I am trying to customize id token in Azure AD ..
I did the following steps :
1-Registered Azure AD application
2-Post extension:
https ://graph.microsoft.com/v1.0/applications/Object ID/extensionProperties
Payload : {"name":"test","dataType":"string","targetObjects":["User"]}
3-Create claim Mapping Policy
https ://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Payload
{"definition":[{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ExtensionID":"extension_Application (client)ID_test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true}
4-Post service principal
https: // graph.microsoft.com/v1.0/servicePrincipals/Object ID of the Managed application /claimsMappingPolicies/$ref
Payload : {"#odata.id":"https: //graph.microsoft.com/v1.0/policies/claimsMappingPolicies/(The policy Id I got from step 4"}
5- I patched a user
https: // graph.microsoft.com/v1.0/users/usreID
{"extension_Application (client)ID_test":"test"}
6- I edited the Mainifest
See Mainifest
6- I tired to get the ID token for the user I patched in step 5
https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token
with headers(client_id,client_secret,scope:https://graph.microsoft.com/.default,usernam,password)
7- I decoded the token , I don't see "test" as part of the token
Not sure what I am missing here to customize the token
Screenshot to show that I am missing token configuration in the blade
Missing token configuration in the blade
Screenshot to show that I can't find permission : Directory.AccessAsUser.All
missing API permission
Once the extension claim setup is done, it can be used to store and retrieve data via graph as extension properties may not passed in id tokens, but can be retrieve by querying the user profile from the Graph. or The application can make use of graph client to pass the extension claims which are not taken from available optional claims from azure ad.
Please make sure to have the Directory.AccessAsUser.All ,Directory.Read.All,openId permissions granted.
Also please check with optional claims set in manifest .
Then check in token configuration, if it is valid claim.
References :
Emitting claims with data from directory schema extension attributes created for an application using Graph
azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot-net-application
Edit:update 13/4/2022
Like you said in comments:
Like the Most obvious difference now ( Token configuration is not
available and api permssion for Directory.AccessAsUser.All is not
there)
I tried to check in which way i cannot be able to see those features in Overview blade of AAD portal.
I had all those features as i was using organizational Azure AD premium 2 licensed tenant.
But when i tried to create another tenant with same account and switched tenant to work on it and created an app registration. App registration blade doesn't have the token configuration and api permissions like Directory.AccessAsUser.All as you mentioned.
Then i realized its license is azure ad free account.
So from my point of view please try to utilize the pay as you go account or which the organization had been subscribed to premium license which would give a better experience .
Also you can check the ongoing issue here
Q&A missing-features-in-my-azure-ad-tenant.
active-directory-optionalclaims-example
Related
I need to add the employeeid as claim notification in token, I used the tutorial of this link:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#include-the-employeeid-and-tenantcountry-as-claims-in-tokens
I did all steps, but my token is not returning the employeeid:
I did this configuration with graph api, where I create the policy and bind it with the service principal:
If I check this configuration, it seems to be correct:
I have followed all the steps correctly, and I can't include the employeeid in the token, what is happening? thanks.
Assuming this is an access token you are requesting, you could check two things:1.The claims mapping policy should be attached to the resource (api) service principal/application id for which you are requesting the access token 2. You need to update the application manifest as mentioned towards the end of the document you shared.
I tried to reproduce in my environment getting the employeeid successfully
Make sure you have choose your Application object ID
For your Reference :
https://s4erka.wordpress.com/2020/08/06/azuread-claim-mapping-policy/
I am trying to use the following git repo in order to connect to azure ams, upload a video and stream it:
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts
For some reason I am keep getting the following error:
The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials
The AD user is owner but I understand it is a permission issue.
I searched all over the web for hours what permission do I need to grant and where but could not find any solution
The error get thrown here:
let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
name: encodingTransformName,
outputs: [
{
preset: adaptiveStreamingTransform
}
]
});
of course, I have updated the .env file to the correct data of my azure account.
Can anyone point out what am I missing and how to grant this permission?
Thanks!
The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.
Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.
AADCLIENTID="00000000-0000-0000-0000-000000000000"
AADSECRET="00000000-0000-0000-0000-000000000000"
Also, double check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has Contributor or Owner permission Role first.
If you are in an Enterprise that locks down AAD access - you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside of Media Services, and is just general Azure AAD application creation rights, and role assignments.
If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permisssion to your service principal.
As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 Javascript SDK.
See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1
I'm building a CLI app for provisioning Azure resources. Previously I was using the authorization code flow with the resource set to https://management.azure.com/. Now, I would like to switch to using the RFC 8628 device authorization grant type (Azure documentation). I can successfully login with scopes like openid profile. However, when I use a scope like https://management.azure.com I get an error:
{
"error": "invalid_scope",
"error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope openid https://management.azure.com/ is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>.\r\n[..]",
"error_codes": [70011],
}
I'm sending a POST request with a body like client_id=<client-id>&scope=openid+https%3A%2F%2Fgraph.microsoft.com%2F.default to https://login.microsoftonline.com/<tenant>/oauth2/v2.0/devicecode. With these scopes, I can login just fine, but any subsequent requests to Azure resource management APIs (for example, to DELETE a resource group) will fail with 401 Unauthorized.
If you want to use the device code flow to access the azure resources, please follow the steps as below.
1.Navigate to your AD App in the Azure Active Directory in the portal -> API permissions -> Add a permission -> select Azure Service Management API -> select the user_impersonation.
2.Navigate to the subscription in the portal -> Access control (IAM), make sure your user account used to login has a role e.g. Contributor in the subscription. If not, please add the user as a role in the subscription, follow this doc.
3.In the postman, use the request below.
Request URL:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/devicecode
Request Body:
client_id=<client-id>
scope=https://management.azure.com/user_impersonation
In the browser, navigate to the https://microsoft.com/devicelogin, input the code and login your user account, the app will let you consent the permission, click the Accept.
4.After login successfully, in the postman, use the request below.
Request URL:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Request Body:
grant_type: urn:ietf:params:oauth:grant-type:device_code
client_id: <client-id>
device_code: <device_code in the screenshot of step 3>
5.Use the access_token in step 4 to call Azure REST API, e.g. Resource Groups - List, it works fine.
For more details, you could refer to - Microsoft identity platform and the OAuth 2.0 device authorization grant flow.
Besides, to consent the permission successfully in step 3, make sure the setting below( Azure AD -> Enterprise applications -> User settings -> Users can consent to apps accessing company data on their behalf) in your tenant is set to Yes, otherwise, you need to let your admin click the Grant admin consent for xxxx button in step 1.
I want to make multi-tenant application on https://apps.dev.microsoft.com.
This work fine with single tenant but
My process for making multi-tenant app ----
LogIn with Other Tenant and appear consent window and got code successfully which code I passed for getting token
Token successfully generated:
Call graph API for office 365
But error genrate --
"We do not recognize this tenant ID 21f3be0a-xx-4b7f-ab05-xxxxx6. Please double-check the tenant ID and try again.
]2
When access data for office 365 report why this tenant id not recognized error raised?
Need to edit in manifest ?
My App on https://apps.dev.microsoft.com. Have Three 3 Microsoft Graph Permissions
Delegated Permissions - user.read , Reports.Read.All (Admin Only)
You can check whether a tenant is valid or invalid using the Well Known OpenId Configuration endpoint:
https://login.microsoftonline.com/<tenant>/.well-known/openid-configuration
Doing this for your tenant id gives this result:
https://login.microsoftonline.com/21f3be0a-713c-4b7f-ab75-3cc5ca25846/.well-known/openid-configuration
error: "invalid_tenant"
error_description: "AADSTS90002: Tenant
21f3be0a-713c-4b7f-ab75-3cc5ca25846 not found. This may happen if
there are no active subscriptions for the tenant. Check with your
subscription administrator.\r\nTrace ID:
bdd561b1-bc36-44ce-b3ab-33e53fda0100\r\nCorrelation ID:
c6ce0c0d-6550-4f5f-a398-a82f085e28c1\r\nTimestamp: 2017-11-01
17:38:31Z"
So simply stated, the tenant id that you are using is not valid for the AAD Worldwide endpoint.
Is it possible you are getting a token for a different instance of AAD? Can you share the contents of your Access Token (removing any sensitive details)?
I did some mistakes thats why this Error raised then need not do anything becoz this Portal app by default Multitenant and send request to common platform ..
Login with other tenant get code
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=XXXXX-XXX
&response_type=code
&redirect_uri=http://localhost:49876
&response_mode=query
&scope=Reports.Read.All
&prompt=consent
&state=12345
then get token
https://login.microsoftonline.com/common/oauth2/token
client_id =XXX
scope =
code= which you get
grant_type=
client_secret=
after get token use for Graph API & get office365 data for -https://graph.microsoft.com/beta/reports/getMailboxUsageMailboxCounts(period='D7')
I have followed the Getting Started workflow here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-get-started-custom
I followed it from scratch, twice, and have both times when trying to sign in with the sign-in & sign-up custom policy I am prompted with 'Your password is incorrect'. How can I properly authenticate?
Things that are working:
When I do signup the user journey completes, and the user is added to the directory
Using built in policies I can sign in and sign up
Using built in policies I can sign in with a user who I used the custom policy to sign up for
Using Application Insights I can see the following errors. (some sanitation applied)
"ValidationRequest":{
"ContentType":"Unspecified",
"Created":"2017-10-06T17:19:34.3995426Z",
"Key":"ValidationRequest",
"Persistent":true,
"Value":"client_id=55555555-5555-5555-5555-555555555555&resource=cccccccc-cccc-cccc-cccc-cccccccccccc&username=MYUSERNAME&password=PASSWORDIENTEREDONSCREEN&grant_type=password&scope=openid&nca=1;1;login-NonInteractive;False"
},
"ValidationResponse":{
"ContentType":"Json",
"Created":"2017-10-06T17:19:34.3995426Z",
"Key":"ValidationResponse",
"Persistent":true,
"Value":"{\"error\":\"invalid_client\",\"error_description\":\"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.\\r\\nTrace ID: 55555555-cccc-cccc-cccc-555555555555\\r\\nCorrelation ID: 77777777-7777-7777-7777-777777777777\\r\\nTimestamp: 2017-10-06 17:19:33Z\",\"error_codes\":[70002],\"timestamp\":\"2017-10-06 17:19:33Z\",\"trace_id\":\"55555555-cccc-cccc-cccc-555555555555\",\"correlation_id\":\"77777777-7777-7777-7777-777777777777\"};1;login-NonInteractive;False"
},
The important bit seems to be:
"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion"
Also later it says:
"Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown."
Some things I've double checked:
In my Identity Experience Framework > Policy Keys, I have the following 4 keys after following the steps in the guide:
B2C_1A_AdminClientEncryptionKeyContainer
B2C_1A_FacebookSecret
B2C_1A_TokenEncryptionKeyContainer
B2C_1A_TokenSigningKeyContainer
In the regular AAD > App registrations, I have the applications:
IdentityExperienceFramework
ProxyIdentityExperienceFramework
And ProxyIdentityExperienceFramework has delegated Access IdentityExperienceFramework permissions from IdentityExperienceFramework.
And I've hit Grant permissions for both apps.
Both application Ids were properly substituted in the TrustFrameworkExtensions.xml, two places each
Any help is much appreciated. Thank you.
Your ProxyIdentityExperienceFramework app was incorrectly created as a Web App/API. You need to recreate it as a Native app. Make sure you don't forget to update the client_ids in your base policy to the new ProxyIdentityExperienceFramework accordingly.
The error AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion occurs when you try to obtain a token using a client_id for an application that was registered as a Web App/API but are not providing the required client_secret. In the case of Native app, there is no client_secret required.
When sign in, Azure AD B2C's trust framework (the thing that executes custom policies) internally attempts to obtain a token for the IdentityExperienceFramework app (Web API) using the ProxyIdentityExperienceFramework app (Native app). If you incorrectly create the latter as a Web App/API, B2C's policy engine will fail to obtain the token which manifests itself as a Your password is incorrect error message to the user.