Fetching groups/users from Azure application - azure

I'm developing a system where a user can give access for fetching users/groups from his/her Azure account.
I did the following:
Create B2C tenant (Initially tried B2B)
Create enterprise application
Set "AzureADandPersonalMicrosoftAccount" for "signInAudience"
Provide Group.Read.All, User.Read.All, offline_access etc. permissions
Then ask for admin consent using
https://login.microsoftonline.com/common/adminconsent?client_id=xxxx&state=state&redirect_uri=url
After the response at the redirect_uri, I'm using "client_credentials" with the client secret, which returns a token.
Using that token, I'm fetching groups & users for that account using graph API.
Doc:
https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0
Everything is working fine for my account. But if I try with another personal user (which I haven't added as a guest user in my tenant), then it returns an error:
User account is a personal Microsoft account.
Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization
Try signing out and signing back in with an organizational account.
I have tried through another account, which is also in Azure and has a few users in its account.
So Azure doesn't allow fetching users/groups from any account which has users in its Azure account?
Help me to find out if I missed something.
Thanks in advance!

As mentioned in the documentation for both Users and Groups, fetching the list of them is not supported for personal Microsoft accounts.
Hope this helps.
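The consent-then-client_credentials sequence from the question has two places where a practitioner wants a check rather than trust: the redirect back from /common/adminconsent (whose `state` must match the request that started it, and whose `tenant` is the only tenant the app should then request an app-only token from), and the access token itself (whose `roles` claim shows which application permissions the admin actually granted). The following is an added example written for this answer, not code from the question or from Microsoft's documentation; the tenant id, client id, secret and callback URL are constructed placeholders, and `constructed_token` produces an unsigned JWT-shaped string purely so the claim check can be exercised offline.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Application permissions the question grants; in an app-only token they appear in the
# "roles" claim. offline_access is a delegated scope and plays no part in client_credentials.
REQUIRED_ROLES = frozenset({"User.Read.All", "Group.Read.All"})


def new_state():
    """Unguessable per-request state; keep it server-side with the session that started consent."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(client_id, redirect_uri, state):
    """The /common/adminconsent URL from the question, with state bound to the caller's session."""
    query = urlencode({"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"{AUTHORITY}/common/adminconsent?{query}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Validate the redirect back from adminconsent and return the id of the tenant that consented.

    On success the redirect carries tenant=<tenant id>, state and admin_consent=True; on failure
    it carries error and error_description. state is checked first, so a forged callback cannot
    point the app at an attacker-chosen tenant.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this consent request")
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise ValueError(f"admin consent failed: {qs['error'][0]}: {desc}")
    if qs.get("admin_consent", [""])[0].lower() != "true":
        raise ValueError("callback lacks admin_consent=True")
    return qs["tenant"][0]


def client_credentials_request(tenant_id, client_id, client_secret):
    """(url, form body) for the v2.0 client_credentials grant.

    There is no user sign-in to resolve the tenant from, so the request goes to the endpoint
    of the tenant returned in the consent callback, not to /common.
    """
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_token(claims):
    """Unsigned JWT-shaped string from a claims dict. Constructed for offline demonstration only;
    it is not a real token and carries no signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def missing_roles(access_token, expected_tenant, required=REQUIRED_ROLES):
    """App roles that consent did not grant (sorted), or raise if the token is for another tenant.

    The payload is read without signature verification on purpose: the token's audience is
    Microsoft Graph, which validates it. This is a fail-fast check so a token lacking
    Group.Read.All is noticed before Graph answers the first /groups call with 403.
    """
    claims = json.loads(_b64url_decode(access_token.split(".")[1]))
    if claims.get("tid") != expected_tenant:
        raise ValueError("token tid does not match the tenant that consented")
    return sorted(required - set(claims.get("roles", [])))


if __name__ == "__main__":
    # Constructed walk-through: a consent callback for a made-up tenant, then a token that only
    # received User.Read.All, which the check reports as missing Group.Read.All.
    tenant = parse_admin_consent_callback(
        "https://app.example.test/callback?admin_consent=True"
        "&tenant=11111111-2222-3333-4444-555555555555&state=s1", "s1")
    print(client_credentials_request(tenant, "client-id", "client-secret")[0])
    print(missing_roles(constructed_token({"tid": tenant, "roles": ["User.Read.All"]}), tenant))
```

Once the token passes `missing_roles`, the Graph calls from the question (`/users`, `/groups`) are made with it as a Bearer token; a token from a tenant that is not an Azure AD organization will never reach that point, because a personal account cannot complete the admin consent redirect in the first place.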

Related

Does Resource Owner Password Credentials (ROPC) work with "ad hoc" users?

I'm trying to wrap my head around the limitations of the ROPC authentication flow.
If I set up an Azure app, can I then sign in any user that has an Office 365 account using the ROPC flow, or do I need to add the user to my Azure app first?
In this documentation, Microsoft says that
ROPC supports local accounts only. Users can’t sign in with federated identity providers like Microsoft, Google+, Twitter, AD-FS, or Facebook.
I'm not sure what they mean by "local accounts"? Is that an account that has already been added as a user to my Azure app?
A local account is an account that was originally created in that AAD tenant.
Any invited guest user does not count.
I have heard of ROPC sometimes working with AD users who have been synced (which are technically not local users), though that depended on the setup.

Lost access to application when user was deleted

We deleted an "unused" user in our Azure AD, deleting both the MS account and removing him from the AD. Now, a few days into the 60-day deletion process (of the MS account), we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is nowhere to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue, but the user is a global admin again:
Additional information from the call to get a token: Extension: Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25 14:44:18Z
We've also tried logging in with multiple other global admins, but no one can access that page or find the application using the id it has. Is there something to be done, maybe using PowerShell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made to the Azure portal app registration experience:
In the new experience, if your personal Microsoft account is also in an Azure AD tenant, you will see three tabs: all applications in the tenant, owned applications in the tenant, as well as applications from your personal account. So, if you believe that apps registered with your personal Microsoft account are missing, check the Applications from your personal account tab.
When you sign in using personal Microsoft accounts (e.g. Outlook, Live, Xbox, etc.) with an Azure AD email address, we found out that when you go to the Azure portal from the old experience, it signs you into a different account with the same email in your Azure AD tenant. If you still believe your applications are missing, sign out and sign in with the right account.
The new app list shows applications that were registered through the legacy app registrations experience in the Azure portal (apps that sign in Azure AD accounts only) as well as apps registered through the Application registration portal (apps that sign in both Azure AD and personal Microsoft accounts).
If you know the application ID, you can restore it using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
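The detail that resolved this thread is that a soft-deleted directory object keeps its original object id and therefore its ownership links, while a user re-created with the same name or UPN is a brand-new object that owns nothing. The restore window is 30 days. As an added example for this thread (not code posted by the participants, and using Microsoft Graph's `/directory/deletedItems` endpoints rather than the PowerShell route mentioned above), the following builds the list-and-restore requests and, more usefully, works out from a `deletedItems` response which objects are still restorable and for how long. The sample responses are constructed with made-up ids and names; `NOW_EXAMPLE` is the timestamp from the error message in the question.

```python
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
RESTORE_WINDOW = timedelta(days=30)  # soft-deleted users and app registrations stay restorable this long
# The timestamp in the question's AADSTS50020 message, used as "now" for the worked example.
NOW_EXAMPLE = datetime(2020, 6, 25, 14, 44, 18, tzinfo=timezone.utc)

# Constructed sample responses shaped like GET /directory/deletedItems/microsoft.graph.<type>;
# ids, names and dates are made up and do not come from any real tenant.
SAMPLE_DELETED_USERS = {
    "value": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Former Dev",
         "userPrincipalName": "former.dev@contoso.example", "deletedDateTime": "2020-06-20T10:00:00Z"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "Long Gone",
         "userPrincipalName": "long.gone@contoso.example", "deletedDateTime": "2020-05-01T08:00:00Z"},
    ]
}
SAMPLE_DELETED_APPS = {
    "value": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "displayName": "Legacy Portal App",
         "appId": "cccccccc-0000-0000-0000-000000000001", "deletedDateTime": "2020-06-21T12:00:00Z"},
    ]
}


def list_deleted_request(object_type):
    """(method, url) listing soft-deleted objects of one type: user, group, application, servicePrincipal."""
    return "GET", f"{GRAPH}/directory/deletedItems/microsoft.graph.{object_type}"


def _parse_graph_time(text):
    # Graph returns Zulu timestamps; fromisoformat wants an explicit offset on older Pythons.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def restorable_items(response, now):
    """Objects still inside the restore window as [(object id, displayName, whole days left)], soonest first.

    Anything past the window is gone for good and is left out rather than reported with a negative count.
    """
    out = []
    for item in response["value"]:
        remaining = _parse_graph_time(item["deletedDateTime"]) + RESTORE_WINDOW - now
        if remaining > timedelta(0):
            out.append((item["id"], item.get("displayName"), remaining.days))
    return sorted(out, key=lambda entry: entry[2])


def find_deleted_application(response, app_id):
    """Object id of a soft-deleted app registration whose appId (client id) matches, or None.

    The portal link in the question carries the application (client) id, but restore needs the object id.
    """
    for item in response["value"]:
        if item.get("appId") == app_id:
            return item["id"]
    return None


def restore_request(object_id):
    """(method, url) that restores the object under its original id, so the owner links come back with it."""
    return "POST", f"{GRAPH}/directory/deletedItems/{object_id}/restore"


if __name__ == "__main__":
    # Constructed run: one user still restorable (24 days left), one already purged, one app found by appId.
    print(restorable_items(SAMPLE_DELETED_USERS, NOW_EXAMPLE))
    app_object_id = find_deleted_application(SAMPLE_DELETED_APPS, "cccccccc-0000-0000-0000-000000000001")
    print(restore_request(app_object_id))
```

The caller needs `User.ReadWrite.All` to restore users and `Application.ReadWrite.All` to restore app registrations; restoring the owner first, as the questioner did, brings back the "Applications from personal account" view because the ownership edge still points at the restored object id.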

Make Microsoft-Graph API calls without registering the app

This is NOT a code related question. But a question on auth while accessing Microsoft Graph.
I have a small Node.js program that will access my own files on OneDrive and pull some data from an Excel spreadsheet. This app is just my own, for automating a task. Is it possible for Node.js code to access Microsoft Graph APIs without having to register this app and get admin approval?
I have a work account. My admin would not approve an app that is not going to help my organization.
It depends on what kind of account you have.
If your account is a work/school account, which is managed by your organization, you must register the application/create a servicePrincipal in your organization's tenant to call the Microsoft Graph API, because all company data, including your account data, is managed by your organization, not by yourself.
If your account is a personal account (Microsoft Live account), you can use the Microsoft app registration portal for the personal identity platform: https://apps.dev.microsoft.com/. It's managed by your own personal account.

Can't create an AD account because the directory is federated (AADB2B_0001)

We're trying to invite users (including those from different ADs) to ours in order to give them access to our enterprise app. We are using the AD to manage the app's users and permissions.
We send them an email to join our AD as a guest user.
However, when they already have an Azure AD account connected to a local AD (that's federated), we don't have permission to create an account on our side.
There are a few articles on this problem, including (resending invites till it works, asking them to add our organization as trusted, and creating our own account for them):
https://techcommunity.microsoft.com/t5/Microsoft-Teams/Invitation-redemption-failed-AADB2B-0001/td-p/292175
http://answers.flyppdevportal.com/MVC/Post/Thread/d9c92fea-a554-4c7a-91af-30016aa35111?category=windowsazuread
Our objective is to use their AD sign in for our apps as well. Is there an easy way, such as copying their AD profile or sending them a link that they have to simply click "Yes" without having to do much IT work on their side? Thank you!
Here's an example from a different post:
They have a local AD and an Azure AD set up, but the specific user I was trying to invite doesn't have an account in their Azure AD.
We can't create an Azure AD account for them.
They have to give the user an Azure AD account.

Pre-register users with Azure AD B2C

I would like to pre-register a limited number of users which can use my application.
These are the requirements:
Users should be able to reset their password on their own
No other users than the preregistered users can sign up
Ideally, the user can choose the login email address himself (no @app.onmicrosoft.com login).
Now I'm having trouble having all requirements fulfilled together.
I was able to pre-register @app.onmicrosoft.com users in the Azure Portal. But since the user can't get emails at @app.onmicrosoft.com, a password-reset policy would not make sense. I tried to specify an alternate email and a phone number in the user profile, but unfortunately the password-reset policy is not using them for verification.
Let's say I create a sign-up policy: this is nice, the user chooses his own email. Password resetting would also work. However, I can't control who is signing up and getting valid access tokens. In the portal, under Enterprise Applications, I found my registered application (All Applications) where I can set an option "User assignment required?" to true. But this does not seem to work in the B2C context, right? I expected that until I assign a user to this application, the user would not get a token on sign-in, but this wasn't the case. Here I found a similar question about creating users. Any advice on creating users including passwords etc. using Microsoft Graph (since it's recommended to use it over the Graph API)?
I also tried to invite users as guests. They have to create a microsoft account, resetting passwords would be solved through microsoft, but unfortunately, no redirect to microsoft login happens after entering the microsoft account email address.
Deleting the signup policy after initial registration is a bad option if more users have to be onboarded.
Ideally, I would like to preregister users as if they signed up by their own - but with no signup policy.
Any advice? What do I miss?
You can implement the activation/invitation scenario that is described here and implemented here.
This scenario activates/invites a new user by creating/pre-registering a local account in the Azure AD B2C directory through the Azure AD Graph and then sending a signed redemption link to the email address for this local account.
This redemption link directs the new user to the Password Reset policy.
Currently creating users in a B2C tenant with a "local account" is not supported in Microsoft Graph. For this you'll need to use Azure AD Graph for now (see creating a user with a local account). Please see this blog post for details and line item 12 in the table.
We hope to add this capability as soon as we can to Microsoft Graph.
Hope this helps,
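The activation/invitation pattern in this answer has three parts: create the local account through Azure AD Graph, mail a redemption link that only the invitee can use, and land the invitee on the password reset policy so they choose their own password. The security of the whole scheme rests on the redemption link, so it has to be unforgeable and time-limited, and the initial password on the account has to be something nobody knows. The following is an added example written for this thread, not the linked sample's code or anything posted by the participants: the link is signed with HMAC-SHA256 under a key held by the inviting app (my own construction, not necessarily how the referenced sample does it), the tenant name `app.onmicrosoft.com` is taken from the question's example addresses, and the policy name `B2C_1_password_reset`, the client id and the redirect URI are assumed placeholders.

```python
import base64
import binascii
import hmac
import json
import secrets
from hashlib import sha256
from urllib.parse import urlencode

B2C_TENANT = "app.onmicrosoft.com"   # assumed: the tenant name used in the question's example logins
INVITE_TTL_SECONDS = 24 * 60 * 60    # a redemption link is good for one day


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def local_account_payload(email, display_name):
    """Azure AD Graph user object for a B2C local account that signs in with the invitee's own email.

    The initial password is random and never sent anywhere: the invitee sets a real one through
    the password reset policy, so the only secret that matters is the signed redemption link.
    """
    return {
        "accountEnabled": True,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "signInNames": [{"type": "emailAddress", "value": email}],
        "passwordProfile": {
            "password": secrets.token_urlsafe(24),
            "forceChangePasswordNextLogin": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }


def create_invitation(email, key, now):
    """Signed, time-limited redemption token: base64url(claims).base64url(HMAC-SHA256(key, claims))."""
    claims = json.dumps({"email": email, "exp": now + INVITE_TTL_SECONDS}, separators=(",", ":")).encode()
    return f"{_b64url(claims)}.{_b64url(hmac.new(key, claims, sha256).digest())}"


def redeem_invitation(token, key, now):
    """Return the invited email if the token is authentic and unexpired; raise ValueError otherwise.

    The signature is checked (in constant time) before any claim is interpreted, so a tampered
    or fabricated token never reaches the JSON parser or the expiry logic.
    """
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed invitation")
    try:
        claims, sig = _unb64url(parts[0]), _unb64url(parts[1])
    except (binascii.Error, ValueError):
        raise ValueError("malformed invitation")
    if not hmac.compare_digest(hmac.new(key, claims, sha256).digest(), sig):
        raise ValueError("invitation signature invalid")
    data = json.loads(claims)
    if now > data["exp"]:
        raise ValueError("invitation expired")
    return data["email"]


def password_reset_authorize_url(email, client_id, redirect_uri, policy="B2C_1_password_reset", tenant=B2C_TENANT):
    """Where the redemption handler sends a verified invitee: the password reset policy, with the
    email pre-filled via login_hint so the invitee only has to prove control of that mailbox."""
    short = tenant.split(".")[0]
    query = urlencode({
        "p": policy,
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "response_mode": "form_post",
        "nonce": secrets.token_urlsafe(16),
        "login_hint": email,
    })
    return f"https://{short}.b2clogin.com/{tenant}/oauth2/v2.0/authorize?{query}"


if __name__ == "__main__":
    # Constructed run: invite alice, redeem within the TTL, show where she is sent next.
    key = secrets.token_bytes(32)
    token = create_invitation("alice@example.test", key, 1_600_000_000)
    who = redeem_invitation(token, key, 1_600_000_600)
    print(who, password_reset_authorize_url(who, "00000000-0000-0000-0000-000000000000", "https://app.example.test/auth"))
```

The redemption endpoint is what closes the "anyone can sign up" gap: no sign-up policy is exposed, only pre-created local accounts exist, and the reset policy will only let someone through who both holds a valid link and can receive mail at the address on that account.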