I am trying to upload a few custom policies(base, extension and RP) to Azure B2C using github actions that would use an azure service principal(client id and secret), tenant id and subscription id. I have used this github action:
https://github.com/marketplace/actions/deploy-azure-ad-b2c-trustframework-policy
When the action executes in my pipeline, I get this error:
Action failed: client_secret_basic client authentication method requires a client_secret
The github secrets section of the repository has CLIENT_SECRET defined like this:
There is another variable called AZURE_CREDENTIALS that has a JSON like this:
{
"clientId": "my-clientId",
"clientSecret": "my-clientSecret",
"tenantId": "my-tenantId",
"subscriptionId": "my-subscriptionId"
}
Any clues on what I am missing? Appreciate your responses.
The solution is available here: https://learn.microsoft.com/en-us/answers/questions/77725/azure-ad-b2c-uploading-custom-policies-via-github.html
Related
My subscription has preview feature enabled.
I created application in Microsoft Azure.
To access claims preview feature of application edited the URL by adding '?feature.claimseditorpreview=true'
Also added some custom claims to 'Claims (preview)'.
Now I would like to access the preview feature of application's claim using REST api.
I tried to reproduce the same in my environment and got the below results:
You can retrieve the list of claims mapping policy that is applied to a Service Principal/Azure AD Enterprise Application.
To create claims mapping policy, please try the below query in Microsoft Graph Explorer:
POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
{
"definition": [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
],
"displayName": "Test Claims Policy",
"isOrganizationDefault": false
}
Claims mapping policy will be created like below:
To assign the created policy to a Service principal, execute the below query:
POST https://graph.microsoft.com/v1.0/servicePrincipals/servicePrincipalObjectID/claimsMappingPolicies/$ref
{
"#odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/PolicyID"
}
A response of 204 will be returned if successful:
To retrieve the claims mapping policy, switch to beta:
GET https://graph.microsoft.com/beta/servicePrincipals/servicePrincipalObjectID/claimsMappingPolicies
Unfortunately, listing Attributes & Claims for an Azure Service Principal is not possible.
Please refer this MsDoc which describes the possible methods on Azure Service Principal.
I would need to start an Azure Data Factory pipeline from REST API as per https://learn.microsoft.com/en-us/rest/api/datafactory/pipelines/createrun#code-try-0
I have created an AAD app, and given it the Azure Service Management API Permission. However when the client through the OAuth2 Implicit flow receives an id_token and invokes that API to start a pipeline I get
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "The access token is invalid."
}
}
Am i using proper API pemrission? thanks.
If you just want to use OAuth2 flow to get the token to call the REST API, the client credentials flow is more suitable than the Implicit flow in this case.
Please follow the steps below.
1.Get values for signing in and create a new application secret.
2.Navigate to the data factory -> Access control (IAM) -> Add -> add your AD App as an RBAC role e.g. Contributor, Owner, Data Factory Contributor, details follow this.
3.In the postman, follow the screenshot below, fix the request body got from step 1, then use the token to call REST API, it will work fine.
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
client_id=<client_id>
&scope=https://management.azure.com/.default
&client_secret=<client_secret>
&grant_type=client_credentials
I cant test it right now but I would assume that having Data Factory Contributor should be enough for this.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#data-factory-contributor
I have an Azure AD app and I am trying to add custom claims to a JWT. I'm using the claims mapping feature in Azure for my specific app, and updated the app manifest in the Azure Portal to include the optional claims. However, when I log in and view the decoded access token, the claim is not present in the token. I haven't found much documentation relating to using extension attributes as claims, but from what I've found it should follow the same patterns, but it is not working as expected.
How do I add a custom claim, sourced from a custom property in the user object in AD, to a JWT when the user logs in?
Thanks in advance!
Steps to re-create
Use the Azure AD Graph API to register a directory extension
Request:
POST https://graph.windows.net/mytenant.onmicrosoft.com/applications/<application-object-id>/extensionProperties?api-version=1.5
Body:
{
"name": "customUserRoles",
"dataType": "String",
"targetObjects": ["User"]
}
Write a value to the extension for a specific AD user
Request:
PATCH https://graph.windows.net/mytenant.onmicrosoft.com/users/user123#mytenant.onmicrosoft.com?api-version=1.5
Body:
{
"extension_<appId>_customUserRoles": "My Custom Role 1, Another Role 2"
}
In PowerShell, I installed the Azure AD module: Install-Module -Name AzureADPreview
Create an Azure AD policy
New-AzureADPolicy -Definition #('{"ClaimsMappingPolicy":{"Version": 1, "IncludeBasicClaimSet": "true", "
ClaimsSchema": [ { "Source": "user", "ID": "extension_<appId>_customUserRoles", "JwtClaimType": "customUserRoles" } ] } }') -DisplayName "customUserRoles" -Type "ClaimsMappingPolicy"
Add the policy to the service principal
Add-AzureADServicePrincipalPolicy -Id <service-principla-id> -RefObjectId <azure-ad-policy-id>
In the Azure Portal, navigate to Azure AD -> App Registrations -> My App -> Manifest
Update the following properties
{
...
"acceptMappedClaims: true,
"optionalClaims": {
"idToken": [
{
"name": "extension_<appId>_customUserRoles",
"source": "user",
"essential": false,
}
],
"accessToken": [
{
"name": "extension_<appId>_customUserRoles",
"source": "user",
"essential": false,
}
],
"samlToken": []
}
}
Save the file
Navigate to https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/authorize?client_id=<appId>&response_type=token&resource=https://mytenant.sharepoint.com and login with Azure AD user account user123#mytenant.onmicrosoft.com
In the URL, copy the value of the access_token parameter
Navigate to https://jwt.ms and paste the access token in the text area
In the decoded token section, the custom claim customUserRoles is not present
My expectation is I should see a new claim called customUserRoles or extn.customUserRoles in the decoded token.
What steps am I missing? I haven't gotten any errors throughout this process, but it doesn't appear to be working as the documentation suggests.
Reference Material
I have read through Microsoft's documentation on these topics:
Optional Claims: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
Claims Mapping: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
I have also read through various forum posts and blog articles relating to this:
https://devonblog.com/cloud/azure-ad-adding-employeeid-claims-in-azure-ad-jwt-token/
http://www.redbaronofazure.com/?p=7566
https://social.msdn.microsoft.com/Forums/en-US/3e5114b6-24d6-4c60-b72b-b4c90baeecac/access-token-missing-optional-claims-that-are-schema-extensions-implicit-grant-flow
https://social.msdn.microsoft.com/Forums/en-US/dbeeed63-8d3f-4c27-b416-431f9fe6c729/providing-directory-extension-optional-claims-and-returning-value-within-token?forum=WindowsAzureAD
Based on this official doc :
Access tokens are always generated using the manifest of the resource,
not the client. So in the request
...scope=https://graph.microsoft.com/user.read... the resource is
Graph. Thus, the access token is created using the Graph manifest, not
the client's manifest. Changing the manifest for your application will
never cause tokens for Graph to look different. In order to validate
that your accessToken changes are in effect, request a token for your
application, not another app.
And based on your requirement , it is impossible if you want to make some change on an access token which resource is sharepoint online which is a multi-tenant app created and managed by MSFT.
For this doc , I also did some research for you . And the same , you should have control of the service side app so that you can make that happen.
This is my policy role assignment command :
$nsp = New-AzureADPolicy -Definition #('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"mailnickname","JwtClaimType":"testclaim"}]}}') -DisplayName "StanCustomCliamDemo_surname" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -RefObjectId $nsp.Id -Id '<obj id of service side app>'
Token result :
What's more , pls note that extension_<appId>_customUserRoles is not a valid user source ID . For all valid user source ID , pls refer to here .
Hope it helps .
I have a Web API project hosted in Azure as web app with Managed Service identity enabled (so I don't need an app registration, right?):
Now I need to obtain a token to access my API so that I can use it in POSTMAN:
az login
az account get-access-token --resource "https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52"
which gives me
Get Token request returned http error: 400
and server response:
{"error":"invalid_resource","error_description":"AADSTS50001: The
application named
https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52
was not found in the tenant named
xxxxxxxx-xxxx-xxxx-af31-xxxxxxxxxx. This can happen if the
application has not been installed by the administrator of the tenant
or consented to by any user in the tenant. You might have sent your
authentication request to the wrong tenant.
I get the same error if I try to use object id 63d571cf-79bf-405d-8304-a31fb64cb953 instead of app id as part of resource uri.
What am I doing wrong?
What am I doing wrong?
az account get-access-token is used to get token to access the Azure resource. We could get more information from this document.
--resource
Azure resource endpoints. Default to Azure Resource Manager Use 'az cloud show' command for other Azure resources.
The resoure should be in the following endpoints. And default resource is https://management.azure.com/
"endpoints": {
"activeDirectory": "https://login.microsoftonline.com",
"activeDirectoryDataLakeResourceId": "https://datalake.azure.net/",
"activeDirectoryGraphResourceId": "https://graph.windows.net/",
"activeDirectoryResourceId": "https://management.core.windows.net/",
"batchResourceId": "https://batch.core.windows.net/",
"gallery": "https://gallery.azure.com/",
"management": "https://management.core.windows.net/",
"resourceManager": "https://management.azure.com/",
"sqlManagement": "https://management.core.windows.net:8443/",
"vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
}
Based on my understanding, the command no relationship with your API access.
For more information about MSI and how to protect an API by using OAuth 2.0 with Azure Active Directory, please refer to this tutorial and this tutorial.
The resource URI does not contain your Application Id nor Object Id.
It is a separate identifier that you can find from the App Registration's Properties under App ID URI.
And since this is an MSI-generated service principal, there is no app. I think you have to register an app in this case.
I'm querying the Microsoft Graph using a service app as described in this article: http://graph.microsoft.io/en-us/docs/authorization/app_only
I'm successfully able to make the POST request to the tenant-specific URL and get the JSON response specified:
{
"token_type": "Bearer",
"expires_in": "3599",
"scope": "User.Read",
"expires_on": "1449685363",
"not_before": "1449681463",
"resource": "https://graph.microsoft.com",
"access_token": "<token>"
}
except the "scope" parameter is missing. I have all "Office 365 Exchange Online" "Application Permissions" checked in my AD configuration panel. When using the returned token against the Graph API, I'm able to successfully call https://graph.microsoft.com/v1.0/users/ but no other endpoints.
I just had this issue and wanted to elaborate on the answer marked as correct since it is the correct answer but an incomplete solution. If there are no scope parameters, it means that your app is registered, however the admin has not consented to the app accessing your AD instance. Once you register your app, you have to build and go to the following URL to authorize the app (with admin account, of course):
GET https://login.microsoftonline.com/{TenantID}/adminconsent?
client_id=<APP ID>
&state=<This is optional for your app to use>
&redirect_uri=<ReturnURL>
TenantID: comes from Azure portal - if you click on the Help icon in the upper right and then choose 'Show Diagnostics' you can find the tenant id in the diagnostic JSON.
AppID: comes from the Azure portal - when you register your app, you go to the management console and cut/paste
This article has a TON of useful info for people trying to do graph integration.
You need to select the application scopes from the list available in the Microsoft Graph service then have the admin consent