Interactive Browser Credential "You can't sign in here with a personal account. Use your work or school account instead." - azure

I am attempting to implement Interactive Browser Credential with Azure Identity (JS) in my app so that users can authenticate to their own Azure accounts for my dev tool. I got advice that app registration in Azure AD would be required on a Reddit thread (https://www.reddit.com/r/AZURE/comments/smcl15/azure_identity_sdk_js_how_to_authenticate_to/). I have now done so.
I have registered localhost:8083 and localhost:8085 as redirect URIs and selected the option to allow accounts in any organizational directory. However, I am still getting the error "You can't sign in here with a personal account. Use your work or school account instead." Every answer (Access with personal account to multi-tenant application AAD) I have read on the topic says that I need to set "signInAudience": "AzureADandPersonalMicrosoftAccount" in the manifest. However, that is how my manifest already is and has been since the beginning. How do I fix the error?

This error may occur in one of the below two scenarios.
1. Resource being different from client application
Please ensure the requested resource is added to the application's required API permissions and that the resource API has been consented to. For the resource for which you want an access token, you can pass either the Resource URI of a Web App or the client ID of the target Web API. It's important to note that the token contains the resource as requested (audience).
If you have a permission something like user_impersonation, try giving the scope as https://management.azure.com/user_impersonation
Please check if you need to add the API version as a query string as per the Azure REST API reference documentation (Microsoft Docs).
Make sure you see the app in the App registrations > All applications blade while searching for the appId present in the error provided.
2. Resource and client are the same app registration
In App registrations, after exposing the API and adding permissions and scope, ensure the app has been consented to the permission.
For example:

Related

Why I am able to access the users of a different tenant without adding any API permission to application in Azure Portal?

I created an application named MyApp in my Tenant A with multitenant access. Also, I didn't add any API permissions to it in the Azure Portal. I also removed the default User.Read permission.
After that, I implemented a backend project using the msal4j library. In the backend code, I sent the hardcoded scope Directory.ReadWrite.All.
After that, I ran the backend project. The project showed the Microsoft sign-in pop-up in the browser. I provided the credentials of an admin of another tenant named B (Tenant B has 16 users). After the successful sign-in, the Permission Requested pop-up showed; it contained a description of Directory.ReadWrite.All. This was normal since I had added Directory.ReadWrite.All as a scope in my backend code.
After approving that requested permission as an admin of Tenant B, I can list the 16 users of Tenant B with the GET /users endpoint of the Microsoft Graph API. So MyApp, which was created in Tenant A, could access the users of Tenant B.
However, how was it possible? Because I didn't add any API permission to MyApp in the Azure Portal. You can see in the above screenshot that it is empty. I expected to get an error like "Insufficient privilege" when accessing the GET /users endpoint. But I didn't. I can successfully access all 16 users although I didn't add the Directory.ReadWrite.All API permission to MyApp in the Azure Portal.
If sending Directory.ReadWrite.All as a scope from the backend project is enough to access the GET /users endpoint, why do we want to use API permissions in the Azure Portal?
The Azure portal permissions are what we call static permissions.
You use them with the ".default" special scope, e.g. https://graph.microsoft.com/.default.
When you specify a scope in the authentication request, that is a dynamic permission.
It is a feature of the newer v2 endpoint that allows you to request the needed permissions at runtime instead of ahead of time.
It's pretty nice for multi-tenant apps since updating permissions can be done more easily, and you can implement optional features better (that require additional permissions).
Docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent and https://learn.microsoft.com/en-us/azure/active-directory/develop/consent-framework

How do I register an app in client's active directory using my multi tenant app in microsoft azure?

I have registered a multi-tenant app in my Azure subscription. Using this app, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his Active Directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error.
Unfortunately, you cannot use a guest user to log in to Azure AD Graph Explorer for now.
I came across the same issue as yours a long time ago and I understand it's very important for customers. So, you can post your idea on this User Voice page and the Azure Team will see it. I will also upvote it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory whose UPN ends with .onmicrosoft.com
Solution 2: Try to use other tools to get an access token with a guest user (this account also needs to be an admin of that directory), such as Postman. Then you can use Postman to call the Azure AD Graph API. You can refer to this blog on using the Azure AD Graph API with Postman.
Hope this helps!

how to add permissions across active directory? (problems with setting up multi-tenant app in azure)

Now I have one App in Azure Active Directory 1 and a web API in Azure Active Directory 2. My aim is to allow users in AAD1 and AAD2 to both log in to the App.
So far I've enabled the App and API as multi-tenant, and added each one in the other's manifest as a known client application.
The things I've not finished yet: add one as a custom domain into the other, and add permissions between the API and App. I met some problems on these two.
Right now my error message is:
An error has occurred while authorizing access via Authorization Server: unauthorized_client AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration.
When I tried to give the access in the API, in the required permission list, I didn't see the web App (which is in the other directory). How should I deal with it?
If I move both the App and API under the same directory, is there any way that allows users from the other directory to log in?
In order for you to see the Web API in Tenant 1 as an option for "Required Permission List", you need to provision the service principal for the Web API into Tenant 1.
You can do this a number of ways, but the easiest way may be to simply sign into the Web API by generating a Login URL. Once you login, using a user from Tenant 1, the service principal will be provisioned in the tenant, and then be an option available to select.
https://login.microsoftonline.com/common/oauth2/authorize?client_id=<appid>&response_type=code&redirect_uri=<replyurl>&resource=<resource>&prompt=consent
The other option might be to use AAD PowerShell to create a service principal based off your Web API App Id:
New-AzureADServicePrincipal
New-AzureADServicePrincipal -AccountEnabled $true -AppId $MyApp.AppId -DisplayName $App -Tags {WindowsAzureActiveDirectoryIntegratedApp}
Once you have successfully put the service principal on your required permissions, the error message you described above should go away.
In addition to Shawn Tabrizi's answer, you can also specify your API as a known client application of the App.
So in your App's manifest:
"knownClientApplications": [
"your-api-client-id"
]
Then if you try to authenticate to the App, it can do consent for the API as well at the same time.

How to configure consenting for an Azure app (AADSTS65005 error)

We have an Azure resource app whose APIs we want to expose for access by a client app on Azure. The two apps are on different tenants. The users accessing the APIs (Office 365 account holders) are on different tenants.
The whole set up works when we manually provision a service principal on the tenant that is trying to authenticate from the client app against the resource app. By that I mean they are able to log in using their Office 365 account and are shown the consent screen.
If we do not provision a service principal on the AAD tenant of the user trying to authenticate, we get this error:
AADSTS65005 - The app needs access to a service <service> that your organization org.onmicrosoft.com has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.
It is not feasible for us to provision a service principal on every tenant that is accessing our app (resource app). Is there something we are missing? Are we using the right flow?
You can find help for your scenario here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent. (Scroll down to Multiple tiers in multiple tenants)
In the case of an API built by an organization other than Microsoft, the developer of the API needs to provide a way for their customers to consent the application into their customers' tenants.
The recommended design is for the 3rd party developer to build the API such that it can also function as a web client to implement sign-up:
1. Follow the earlier sections to ensure the API implements the multi-tenant application registration/code requirements
2. In addition to exposing the API's scopes/roles, ensure the registration includes the "Sign in and read user profile" Azure AD permission (provided by default)
3. Implement a sign-in/sign-up page in the web client, following the admin consent guidance discussed earlier
4. Once the user consents to the application, the service principal and consent delegation links are created in their tenant, and the native application can get tokens for the API
Basically, all of the parts that your app needs must be present as service principals in the customer's tenant. This is a requirement of AAD.
The only way for that to happen is for an admin to go through consent for the API and app separately, since they are registered in different tenants.
If they were registered in the same tenant, you could use the knownClientApplications property in the manifest to allow consenting to both at the same time.
In my case, I am exposing my own API and trying to access this API from my other application (client credentials mode). I removed the default permission on both of the apps (consuming app and API app), "Azure Active Directory Graph -> User.Read", since I thought I didn't need that, but that caused this problem: "The app needs access to a service .... that your organization has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions."
I got the clue from the answer of #juunas - point 2. Thx Juunas

How do I add users to tenant via the Graph API?

I've utilized the Partner Center REST API to provision tenants with orders/subscriptions. Now I want to start configuring the domains and users for the tenant I just created. My first step was to get a list of users using the Graph API https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations as a test, expecting to see the admin account. If I pass in the domain of the reseller account in the request URL, it shows me the reseller users. But when I put in the domain of the account I just provisioned, I get "Invalid domain name in the request url". I'm using the reseller's AD token to do this. I'm confused, as it gives me the option to specify a domain, but I can only access my own.
What credentials am I supposed to be using here? I tried to use the user/pass that was generated for the admin account from the provision, but I get unauthorized_client when trying to get an AD token from the Graph API.
It is hard to directly address your issues here since they are a little broad, and I would need more specific details about the various tenants you are working with, how your app is provisioned, permissions your app has etc...
However, I think there are a few principles you can follow which may help you debug your issues.
All AAD Authentication happens within the context of a specific tenant. This means whenever you get an access token for a resource, the scope of that token is limited to the boundaries of the tenant.
To authenticate with a client application in the context of a tenant, you must have the app registered in the tenant you are trying to access (line of business application / single tenant) or you have to make the app multi-tenant, in which case your app should be able to function in the context of any tenant... if the right provisioning has occurred.
Every tenant where your app is trying to function must have a service principal for the application provisioned in the tenant. This service principal represents your application's identity in the context of that tenant, and acts as a place to store the permission your application has in the context of that tenant. Most normally, this service principal gets provisioned into a tenant after a user from that tenant has consented to use the app as a part of the login experience.
If you are trying to use user context (authorization code grant flow) to retrieve details about a tenant, you must ensure that that user is present in the directory you are trying to query. For example, a user U can exist in their home tenant T1. If you try to query another tenant T2 using that user account, you will get any number of errors describing that the user account does not exist etc. You can remedy this by creating a guest account for U in T2, in which case there will be a brand new user object created in T2 which links to the original user object in T1. Nonetheless, the user object should always be present in the tenant you are trying to query.
If you are trying to sign into an application with a user account that is in T1 and T2, you need to be sure to specify the tenant you want to actually get the token for. By default, if you use the common endpoint, you will get a token for the user's home tenant. However, it is perfectly valid to get a token for the secondary tenant, as long as you specify that to our Token Service when making the request.
Finally the client application you use to make these requests needs to have the right permissions to the Graph API if you want to make specific calls to the Graph API. Every tenant needs to individually consent to the application in their tenant context in order to provision the correct permissions to their application.
With those principles in mind:
The error you are getting with "unauthorized_client" seems to be an issue with application provisioning in the secondary tenant. Please make sure to first log in to the application with a user from the secondary tenant, and make sure that user has the correct permissions to consent to your app (a tenant admin is best here).
For the second issue with "Invalid domain name in the request url" please try using some hints here.
Specifically this:
By using the myOrganization alias. This alias is only available when using OAuth Authorization Code Grant type (3-legged) authentication; that is, when using a delegated permission scope. The alias is not case sensitive. It replaces the object ID or tenant domain in the URL. When the alias is used, Graph API derives the tenant from the claims presented in the token attached to the request. The following URL shows how to address the users resource collection of a tenant using this alias:
https://graph.windows.net/myorganization/users?api-version=1.6.
I hope this puts you on the correct path to resolve most of your issues.
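The answer above says every token is scoped to one tenant, and the first answer on this page notes that the token carries the requested resource as its audience. The following added example (not code from any of the answers or from the Azure SDK) decodes an Azure AD access token and reports whether its aud, tid and scp/roles claims match what the client asked for, which is the quickest way to tell apart a wrong-resource, wrong-tenant and missing-consent problem. The token it inspects is a constructed, unsigned sample; the expected values are placeholders.

```javascript
// Added example, not code from the answers above. Decodes an Azure AD / Entra ID
// access token and checks audience (aud), tenant (tid) and delegated scopes (scp)
// or app-only roles (roles) against what the client requested. It only decodes;
// the signature is NOT verified, so use it as a diagnostic, never for authorization.

function base64UrlDecode(segment) {
  const pad = "=".repeat((4 - (segment.length % 4)) % 4);
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/") + pad;
  return Buffer.from(b64, "base64").toString("utf8");
}

function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact serialization");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// expected = { audience, tenantId, scopes }. tenantId "common" means the caller
// accepted whatever home tenant the user has, so no tenant check is made then.
function diagnoseToken(jwt, expected) {
  const claims = decodeClaims(jwt);
  const problems = [];
  if (claims.aud !== expected.audience) {
    problems.push(`aud is "${claims.aud}" but "${expected.audience}" was expected: ` +
      "request a scope of that resource and add it to the client's API permissions");
  }
  if (expected.tenantId !== "common" && claims.tid !== expected.tenantId) {
    problems.push(`tid is "${claims.tid}" but "${expected.tenantId}" was expected: ` +
      "the common endpoint returns the home tenant; use the tenant ID as authority");
  }
  // Delegated tokens carry space-separated scopes in scp; app-only tokens carry roles.
  const granted = claims.scp ? claims.scp.split(" ") : (claims.roles || []);
  const missing = (expected.scopes || []).filter((s) => !granted.includes(s));
  if (missing.length > 0) {
    problems.push(`missing permission(s) ${missing.join(", ")}: that tenant has not ` +
      "consented to them, so no grant exists on the app's service principal there");
  }
  return { claims, problems };
}

// Constructed sample: an unsigned (alg "none") token with Graph as the audience.
// Real tokens are signed by Azure AD and must be verified before being trusted.
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

const SAMPLE_TOKEN = makeUnsignedToken({
  aud: "https://graph.microsoft.com",           // placeholder resource
  tid: "tenant-b-guid",                         // placeholder tenant ID
  scp: "User.Read Directory.ReadWrite.All",     // delegated scopes consented in that tenant
});
```

Running diagnoseToken(SAMPLE_TOKEN, { audience: "https://management.azure.com", tenantId: "tenant-a-guid", scopes: ["Mail.Send"] }) returns three problems, one for each mismatch; with the matching values it returns none.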
There are issues with sandbox accounts and Azure. Access to the Azure Management Portal for the sandbox isn't straightforward and at this time does not work properly. I had to create a free Azure account with my hotmail account, then link AD from the new account to my sandbox AD to bypass the bug. When adding a new directory to the new Azure account, select "Use existing directory", sign out, then sign into the sandbox account you want to link it to. Then create your app from the new account.
After getting my app setup properly and new credentials, I had to enable pre-consent with the instructions listed at the end of: https://github.com/Microsoft/Partner-Center-Explorer
Lastly, I had to log in to the Graph API with the customer's ID, but with the reseller's credentials.
The scenarios on the Partner Center SDK website include a section "Manage user accounts and assign licenses" under the "Manage customer accounts" section.
These samples include creating users and assigning licenses and a link to a console test app.
As an aside, a new version of the Partner Center SDK has just become available here. It was released on July 5th. While there is no official change history that I can find, I can see that it includes some new classes such as CustomerUser. You may find it easier to use that library rather than hitting the REST API (depending on how much work you've already done).
