I have been following the Microsoft tutorial/guide for setting up SSO between two Azure bots which is found here: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication-sso?view=azure-bot-service-4.0&tabs=csharp%2Ceml. I am doing all of the bot testing in the latest version of the Bot Framework Emulator with ngrok.
I have managed to get this working correctly via Azure AD (AAD), however as part of a proof-of-concept, I want to get this working via Azure B2C. Unfortunately, there doesn't seem to be much documentation around about how to set something like this up with B2C, and so far I have not been able to get it working. I have left everything set up the same as was asked in that tutorial/demo where possible (see section below for highlighted differences).
Currently, I am able to log into each bot individually via the above tutorial/demo, but when the SSO is attempted into the skill (child) bot, (via watching the traffic in Fiddler) I see that an error of "consent required" is returned. This tells me there must be some sort of relationship/configuration breakdown between the two bots which is preventing the SSO from succeeded. As mentioned, once this fails, I then get the option in the demo to manually log into the skill bot, which does succeed.
The main differences in terms of configuration capability in AAD vs B2C seem to be:
When configuring the Azure AD app registration for the skill (child) bot, you do not have the capability to set an Authorized client application. Also on this screen, you do not have the option to set the consent for both Admins and users, therefore the consent is set to Admins only
When setting up the API permissions, the delegated permissions available for the Microsoft Graph API are much more limited (only offering openid and profile whereas in the tutorial above more permissions has been asked for)
Thus far I have tried the following to get it to work:
In the app registration for the skill bot, in the API permissions section, I added an API which points to the app registration for my main (root) bot
Manually modified the Manifest for both app registrations changing oauth2Permissions.type from Admin to User to try and relax the scope added in the Expose an API screen (as changing this does change the 'who can consent' column from 'Admins Only' to 'Admins and Users'
Different tenant combinations for the app registration (note that both app registrations are current set up as multi-tenant)
Other things of note:
For the OAuth connection strings, these are set up the same way as the tutorial/demo above, including the Token Exchange URL just pointing to the skill bot scope
I am working under the assumption here that if Azure AD works, then B2C should equally be able to work without any code changes to the demo project, except for different values in the appsettings.json files for each of the two bots.
I am also assuming that B2C SSO in this way is actually a supported feature - there doesn't seem to be a definitive answer either way.
Can someone please provide some suggestions for why this may not be working and what may be required in order to get it working? If I haven't provided sufficient information in any area, let me know and I would be more than happy to provide it.
Many thanks!
Related
How do I create a service account, grant the necessary permissions, and use the Azure billing APIs (usage and rate card) from the server-side of a website?
I'm looking to show expected bill on 6/7/2018 is $123.45 on an internal dashboard, mirroring the data in the billing usage graph on the Azure portal.
https://github.com/Azure-Samples/billing-dotnet-usage-api and https://github.com/Azure-Samples/billing-dotnet-ratecard-api are the samples all posts reference. The setup for each references the legacy Azure portal, and the setup instructions make assumptions I don't understand. I've not found any more recent setup instructions for using the billing APIs. In all my experiments, I've received an OAuth token, but I receive 401 Unauthorized responses when calling the actual API. (Obviously I shouldn't include my guids in this question.)
The samples identify that when creating the app, I must choose a "native application", but Scott Allen notes that "native application" requires a live OAuthed user, but my users don't have permission to the Azure portal, so I must pre-authenticate with configured settings. He recommends "Web apps / API".
The samples are vague in the permissions required. They note I should "make sure the sample app will have permissions to access the Windows Azure Service Management APIs", but from the new portal, I don't find Windows Azure Service Management APIs nor any other permissions that sound like Billing management.
When crafting the AAD App in the portal, and when starting https://github.com/Azure-Samples/billing-dotnet-usage-api/blob/master/ConsoleApp-Billing-Usage/ConsoleProj/Program.cs, each references settings such as "Client ID" and "DirectoryId" that are named differently in different places. Though I feel confident in my mapping guesses, the sample doesn't work for me, so I'm confident I've done it wrong.
I've even tried making requests directly to the REST endpoint at https://management.azure.com/subscriptions/{subscription-Id}/providers/Microsoft.Commerce/UsageAggregates?api-version={api-version}&reportedStartTime={dateTimeOffset-value}&reportedEndTime={dateTimeOffset-value}&aggregationGranularity={granularity-value}&showDetails={showdetail-boolean-Value}&continuationToken={token-value} passing in the OAuth token without success.
What did I do wrong here? How do I configure an AAD app to use the Billing APIs using pre-configured auth and subscription settings to show Azure usage details on a web page?
According to the error log, it seems you don't give your app correct subscription role. You could check this link:Assign application to role.
Note: You could give your app Owner role.
You also check this link:Authentication flow for native application to API.
Also, you also could create a web app. But you need use different way to get the token, see different check this link.
I have recently been going through the guides at https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet-susi to try and setup a B2C system with multiple applications in one tenant, so we could use Single Sign On, utilising the Keep Me Signed In custom policy featured in the Identity Experience Framework guide and the relevant samples for that. I use the following sample for this: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
However, none of these seem to be working how I need it to. If I run Contoso App and API 1 and sign in, Contoso App and Api 2 (which are part of the same tenant and run the same policies) does not pick up the SSO and asks me to sign in. This happens when I use the default signinorsignup policy (without any changes to SSO settings) or the custom keepmesignedin policy.
If I close App 1 and re open it, I am again asked to sign in (keep me signed in has been totally forgotten about).
I have not changed any code in the sample other than in the web configs to change the corresponding tenants, client ids etc.
Any thoughts?
We have a multi-tenant single page app (and backend) that uses Azure AD for authenticating users. We'd like do queries to customer's Azure AD for retrieving groups but make it an opt-in behavior for customers (tenants). The reasoning behind that is that not all customers necessary need the functionality and would rather not grant us access to their AAD unnecessarily.
Is there some way of implementing this with Azure AD?
I've been trying to test with different OAuth /authorize calls with resource IDs and scopes but mostly I end up with "AADSTS65001: The user or administrator has not consented to use the application with ID ''. Send an interactive authorization request for this user and resource." error. Configuring the web app or backend to require the permission would surely fix the error but that will also make the approval of it mandatory for all users of the app.
Is there a way of using the authorize/consent API to request access to a new application on-demand?
An ugly work-around that should work would be to have 2 client IDs and 2 backend IDs with different permissions but ADAL.js doesn't seem to be designed to work with multiple Client IDs (it's singleton, for starters). Also Application Permissions should of course work but I'm not sure how much of those are required to search for groups.
Is there a way of using the authorize/consent API to request access to
a new application on-demand?
Do take a look at Azure AD v2.0. With their incremental & dynamic consent model, it is possible to do so though I am not sure if this specific functionality (managing groups) is available there.
I had a discussion with Azure AD team member recently about this (as we are also facing the same problem) and he suggested that we take a look at this.
Essentially the way things work in Azure AD v2.0 is that you start with basic set of permissions (like sign in, read profile etc.). Then when some tenant need specific permission, you essentially ask them to grant those permissions to your application at that time only. What this means is that different users in your application have granted different permissions to your application.
If you are using MSAL, and looking for a way to dynamically change your scopes before authenticating, have a look at this: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#msalguard---dynamic-auth-request
More here: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#platformbrowserdynamic
I have added a Web Application in the Microsoft Application Registration Portal. I can view this app in old azure portal. When I try to configure this app as multi tenant and set the Sign-on URL and the App ID URI values, an error pops up saying one of the values is invalid and the save fails. I can connect to this application using OAUTH and get the required refresh and access tokens. Using these tokens in the graph API I can get mails,contacts and calendar events from my office 365 account. But this happens only for a single tenant. I need to able to do this for multiple tenants and so I want to set this app as multi-tenant. If I create the application in Azure AD itself then I am able to set all the values but I cannot connect to this app using OAUTH as the authentication fails with error message saying
error=unauthorized_client&error_description=AADSTS70001%3a+Application+%2791470123-7e7e-4139-9922-ac95b0a6b383%27+is+not+supported+for+this+API+version.
.I went through a few links like here , here and here but until now I haven't been able to find a solution. I am re-posting this as suggested here. Can anyone suggest what I must do to get through this ?
All applications created through the App Registration Portal have the Multi-Tenant flag set to True by default.
The issues you are facing here are likely due to the fact that the App Registration Portal created our new V2 Applications, while our old portals use our V1 Applications. As a result, switching between portals and trying to make configuration changes, you will likely run into issues where our app model has changed, and certain properties exist in one place, and not another.
Finally it is important to note that we now have a V2 endpoint as well, which lines up with our V2 applications. You need to make sure you are using the right kind of application for the right endpoint.
Let me know if this helps!
I'm developing an application that incorporates the Skype for Business Online Web SDK. I've noticed that it is not possible to access information about the signed in user's Skype account/profile (via Skype's mePerson object).
The only way that I see to do this now is by having yourself as a contact and accessing information about that account/profile, via the Skype person object. This doesn't seem possible to me as it isn't feasible to set a requirement upon every client using my application to have themselves added as a contact on Skype for Business.
This issue is related to the one posted here, on the GitHub Skype Web SDK Samples page: https://github.com/OfficeDev/skype-web-sdk-samples/issues/1
My question: Are there plans to add the User.ReadWrite Permissions in Azure AD for an application extending Skype for Business? Or, is there a known workaround to retrieve the signed in user's profile/account information, which includes status, activity, or avatar/avatarUrl?
I've also posted this on the Microsoft Azure forums:
https://social.msdn.microsoft.com/Forums/azure/en-US/27d6ebdc-f023-4829-96dd-eefb9e1aaeaf/userreadwrite-permissions-in-azure-ad?forum=SkypeWebSDK
However, I've had no response so I'm also posting here in hopes of anybody having any input. Thank you in advance.
As you might have noticed from the issue link in GitHub, the permissions for the information you're trying to grab have been turned on in Azure AD.
You can plug in your Azure AD settings into the Interactive Web SDK to see it in action: https://ucwa.skype.com/websdk
Before you sign in, you'll need to do the following in the Azure AD management console:
Update your app to use the permissions in the image
Change your app's reply URL to this: https://ucwa.skype.com/websdk
Make sure you turn on OAuth implicit flow by modifying your app's manifest. Steps here https://msdn.microsoft.com/en-us/library/office/mt622687%28v=office.16%29.aspx?f=255&MSPPError=-2147217396 under "Configure your app for OAuth implicit grant flow"
Paste your app's Azure client ID into the "Client id" field on https://ucwa.skype.com/websdk
After you sign in, you'll notice one of the examples in the left hand navigation will let you view the signed-in user's presence, ID, etc.
I've also created a forked version of the Web SDK samples that you can easily update with your own Azure AD settings and deploy to your localhost. You might find this more useful for playing around than the hosted Interactive Web SDK.
https://github.com/tamhinsf/skype-web-sdk-samples