Include the EmployeeID as claims in tokens in Azure AD - azure

I need to add the employeeid as claim notification in token, I used the tutorial of this link:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#include-the-employeeid-and-tenantcountry-as-claims-in-tokens
I did all steps, but my token is not returning the employeeid:
I did this configuration with graph api, where I create the policy and bind it with the service principal:
If I check this configuration, it seems to be correct:
I have followed all the steps correctly, and I can't include the employeeid in the token, what is happening? thanks.

Assuming this is an access token you are requesting, you could check two things:1.The claims mapping policy should be attached to the resource (api) service principal/application id for which you are requesting the access token 2. You need to update the application manifest as mentioned towards the end of the document you shared.

I tried to reproduce in my environment getting the employeeid successfully
Make sure you have choose your Application object ID
For your Reference :
https://s4erka.wordpress.com/2020/08/06/azuread-claim-mapping-policy/

Related

Customize token in Azure AD

I am trying to customize id token in Azure AD ..
I did the following steps :
1-Registered Azure AD application
2-Post extension:
https ://graph.microsoft.com/v1.0/applications/Object ID/extensionProperties
Payload : {"name":"test","dataType":"string","targetObjects":["User"]}
3-Create claim Mapping Policy
https ://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Payload
{"definition":[{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ExtensionID":"extension_Application (client)ID_test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true}
4-Post service principal
https: // graph.microsoft.com/v1.0/servicePrincipals/Object ID of the Managed application /claimsMappingPolicies/$ref
Payload : {"#odata.id":"https: //graph.microsoft.com/v1.0/policies/claimsMappingPolicies/(The policy Id I got from step 4"}
5- I patched a user
https: // graph.microsoft.com/v1.0/users/usreID
{"extension_Application (client)ID_test":"test"}
6- I edited the Mainifest
See Mainifest
6- I tired to get the ID token for the user I patched in step 5
https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token
with headers(client_id,client_secret,scope:https://graph.microsoft.com/.default,usernam,password)
7- I decoded the token , I don't see "test" as part of the token
Not sure what I am missing here to customize the token
Screenshot to show that I am missing token configuration in the blade
Missing token configuration in the blade
Screenshot to show that I can't find permission : Directory.AccessAsUser.All
missing API permission
Once the extension claim setup is done, it can be used to store and retrieve data via graph as extension properties may not passed in id tokens, but can be retrieve by querying the user profile from the Graph. or The application can make use of graph client to pass the extension claims which are not taken from available optional claims from azure ad.
Please make sure to have the Directory.AccessAsUser.All ,Directory.Read.All,openId permissions granted.
Also please check with optional claims set in manifest .
Then check in token configuration, if it is valid claim.
References :
Emitting claims with data from directory schema extension attributes created for an application using Graph
azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot-net-application
Edit:update 13/4/2022
Like you said in comments:
Like the Most obvious difference now ( Token configuration is not
available and api permssion for Directory.AccessAsUser.All is not
there)
I tried to check in which way i cannot be able to see those features in Overview blade of AAD portal.
I had all those features as i was using organizational Azure AD premium 2 licensed tenant.
But when i tried to create another tenant with same account and switched tenant to work on it and created an app registration. App registration blade doesn't have the token configuration and api permissions like Directory.AccessAsUser.All as you mentioned.
Then i realized its license is azure ad free account.
So from my point of view please try to utilize the pay as you go account or which the organization had been subscribed to premium license which would give a better experience .
Also you can check the ongoing issue here
Q&A missing-features-in-my-azure-ad-tenant.
active-directory-optionalclaims-example

SecurityTokenInvalidSignatureException: IDX10511

Looking for some answer. First time using Azure AD for authentication on ASP.Net Core and we have registered the app on azure for both my local and Dev-Server. Its working running on my laptop but after deploying to Dev server and changing the Client ID Value, it keeps giving me this error
*SecurityTokenInvalidSignatureException: IDX10511: Signature validation failed. Keys tried: 'System.Text.StringBuilder'.
kid: 'System.String'.
Exceptions caught:
'System.Text.StringBuilder'.
token: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'.
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(string token, TokenValidationParameters validationParameters)
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()*
Thank you in advance.
Danny
Thank you #User 45323833 posting your suggestion as an answer to help other community members.
" Solution from Microsoft: This problem caused due to your app registration:
May you have defined a scope from Graph API: User.Read User.ReadBasic.All Mail.Read
If a scope will be set from Graph API, the token can just be validated from Graph!
You can see that in jwt.io. If the aud is like "00000003-0000-0000-c000-000000000000" the token is from Graph.
To solve the problem please follow the below steps :
To protect our own custom API, you have to register an application to represent it on Azure AD and obtain an access_token/id_token for it.
Section - Expose an API: Create a new scope: name = access_as_user
Section - API permissions: Add a new permission for your registered application and your scope access_as_user
Section - Manifest: Change entry "accessTokenAcceptedVersion" from null to 2
Check the new token from azure with jwt.io. If the aud is equal the registered application id the token can be successfully validated."
For more information please refer this GitHub issue IDX10511: Signature validation failed. Keys tried: & Microsoft Documentation: Azure AD authentication with ASP.Net core web application

Using Quarkus OpenId Connect and Azure b2c

I'm building a backend-service that provides an API using Quarkus and I need to validate the incoming requests.
By default, quarkus uses keycload, but I want to validate with azure b2c.
At the moment I have the following configs:
quarkus.oidc.auth-server-url=https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}
quarkus.oidc.application.application-type=service
quarkus.http.auth.permission.authenticated.paths=/hello/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.log.category."io.quarkus.oidc".level= DEBUG
And as an example:
#Path("/hello")
public class GreetingResource {
#GET
#Produces(MediaType.TEXT_PLAIN)
#RolesAllowed("test")
public String hello() {
return "Hello RESTEasy";
}
But Quarkus keeps throwing the same error:
OIDC server is not available at the 'https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?p={policy}'
Am I doing something wrong?
Thanks in advance!
Policy name for Azure AD B2C, format is like
quarkus.oidc.auth-server-url=https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize
(or)
quarkus.oidc.auth-server-url=https://<tenant-name>.b2clogin.com/<tenant-id> /<policy-name>/oauth2/v2.0/authorize
The code in your Azure AD B2C-enabled applications and APIs may refer
to login.microsoftonline.com in several places. For example, your code
might have references to user flows and token endpoints. Update the
following to instead reference your-tenant-name.b2clogin.com:
Authorization endpoint
Token endpoint
Token issuer
Please do check this MS docs for more information on the same.
2.
OIDC service application needs to know OpenId Connect provider’s token,
By default they are discovered by adding a /.well-known/openid-configuration path to the configured quarkus.oidc.auth-server-url.
Ex: https://{tenant-name}.b2clogin.com/{tenant-id}/.well-known/openid-configuration?p={policy-name}
By default, the iss claim value is compared to the issuer property which may have been discovered in the well-known provider configuration. But if quarkus.oidc.token.issuer property is set then the iss claim value is compared to it instead.
References:
quarkus/issues
security-openid-connect

Authenticate for Azure REST API without login

I have a backend process that doesn't directly interact with the user. I want to access reservations associated with my Azure account but I'm having trouble with the authentication step. I was following the guide here and I managed to get the authentication request to work by calling
https://login.microsoftonline.com/{tenant-ID}/oauth2/token
as a POST with the following x-www-form-urlencoded body:
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=http://myapp42
However, when I attempt to call:
https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
with the bearer token I received during the authentication step, I get the following error message:
The access token has been obtained for wrong audience or resource 'http://myapp42'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/', 'https://management.core.windows.net', 'https://management.azure.com/', 'https://management.azure.com'
However, if I modify the resource on the request to be one of these, http://management.core.windows.net/ for instance, the authentication then fails with:
AADSTS500011: The resource principal named https%3A%2F%2Fmanagement.core.windows.net%2F was not found in the tenant named {tenant-ID}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b54cedea-3804-41cf-bd27-fcf0ed1c4700\r\nCorrelation ID: 2371d375-6c89-4f05-83c9-c4629b3340a8\r\nTimestamp: 2020-02-05 01:59:57Z
How do I authenticate so that I can then get my reservations without having to login?
Update:
The service principal has both the Owner and Contributor roles assigned.
Update 2:
Thanks to #Jim Xu, I was realized that I needed to refrain from url-encoding the URL. That allowed me to get the access token with a value of https://management.azure.com/ for the resource field. However, at this point, when I attempt to call the REST API with the resulting bearer token, I get the following error:
The client '{Object-ID}' with object id '{Object-ID}' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/reservations/read' over scope '/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}' or the scope is invalid. If access was recently granted, please refresh your credentials
Note: The object ID returned by this error is the one associated with the service principal.
Update 3:
I checked the reservation and it seems that the principal does not have a role in that reservation's access control. However, I also cannot assign the principal a role because it does not show when I search for principals during the role-assigning process.
If you want to call Azure Rest API to get the information of reservation Orders, you need to assign Owner\Contributor for the service principal.(the action needs Microsoft.Capacity/reservationOrders/read permission).
The steps are as below
Get access token
POST : https://login.microsoftonline.com/{tenant-ID}/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=https://management.azure.com/ or https://management.core.windows.net
Call the api
GET : https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
Authorization: Bearer <token>
For more details, please refer to the issue and the issue
update
If you have assigned role but you still cannot get access token, please try to encode your url.

Is there an API to get the tenant ID for a give name?

If i have a tenant name such as "contoso.onmicrosoft.com" can i get the tenantID using an API call?
I have already checked the API for Microsoft.Azure.Management.ResourceGroup
You can simply call https://login.microsoftonline.com/tenantDomain/.well-known/openid-configuration and get the tenant id from there. Just parse the JSON it returns and get the tenant id from it - for example from issuer.
Full info can be found here.
The call doesn't have to be authenticated so it is very simple to call.
You can get the name of the tenant you are logged into by calling
https://management.azure.com/tenants?$skiptoken={skiptoken}&api-version={api-version}
see here for details
This will give you a list of all tenants that you authorized for.
This is actually listed under 'Tenants' rather than resource groups.
Te easiest way to get tenantID is to find it in Azure portal. Please click -> APPLICATION -> VIEW ENDPOINT. like the following screenshot:
If you want to use C# to get the tenant ID from the name. Please try to get the JWT token first (use the user under the "contoso.onmicrosoft.com" to sign in). The JWT token will contain tid. "tid" means tenant id. Refer to this article for more details.
Then we can use the following code to get the tenant id:
var token = new JwtSecurityToken(jwtToken);
var oid = token.Claims.FirstOrDefault(m=>m.Type == "tid").Value;

Resources