We are developing a react.js application that we registered in azure portal. We use the react-microsoft-plugin package from npm to have the login button using our company credentials. This works well
We added App roles in the App Registrations page of azure, just like this :
We also assigned these roles correctly in the Enterprise application -> Users and groups page in Azure.
When we login using the React microsoft login button, we receive a token that contains a lot of stuff, among which the name, the mail, the job of the user. We would like to get the App role as well but we can't figure how. We read this Add app roles to your application and receive them in the token microsoft documentation but it's not too clear for me how we can actually get the user's role in the received token directly.
What is the process to follow so we get the user's app roles in the token ?
Related
I've been poking around MS Graph OAuth2 consent and access token for the enterprise Azure app that had been created along the way. Basically, I'm confused why when I delete the app, I'm still able to obtain the access token ?
When I decrypt and check the claims, it is referencing the name and object id of the deleted app, but it has no roles, and can't be used to access any resources, which makes sense. But still, I'm confused why is being issued for the app that doesn't exist any more ? For example, if I open the app and select to disable login for users, access token is no longer issued - but deleting the whole app does not behave in the same way.
While working with applications in Azure AD, you should be aware of few things like:
App Registrations is where you register an application and configure the details like API permissions, client secrets, client certificates, token claims, app roles etc....
Enterprise Applications are list of service principals that are associated with applications in App Registrations which defines who and what resources the application can access.
When an app is registered in Azure AD, it's corresponding service principal will be created with same name and same App ID in Enterprise Applications blade automatically.
Please note that, whatever changes you do to service principal will directly affect the registered application and vice versa.
I tried to reproduce the same in my environment and got the below results:
I have registered an application in Azure AD and granted permissions like this:
Go to Azure Active Directory -> App Registrations -> Your App -> API Permissions
I generated an access token using client credentials flow, and I can see the roles claim in decoded token like below:
Now, I deleted the Enterprise Application of same name and App ID like below:
Go to Azure Active Directory -> Enterprise Applications -> Your Application -> Properties -> Delete
After deleting that Enterprise App, I'm still able to generate the access token and can't find roles claim now like below:
As the service principal of the application is deleted, you cannot access the other resources which removes permissions from token.
Please note that,
If you delete the application in App Registration first instead of Enterprise App, it will automatically delete the associated service principal (Enterprise App) too along with it.
Then you cannot even generate the access token as it gives Unauthorized client - Application not found error. Unable to generate access tokens is similar to disabling login for users.
Reference:
Apps & service principals in Azure AD | Microsoft Docs
A customer changed to Azure AD, so we have to update our app accordingly. Unfortunately we don't have either access to the customers's Azure AD administration portal, nor do we have user credentials to test our app. We only know that ...
All starts here: https://myapplications.microsoft.com
Browser login consists of (1. dialog) email address, (2. dialog) password, (3. dialog) OTP token entry (OTP sent via SMS). Microsoft Authenticator works as well.
When through the authentication process, the page with the Azure applications appears. In our app, we'd like to avoid this page showing up, since the app should take over after the OTP token is entered in Microsoft Graph API (= authentication is completed). So authentication webview should close by itself after authentication is finished.
We read a lot about MSAL the last days, but since we have to code blindly (no sample login credentials/OTP available, no Azure AD administration access), it's kind of fishing in the dark.
We used this page as starting point: https://github.com/AzureAD/microsoft-authentication-library-for-objc
We use Xcode 13.4.1 with Swift.
By using Safari Web Inspector on the concerned Azure AD application, we populated the required MSAL constants as follows:
let kClientID = "2793995e-0a7d-40d7-bd35-6968ba142197" // probably not correct, see (a.) below
let kGraphEndpoint = "https://graph.microsoft.com/" // not found in Web Inspector data, but most MSAL code uses it
let kAuthority = "https://login.microsoftonline.com/common/" // found in Web Inspector data
let kRedirectUri = "https://myapplications.microsoft.com" // the URL after authentication is complete
let kScopes: [String] = ["User.Read"] // not found in Web Inspector data, but most MSAL code uses it
Questions/Problems:
https://myapplications.microsoft.com always shows the client_id 2793995e-0a7d-40d7-bd35-6968ba142197. As far as we understood, every Azure AD application has it's own client_id, hence 2793... cannot be correct since it's "generic". If the client_id is not correct, can we find the correct one using the concerned Azure AD application Safari Web Inspector data?
Above constants seem to work, but when our testers login, the last page showing all Azure AD applications remains open. Some sample MSAL test code from Github however close Microsoft Graph API after credentials were entered. Is this closure of the authentication webview triggered by the server (Azure AD setting) or the client?
After testers logged in through the app, then suspended the app (via App Switcher), then opened the app again - the complete Graph API login was required again. Silent login (aquireTokenSilently) didn't work. When using Safari, silent login works however. What could be wrong?
Does the Safari Web Inspector data tell us what the product bundle identifer is (which we need for msauth.$(PRODUCT_BUNDLE_IDENTIFIER) as redirect URI)?
So basically, we'd like to ...
avoid the Graph API portal page, which shows up after authentication is done
remain logged in after app returns from suspended (acquireTokenSilently())
use Authenticator if installed on the device
We've never worked with Azure AD before.
Any hint about mistakes/misunderstandings would help.
Many thanks!
----- UPDATE (27.07.2022) -----
As a reminder ... we neither have access to the Azure AD portal, nor do we have test credentials (username, password, SMS code [OTP]).
After lots of testing and simulating, still no success.
Using Safari, the flow for a regular user looks like this:
https://myapplications.microsoft.com
The authentication starts with the entry of the organization specific email address.
Azure detects this organization, checks the existence of the email address and asks fro the password.
Next, Azure either sends an SMS code or triggers the broker (Microsoft Authenticator). It's device configuration specific which one is used.
The page with the Azure AD applications opens.
On iOS/macOS (Xcode, our application), the above flow is similar. MSAL debug messages reveal however that no token is sent. acquireToken() only completes after the webview is cancelled (MSAL error -50005). It seems that a Web application doesn't require a token ?!
Now ... in our (iOS) app, we only would like to get the token in order to access the Web application with our (iOS) app (using the Bearer inside the URL request).
How can we get a token for an Web application without redirecting to that page at the same time (which doesn't return a token)?
Does Azure AD allow access to that Web application using the gained token?
A server side (Azure AD) solution would be an redirect_uri entry in the Authentication section (MY_BUNDLE_ID). But we have to do without.
You don't need to target the MyApps app (2793995e-0a7d-40d7-bd35-6968ba142197). You should target your own Azure AD App registration. For more information please take a look to MSAL iOS Swift Microsoft Graph API Sample.
I have an already deployed application on azure app service which uses azure AD for authentication and authorization.
Unfortunately the developer who worked on it is no longer available
i got access to all Azure resources and source code but i cant figure out how can i add my azure account as one of the users to the app (i can login but its an empty view for me unlike what it used to be with the developer access).
Also i find the app registered on Azure AD and i am an owner there but still with no right access.
When i try to login localy from the frontend it say
Selected user account does not exist in tenant 'Default Directory' and
cannot access the application '[some numbers] in that tenant. The
account needs to be added as an external user in the tenant first. Please use a
different account.
Would appreciate any help and many thanks in advance.
I can login but it’s an empty view for me unlike what it used to be
with the developer access
This is because your backend application is enabled with Azure AD Authentication.
After you sign in to your front-end application, you still can't access the data from the back-end app, because the back-end app now requires Azure Active Directory sign-in from the front-end app
To access the application, follow the below steps:
Grant the front-end access to the back end
Configure App Service to return a usable token
Use the token in your code
You can refer Enable authentication and authorization for front-end app in Authenticate users E2E - Azure App Service | Microsoft Docs for the detailed steps
I have my website integrated with Live SDK applications to allow customers to login to their MSN, Hotmail, Outlook, etc. email accounts and invite friends to my website by reading the contacts. This used to work properly but now it's not working anymore.
When I use the App ID / Client ID from the old Application Registration Portal (https://apps.dev.microsoft.com) I get the following message when I try to login using my Microsoft account.
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
I see from the Application Registration Portal that I can now use Azure to manage my App Registrations, so I basically setup the same app under Azure with the following criteria.
Authentication: Selected Web and setup the same Redirect URI I was using previously when this was working.
API Permissions: I added "Microsoft Graph" with email, Contacts.Read, openid, profile, and User.Read.
And when I try to login to my Microsoft account using my Azure app Client ID / App ID I get the following message.
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Should I try making this work using Azure instead of Application Registration Portal credentials? If so, why is it saying "unauthorized_client" when I try to login?
Thank you!
Register your Azure AD app as Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
Unable to authorize multiple users for a BOT within the same organization using Azure AD authentication
Following are the steps we tried.
1. Created an office 365 organization, so as to be the admin of the Azure AD
Registered the Azure AD app thru app registrations on Azure in the same Org, and then assigned the permissions to the app to read emails and calendar, by following the URL - https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=csharp%2Cbot-msgraph-auth
Then created the web app bot under azure
Then under [OAuth Connection Settings] settings of the bot added the Azure AD app details, first added as Azure AD V1.0 with as per the recommendation in the URL of Microsoft
Used the standard template code of the project - BotAuthenticaionMSGraph from the Github sample code repository - https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore
In the sample code, we just need to edit the appsettings.json file to add the [ConnectionName, MicrosoftAppId, MicrosoftAppPassword]
Then published the local bot code to the app service of the web app bot on Azure
Tested the Bot Auth on the [Test in Web Chat] on Azure -- It works for my Azure AD
Then enabled the Directline Channel for bot and distributed bot to other users of the same organization
The issue is here - when the other user opens the bot, they can see the emails and calendar of the admin user who has already logged in initially. So when the other user logs off and logs in thru his AD credential, then only his emails and calendar data is available since then.
Issue - So, at a given point of time only one user's o365 data is visible globally on the bot chat, and not individual user's data who logs in for that session. The AD token is not per user session but instead its a universal token across for all the conversations.
When I use the Azure AD V2, I get the bad request while trying to login.
Please help. Thanks.
https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore
used the BotAuthenticaionMSGraph project
Expected is, every user should be able to log in individually, and only his data shud be visible on the bot conversation distinctively.
I have tested the sample code and it works fine for both Azure AD V1 and V2.
I followed Azure AD v2 to configure it. Don't forget to enter Mail.Read Mail.Send openid profile User.Read User.ReadBasic.All for Scopes. It's different from Azure AD V1. Otherwise, it will return 400 bad request while trying to login.
I didn't reproduce the first issue. Could you tell where the other user opens the bot? From "Test in Web Chat"?
Update
You need to be aware that your are dealing with two user identities:
The user’s identity in a channel.
The user’s identity in an identity provider that the bot is
interested in.
See Security considerations. When a bot asks user A in a channel to sign-in to an identity provider P, the sign-in process must assure that user A is the one that signs into P. If another user B is allowed to sign-in, then user A would have access to user B’s resource through the bot.
To enable the protection, you need to configure trusted Origins and tamper-proof user IDs.
You can refer to the sample code.
And this blog Using WebChat with Azure Bot Service’s Authentication provides more detailed infomration.