I could not connect to Exchange Online; I get the below error while connecting:
Error Acquiring Token:
System.Exception: In the case of a Federated user (that is, owned by a federated IdP, as opposed to a managed user owned in an Azure AD tenant)
ID3242: The security token could not be authenticated or authorized. The user does not exist or has entered the wrong password. InnerException: Federated service
PowerShell Code
$UPN   = '<UPN>'                                                  # user principal name (placeholder)
$Token = ConvertTo-SecureString '<Token>' -AsPlainText -Force     # PSCredential needs a SecureString (placeholder value)
$AppCredential = New-Object System.Management.Automation.PSCredential($UPN, $Token)
Connect-ExchangeOnline -Credential $AppCredential
Reference
https://o365reports.com/2020/07/04/modern-auth-and-unattended-scripts-in-exchange-online-powershell-v2/
The "Connect to Exchange Online using app-only authentication" feature is not available in EXO V2.
Delegation is not possible with app-only authentication. The Secure App Model allows for unattended scripting in delegation scenarios.
Delegation is not supported in this feature.
Note: downgrade your EXO V2 to V1 and then you can use the same scripts to connect to Exchange Online using app-only authentication. But this way is not recommended.
Refer here
I have a need to add/remove/edit Azure B2C users from an Azure PowerShell Function.
I cannot find any way to connect to the MS Graph for the B2C directory without an interactive logon.
I have successfully connected a function to my main AzureAD directory using a Managed Service Identity. However, such cannot be used to access B2C (from what I have researched).
Given that MS Graph requires modern authentication (OAuth tokens) I don't think I can use a simple username/password combo, and tests have shown such to not work from an Azure Function.
I've also tried to use a certificate, but I receive an error with Connect-MgGraph of 'certificate does not have a private key'. I uploaded a *.cer file of my certificate to the app registration that I tied to the Azure Function...but a *.cer file will only contain the public key.
My research on this also shows that certificate-based authentication with Connect-MgGraph only allows for pulling a certificate from the Windows 'user' certificate store, which doesn't exist in an Azure Function (at least from what I have seen).
Locally, I can do what I need in a normal PowerShell window with the B2C directory using Connect-MgGraph -TenantID 'MyB2CTenantNameHere.onmicrosoft.com', and after the interactive logon I can list and manage B2C user accounts.
I also tried getting an access token first using Get-AzAccessToken...but that also doesn't seem to work the way I need.
I tried to get a token specific to my B2C tenant using Get-AzAccessToken -TenantID $IDofMyB2CTenant -ResourceUrl 'https://graph.microsoft.com', which succeeds and allows the graph connection, but it ends up connecting to the AzureAD directory and not to the B2C (even though I provide the B2C identity).
Lastly, it seems that Connect-MgGraph with a combination of -TenantID and -AccessToken is not allowed (errors are thrown stating as much); they are mutually exclusive.
I'm choosing to use the MS Graph because Microsoft has stated that the AzureAD PowerShell modules are out of support and will be disabled soon.
Maybe this just isn't possible from an Azure Function?
Has anyone been able to do this?
Thanks for any suggestions or guidance!
I got myself a bearer token by calling https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with the scope https://{tenantName}.sharepoint.com/.default
It's a token for a registered app in Azure AD.
When I use that token to make an API call like https://infoinnobake.sharepoint.com/_api/search/query?querytext='contentclass:STS_Site contentclass:SP.Webb'&selectproperties='Title,Path'&rowlimit=500
I only receive '401 Unsupported app only token'.
Can someone explain why? Is it possible to access the SharePoint Online API with an app registered in Azure AD?
Follow this guide right here:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
You need to create a certificate and upload the certificate to the registered app. Then you can use the API or the SharePoint client in various programming languages.
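A diagnostic for the 401 above, added here as an example (it is not code from the linked guide or from either answer): it decodes the access token's claims without verifying the signature and reports whether an app-only token was obtained with a client secret or with a certificate, which is the distinction the guide relies on. The tokens, audience and app id below are constructed placeholders.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _make_token(payload: dict) -> str:
    """Build an unsigned JWT with a constructed header and signature (sample only)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join((_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "constructed-signature"))

# Constructed sample tokens: audience and app id are placeholders, not real values.
AUD = "https://contoso.sharepoint.com"
APP = "00000000-0000-0000-0000-000000000001"
SECRET_APP_ONLY = _make_token({"aud": AUD, "appid": APP, "appidacr": "1",
                               "roles": ["Sites.Read.All"], "ver": "1.0"})
CERT_APP_ONLY = _make_token({"aud": AUD, "appid": APP, "appidacr": "2",
                             "roles": ["Sites.Read.All"], "ver": "1.0"})
DELEGATED_V2 = _make_token({"aud": AUD, "azp": APP, "azpacr": "1",
                            "scp": "AllSites.Read", "ver": "2.0"})

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature: inspection only,
    never use this to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def client_auth_method(claims: dict) -> str:
    """How the client authenticated: v1.0 tokens carry appidacr, v2.0 tokens azpacr.
    0 = public client, 1 = client secret, 2 = certificate."""
    acr = claims.get("appidacr", claims.get("azpacr"))
    return {"0": "public-client", "1": "client-secret", "2": "certificate"}.get(acr, "unknown")

def is_app_only(claims: dict) -> bool:
    """App-only tokens carry application roles and no delegated scope (scp)."""
    return "roles" in claims and "scp" not in claims

def explain_sharepoint_401(token: str) -> str:
    """Mirror the requirement from the guide: SharePoint Online accepts Azure AD
    app-only tokens only when the app authenticated with a certificate."""
    claims = decode_claims(token)
    method = client_auth_method(claims)
    if is_app_only(claims) and method != "certificate":
        return f"app-only token obtained with {method}: expect 401 Unsupported app only token"
    kind = "app-only" if is_app_only(claims) else "delegated"
    return f"{kind} token via {method}: accepted"
```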
We had a similar issue (with a slightly different error message: 'Token type is not allowed') when using app-only, ClientID/ClientSecret based authentication in a tenant that was recently created. In our old tenant (created in 2013) we could use the same authentication method without any problem. As it turned out, new tenants have a default setting in the DisableCustomAppAuthentication property that disables this kind of auth; however, it can be overridden using this command:
Set-SPOTenant -DisableCustomAppAuthentication $false
Source:
https://sharepoint.stackexchange.com/questions/284402/sharepoint-online-authorization-issue-token-type-is-not-allowed
https://sharepoint.stackexchange.com/questions/286693/getting-invalid-request-token-type-is-not-allowed-error-while-accessing-lists
Furthermore:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), has been retired on November 7, 2018. This retirement does not impact the SharePoint Add-in model, which uses the https://accounts.accesscontrol.windows.net hostname (which is not impacted by this retirement). For more information, see Impact of Azure Access Control retirement for SharePoint Add-ins. For new tenants, apps using an ACS app-only access token is disabled by default. We recommend using the Azure AD app-only model which is modern and more secure. But you can change the behavior by running 'set-spotenant -DisableCustomAppAuthentication $false' (needs the latest SharePoint admin PowerShell).
More details:
https://www.koskila.net/literally-breaking-changes-to-app-authentication-on-sharepoint-%F0%9F%98%B5
We would like our customers to be able to authenticate using either personal or work accounts. We have set up a separate AD in Azure to which customers are invited, which should grant them access to our application.
In the ASP.NET Core application https://login.microsoftonline.com/{myTenantID}/v2.0 is used as authentication endpoint. A client id and secret from an application registered in the preview app registration through the portal is provided with the request. Authenticating our work accounts works smoothly, but when attempting to authenticate most personal accounts an error message is returned: An error was encountered while handling the remote login. AADSTS50020: MSA guest token redemption attempt on v2 common endpoint.
Should it not be possible to authenticate an MSA using a tenant-specific endpoint (only /common)?
Similar problem: Azure AD B2B Authentication error for users with custom domains - AADSTS65005: Using application 'My Application' is currently not supported
Also, this comment points out that authenticating MSAs in multi-tenant apps will not work; however, ours should be single-tenant:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims/issues/10#issuecomment-145125080
You need to use the common endpoint if you are targeting both B2C and B2B using the v2 endpoint, for both work and personal emails, to be able to call Azure AD protected endpoints.
I've a silly doubt related to Azure AD authentication and Office 365 provider-hosted app/add-in authentication. There are mainly two authentication ways for Azure AD resource access:
Authorization Grant flow ( user based /delegated permission )
Client Credential flow (app-only /admin consent)
Which of the above is used by a provider-hosted add-in for authorization/authentication?
If none of the above, then what kind of flow does it use to authorize/authenticate users against Azure AD?
Under the permission section of a provider-hosted add-in, there is a check box for app-only. Is it the same as the client credential flow's app-only, or is it related to the Azure AD app-only grant flow in any other way?
I am configuring a POC for SharePoint with authentication to a third-party account provider and running into several issues, following the documentation provided by Microsoft at http://technet.microsoft.com/en-us/library/cc731443(v=ws.10).aspx. Most of the documentation which I have seen is for ADFS 2.0 RTW.
The issue is that when I am trying to access the SharePoint site, I get redirected to the account provider ADFS site with an NTLM prompt pop-up. Once I enter my credentials I get the following error:
The token request for application with URL "https://spadfsweb.spdev.com/_layouts/Authenticate.aspx?Source=/" cannot be fulfilled because the URL does not identify any known trusting application.
Here is my setup
ADFS account provider (ADFS Role and DC are in separate machines)
Windows 2008 R2
ADFS role added
Has the following parameters for the ADFS
token signing certificate "sts.adfsaccount.spaccount.com"
Federation Service URI
urn:federation:accountprovider
Federation service endpoint url
https://sts.adfsaccount.spaccount.com/adfs/ls/
Exported the token signing certificate and imported that in resource partner ADFS
ADFS Resource Partner (ADFS role and DC are in separate machines)
Windows 2008 R2
ADFS role added
Has the following parameters for the ADFS
Token signing certificate "sts.staging.spresource.com"
Federation Service URI
urn:federation:resourceprovider
Federation service endpoint url
https://sts.staging.spresource.com/adfs/ls/
Has the following trusted application which is sharepoint
https://spadfsweb.spdev.com/_trust/; I have tried all sorts of combinations like below
https://spadfsweb.spdev.com
https://spadfsweb.spdev.com/_layouts
Exported the token signing certificate and imported that into account partner ADFS
And below are the steps for how I have configured the SharePoint site:
# Import the account partner's exported token-signing certificate (public key only)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Data\Certs\stsadfsaccount_exporttokensign.cer")
New-SPTrustedRootAuthority -Name "Account Token Signing Cert" -Certificate $cert
# Map the incoming e-mail and role claims unchanged
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# Register the trusted identity token issuer; the e-mail address claim identifies the user
$ap = New-SPTrustedIdentityTokenIssuer -Name "Staging Provider" -Description "User account domain from adfs to provide authentication" -Realm "urn:federation:resourceprovider" -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://sts.adfsaccount.spaccount.com/adfs/ls/" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
---SharePoint has the URI of the resource provider, the signing certificate of the account partner and the ADFS URL of the account partner
Please let me know if I am doing something wrong.
Thanks
Deepak
You seem to suggest you're using ADFS 1.0. And indeed, if you followed http://technet.microsoft.com/en-us/library/cc731443%28v=ws.10%29.aspx as you say, then you've configured ADFS 1.0, as opposed to the successor AD FS 2.0. In my opinion any new deployment should be using AD FS 2.0.
Your error message is described on the ADFS 1.0 troubleshooting page; quoting:
Condition: server error
Error: The token request for application with URL https://... cannot be fulfilled because the URL does not identify any known trusting application
Solution: This error is returned by the resource Federation Service when the application URL does not identify any known application. Make sure that the application has been added to the trust policy for the Federation Service. For more information about how to do this, see Complete the Add Applications Wizard.
For a claims-aware application, verify that the return URL is typed correctly in the application's web.config file and that it matches the application URL that is specified in the trust policy of the Federation Service.
For a Windows NT token-based application, verify that the return URL is typed correctly on the ADFS Web Agent tab of IIS and that it matches the application URL in the trust policy of the Federation Service.
Also, in case you don't know already, for ADFS 1.0 Microsoft created the ADFS Diagnostic Tool; see this blog post to download it. This tool might prove useful in tracking down this specific problem.
Hope this helps...