentity/Account/SignOut
Update: I hadn't added Azure AD as a Connected Service in my .NET app, but once I added Azure AD to my .NET app, the logout works perfectly in Google Chrome (I am able to log out from the app without logging out from Outlook). But when I tried the same thing with Firefox (regular, developer), it logs me out of both the application and Outlook.
Looking at the network logs I found that after logout, Firefox is calling https://outlook.office365.com/owa/auth/logoff.aspx?cmd=logoff&exlive=1&lgtype=1&sid=xxxxxxxxxx which logs me off from Outlook, but Chrome is not calling this URL.
Anything I can do to prevent this or should I have to contact Microsoft?
If you need to logout from the application only (which has a lot of security outcomes - eg. user clicks sign-in again and they will be signed in automatically), you can just sign out from the Cookie authentication scheme (which will result in the identity cookies being dropped), see: https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.UI/Areas/MicrosoftIdentity/Controllers/AccountController.cs#L108 for the specific implementation by Microsoft in Microsoft.Identity.Web.
Simply create a sign-out endpoint in your controller and do something like:
```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Signs out of the local cookie scheme only; the Azure AD session is left untouched.
public IActionResult SignOutLocal(string callbackUrl)
{
    return SignOut(
        new AuthenticationProperties { RedirectUri = callbackUrl },
        CookieAuthenticationDefaults.AuthenticationScheme);
}
```
However, I urge you to reconsider doing this; Single Sign-Out really has a lot of security benefits.
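To make the trade-off in the answer above concrete, here is an added example (not code from the question or from Microsoft.Identity.Web) with both endpoints side by side: a local sign-out that drops only this app's cookie, and a federated sign-out that also ends the Azure AD session. It assumes a Microsoft.Identity.Web setup where the cookie and OpenID Connect schemes are registered under their default names.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]
public class SessionController : Controller
{
    // Local sign-out: only this application's identity cookie is removed.
    // The Azure AD session in the browser survives, so the next "sign in"
    // completes silently without a credential prompt; treat a "signed out"
    // state in this app as weaker than it looks.
    [HttpPost]
    public IActionResult SignOutLocal()
    {
        var props = new AuthenticationProperties { RedirectUri = Url.Content("~/") };
        return SignOut(props, CookieAuthenticationDefaults.AuthenticationScheme);
    }

    // Federated sign-out: removes the cookie and redirects the browser to the
    // Azure AD end_session endpoint, which ends the shared session and lets
    // other relying parties (e.g. Outlook) be signed out too. This is what
    // /MicrosoftIdentity/Account/SignOut does by default.
    [HttpPost]
    public IActionResult SignOutEverywhere()
    {
        var props = new AuthenticationProperties { RedirectUri = Url.Content("~/") };
        return SignOut(props,
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Whichever endpoint you expose, require a POST (and antiforgery) so that a cross-site GET cannot log the user out.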

How to Integrate existing Azure AD B2C into a Xamarin forms app using MSAL?

I am kind of confused about the integration process, so I hope to get some clearer guidance in my case.
Let say there is an existing web application(Angular + .Net Core) and I am working on the mobile version(Xamarin.Forms) for it. The web side and mobile side will share the same API backend for user authentication and other services.
So there is an existing tenant and related information (tenantName, tenantID, AppID, RedirectURL, policies, etc), and the redirectURL is for authorizing (https://.../authorize).
At first I thought I could directly use this information. I tried the code sample and just replaced tenantName, tenantID ... When I clicked the Log In button, it first showed me this error:
And then it directed me to the Sign In page. Finally, I signed in the web application in the simulator.
I feel like I should register the mobile app under the same tenant. If I want to help current web users log in to the mobile version, how do I integrate the existing Azure B2C properly with it for the authentication? Any hints would be appreciated. Thanks in advance.
Update:
I was still stuck on the token part. I had already enabled implicit grant. I used the sample code and added a scope in the sample:
When you Register a web application, you should pay attention to the content after step 9.
Once the application registration is complete, enable the implicit grant flow:
In the left menu, under Manage, select Authentication.
Under Implicit grant, select both the Access tokens and ID tokens check boxes.
Select Save.
Select the Access tokens will give you the access token.
Ok finally get the access token in the AuthenticationResult. This is how I dealt with it.
After we define a scope, we need to configure the permission.
Go to the registered application and add it to the configured permissions list:
After that I can see the accessToken in the result when I debug.
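Both the Xamarin question above and the earlier iOS/MSAL question (where silent login failed after the app was suspended) come down to the same pattern: register the mobile app as its own public client, try the token cache first and only then show the sign-in UI. This is an added example in MSAL.NET, not code from either question or from the Microsoft sample; B2C_TENANT, CLIENT_ID, POLICY and API_SCOPE are placeholders for the mobile app's own registration in the B2C tenant.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class B2CAuth
{
    const string Tenant   = "B2C_TENANT";   // placeholder, e.g. contoso
    const string ClientId = "CLIENT_ID";    // placeholder: the MOBILE app registration, not the web app's
    const string Policy   = "POLICY";       // placeholder, e.g. B2C_1_signupsignin
    const string ApiScope = "API_SCOPE";    // placeholder: the scope exposed by the shared Web API
    static readonly string Authority =
        $"https://{Tenant}.b2clogin.com/tfp/{Tenant}.onmicrosoft.com/{Policy}";

    // A native client registers an msal{client-id}://auth redirect; the web
    // app's https://.../authorize URL cannot be used as a mobile redirect.
    public static readonly IPublicClientApplication App =
        PublicClientApplicationBuilder.Create(ClientId)
            .WithB2CAuthority(Authority)
            .WithRedirectUri($"msal{ClientId}://auth")
            .Build();

    public static async Task<string> GetAccessTokenAsync(object parentWindow)
    {
        string[] scopes = { ApiScope };
        // The account cached by the last sign-in. MSAL persists the token cache
        // on the device, so this survives the app being suspended and resumed.
        var account = (await App.GetAccountsAsync(Policy)).FirstOrDefault();
        try
        {
            // Silent path: cached access token, or a refresh-token renewal.
            var silent = await App.AcquireTokenSilent(scopes, account).ExecuteAsync();
            return silent.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token (first run, expired refresh token, policy
            // change): only now show the B2C user flow to the user.
            var interactive = await App.AcquireTokenInteractive(scopes)
                .WithAccount(account)
                .WithParentActivityOrWindow(parentWindow)
                .ExecuteAsync();
            return interactive.AccessToken;
        }
    }
}
```

The access token returned here carries the API scope, so it is the one to send as a Bearer token to the shared backend; a token minted for the web app's client id would be rejected by the API.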

Accessing Microsoft Graph from C# Web API

I have a following application architecture:
Angular 5 client
C# Web API protected by Azure tokens
The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.
But then, I would like the API layer (server-side) to fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/). I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches give me an insufficient privileges error from the MS Graph side.
What am I doing wrong?
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
Click Settings
Go to Required permissions
Click Add
Click Select an API
Select Microsoft Graph and click Select
Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph
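The two attempts in the question map onto two distinct token flows, and each needs a different permission type from the steps above. The following is an added example in MSAL.NET (not code from the question or the linked article); TENANT_ID, API_CLIENT_ID and API_CLIENT_SECRET are placeholders for the Web API's own app registration.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphAccess
{
    static readonly IConfidentialClientApplication App =
        ConfidentialClientApplicationBuilder.Create("API_CLIENT_ID")      // placeholder
            .WithClientSecret("API_CLIENT_SECRET")   // placeholder; load from a secret store, never from source
            .WithAuthority(AzureCloudInstance.AzurePublic, "TENANT_ID")   // placeholder
            .Build();

    static readonly HttpClient Http = new HttpClient();

    // (1) On-behalf-of: the token the Angular client sent has audience = this API,
    // so Graph rejects it as-is. Exchange it for a Graph token instead. Needs
    // DELEGATED Graph permissions (e.g. User.Read) on the API registration;
    // /me works because a signed-in user is carried through.
    public static async Task<string> GetMeOnBehalfOfUserAsync(string incomingApiToken)
    {
        var result = await App
            .AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/User.Read" },
                                    new UserAssertion(incomingApiToken))
            .ExecuteAsync();
        return await GetAsync("https://graph.microsoft.com/v1.0/me", result.AccessToken);
    }

    // (2) Client credentials with the app secret: the API acts as itself. Needs
    // APPLICATION Graph permissions (e.g. User.Read.All) with admin consent
    // granted (the "Grant permissions" button). There is no signed-in user, so
    // /me is not valid here; address the user explicitly under /users/.
    public static async Task<string> GetUserAsApplicationAsync(string userIdOrUpn)
    {
        var result = await App
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();
        return await GetAsync($"https://graph.microsoft.com/v1.0/users/{userIdOrUpn}",
                              result.AccessToken);
    }

    static async Task<string> GetAsync(string url, string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();   // a 401/403 here means the permission/consent step is missing
        return await response.Content.ReadAsStringAsync();
    }
}
```

Prefer the on-behalf-of path when the request is about the calling user; application permissions such as User.Read.All grant the API read access to every user in the tenant, which is far more than a "Me" request needs.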
