Microsoft identity platform client credentials flow auditing - azure

We are using the client credentials flow in Azure AD to authenticate our APIs when the caller is some type of daemon process. Our security policies dictate that we need to audit when access attempts fail. For the most part we have been able to accommodate most of the security department's requirements, except for when the get-token request fails. This could be due to a number of reasons, such as an invalid client id, secret, or certificate. The endpoint we are using to request a token is https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
I tried a few examples demonstrating passing invalid parameters to the access token request. I then checked the audit logs and sign-ins monitoring sections of our Azure AD tenant, expecting to see some type of authorization denied message. To my surprise there was nothing.
I've tried searching client credentials flow auditing on Microsoft docs and on Google but I have not been able to find anything in regards to auditing failed access token requests.
Is there somewhere in the portal we can view when the access token request does not return a bearer token?

AFAIK, Azure AD doesn't put access token requests in the logs. You could add the content of access token requests when calling the endpoint in your code.
Audit logs: The audit logs activity report gives you access to the history of every task that's performed in your tenant. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
Sign-in logs: With the sign-in activity report, you can determine who performed the tasks that are reported in the audit logs.

I found the answer. Should anyone need this in the future, Azure logs success and failure access token requests in the "Service principal sign-ins" section.
Click here for screen cap of logging location
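The first answer suggests recording the outcome of the token call in your own code as well as relying on the tenant's sign-in logs. The following is an added example (not from the question or either answer) of that client-side audit hook for the client credentials grant: it parses the error body the v2.0 token endpoint returns, pulls out the AADSTS code and correlation id, and logs a record that never contains the client secret. The sample failure body is constructed for the demo; only its shape follows the endpoint's real error format.

```python
import json
import logging
import re
import urllib.error
import urllib.parse
import urllib.request

AADSTS_RE = re.compile(r"AADSTS(\d+)")
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Constructed sample of the JSON body the v2.0 token endpoint returns on a rejected request.
SAMPLE_FAILURE_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000215: Invalid client secret provided.",
    "correlation_id": "00000000-0000-0000-0000-000000000002",  # made-up id
})

def audit_token_response(status, body, tenant, client_id):
    """Build and log an audit record for a failed token request; None on success."""
    if status == 200:
        return None
    try:
        err = json.loads(body)
    except ValueError:  # not JSON (proxy error page, etc.)
        err = {}
    match = AADSTS_RE.search(err.get("error_description", ""))
    record = {
        "event": "token_request_failed",
        "tenant": tenant,
        "client_id": client_id,
        "http_status": status,
        "error": err.get("error", "unknown"),
        "aadsts": f"AADSTS{match.group(1)}" if match else None,
        "correlation_id": err.get("correlation_id"),  # quote this to Microsoft support
    }
    # The request form is deliberately not logged: it carries the client secret.
    logging.getLogger("token_audit").warning(json.dumps(record))
    return record

def request_token(tenant, client_id, client_secret, scope):
    """Client-credentials grant against the v2.0 endpoint, auditing any failure."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scope}).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=form)) as resp:
            status, body = resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:  # 400/401 responses carry the AADSTS JSON body
        status, body = exc.code, exc.read().decode()
    audit_token_response(status, body, tenant, client_id)
    return json.loads(body)
```

Forward the logged records to the same SIEM that ingests the tenant's service principal sign-in logs so the two views can be correlated by correlation_id.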

Related

How to create Teams Message via REST from an Application properly

I have a C# service; the service is running somewhere in the Azure cloud without a user interface. Some specific events should trigger new messages to a Teams channel.
According to this documentation, the Create Message https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0&tabs=http is only supported by delegated account, not by the application tokens.
How can I create a delegated token for my service application without a specific user account and without a login interface in the cloud?
Which Authentication Provider is the right one? https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?context=graph%2Fapi%2F1.0&view=graph-rest-1.0&tabs=CS
As you mentioned in the question: chatMessage supports only the Delegated permission type.
What exactly is the Delegated permission type?
A permission which specifies scope-based access using delegated authorization from the signed-in user.
The reason for the emphasis on the above point is that for a Delegated permission we need the context of a user account.
Coming back to your questions:
How can I create a delegated token for my service application without a specific user account?
You can obtain a token without a specific user account, but this will not help your cause. In order to overcome this, I would suggest creating a service account; this account has permission over the Teams. Part 2 of this question suggests which provider can help without the login prompt.
The steps include:
Register your app.
Configure permissions for Microsoft Graph on your app.
Get administrator consent.
Get an access token.
Use the access token to call Microsoft Graph.
The steps are detailed in the article here: https://learn.microsoft.com/en-us/graph/auth-v2-service
without a login interface in the cloud
Now you could use the below option:
Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials
In this provider, you will be passing the creds of the service account.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=<YOUR CLIENT ID>
&scope=user.read%20openid%20profile%20offline_access
&username=<YOUR USERNAME>
&password=<YOUR PASSWORD>
&grant_type=password
You can generate the token for your service account with the above request, and the application can consume the chatMessage API.

Unable to get Token with Work Account for Teams OnlineMeeting API within MS Graph platform

Business Requirement:
We want to replace our Skype meeting URL with a Teams meeting on our production system (within an ABAP daemon service without user integration). So I am trying to integrate with Teams using the Microsoft Graph API to be able to generate online meetings. Then this online meeting URL will be sent to our customer in a mail.
Target Graph API: For the MS Graph API v1.0 version, I think this is the only option: Create onlineMeeting. (Graph API with the /beta version is not a good option for production usage.)
According to the MS Graph documentation v1.0 Create onlineMeeting, this API only supports permissions of the Delegated type. I think we could only use the username/password authentication flow. Correct me if I'm wrong.
Issues: I'm trying to get a token with user and password as described in ROPC Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials, using the following API to test it with my corporate mail.
POST /{{TennatId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
SdkVersion: postman-graph/v1.0
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id={{ClientId}}&client_secret={{ClientSecret}}&scope=https://graph.microsoft.com/onlineMeetings.ReadWrite&userName=MyCorporateMail#org.com&password=MyPassword
But I always get an invalid_grant response: AADSTS50126: Error validating credentials due to invalid username or password.
I don't know why I cannot get a token response with my corporate (work) mail/account **#sap.com; I'm sure my password and other parameters are correct.
And if I use a new test user sapse#wardsap.onmicrosoft.com, which was created in Azure Active Directory, I get a token successfully. This user doesn't need two-step authentication when logging in to Azure. But this user does have a Teams/OnlineMeeting license, so it couldn't generate an onlineMeeting.
My Question:
Could this be caused by the MFA configuration of my org? Because I noticed that every time I log in to https://aad.portal.azure.com/, it has a second authentication step, verifying with a message to my phone.
If yes, would it be possible to disable MFA for some test/dev account permanently? Where should we configure it? Within MS Azure or somewhere else? Who should I get support from?
For this Create onlineMeeting API, do we have another authentication flow for this Delegated permission type for a back-end daemon service?
Thanks and Best Regards,
Ward
MFA will definitely prevent you from using this authentication flow.
The Resource Owner Password Credentials flow and its use are discouraged.
There are many flows which are more secure, and usually you can use ones like authorization code flow to achieve what you want.
MFA is configured by your organization, you'll need to contact your IT about that.
But I would not recommend disabling MFA for this.
A back-end daemon application needs to either use application permissions or a refresh token.
If the API in question does not support application permissions, you can acquire a refresh token for a user through the authorization code flow, store it securely, and use it whenever you need a new token.
If you do this, be sure to overwrite the old refresh token with the new one that you get when you ask for an access token.
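The first answer on this question shows the ROPC request and the second one advises, for a delegated-only API called from a daemon, to obtain a refresh token once through the authorization code flow, store it securely, and overwrite it with the new refresh token each time an access token is requested. The following is an added example (not the code of either answer) of that rotation logic against the v2.0 token endpoint, with an offline constructed transport standing in for login.microsoftonline.com so the behaviour can be exercised without a tenant; the token values it hands out are made up.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def http_transport(tenant):
    """Real transport: POST the form to the v2.0 token endpoint and parse the JSON reply."""
    def send(form):
        req = urllib.request.Request(TOKEN_URL.format(tenant=tenant),
                                     data=urllib.parse.urlencode(form).encode())
        try:
            with urllib.request.urlopen(req) as resp:
                return json.loads(resp.read().decode())
        except urllib.error.HTTPError as exc:  # 400 replies carry the error JSON body
            return json.loads(exc.read().decode())
    return send

def constructed_transport():
    """Offline stand-in for the endpoint: hands out new token pairs and records what it saw."""
    seen = []
    def send(form):
        seen.append(form["refresh_token"])
        n = len(seen)
        return {"token_type": "Bearer", "expires_in": 3599,
                "access_token": f"at-{n}", "refresh_token": f"rt-{n}"}
    return send, seen

class RefreshTokenStore:
    """Keeps the one refresh token a daemon obtained (via the auth code flow) for a user.
    Every call rotates: whatever refresh token the endpoint returns replaces the stored one.
    In production persist _refresh_token encrypted at rest (e.g. Key Vault), not in memory.
    """
    def __init__(self, client_id, client_secret, refresh_token, transport):
        self.client_id, self.client_secret = client_id, client_secret
        self._refresh_token = refresh_token
        self._send = transport

    def access_token(self, scope):
        form = {"grant_type": "refresh_token", "client_id": self.client_id,
                "client_secret": self.client_secret,
                "refresh_token": self._refresh_token, "scope": scope}
        reply = self._send(form)
        if "access_token" not in reply:
            raise RuntimeError(f"{reply.get('error')}: {reply.get('error_description')}")
        # Overwrite the old refresh token with the new one from the reply, if one was issued.
        self._refresh_token = reply.get("refresh_token", self._refresh_token)
        return reply["access_token"]
```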

Deleting/Purge data from Azure Application Insights

The following page shows how I can purge Application Insights data:
https://learn.microsoft.com/en-us/rest/api/application-insights/components/purge
I tried following it, but it doesn't mention how to use authentication and I am getting the following error in response:
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed. The 'Authorization' header is missing."
}
}
Can someone please guide me on how to use the authentication header?
As joy said in the comment, just go to the website and click "Try it" -> log in using your credentials, then you can see the token:
On the page you linked to, scroll all the way up in the menu and find 'Getting started with REST'. When you click that and scroll the page, you find Register your client application with Azure AD.
Most Azure services (such as Azure Resource Manager providers and the classic deployment model) require your client code to authenticate with valid credentials before you can call the service's API. Authentication is coordinated between the various actors by Azure AD, and provides your client with an access token as proof of the authentication. The token is then sent to the Azure service in the HTTP Authorization header of subsequent REST API requests. The token's claims also provide information to the service, allowing it to validate the client and perform any required authorization.
Long story short:
Register your client application with Azure AD
Create the request
Acquire an access token
Assemble the request message
Send the request
Process the response message
You need an Authorization header added to your request to purge the Azure Application Insights data. Refer to this for more details and a step-by-step guide: https://sanganakauthority.blogspot.com/2019/06/how-to-delete-or-purge-azure.html

Getting 403: "Insufficient privileges to complete the operation." when attempting to query Graph API

We've migrated to a new tenant where I work. As such we are trying to re-add our applications into Azure AD. We have a documented process that has worked in the past in order to add applications for our MVC and WebAPI projects. However, we've been getting errors when attempting to query the Graph API. In the example application we've used the code from here to create a custom authorize attribute that allows us group-based authentication. After debugging /Utilities/GraphHelper.cs we've determined that the application is getting a status error of 403 with a message that states: "Insufficient privileges to complete the operation."
After doing a bit of research I was able to replicate the Authentication process in Fiddler.
Action Method: POST
URL: https://login.windows.net/[tennantName]/oauth2/token?api-version=1.0
Header Block:
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Content-Length: 180
Expect: 100-continue
Connection: Keep-Alive
RequestBody:
grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=[clientId]&client_secret=[urlencoded client secret]
I get back a token from this request and then attempt to query the federated directory from the graphapi again with fiddler:
Action Method: GET
URL: https://graph.windows.net/[federated domain]/directoryObjects/{group-guid}
Header Block:
Content-Type: application/json
Host: graph.windows.net
Authorization: Bearer [token from login response]
I receive a 403 response with the body:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
In Azure Active Directory, Under App Registrations for this application the manifest has been modified by a user with Company Admin Role for:
"groupMembershipClaims": "SecurityGroup", ...
"oauth2AllowImplicitFlow": true,
An Application Key was generated that is used for fetching a token to access the graph API.
Under Required Permissions for Application Permissions Read directory data, and Read all hidden memberships were checked by a user with Company Admin Role.
I'm out of ideas; everything should be working.
I called MSFT support for Azure, apparently there is an issue with portal.azure.com assigning permissions. I was able to resolve this by going to the classic portal and getting the permissions reassigned.
Access that a client app has to the AAD Graph API is dependent on the permissions you have registered on your application.
Note that there is a section in the app registration process called "permissions to other applications" where you will need to specify the Graph API as a resource you want to call, and you must specify with what level of permissions you need to call that API.
Read more here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/
On your web client application’s configuration page in the Azure classic portal, set the permissions your application requires by using the drop-down menus in the Permissions to other applications control.
You can read more about the various scopes/permissions that the Graph API exposes here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Selecting these permissions is the first step, but it is not quite enough to actually get your app the right access it needs. The step you are missing is consent. Every application needs some level of user consent in order to access their tenant's data via the Graph API. Even if your application is doing App Only Flows (acting as a Daemon Service using the Client Credential Flow), you will still need the initial permissions to be consented to by the admin of the tenant where you want to get access to the data. This means the first time you want to use the application, you will have to trigger an interactive login experience. This process may happen 'automagically' when you use the "management.windowsazure.com" portal if you are an Admin configuring the app, since they automatically consent to the app on your behalf; however, in all other scenarios you will have to follow the normal process of obtaining user consent yourself.
Once you have correctly configured your app with the right permission scopes, and have obtained consent, you should see in your access tokens 'scopes' or 'role' claims which represent the permissions your application is authorized for.
Using this knowledge, I hope you will be able to resolve the issue you are facing.
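The answer above says that, once permissions are granted and consented, the access token carries the authorization in its scopes or role claims (in the token itself these are the scp and roles claims). The following is an added example (not from the question or answer) of a pre-flight check a daemon can run on the token it just received before calling graph.windows.net: it decodes the payload without verifying the signature, purely for inspection, and reports the conditions that would produce the 403 seen here, such as a missing Directory.Read.All role, the wrong audience, or an expired token. The constructed_token helper builds unsigned demo tokens for the test; the role name is the application permission that "Read directory data" corresponds to.

```python
import base64
import json
import time

# Application-permission role that "Read directory data" maps to in the roles claim.
DIRECTORY_READ_ROLE = "Directory.Read.All"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(jwt):
    """Return the payload of a compact JWT. No signature check: inspection only,
    never use this to make an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def explain_403(jwt, expected_audience, required_roles, now=None):
    """List reasons the Graph endpoint would refuse this token (empty list = looks fine)."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if "scp" in claims:
        problems.append("token carries delegated scopes (scp); an app-only call needs roles")
    missing = set(required_roles) - set(claims.get("roles", []))
    if missing:
        problems.append(f"roles claim lacks {sorted(missing)}: permission not granted or admin consent missing")
    return problems

def constructed_token(claims):
    """Build an unsigned demo token with the given claims (constructed for this example only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."
```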

Permission error accessing /.auth/refresh

I'm using Azure App Service with authentication using Google and Microsoft account.
I can access mysite/.auth/me without an issue upon logging in.
But to refresh the token, /.auth/refresh is returning the following exception:
You do not have permission to view this directory or page.
Not sure what access needs to be granted here in the Azure blade.
The error message is actually a bit misleading. It's not that you don't have permission to access the API, but rather there are probably no refresh tokens in your token store. The way to acquire refresh tokens during user login is a little different for each provider. More details here:
https://cgillum.tech/2016/03/07/app-service-token-store/
In order for this to work, the token store must contain refresh tokens for your provider. If you’re not familiar with how to do this, here are some hints:
Google: Append an "access_type=offline" query string parameter to your /.auth/login API call (if using the Mobile Apps SDK, you can add this to one of the LogicAsync overloads).
Microsoft Account: Select the wl.offline_access scope in the Azure management portal.
Azure AD: This is a little complex right now, but take a look at my next post on enabling Graph API access. Follow the setup steps and this will also enable you to get refresh tokens for Azure AD (you can omit the Read directory data and the resource=… parts if they don’t apply to you). The plan is to simplify this in the future.
