I'm trying to connect to Azure Devops from within a Sharepoint web part.
I have added a couple of permission requests in package-solution.json:
"webApiPermissionRequests": [
{
"resource": "Windows Azure Active Directory",
"scope": "User.Read"
},
{
"resource": "Azure DevOps",
"scope": "user_impersonation"
},
{
"resource": "SharePoint Online Client Extensibility Web Application Principal",
"scope": "user_impersonation"
}
...
and use the AAD factory to call an Azure DevOps api, like so:
this.context.aadHttpClientFactory.getClient('499b84ac-1321-427f-aa17-267ca6975798').then((client: AadHttpClient) => {
client.get(`https://dev.azure.com/reinder0498/_apis/projects?api-version=6.0`, AadHttpClient.configurations.v1)
.then((response: HttpClientResponse) => {
console.log(response);
return response.json();
})
.then((projects: any): void => {
console.log(projects);
});
});
But then I get this error: "The user or administrator has not consented to use the application with ID '177c71fc-1022-4e3c-82cd-faa17d9864bf' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource."
I've looked at pending and approved requests in Sharepoint Admin center but could not see any requests coming in...
What else do I have to do to use the aadHttpClientFactory to connect to Azure DevOps API's?
update
If I browse to that Sharepoint Online Client app in AAD, the button to grant admin consent is disabled:
Was able to figure it out myself. The thing is that you need to run it inside your teams environment to have the approval request created in your Sharepoint environment.
I now have these permission requests configured:
{
"resource": "Azure DevOps",
"scope": "user_impersonation"
},
{
"resource": "Windows Azure Active Directory",
"scope": "User.Read"
}
I uploaded my web part to Sharepoint, synced it to Teams and then opened it inside Teams. At some point I got the error message about the consent and then afterwards I saw the approval request appear in Sharepoint Admin.
Once approved, my web part successfully connected to the DevOps REST API.
The error occurs for the application registered with Azure AD (Delegated Permissions), which requires either user or an administrator’s consent for the permissions it needs.
You need configure permissions in the azure portal for your application and or create a url and grant permissions first . Below is link on how too construct the url. You only need to do it once and can remove permissions when needed.
Grant tenant-wide admin consent to an application
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent#construct-the-url-for-granting-tenant-wide-admin-consent
Also, here is a GitHub issue raised and solved regarding your setup.
SPFX USER
Related
I have created an App Registration that exposes an API and a scope.
I then create a frontend app/client with another App Registration and I can add my own API as delegated permission and ask Azure AD for a token to the API on behalf of me using normal OAuth flows.
Let's say a 3 client needs access to the API but not as a given user but as the application itself. In the UI of Azure AD, there are no "Application Permissions" for my own API when adding this 3rd API and try to give it access to an API. What is the equivalent of this and how do I set it up?
I have an older article that shows you how to do it through the manifest.
https://joonasw.net/view/defining-permissions-and-roles-in-aad
Currently there is no UI for defining app permissions, so you'll have to do it through the manifest or with PowerShell.
Essentially you need to define an appRole with an allowed member type of Application.
That is an app permission that can then be assigned to apps.
It will appear in the roles claim in the token.
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Read all todo items",
"id": "f8d39977-e31e-460b-b92c-9bef51d14f98",
"isEnabled": true,
"description": "Allow the application to read all todo items as itself.",
"value": "Todo.Read.All"
}
]
}
I want to learn Azure directory services, so I created a free Microsoft Azure account to play around with Azure, and then I created a new App registration at portal.azure.com. So I have this registered application in Azure with a Client ID, Tenant ID, and even a Client Secret, because I want to learn API permissions with this app.
Now in the Microsoft Graph Explorer, I want to try using API methods like Get Application and List Applications.
However, if I log in and run the API to list my applications (GET https://graph.microsoft.com/beta/applications), the response has an empty array of applications.
Also if I try to GET the specific app that I registered in AD, I get a 404: Resource Not Found found error.
What am I doing wrong? How can I use the Graph Explorer with my test Azure account so my registered application can be retrieved and edited with Microsoft Graph APIs?
More Details Below
When I run GET https://graph.microsoft.com/beta/applications in Microsoft Graph Explorer, I expect a list of my applications, including the one app I registered in Azure. Instead, here is the response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
When I run GET https://graph.microsoft.com/beta/applications/{client-id}, with my registered app's client-id, I expect all the details of my registered app, but instead, the response is error 404:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"request-id": "*****",<--I commented this out
"date": "2019-05-28T20:17:11"
}
}
}
If this were a permissions issue, I would expect unauthorized errors instead of "resource not found". I've tried adding Microsoft Graph permissions to my registered App (Directory.Read.All, Directory.ReadWrite.All), but this hasn't helped.
This is nothing to do with Azure free account. If you login in Graph Explorer using outlook account, it will identify this account as a personal account(with tenant outlook.com). That's why you can not find the applications you created in your tenant.
It is recommended to create a new user in your tenant to do the tests.
Here are the steps.
1.Click Azure Active Directory->Users->New User. The username should be something like username#{your tenant name}(XXX.onmicrosoft.com)
2.After the creation, add the roles for this user.
I'm struggling to determine the best route to authenticate using Azure Active Directory for my dotnet core web API.
Here is the situation:
An application created in Azure Active Directory that the Web API authenticates users. It has multiple application roles associated with it.
A daemon application that needs to authenticate to the Web API.
What is the best solution to solve the authentication situation? It's difficult to find clear documentation on how to actually solve this.
Thank you for your advice and help!
Your daemon app will need to use application permissions (app roles with member type = Application) to call the API.
You can see how to define those here: https://joonasw.net/view/defining-permissions-and-roles-in-aad.
For example, this is how one looks like in the manifest:
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Read all todo items",
"id": "f8d39977-e31e-460b-b92c-9bef51d14f98",
"isEnabled": true,
"description": "Allow the application to read all todo items as itself.",
"value": "Todo.Read.All"
}
]
}
Then you assign the app permission to your daemon app.
After that it's a simple matter of authenticating with client credentials from the daemon app.
With ADAL.NET for example, you would acquire a token with ClientCredential + the resource URI of the API.
You can find the URI from your API's app registration (Properties blade, App ID URI).
You can then attach the resulting access token to HTTP requests and the API can find from the appid claim who the calling app is, and from the roles claim what app permissions they have.
I have a single page application (SPA) and an API. Both are secured using Azure Active Directory using role based access control (RBAC). I can login and viewview my SPA using ADAL. I can also login, call my API and see the role claims I have given myeself.
I want to call the API from the SPA. I have added the API delegated permissions to the SPA. I have also hit the 'Grant Permissions' button so I don't see a consent screen.
The problem is when the SPA calls the API, no role claims appear, so the API always returns a 403 Forbidden response. How can I solve this?
Update
This is the manifest for my API:
{
"appId": "[API Client ID]",
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Read Device",
"id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
"isEnabled": true,
"description": "Can read a device.",
"value": "Device.Read.All"
}
],
...
}
In my SPA, I'm using ADAL and adal-angular like so:
var azureActiveDirectory = {
'instance': 'https://login.microsoftonline.com/',
'tenant': '[My Tenant ID]',
'clientId': '[SPA Client ID]',
'redirectUri': 'http://localhost:8080/',
'endpoints': {
'http://localhost:5000': '[API Client ID]'
}
adalAuthenticationServiceProvider.init(azureActiveDirectory, $httpProvider);
Apparently, roles in nested groups are not transitive i.e. If I am a member of Group 2, I do not have the Role granted to Group 1, even though Group 2 is a member of Group 2:
Group 1
Has a Role from Application 1
Has a Member called Group 2
This is absolutely unbelievable that such a feature has not been implemented. I've raised a suggestion on UserVoice. Please upvote the suggestion.
you should create the appRole in your API app, when your spa call API, it will get access token with the role in api app that the login user belongs to. so to make sure you create role and verify role in api app, not spa app.
I'm trying to update appRoles for an Azure AD application using GraphApi but get an error stating Authorization_RequestDenied with Insufficient privileges to complete the operation error.
I'm using PostMan to call Rest endpoint https://graph.windows.net//applications/d66c96ea-56fd-41c8-884b-fc0664792f7d?api-version=1.6
This is Body for may PATCH request:
{
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Writer has the ability to create tasks",
"displayName": "Writer",
"id": "66ea9f02-31b0-40b2-94fb-67a408bc10e3",
"isEnabled": true,
"value": "Writer"
}
]
}
I have added all permissions to Microsoft Graph and Windows Azure Active Directory from my AAD application.
I have 2 applications in AAD. One is called "PostMan" for PostMan OAuth2.0 so that I can get a bearer token. Another on is called "TaskTrackerApp" on which I'm trying to set appRoles via GraphApi.
Thanks for your help!
You can try to upgrade the role of the AD application you use to a administrator permission. Run the following commands in PowerShell:
Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp
#use Add-MsolRoleMember to add it to "Company Administrator" role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
What RequiredResourceAccess list you have configured on application "PostMan" and also the one who is making changes is he/she the owner of this application "TaskTrackerApp" or a global admin in the directory?
I hit this too this week. In my case trying to update the reply URLs. I cut down my request to eventually just trying to update the name of the app. Same thing, Insufficient privileges.
Eventually tracked it down to the fact that an application cannot update another app IF it is not an owner of the app. e.g. Azure Portal->App Registrations->(Select App to Update)->Settings->Owners.
In my case, in the "real world" case, the app I was trying to use to update was supposed to be the owner (because it was the app that created the updating app)
So in the OPs case the "PostMan" app would need to be listed as an owner of the "TaskTrackerApp"