Azure B2C Rotate Policy key through script - azure-ad-b2c

We are using an API key to call a custom API from a B2C custom policy as part of a seamless migration. We are looking for an automated way to rotate the policy key.
I have tried the following C# code using the Graph client, and it is updating the new key, but I wanted to know if there is a PS command to perform a similar kind of operation.
C# code:
// Upload a new secret to the B2C policy keyset via the Microsoft Graph SDK.
// use: "sig" or "enc"; k: the new secret value; nbf/exp: validity window (Unix epoch seconds).
var result = graphClient.TrustFramework.KeySets["B2C_1A_keyset"]
    .UploadSecret(use, k, nbf, exp)
    .Request()
    .PostAsync().Result;
if (result != null)
    Console.WriteLine("Updated policy key secret");

Follow this guidance on best practices: Policy key management with Azure AD B2C.
Use any sample that does REST API calls via C# and follow these two docs to call the correct Microsoft Graph endpoint:
Keysets
Policy keys
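The following is an added example of the rotation the answer describes, done against the Graph REST endpoint rather than the C# SDK; it is not code from the question or the answer. It assumes a Graph access token carrying the Policy.ReadWrite.TrustFramework application permission is passed in as `access_token`, that the keyset (B2C_1A_keyset, as in the question) already exists, and that `use` is "sig" for a key used to authenticate calls and "enc" for encryption, matching the `use` argument of the C# UploadSecret call. The keyset response embedded at the bottom is constructed to illustrate the post-rotation check.

```python
"""Rotate an Azure AD B2C policy key by uploading a new secret through Microsoft Graph.

Added example, not code from the original question or answer. Assumes an
access token with Policy.ReadWrite.TrustFramework is supplied by the caller.
"""
import json
import secrets
import time
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def new_secret_value(nbytes=32):
    """Random URL-safe secret; 32 bytes gives 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def build_upload_secret(keyset_id, secret, valid_days, use="sig", now=None):
    """Return (url, body) for POST /trustFramework/keySets/{id}/uploadSecret.

    nbf/exp are Unix epoch seconds, the same nbf/exp the C# call in the
    question takes. The window starts now so the new key is usable at once
    and ends after valid_days so a forgotten key does not stay valid forever.
    """
    now = int(time.time()) if now is None else int(now)
    if valid_days <= 0:
        raise ValueError("valid_days must be positive")
    body = {"use": use, "k": secret, "nbf": now, "exp": now + valid_days * 86400}
    return f"{GRAPH}/trustFramework/keySets/{keyset_id}/uploadSecret", body


def upload_secret(access_token, keyset_id, secret, valid_days, use="sig"):
    """POST the new secret; Graph returns the updated keyset (id + keys)."""
    url, body = build_upload_secret(keyset_id, secret, valid_days, use)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def active_keys(keyset, now=None):
    """List the kids in a Graph keyset response that are valid at `now`.

    Run after rotation to confirm the new kid is live and to see which old
    keys are still inside their exp window (the custom API must keep accepting
    those until they expire).
    """
    now = int(time.time()) if now is None else int(now)
    return [
        k["kid"]
        for k in keyset.get("keys", [])
        if k.get("nbf", 0) <= now and (k.get("exp") is None or now < k["exp"])
    ]


def rotate_policy_key(access_token, keyset_id="B2C_1A_keyset", valid_days=90):
    """Generate a secret, upload it, and return (secret, kids active right now).

    The secret is returned (never logged) because it must also be placed in
    the custom API's configuration before the policy starts using it.
    """
    secret = new_secret_value()
    keyset = upload_secret(access_token, keyset_id, secret, valid_days)
    return secret, active_keys(keyset)


# Constructed sample of a keyset response (not real tenant data) for active_keys().
T0 = 1_600_000_000
SAMPLE_KEYSET = {
    "id": "B2C_1A_keyset",
    "keys": [
        {"kid": "old-key", "use": "sig", "kty": "oct", "nbf": T0, "exp": T0 + 30 * 86400},
        {"kid": "new-key", "use": "sig", "kty": "oct", "nbf": T0 + 20 * 86400, "exp": T0 + 110 * 86400},
    ],
}

if __name__ == "__main__":
    # During the overlap both keys are valid; after day 30 only the new one is.
    print(active_keys(SAMPLE_KEYSET, now=T0 + 25 * 86400))
    print(active_keys(SAMPLE_KEYSET, now=T0 + 40 * 86400))
```

Choosing `valid_days` longer than the rotation interval gives an overlap during which both the outgoing and incoming secret are within their windows, so the custom API can be switched to the new value without a gap.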

Unable to get Sign Ins for Service Principal using Microsoft Graph API

I am trying to use the List SignIns API to get a list of sign-ins for my Service Principal; however, the API is not returning any results when I try to filter the results by Service Principal id and/or Service Principal Application Id. If I remove the filter, I am able to get the data.
Essentially I am trying to get the data shown in Azure Portal as shown in the screenshot below.
I have tried both Graph Explorer as well as Microsoft.Graph SDK (C#) and in both places I am not getting any result back.
Things I tried:
In Graph Explorer, I tried the following request URL: https://graph.microsoft.com/1.0/auditLogs/signIns?$filter=id eq 'my-service-principal-id' and that did not give any results back.
I even tried https://graph.microsoft.com/beta/auditLogs/signIns?$filter=appId eq 'my-application-id' and still no results.
I tried with both beta and 1.0 version numbers and same results.
I checked the Azure Portal network request in browser and noticed that instead of using graph.microsoft.com, it is using graph.windows.net and is sending the following request:
https://graph.windows.net/tenant-id/activities/getSummarizedServicePrincipalSignIns(aggregationWindow='1d')?$filter=(createdDateTime ge 2021-04-21T13:03:32.608Z and createdDateTime lt 2021-04-28T13:03:32.608Z and (appId eq 'my-application-id' or contains(tolower(appDisplayName), 'my-application-id')))&$top=50&$orderby=createdDateTime desc&source=kds
I also read the documentation for List SignIns API and following caught my eye:
Retrieve the Azure AD user sign-ins for your tenant. Sign-ins that are interactive in nature (where a username/password is passed as part of auth token) and successful federated sign-ins are currently included in the sign-in logs.
I am not sure if what I am trying to accomplish is even possible with Graph API considering I am not getting any results back and Azure Portal is not even using Graph API to get this data.
Any insights into this will be highly appreciated.
This is possible using the 'beta' endpoint - but at this point it only seems to include 'interactive' sign-ins by default. If you add a filter on signInEventTypes it can return other types too:
So for 'User sign-ins (non-interactive)':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'nonInteractiveUser')
For 'Service principal sign-ins':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'servicePrincipal')
For 'Managed identity sign-ins':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'managedIdentity')
For all sign-ins (let me know if there's a more concise way!):
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'interactiveUser' or t eq 'nonInteractiveUser' or t eq 'servicePrincipal' or t eq 'managedIdentity')
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#return-log-data-with-microsoft-graph
The beta API has ServicePrincipalId and ServicePrincipalName; you can filter based on these attributes. This link lists the supported attributes in $filter. This API supports $filter, $skiptoken and $top. However, do note that beta APIs are subject to change.
https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http#attributes-supported-by-filter-parameter
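The two answers above together give what is needed to pull these records programmatically: the explicit signInEventTypes filter from the first answer and the servicePrincipalId/servicePrincipalName attributes from the second. The following is an added example (not code from either answer) that builds the beta URL, follows @odata.nextLink paging, and counts failed sign-ins per service principal, which is the view a defender usually wants from this log. It assumes a Graph access token with AuditLog.Read.All and Directory.Read.All is passed in as `access_token`; the two-page response in `sample_fetch` is constructed, not real tenant data.

```python
"""Service-principal sign-ins from the Graph beta auditLogs/signIns endpoint.

Added example, not code from the original answers. Assumes an access token with
AuditLog.Read.All and Directory.Read.All is supplied by the caller.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

GRAPH_BETA = "https://graph.microsoft.com/beta"
ALL_EVENT_TYPES = ("interactiveUser", "nonInteractiveUser",
                   "servicePrincipal", "managedIdentity")


def build_signins_filter(event_types=("servicePrincipal",), service_principal_id=None):
    """OData $filter. Every wanted event type has to be listed explicitly in
    signInEventTypes/any(...); with no such clause only interactive user
    sign-ins come back, which is why the original filters returned nothing."""
    clauses = " or ".join(f"t eq '{t}'" for t in event_types)
    flt = f"signInEventTypes/any(t: {clauses})"
    if service_principal_id:
        flt += f" and servicePrincipalId eq '{service_principal_id}'"
    return flt


def build_signins_url(event_types=("servicePrincipal",), service_principal_id=None, top=50):
    """Full request URL; spaces are encoded as %20 rather than '+'."""
    query = urllib.parse.urlencode(
        {"$filter": build_signins_filter(event_types, service_principal_id), "$top": top},
        quote_via=urllib.parse.quote,
    )
    return f"{GRAPH_BETA}/auditLogs/signIns?{query}"


def graph_fetch(access_token):
    """Return a fetch(url) -> dict closure that sends the bearer token."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_signins(first_url, fetch):
    """Yield sign-in records, following @odata.nextLink until the last page."""
    url = first_url
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def failures_per_service_principal(signins):
    """Count sign-ins with a non-zero status.errorCode, keyed by (id, name).
    A spike for one principal usually means a rotated or leaked credential."""
    counts = Counter()
    for s in signins:
        if s.get("status", {}).get("errorCode", 0) != 0:
            counts[(s.get("servicePrincipalId"), s.get("servicePrincipalName"))] += 1
    return dict(counts)


def sample_fetch(url):
    """Constructed two-page response for offline use; field names follow the
    beta signIn resource, values are made up."""
    if "skiptoken" not in url:
        return {
            "value": [
                {"id": "1", "createdDateTime": "2021-04-27T10:00:00Z", "appId": "app-1",
                 "servicePrincipalId": "sp-1", "servicePrincipalName": "billing-sync",
                 "signInEventTypes": ["servicePrincipal"], "status": {"errorCode": 0}},
                {"id": "2", "createdDateTime": "2021-04-27T10:05:00Z", "appId": "app-1",
                 "servicePrincipalId": "sp-1", "servicePrincipalName": "billing-sync",
                 "signInEventTypes": ["servicePrincipal"], "status": {"errorCode": 7000215}},
            ],
            "@odata.nextLink": f"{GRAPH_BETA}/auditLogs/signIns?$skiptoken=constructed",
        }
    return {
        "value": [
            {"id": "3", "createdDateTime": "2021-04-27T10:06:00Z", "appId": "app-1",
             "servicePrincipalId": "sp-1", "servicePrincipalName": "billing-sync",
             "signInEventTypes": ["servicePrincipal"], "status": {"errorCode": 7000215}},
        ]
    }


if __name__ == "__main__":
    # Swap sample_fetch for graph_fetch(access_token) to run against a tenant.
    records = list(iter_signins(build_signins_url(), sample_fetch))
    print(failures_per_service_principal(records))
```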
Here's a blog about graph.windows.net and graph.microsoft.com
https://developer.microsoft.com/en-us/identity/blogs/microsoft-graph-or-azure-ad-graph/

What are the API Permissions necessary to start Azure Data Factory pipeline?

I would need to start an Azure Data Factory pipeline from REST API as per https://learn.microsoft.com/en-us/rest/api/datafactory/pipelines/createrun#code-try-0
I have created an AAD app, and given it the Azure Service Management API Permission. However when the client through the OAuth2 Implicit flow receives an id_token and invokes that API to start a pipeline I get
{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "The access token is invalid."
    }
}
Am I using the proper API permission? Thanks.
If you just want to use OAuth2 flow to get the token to call the REST API, the client credentials flow is more suitable than the Implicit flow in this case.
Please follow the steps below.
1. Get values for signing in and create a new application secret.
2. Navigate to the data factory -> Access control (IAM) -> Add -> add your AD App to an RBAC role, e.g. Contributor, Owner, Data Factory Contributor; for details follow this.
3. In Postman, follow the screenshot below, fill in the request body with the values from step 1, then use the token to call the REST API; it will work fine.
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    client_id=<client_id>
    &scope=https://management.azure.com/.default
    &client_secret=<client_secret>
    &grant_type=client_credentials
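The token request in the answer, carried through to the createRun call, as an added example that is not the answer's own code. It assumes the app registration has a client secret and has been granted a role such as Data Factory Contributor on the factory, as the answer describes; subscription, resource group, factory and pipeline names are placeholders. The audience check is a diagnostic for the error in the question: an id_token from the implicit flow carries the app's own client_id as `aud`, while Resource Manager expects an access token issued for the management resource (the two audience strings accepted below are an assumption about ARM, not something the answer states). The `unsigned_jwt` helper only constructs sample tokens for that check.

```python
"""Client-credentials token for Azure Resource Manager, then start a Data Factory run.

Added example, not code from the original answer. Placeholders: tenant, client,
subscription, resource group, factory and pipeline identifiers.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM = "https://management.azure.com"
ARM_SCOPE = f"{ARM}/.default"
# Assumption: audiences ARM accepts (current and legacy resource identifiers).
ARM_AUDIENCES = (ARM, "https://management.core.windows.net")


def build_token_request(tenant_id, client_id, client_secret):
    """(url, form body) for the client-credentials grant: the four fields the answer lists."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": ARM_SCOPE,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body.encode()


def get_access_token(tenant_id, client_id, client_secret):
    """POST the grant and return the access_token string."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified here,
    so never use this to make an authorisation decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_for_arm(token):
    """True when the token's aud is the Resource Manager resource."""
    aud = jwt_claims(token).get("aud", "")
    return aud.rstrip("/") in ARM_AUDIENCES


def create_run_url(subscription_id, resource_group, factory, pipeline):
    """Pipelines - Create Run endpoint from the REST reference linked in the question."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.DataFactory/factories/{factory}"
            f"/pipelines/{pipeline}/createRun?api-version=2018-06-01")


def start_pipeline(access_token, subscription_id, resource_group, factory, pipeline, parameters=None):
    """Start a run and return its runId; refuses a token that is not for ARM,
    which is the situation behind the InvalidAuthenticationToken error."""
    if not token_is_for_arm(access_token):
        raise ValueError(f"token audience is not Resource Manager; request scope {ARM_SCOPE}")
    req = urllib.request.Request(
        create_run_url(subscription_id, resource_group, factory, pipeline),
        data=json.dumps(parameters or {}).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["runId"]


def unsigned_jwt(claims):
    """Constructed, unsigned token (alg none) used only to illustrate the audience check."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Real use: token = get_access_token("<tenant-id>", "<client_id>", "<client_secret>")
    print(token_is_for_arm(unsigned_jwt({"aud": ARM})))          # access token for ARM
    print(token_is_for_arm(unsigned_jwt({"aud": "<client_id>"})))  # id_token: rejected
```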
I can't test it right now, but I would assume that having Data Factory Contributor should be enough for this.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#data-factory-contributor

Error getting SAML Metadata for Azure AD B2C Policy - AADB2C90022

Setting up a custom policy in Azure AD B2C to connect to an ADFS Identity Provider. This requires a SAML metadata endpoint as specified in the documentation at the link below.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp#configure-an-adfs-relying-party-trust
The error being encountered is:
AADB2C90022: Unable to return metadata for the policy [my-policy] in tenant [my-tenant].onmicrosoft.com.
and is being encountered when I go to the endpoint:
https://login.microsoftonline.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have tried making the request from the b2clogin.com endpoint with the same result as above.
E.g. https://[my-tenant].b2clogin.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have also tried using my tenantId GUID in place of [my-tenant].onmicrosoft.com which resulted in the exact same result.
E.g. https://login.microsoftonline.com/te/[my-tenant-id]/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
Revisit the process by which you created the certificate, uploaded it to your 'Policy Keys' and referenced it in your custom policy files.
My scenario was similar: I had the same error and no output via Application Insights / Journey Recorder.
I had tried to avoid using 'makecert.exe' and instead used another SSC generation tool. This simply did not work, I think because the private key was not being incorporated in the certificate file.
This guide has been invaluable; see also this test facility.

How to update the existing User SignInName using Azure AD Graph API or Microsoft Graph API?

How can I update the SignInName of an existing user in Azure AD using Microsoft Graph or the Azure AD Graph client?
Thanks!
Looks like it won't be possible to update SignInName through either the Microsoft Graph API or the Azure AD Graph API. It may be worth a try using PowerShell if that fits your use case (again, this may or may not work). Details about each one below.
Update User SignInName using Microsoft Graph API
This isn't possible because the SignInNames collection isn't even available as part of the user entity in Microsoft Graph yet.
Here is a GitHub issue thread on this topic, look towards the end.
Add signInNames property to User. #91
Update User SignInName using Azure AD Graph API
You would be able to set the User SignInNames collection only at the time of creation of the user. See that the documentation mentions only POST and GET (no PATCH):
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#user-entity
Update User SignInName using PowerShell
This may work out, but I'm not sure about it. Then again, you asked specifically for Microsoft Graph or Azure AD Graph API so your scenario may not be suited for PowerShell.
Set-AzureADUser
You can PATCH the signInNames using the Azure AD Graph API (graph.windows.net) as an update.
PATCH https://graph.windows.net/{tenantId}/users/{userId}?api-version=1.6
Content-Type: application/json
BODY:
{
    "givenName": "James Wood",
    "signInNames": [
        {
            "type": "userName",
            "value": "jamesWoodUserName"
        }
    ]
}
Or just use the Graph beta SDK.
https://github.com/microsoftgraph/msgraph-beta-sdk-dotnet
> Install-Package Microsoft.Graph.Beta
var users = await graphClient.Users.Request().GetAsync().ConfigureAwait(false);
The email is then under "Identities".

Error when obtaining token

I'm trying the sample code NativeClient-Headless-DotNet.sln against my B2C tenant.
When I attempt to execute the command:
result = authContext.AcquireTokenAsync(todoListResourceId, clientId, uc).Result;
using an existing username and password, I get this exception:
InnerException = {"unknown_user_type: Unknown User Type"}
As far as I know, I've set up all the values correctly in Web and App config (I'm using the same values that I use in my Graph API project, which works OK).
Any ideas why this should happen?
Are accounts created with:
userType.type = "userName";
found by this method?
Currently, Azure AD B2C doesn't have any direct support for this.
However, work to support the Resource Owner Password Credentials flow in Azure AD B2C is in progress.
This new feature will enable a desktop application to collect a user credential and POST it to the B2C tenant for validation.