Is it possible to add customization claim in Client Credential Flow? - azure

I'm working on the Client Credential Flow to authenticate two applications, but I want to add some information to the access token. Can we customize claims and include them in the access token?

I tried to reproduce the same in my environment to create the custom claim in Azure AD.
Please follow the below steps to get the access token.
You can get the Object ID of the Service Principal like below:
Azure Portal>Azure Active Directory>Enterprise Application>Select your application
(https://i.imgur.com/gmfUAmg.png)
Change the value in the manifest like below:
(https://i.imgur.com/sJvFNT4.png)
Create the policy using PowerShell like below:
$Policy = New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"customvalue","JwtClaimType":"customclaim"}]}}') -DisplayName "Demo123" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -RefObjectId $Policy.Id -Id '<Service Principal ID>'
(https://i.imgur.com/x3Sb6ON.png)
Generate the code and copy the code to generate the token via Postman:
https://login.microsoftonline.com/Tenant ID/v2.0/authorize?
&client_id=Client ID&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
(https://i.imgur.com/0z2JLSz.png)
Kindly change the value in Postman to generate the Token
(https://i.imgur.com/PGMyUqA.png)
Copy the Access token value without quotes from Postman:
(https://i.imgur.com/ttYp6XW.png)
Decode the same access token value in jwt.ms
(https://i.imgur.com/J2TF0sB.png)

Related

Microsoft Azure - Assigning Microsoft Graph permissions to a regular user doesn't work

I understand the process of assigning Microsoft Graph permissions to a service principal. I can take the object id of the Microsoft Graph app, then use the https://graph.microsoft.com/v1.0/servicePrincipals/<id>/appRoleAssignedTo MSGraph endpoint, like described here.
My question is: can I do the same with a regular user? That is, when calling appRoleAssignedTo, specify the object id of a user in the principalId field. Can a regular user have application permissions (like MSGraph permissions), and how do I use them afterwards?
I tried to do the above and assign the RoleManagement.ReadWrite.Directory to a user. Then I logged in with az login and ran az account get-access-token --resource-type ms-graph.
With this token I tried to do an operation that requires the RoleManagement.ReadWrite.Directory permission, like assigning a role to another user, but it fails with "Insufficient privileges to complete the operation."
Users can request the scope they need when using Connect-MgGraph, for example:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
This is the recommended approach, as it means that for that session they will only have access to the scopes that are necessary rather than any they've previously requested.
I tried to reproduce the same in my environment and got the same error as below:
Note that: Microsoft Graph API permissions can be assigned only to Service principals not users directly.
When I tried to Connect-MgGraph as a normal user, I got the error like below:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
I created an Azure AD Application and granted API permission as below:
I generated access token by using below parameters:
POST https://login.microsoftonline.com/1810a95e-99f3-46e0-84e8-8a2aee05d830/oauth2/v2.0/token
client_id:ClientID
client_secret:*****
scope:RoleManagement.ReadWrite.Directory
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
By using the above access token, I am able to assign directory role to the user successfully as below:
POST https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=88d8e3e3-8f55-4a1e-953a-9b9898b8876b/members/$ref
Content-type: application/json
{
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/UserID"
}
Reference:
Add graph api permission to user account by Harpreet Singh Matharoo
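Two points above are easiest to confirm by looking inside the token: the first answer's ClaimsMappingPolicy should produce a "customclaim" claim, and the Graph permission question turns on whether a permission arrives as an application permission ("roles", client credentials) or a delegated scope ("scp", a signed-in user). The following is an added example, not code from either answer. It decodes the JWT header and claims without verifying the signature (fine for local inspection, which is all jwt.ms does; a resource server must still validate signature, issuer, audience and expiry), and the sample tokens, tenant id, dummy signature and far-future expiry are constructed for the example.

```python
"""Inspect an Azure AD access token: custom claim, roles vs scp, expiry."""
import base64
import json
import time
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Return (header, claims) of a compact JWT. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def has_custom_claim(claims: dict, name: str) -> bool:
    return name in claims


def permission_source(claims: dict, permission: str) -> Optional[str]:
    """'roles' if granted as an application permission, 'scp' if delegated, else None."""
    if permission in claims.get("roles", []):
        return "roles"
    if permission in claims.get("scp", "").split():
        return "scp"
    return None


def is_expired(claims: dict, now: Optional[int] = None, skew: int = 300) -> bool:
    """Expired once 'exp' plus an allowed clock skew (seconds) is in the past."""
    now = int(time.time()) if now is None else now
    return claims.get("exp", 0) + skew < now


def make_sample_token(claims: dict) -> str:
    """Constructed sample token for this example; the signature is a dummy."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


# Constructed: what a client-credentials token with the policy applied could carry.
SAMPLE_APP_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "exp": 4102444800,  # 2100-01-01, so the sample stays valid
    "roles": ["RoleManagement.ReadWrite.Directory"],
    "customclaim": "customvalue",
})

# Constructed: a delegated user token; the permission is absent from both roles and scp.
SAMPLE_USER_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "exp": 4102444800,
    "scp": "User.Read Directory.Read.All",
    "upn": "user@example.com",
})


def inspect(token: str, custom_claim: str, permission: str) -> dict:
    header, claims = decode_jwt(token)
    return {
        "alg": header.get("alg"),
        "custom_claim_present": has_custom_claim(claims, custom_claim),
        "permission_source": permission_source(claims, permission),
        "expired": is_expired(claims),
    }


if __name__ == "__main__":
    for label, tok in (("app", SAMPLE_APP_TOKEN), ("user", SAMPLE_USER_TOKEN)):
        print(label, inspect(tok, "customclaim", "RoleManagement.ReadWrite.Directory"))
```

Paste a real token from Postman in place of the constructed samples to see whether the claims mapping took effect and which of "roles" or "scp" the permission you need actually lives in; a permission missing from both is exactly the "Insufficient privileges" case.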

Setting Token lifetime in Azure ADB2C

We are using Azure AD B2C with grant type client credentials. We are sharing the client id and secret with customers to consume our APIs. We don't have any user flow created as it is not required.
Is there any way we can change the token lifetime to 15 min (default is 60 min)?
Based on your description, I understand that you are using AAD client credentials flow because B2C doesn't support client credentials flow.
If so, your customer doesn't use the B2C feature.
You can configure token lifetime policies for your AAD feature.
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:15:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

Delete Device using rest API of Azure device provisioning service?

What is the format of the url needed to delete an already registered device in azure IoT hub using device provisioning service...
I read this article but it throws a 404:
https://learn.microsoft.com/en-us/rest/api/iot-dps/deletedeviceregistrationstate/deletedeviceregistrationstate
In the request header I added the If-Match tag, but do I need to add an Authorization tag with the SaS token, and if I do, will the SaS token be the one I used for registering the device using the Device Provisioning Service?
"if I need the SaS token will be the one which I used for registering device using Device Provisioning Service"
There are some steps that you need to follow to generate the access_token that will be used in the Authorization header of the request.
Prerequisites:
Install Python 2.7+
Install Azure CLI 2.0+
Login to CLI
Below are the steps:
Login with Azure CLI
az login
Set Active Subscription
az account set --subscription "your subscription name or id"
Create Service Principal
az ad sp create-for-rbac -n "your service principal name. Can be like 'jongpostman7'"
The output of the above command will be something like the image below.
Copy this output to a temp location; you will need the values in a minute.
Coming to the Postman request now. You need to first call the AAD Token request whose response will provide you with the access_token. This access token you can use in the DPS delete device request. The AAD request will be like below:-
POST https://login.microsoftonline.com/{{tenantId}}/oauth2/token
Refer image below for the request body.
grant_type is client_credentials
client_id is the appId received in above command output
client_secret is the password received in above command output
tenant_id is the tenant received in above command output
resource is https://management.azure.com/
The response of above request will be like below:-
Now, you have the access_token that can be used in the DPS delete device REST API.
The Authorization header will be like below:
Authorization: Bearer <access_token_received_above>
Reference link here.

Azure Get Authorization Bearer Token API

I'm just wondering: in this article https://learn.microsoft.com/en-us/rest/api/resources/tenants/list
there's a "Try it" button; once you click it, it will list all your tenants or directories.
Then once you select any of the directories it will give you a bearer token.
The question is, is there a way to get a bearer token through an API? Or get a bearer token that depends on the selected tenant? Thanks!
With the token returned by that site, I'm passing it to this API https://app.vssps.visualstudio.com/_apis/accounts to get all my organizations based on the selected tenant.
If you want to work with the command in PowerShell, the Get-AzAccessToken cmdlet can fetch a token for you.
I tested the following script in PowerShell on Azure Cloud Shell:
$token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization","Bearer $token")
$url = "https://management.azure.com/tenants?api-version=2020-01-01"
# Send the request
Invoke-RestMethod $url -Method 'Get' -Headers $headers
You can get the access token (Bearer) via the API below. Please refer to the link.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
Normally, if you need to access any Azure resource, you have to create an AAD app in that tenant in order to get the token. But in your case, you have to get all tenant details via the REST API. So you can create the AAD app in one of your tenants.

Error accessing an Azure Active Directory secured resource

I need to access a Web API which is secured via Azure Active Directory. I followed this documentation https://msdn.microsoft.com/sv-se/library/azure/dn645542.aspx
The first steps were successful, but at the end I can't access the required resource.
What I did:
First I call this link
https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/authorize?response_type=code&client_id=3eec...32e5
and get redirected to the login portal.
After successful login I extract the code from redirected URL, which is something like this
https://localhost:8080/?code=AAABAAAAiL9Kn2Z27........RdzFpearqiAA
Then I use this code to acquire an access token. The first problem is here. According to the documentation (link above) the resource is optional. But it doesn't work if I omit the resource (error=Resource identifier is not provided.), so I have to provide it. Secondly, if I put the APP ID URI of my application registered in Azure AD in the resource parameter, I get another error (The client '3eec...32e5' and resource 'myapp.azurewebsites.net' identify the same application.). Therefore I put graph.windows.net in the resource parameter.
curl -s -X POST https://login.microsoftonline.com/akeliusdev.onmicrosoft.com/oauth2/token \
  -d grant_type=authorization_code -d client_id=3eec...32e5 \
  -d client_secret=F%2BfpjpR............Wi8%3D \
  -d code=AAABAAAAiL9Kn2Z27........RdzFpearqiAA -d resource=https://graph.windows.net
This way I could get an access token. But then I am not able to access the resource using the access token. I did it this way:
curl https://myapp.azurewebsites.net/data \
  --header "Authorization:eyJ0eXAiOiJKV1QiLCJhbGciOiJ.............4WYr6xn"
Could someone help me on this issue?
Thanks.
To do this as a service-to-service call, without user interaction, you can follow Service to Service Calls Using Client Credentials.
You need to create an AAD application and credentials, i.e. a Service Principal.
Then, to get the access token, you make a POST call to
https://login.windows.net/<tenant ID>/oauth2/token
with the following data
grant_type=client_credentials&client_id=$username&client_secret=$password&resource=$resource
Where $username is your HTTP://localhost/whatever identifier
$password is your service principal password
$resource is https://management.core.windows.net/ (this might be graph, try it and see)
The access token will be in the JSON response as 'access_token'
You then add a header of Authorization: Bearer $AccessToken and hopefully you should get access!
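The client-credentials exchange described above, and in the DPS answer earlier on this page, is a single form POST followed by reading access_token out of the JSON reply and sending it back as "Authorization: Bearer <token>". The following is an added example, not the answer's own code. It assumes the v1 /oauth2/token endpoint and the resource parameter the answer uses (the v2.0 endpoint takes scope instead); the tenant, client id, secret and the JSON replies below are constructed placeholders, and only request_token() touches the network.

```python
"""Client-credentials token request, response parsing and Bearer header."""
import json
import urllib.parse
import urllib.request
from typing import Tuple

AAD_AUTHORITY = "https://login.microsoftonline.com"


def build_token_request(tenant: str, client_id: str, client_secret: str,
                        resource: str) -> Tuple[str, bytes]:
    """Return (url, form-encoded body) for the v1 client_credentials grant."""
    url = f"{AAD_AUTHORITY}/{tenant}/oauth2/token"
    # urlencode handles the '+', '/' and '=' that secrets usually contain.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return url, body


def parse_token_response(raw: bytes) -> str:
    """Extract access_token, surfacing AAD's error payload instead of a KeyError."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"]


def bearer_header(access_token: str) -> dict:
    """The scheme prefix is mandatory; a bare token in Authorization is rejected."""
    return {"Authorization": f"Bearer {access_token}"}


def request_token(tenant: str, client_id: str, client_secret: str, resource: str) -> str:
    """Perform the exchange against AAD (network; not exercised by the sample below)."""
    url, body = build_token_request(tenant, client_id, client_secret, resource)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


# Constructed replies, shaped like the v1 endpoint's success and failure bodies.
SAMPLE_OK = b'{"token_type":"Bearer","expires_in":"3599","resource":"https://management.core.windows.net/","access_token":"eyJ0eXAi.example.sig"}'
SAMPLE_ERR = b'{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided."}'


def demo() -> dict:
    url, body = build_token_request(
        "contoso.onmicrosoft.com", "00000000-0000-0000-0000-00000000abcd",
        "s3cret+/=", "https://management.core.windows.net/")
    headers = bearer_header(parse_token_response(SAMPLE_OK))
    return {"url": url, "body": body.decode(), "headers": headers}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    try:
        parse_token_response(SAMPLE_ERR)
    except RuntimeError as exc:
        print("token request failed:", exc)
```

The secret travels only in the POST body, never in the URL, and a failed exchange is reported with AAD's own error code (invalid_client, invalid_resource and so on) rather than falling over on a missing access_token key.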
