Revoke access or refresh groups and roles from Azure AD in .NET Core Web App - azure

I have a file>new .net core web app which is using Azure AD for authentication which works fine out of the box.
I have a requirement to create some auth policies, so I have the following code which checks the groups in the user's claims and sets up an "Admin" policy which I can use on my endpoints.
services.AddAuthorization(options =>
{
    options.AddPolicy("Admin", policy => policy.RequireClaim("groups", "XXXXX"));
});
This works fine too. The problem is, once the user is logged in, how can I:
- Revoke access if I needed to? (e.g. a user is removed from AD or has his access revoked)
- Refresh the auth so that if there has been any change in claims, roles, groups etc., it is detected.
I took a look at https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access but it doesn't give much. It actually says "It's possible that the app may never send the user back to Azure AD as long as the session token is valid."
What is the best way to handle this?

To summarize the comments and post as an answer:
As I said in the comments, if you need to revoke a user's access rights, then you can do this by revoking the user refresh token. After revoking the user's permissions in Azure, then revoke the refresh token and redirect the user to the login page.
After the user is authenticated, he will receive the access token and the refresh token.
First, you need to revoke the user's refresh token. The lifetime of the refresh token is 90 days by default, so you need to revoke it during its lifetime. You can use Azure AD PowerShell:
Revoke-AzureADUserAllRefreshToken -ObjectId "a1d91a49-70c6-4d1d-a80a-b74c820a9a33"
But as far as I know, the access token cannot be revoked. The default expiration time of the access token is 1 hour. After 1 hour, the user will automatically lose access to AAD.
If you want to terminate user access immediately after the user's permissions are revoked, you can try the continuous access evaluation provided by Microsoft, which helps ensure invalidation of access tokens in near real time. However, as the documentation says, this may cause security issues, so I think it is not the best method.
So I think the best way is: just revoke the refresh token, and then wait 1 hour for the access token to expire; the user will then automatically lose access to AAD. Then refresh the authentication and redirect the user to the login page.
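The "refresh the authentication" step in a .NET Core web app, as an added example (not code from the question or the answer above): the app's own cookie session is rejected as soon as the Azure AD access token has expired, so the next request is challenged against Azure AD again and a revoked refresh token or changed group membership takes effect within the access token lifetime. It assumes the cookie and OpenIdConnect handlers are registered by hand with the placeholder tenant, client id and secret shown, and that the authorization code response type is used so the token response carries expires_in.

```csharp
using System;
using System.Globalization;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class AuthSetup
{
    // Added example: drop the local cookie session once the Azure AD access token has
    // expired, so the session can never outlive the token lifetime (1 hour by default).
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                options.Events.OnValidatePrincipal = async context =>
                {
                    // "expires_at" is written into the cookie by the OIDC handler when SaveTokens = true.
                    var expiresAt = context.Properties.GetTokenValue("expires_at");
                    if (expiresAt != null
                        && DateTimeOffset.TryParse(expiresAt, CultureInfo.InvariantCulture,
                                                   DateTimeStyles.AssumeUniversal, out var exp)
                        && exp <= DateTimeOffset.UtcNow)
                    {
                        // Reject the session: the next request challenges Azure AD again.
                        // If the refresh token was revoked (Revoke-AzureADUserAllRefreshToken) the
                        // user must sign in, and the new id_token carries the current "groups".
                        context.RejectPrincipal();
                        await context.HttpContext.SignOutAsync(
                            CookieAuthenticationDefaults.AuthenticationScheme);
                    }
                };
            })
            .AddOpenIdConnect(options =>
            {
                options.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0"; // placeholder
                options.ClientId = "<client-id>";         // placeholder
                options.ClientSecret = "<client-secret>"; // placeholder, keep in a secret store
                options.ResponseType = OpenIdConnectResponseType.Code; // token response has expires_in
                options.SaveTokens = true;                // required for "expires_at" above
            });
    }
}
```

The existing "Admin" policy from the question is unchanged; with this in place the groups claim it checks is re-read from a fresh id_token after every access token expiry.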

Related

Unauthorised application able to get the access of users in Azure Graph API

We have registered a new app in Azure AD and use the client ID and client secret to log in and check other users' details. Now we have removed all permissions for the client ID and checked using Postman as well as from the application, but it still logs in to the app and is able to get the other users' details using https://graph.microsoft.com/v1.0/users for users and https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token for the token. The question is: how is the user getting access when all permissions have already been revoked?
Even if you revoked all permissions, please try resetting the signInSessionsValidFromDateTime user property to the current date-time.
This must be performed by user or administrator.
By doing this, it deletes all the session cookies stored in the user's browser and removes all the refresh tokens issued to the application for that user.
Please ensure to have User.ReadWrite.All, Directory.ReadWrite.All permissions.
To revoke sign-in sessions from Microsoft Graph Explorer, try using the query below:
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions (Or)
POST https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions
After calling revokeSignInSessions, there might be a small delay of a few minutes before tokens are revoked.
Please find the links below, if they are helpful.
References:
user: revokeSignInSessions - Microsoft Docs
App can still get data via Microsoft Graph API after user revoke permission from My Apps Portal

How to know if a user choose keep me signed in Azure B2C

We are using Azure Active Directory B2C to authenticate users into our app; we use a user flow to let the user enter their credentials. After receiving the access token from Azure we generate an app token that contains app-related information.
We recently added the "keep me signed in" feature, but it seems that there is no way to know in the response if the user has checked it or not? Even the returned access token still expires after 60 minutes. This causes a problem for us since our app logs out the user automatically after the token times out, but if the user chose to stay signed in we want to stop this behaviour. So how can we tell if the user checked "keep me signed in"?
I've read a lot in the Microsoft docs and searched a lot with no luck finding a way!
The one thing I found was a KMSI attribute, but it can only be added in custom policies, which is kind of hard to do now. Is there a way to get such an indicator from the user flow?
You can get the KMSI Boolean in the token using custom policies and claims resolvers.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
However, this shouldn’t be needed in your scenario. When access token expires, the refresh token is used to redeem a new access token. If the refresh token is expired, then the B2C cookie is used to perform single sign on via the B2C login page.
The user is only logged out if all of the above are expired/invalidated.
More to read here: What does KMSI in Azure B2C actually DO?

Access token and authentication for guest user

TLDR:
Is it possible to have a guest account, like guest#organization.onmicrosoft.com, in a company's MS Office 365 cloud that has "read" permission on the organization's users' calendars and events with a constant access token? By constant access token I mean that I sign in once as this guest user and receive a constant access token from Azure AD (like application access authentication, but as a guest account).
I have my own company's MS Office 365 account with some users in it. There is one global administrator account and a few regular users.
There is a second company, let's call it XYZ, with their own MSO365 account with many administrators and users. A big company.
Now I'm writing a simple app where I need access to read XYZ company's users' calendars and events. I have a list of the required users in my app with the proper MSO365 IDs.
I think that 'read' privilege is enough since we can send invitations for events through ordinary email messages.
My app will read user events through the MS Graph API etc. with some logic and release it (send invitations for events etc.) with CRON jobs.
And here is my problem with authentication.
I don't want to have "application access" Azure AD privileges for my app. I know the XYZ company's security policy won't allow it, since "application access" gives access to all accounts in the organization. Application access means that XYZ company's global administrator grants application privileges to my app by a single sign-in into Azure AD. If he does so, I have an access token which I can use for API calls in my app without the need for additional authentication.
I can't use "user access" Azure AD authentication either,
due to my CRON jobs and the API calls which fire then.
User access means that the user needs to sign in at the Azure AD login service, which gives me an access token and a refresh token for API calls. Those tokens have a 1 hour lifetime.
So I thought about: is there a possibility to have a guest account at XYZ company's MSO365 that would let me use an authentication mechanism like "application access"?
By this I mean that XYZ company's global admin creates me a guest account like guest#xyz.onmicrosoft.com which will have access to read users' calendars and events. What is more, I need this account to have a constant access token which I can use in my cron jobs' API calls with no need to sign in at Azure AD.
The question is: is it possible? If so how to do it?
The only way there (AFAIK) is to use refresh tokens.
Application-level access is more robust but requires organization-wide access.
So you use delegated access (user access), store refresh tokens somewhere.
You can use those tokens basically indefinitely,
however certain events can expire the refresh token.
It doesn't happen often, but it can happen.
In that case you would need the user to login again so you can get a new refresh token.
You should also store the new refresh token that you get when you acquire tokens using a refresh token.
This new token can overwrite the old token for that user.
And of course keep in mind refresh tokens are user-specific so you gotta store one for each user.
This is the approach that one of our bigger apps takes.
If we fail to acquire a token in the background process,
that user gets a flag set on them that their token does not work,
and they'll get a notification that they need to re-authenticate for the feature to start working again.

How to get microsoft graph token without popup user login page?

I need to write a backend app to read & write one company mailbox.
I have registered Active Directory Application and granted Delegated permissions (read and write to user mailbox).
The question is how to get the token needed to authenticate the Graph API calls (for example ListMessages).
From the documentation I couldn't find any working example of a backend app acquiring a token and making API calls.
There are two endpoint versions:
Azure AD and Azure AD v2.0 endpoints;
And two authentication method:
1. Get access on behalf of a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
2. Get access without a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
What should I use? Really confused.
Thanks all.
According to your description, I assume you want to get an access token without user login page.
Based on my test, we can get an access token that run as a background services or daemons.
It requires administrator to grant the access permission once, then user will not see login popup window anymore.
For more detail, we can refer to this official document.
Sounds like you are looking for Resource Owner Password Credentials grant flow.
However, its usage is not recommended.
It does not work in these scenarios:
- User has MFA
- User password has expired
- User is federated (MS account/Google/on-prem AD)
The only scenario that I can think of where this flow is okay is integration tests of APIs where you need to test scenarios where you call your API on behalf of a user.
Here is a better way to do what you want:
1. Require an application permission to access user emails and have the admin grant it. Now you can use client credentials grant flow to get a token anytime you need one.
2. Use delegated permissions, have the user sign in once with Authorization Code grant flow. Then exchange the code for an access token and a refresh token. Store at least the refresh token somewhere secure. Use refresh token whenever you need a new token.
The first approach is more reliable but requires broader permissions.
The second has tighter security (only users who have authorized access can have their email read), but has slightly less reliability.
Refresh tokens can be invalidated, in which case you'll need the user to login again.
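The delegated, store-the-refresh-token approach that this answer and the earlier "guest account" answer both describe, as an added example that is not code from either post: a background job that acquires a token silently for each user from MSAL's token cache (MSAL redeems and rotates the refresh token itself) and flags the user for re-authentication when the refresh token has been invalidated. It assumes MSAL.NET (Microsoft.Identity.Client), a persistent token cache already attached to the application object, placeholder client/tenant values, and a hypothetical IUserStore that holds each user's MSAL account id and the flag.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical store (not a real library): one MSAL account id per user plus a flag
// that the UI uses to ask the user to sign in again.
public interface IUserStore
{
    Task<IReadOnlyList<string>> ListAccountIdsAsync();
    Task SetNeedsReauthAsync(string accountId, bool needsReauth);
}

public class MailboxSyncJob
{
    private static readonly string[] Scopes = { "https://graph.microsoft.com/Mail.ReadWrite" };
    private readonly IConfidentialClientApplication _app;
    private readonly IUserStore _users;

    public MailboxSyncJob(IUserStore users)
    {
        _users = users;
        _app = ConfidentialClientApplicationBuilder.Create("<client-id>")          // placeholder
            .WithClientSecret("<client-secret>")                                   // placeholder, keep in a secret store
            .WithAuthority("https://login.microsoftonline.com/<tenant-id>/v2.0")   // placeholder
            .Build();
        // A persistent token cache (e.g. a distributed cache serializer) must be attached
        // to _app so the refresh tokens obtained at sign-in survive process restarts.
    }

    // Runs once per CRON tick; returns the ids of users whose refresh token no longer works.
    public async Task<List<string>> RunAsync()
    {
        var needReauth = new List<string>();
        foreach (var accountId in await _users.ListAccountIdsAsync())
        {
            var account = await _app.GetAccountAsync(accountId);
            try
            {
                // Uses the cached refresh token; MSAL stores the rotated one automatically.
                var result = await _app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
                await _users.SetNeedsReauthAsync(accountId, false);
                var accessToken = result.AccessToken; // ... call Graph (e.g. ListMessages) with it
            }
            catch (MsalUiRequiredException)
            {
                // Refresh token revoked/expired, or no cached account: the user has to sign in
                // again through the authorization code flow, so flag them and notify.
                await _users.SetNeedsReauthAsync(accountId, true);
                needReauth.Add(accountId);
            }
        }
        return needReauth;
    }
}
```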

Revoke a refresh token on Azure AD B2C

I don't know if there is a solution to revoke a refresh token when:
- a user resets their own password with the reset password policy?
- a user changes their own password with a specific form based on the Graph API?
I think it must be implemented for security reasons, but I don't know if it's possible for now and, if not, when it will be available?
Thanks in advance
I found a similar question to yours: Costs of B2C and Refresh tokens.
The essential part of the answer from the other question is:
Logging out of the web application won't revoke the token. Azure AD doesn't support revoking the token at present. However, we can clear the token cache if you don't want users to use the token.
I did some own tests using the Azure AD Graph API and was unable to get the refresh token to expire, even when resetting the password of the user accessing the resources.
As far as I know, there doesn't seem to be any way to expire the token at the moment, except for contacting Azure support and having them expire the token.