Secure Azure Function API with MSAL - azure

I have Azure Functions which I want to authenticate using an access token.
I have the following things set up:
1. Azure App which is being used by an Angular SPA to authenticate the user
2. Access token which is used to invoke Graph APIs; permissions are set in the Azure app (point 1)
3. Azure Function which has HTTP triggers (APIs) which are being used by the SPA
Currently, the APIs are anonymous and can be invoked from anywhere. I want to secure these APIs using the access token which is being used by the Graph API (point 2).
I think the best approach for me is AAD multi-tenant authentication. However, when I click on "Authentication (classic)" it gives me: This app is configured using the new authentication experience. Click here to access Authentication (preview).
Also, if I keep it authenticated with the following options, I get a "You do not have permission to view this directory or page." error.
Most of the articles which I find online are talking about AAD; for me that option is not enabled.
I have tried the following articles to make it work but somehow it's not happening. Can anyone suggest how I can achieve this?
https://medium.com/medialesson/protecting-azure-function-apps-with-azure-ad-authentication-authorization-fd167ce4fe33
https://medium.com/geekculture/easyauth-in-functions-app-with-azure-active-directory-29c01cad8477
Is there something I need to do in my existing Azure app to make it work?

Per my understanding, your Azure Function is protected by AAD using Authentication (Easy Auth). And now your Angular SPA would like to access this function. Please follow the steps below:
Go to Azure AD => App registrations => the app you created to protect your Azure Function => Expose an API, and add a scope, for instance access_as_user, so that your SPA can request an access token for this scope:
Go to Azure AD => App registrations => the app you created for your SPA => API permissions => Add a permission => My APIs to grant the scope we just created:
Click the grant admin consent button to finish the process.
In your SPA app, use MsalService to acquire an access token with scope api://<your azure function app id>/access_as_user; with this token you can access your Azure Function. For a quick test, I just tested it in Postman and it works perfectly:
Not using this access token:
Bringing this access token:
UPDATE
Basically, your app request diagram is as below:
SPA (request with access token) ==> Easy Auth of Azure Function (validate token; if it passes, go into the Azure Function code logic, if not, return 401) ==> code logic of Azure Function (OBO flow to get access token for Graph API) ==> call Microsoft Graph API
By now, we have finished steps 1 and 2: get the access token for Easy Auth, and pass Easy Auth to go into the Azure Function code logic.
So in the Azure Function code logic, we need to do 2 things:
1. Get the access token from the request header
2. Use the access token and the OBO flow to exchange it for a new access token for Microsoft Graph API. Just refer to the request below to use the OBO flow to exchange an access token for Microsoft Graph API:
BTW, please make sure that your Azure Function app has been granted the permissions User.Read and Calendars.Read:
So that you can get a new access token to call Microsoft Graph API:
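The two Function-side steps above (read the bearer token Easy Auth already validated, then exchange it with the on-behalf-of grant for a Graph token), as an added example that is not code from the answer. Tenant id, client id/secret and the scope list are placeholders, and `post` is an injected HTTP-POST callable so the exchange logic can be exercised without network access.

```python
"""Azure Function side of the OBO flow (added example, not the answer's own code).
TENANT_ID / CLIENT_ID / CLIENT_SECRET are placeholders: read them from app settings."""
from typing import Callable, Dict, Optional

TENANT_ID = "<your-tenant-id>"                       # placeholder
CLIENT_ID = "<your-function-app-client-id>"          # placeholder
CLIENT_SECRET = "<from-app-settings-or-key-vault>"   # placeholder, never hard-code
GRAPH_SCOPES = ["https://graph.microsoft.com/User.Read",
                "https://graph.microsoft.com/Calendars.Read"]
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Token from 'Authorization: Bearer <token>' (header names are case-insensitive).
    Returns None when the header is missing or the scheme is not Bearer."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
            return None
    return None


def obo_request(assertion: str) -> Dict[str, object]:
    """Token-endpoint POST for the OBO grant: the incoming token is the assertion."""
    return {
        "url": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
        "data": {
            "grant_type": OBO_GRANT,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
            "assertion": assertion,
            "scope": " ".join(GRAPH_SCOPES),
            "requested_token_use": "on_behalf_of",
        },
    }


def graph_token_for_request(headers: Dict[str, str],
                            post: Callable[[str, dict], dict]) -> Optional[str]:
    """Both steps together. None means 'no usable bearer token' (the caller answers 401);
    otherwise `post(url, form_data)` performs the exchange and returns the JSON reply."""
    incoming = extract_bearer(headers)
    if incoming is None:
        return None
    req = obo_request(incoming)
    reply = post(req["url"], req["data"])
    return reply.get("access_token")
```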

Maybe this will help someone. I have tried using the above suggestions but could not achieve it 😭. Instead I am using a key for each Azure Function, storing those keys in Azure Key Vault and retrieving those keys within the App settings of the application using managed identity. This may not be the ideal situation but I think it will do for me at the moment. I really hope MS will improve their documentation some day along with sample code/steps.

Related

Azure Function with Azure AD Authentication - Allowed Token Audiences not work for Microsoft Graph

I have configured an Azure Function with Azure AD auth, following this doc: Enable Azure Active Directory in your App Service app.
After the configuration, it automatically adds the function app URL, e.g. https://appname.azurewebsites.net, to the Allowed Token Audiences like below; then we can easily use the client credential flow to get the token to call e.g. the HTTP trigger in my function app.
If I add the Azure AD Graph resource URL https://graph.windows.net to the Allowed Token Audiences, I can also use this flow to get the token to call my function.
But if I add the Microsoft Graph resource URL https://graph.microsoft.com and get the token to call the function, I get the error:
You do not have permission to view this directory or page.
How do I solve this issue? Is this the correct usage of Allowed Token Audiences? If not, why does https://graph.windows.net work fine?
Any ideas are appreciated.
Can you please check in your app registration in Azure AD under API permissions whether Microsoft Graph has been added? If not, please add it as a delegated permission and give it a try.
According to the document, you need to provide the Application ID URI in Allowed Token Audiences. Please refer to the document:
If this is a cloud or server app and you want to allow authentication tokens from a web app, add the Application ID URI of the web app here. The configured Client ID is always implicitly considered to be an allowed audience.

How do I authorize one Azure Active Directory app to access a different AAD App Service Web API using a Bearer token?

I've been searching for a couple days, and I can't seem to find a straightforward guide on how to set up Authorization (AuthZ) between an AAD App and my AAD Web API set up in App Service. I've tried things like this official guide, but I can't seem to get calls with a Bearer token from the client app to work.
Has anyone done this successfully? Is there a step by step guide out there that could help?
Please let me know if there are any questions!
To implement your requirements, you need to expose an API in your AAD Web API first.
Then go to your AAD App which is used to request the token, and add the permission to it.
Click the "Grant admin consent for *" button.
After that, we can request the access token successfully (below I provide a sample using the password flow for your reference).
In your Web API app, you need to parse the access token and get the scope permission from the access token, and then determine whether the request has permission.
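The two claim checks the answers above describe, the Allowed Token Audiences rule from the previous question (the configured client id is always an implicit audience) and the scope check from this one, as an added example that is not the platform's or either answerer's code. Only the claim logic is shown: the JWT signature must be verified before these checks, which Easy Auth does before a request reaches your code. The tokens are constructed, unsigned samples and the client id is a placeholder.

```python
"""Audience and scope checks on an already signature-verified access token
(added example). The sample tokens are constructed and unsigned (alg none)."""
import base64
import json
from typing import Dict, Iterable, List


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> Dict[str, object]:
    """Payload claims of a compact JWT (header.payload.signature). No verification here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def allowed_audience(claims: Dict[str, object], allowed: Iterable[str], client_id: str) -> bool:
    """Portal rule: the configured client id is always an allowed audience; any other
    value in 'aud' (e.g. a Graph resource URL) must be listed under Allowed Token Audiences."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    permitted = set(allowed) | {client_id}
    return any(a in permitted for a in auds)


def has_scope(claims: Dict[str, object], required: str) -> bool:
    """Delegated permissions arrive space-separated in the 'scp' claim."""
    return required in str(claims.get("scp", "")).split()


def authorize(token: str, allowed: List[str], client_id: str, scope: str) -> int:
    """HTTP status the API should return: 401 if the token is not meant for us,
    403 if it lacks the required scope, 200 otherwise."""
    claims = jwt_claims(token)
    if not allowed_audience(claims, allowed, client_id):
        return 401
    if not has_scope(claims, scope):
        return 403
    return 200


def make_unsigned_token(claims: Dict[str, object]) -> str:
    """Constructed sample only (alg none, empty signature); real tokens are signed by Azure AD."""
    def enc(d: Dict[str, object]) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```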

Azure App Registration programmatically (Graph API)

I'm trying to register an application in Azure programmatically. Most examples are targeting use of Azure Portal, which doesn't meet my requirements. Other examples assume that I have a registered app already and hold a bearer token to use for this operation. Again that doesn't meet my requirements.
In my scenario, I'm an Azure AD administrator, and I want to programmatically register my first application without going to the Azure Portal. Since this is easily done via the portal, I was hoping to do this in code as well (HTTP/C# preferred). And as step 2, add permissions and grant admin consent, again programmatically.
Eventually, I'm using the registered app's ClientId and ClientSecret to retrieve the bearer token and then query Graph API. (This part is working fine, when I make the app registration manually via Azure Portal)
I hope this makes sense.
You can use the Microsoft Graph API.
The API to use to create an app is: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_post_applications
To grant permission you can refer here

Request Access Token in Postman for Azure Function App protected by Azure AD B2C

I have an AspNetCore 2.0 MVC web API secured by an Azure Active Directory B2C tenant. I have been able to use Postman to test the API end points by following this SO posting: Request Access Token in Postman for Azure AD B2C (in particular, the Microsoft documented steps referenced in SpottedMahn's comments:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi#use-postman-to-get-a-token-and-test-the-api )
Now I am working on a serverless version of the above; the app is pretty much identical except that the endpoints have been implemented by Azure Functions in an Azure Functions App.
The Functions App has Authentication on, Log in with Azure Active Directory, and the following settings:
This is how I have set up the Application in the Azure B2C tenant:
If I access the functions endpoint via a browser, I get successfully routed to the Azure AD B2C login page and can log in, then see the results from the API endpoint. So I'm pretty confident all is good w.r.t. the Azure AD B2C <-> Function App configuration.
However, I can't use the Request Access Token technique linked above to get a token and inspect the endpoint in Postman.
If I take the token obtained after authentication (for example by using fiddler and observing the id_token being returned), and in Postman I choose Bearer authentication and supply that id_token, then Postman successfully hits my endpoint. However, if I follow the steps in the linked document above, I do get the "login" popup and then do get a valid [looking] token, but when I click Use Token and run the request, I get
You do not have permission to view this directory or page.
I'd really like to be able to request an access token from postman just like I can with my aspnetcore 2.0 app (really just for the consistency so I don't have to remember lots of different techniques). Is that possible for Azure Function Apps and if so, any clues what I'm doing wrong in the above?
Ah, I stumbled upon it. I fixed it by adding the Postman API client id (note: the Postman API client id, not the Postman App client id) [those references will make sense in the context of the Microsoft how-to linked above] under "ALLOWED TOKEN AUDIENCES" (visible in the screenshot in the question above).

Azure AD authentication to call Office 365 and Graph API REST

I've created a sample MVC app using VS 2015 and used Azure AD Auth wizard. When I launch this web application, it asked me to register app with Azure AD (first time only) and then userid/password. I have entered Office 365/Azure AD account and successfully logged in. Everything is working perfectly fine and at the top right, I can see Hello "myname".
Now I tried to make a REST call to Office 365 using RestSharp. It is giving me a 403 error (access denied).
When I tried to use the Graph API URL https://graph.windows.net/testname.com/groups?api-version=1.6, I am getting an unauthorized access error.
Here is my test code with graph API call:
```csharp
using RestSharp;
using RestSharp.Deserializers;

// Azure AD Graph groups query for the tenant; api-version is required by this endpoint.
string url = "https://graph.windows.net/testname.com/groups?api-version=1.6";
var client = new RestClient(url);
client.ClearHandlers();
var jsonDeserializer = new JsonDeserializer();
client.AddHandler("application/json", jsonDeserializer);
// Note: no Authorization header is attached here, so the request is sent without a bearer token.
var request = new RestRequest(Method.GET);
var queryResult = client.Execute(request);
```
I am using the same code with the O365 REST URL for the Office 365 call.
Why am I getting access denied in both cases if my app is already authenticated against Azure AD, which is the base authentication? Also, Request.IsAuthenticated is always true.
Isn't a single identity provider (AAD) used for Azure, Office 365 and related resources?
It's possible your app isn't configured to call the /groups endpoint of the Graph. While the end user is authenticated and you have gotten tokens for the Azure AD Graph (graph.windows.net), this access token needs to have a certain set of permissions to call the endpoints.
To configure these Graph permissions, you can go to the Azure Portal, select Azure Active Directory, then App Registrations, and finally Required Permissions. The resource you're calling is Windows Azure Active Directory, and then you can look through the list of scopes for what you want to call.
Another great resource I'll recommend is the Azure AD Graph Explorer. This can help you understand the type of data the Graph can provide.
Edit: Check out the comments for the answer. OP had used the OpenID Connect middleware (OWIN) and needed help getting an access token for a resource. In order to do this, you must use a combination of OWIN + ADAL. OWIN gets an auth code, and ADAL can exchange this auth code for an access token.