Change Password Azure AD B2C - azure-ad-b2c

I have been able to create Azure Functions App to manage Azure B2C Users. I can create new users, and update profiles flawlessly using the client_credentials Flow. However, when I change the password using a PATCH request with body:
{
  passwordProfile: {
    password: 'password-value',
    forceChangePasswordNextSignIn: false
  },
  passwordPolicies: "DisablePasswordExpiration"
}
I get this error:
{code: 'Authorization_RequestDenied', message: 'Insufficient privileges to complete the operation.'}
I have done some research on this, and figured out that updating the password requires the Delegated Permission "Directory.AccessAsUser.All". From the Front End Application, I am signing in using the B2CLogin Flow, therefore the access token is not compatible with Graph API. Also, "Directory.AccessAsUser.All" does not exist at the Application level in the B2C application. Therefore, I can't use the PATCH request with the client_credentials Flow either. According to some suggestions, the process can be done by Azure AD PowerShell by assigning the "Company Administrator" Role. But I have not found a solution to reset the password through the Azure Function. A step-by-step solution (if it exists) would be really helpful for me as I am relatively new to Azure Services.

The easiest way is to assign the Global Admin role to the service principal on Azure portal.
Go to Azure Portal - Azure Active Directory - Roles and administrators.
Search for "Global admin" and select it.
Click on +Add assignments. And then search for your service principal.
Please note that "Applications are allowed for active assignments only."
So after clicking on "Next >", select "Active" for the Assignment type.
After the assignment is finished, you are able to update the password using the client_credentials flow.
Add-AzureADDirectoryRoleMember, which is mentioned by @Jas Suri, can also do the same thing.
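As an added example (not code from the question or the answer above), here is what the Azure Function side of this looks like in Node 18+ once the role assignment is in place: a client_credentials token request, the PATCH with the passwordProfile body from the question, and a small classifier that turns the Authorization_RequestDenied response into the diagnosis the answer gives (the permission is granted, but the service principal holds no directory role). The login and Graph URLs are the real endpoints; tenant, client id, secret and user id are placeholders, and the fake transport at the end is constructed so the flow can be exercised offline.

```javascript
// Added example, not code from the question or the answer: password reset
// through Microsoft Graph with the client_credentials flow, with the
// Authorization_RequestDenied error mapped to a diagnosis. Node 18+ (global
// fetch / URLSearchParams). Tenant, client id, secret and user id are placeholders.

const GRAPH = 'https://graph.microsoft.com/v1.0';

// PATCH body for a password reset, in the shape Graph expects.
function buildPasswordPatch(newPassword, { forceChange = false } = {}) {
  if (typeof newPassword !== 'string' || newPassword.length < 8) {
    throw new Error('newPassword must be a string of at least 8 characters');
  }
  return {
    passwordProfile: { password: newPassword, forceChangePasswordNextSignIn: forceChange },
    passwordPolicies: 'DisablePasswordExpiration',
  };
}

// Client-credentials token request for Graph application permissions.
function buildTokenRequest(tenant, clientId, clientSecret) {
  return {
    url: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`,
    body: new URLSearchParams({
      client_id: clientId,
      client_secret: clientSecret,
      grant_type: 'client_credentials',
      scope: 'https://graph.microsoft.com/.default',
    }).toString(),
  };
}

// Map a Graph error to something an operator can act on. Accepts both the raw
// Graph shape ({ error: { code } }) and the flattened shape shown in the question.
function diagnoseGraphError(status, body) {
  const code = (body && body.error && body.error.code) || (body && body.code);
  if (status === 403 && code === 'Authorization_RequestDenied') {
    // Permission is granted, but the service principal holds no directory role.
    return 'service-principal-needs-directory-role';
  }
  if (status === 401) return 'token-rejected';
  if (status === 404) return 'user-not-found';
  return 'other';
}

// Full flow; fetchImpl is injectable so it can be exercised without a tenant.
async function resetPassword({ tenant, clientId, clientSecret, userId, newPassword }, fetchImpl = fetch) {
  const tok = buildTokenRequest(tenant, clientId, clientSecret);
  const tokRes = await fetchImpl(tok.url, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: tok.body,
  });
  if (!tokRes.ok) return { ok: false, stage: 'token', status: tokRes.status };
  const { access_token } = await tokRes.json();

  const res = await fetchImpl(`${GRAPH}/users/${encodeURIComponent(userId)}`, {
    method: 'PATCH',
    headers: { authorization: `Bearer ${access_token}`, 'content-type': 'application/json' },
    body: JSON.stringify(buildPasswordPatch(newPassword)),
  });
  if (res.status === 204) return { ok: true, stage: 'patch', status: 204 };
  const body = await res.json().catch(() => ({}));
  return { ok: false, stage: 'patch', status: res.status, diagnosis: diagnoseGraphError(res.status, body) };
}

// Constructed fake transport reproducing the question: the token call succeeds,
// the PATCH is refused with Authorization_RequestDenied because no role is assigned yet.
function fakeFetchDenied(url) {
  if (url.includes('/oauth2/v2.0/token')) {
    return Promise.resolve({ ok: true, status: 200, json: async () => ({ access_token: 'constructed-token' }) });
  }
  return Promise.resolve({
    ok: false,
    status: 403,
    json: async () => ({ error: { code: 'Authorization_RequestDenied', message: 'Insufficient privileges to complete the operation.' } }),
  });
}
```

In a real function, `resetPassword(opts)` is called without the second argument so the global `fetch` is used; the diagnosis string is what you would log or return to the caller instead of the bare Graph message.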

Related

Can I get a list of B2C Tenant Users (Created using signin-signup policy) Using Graph Explorer?

I'd like to use Microsoft Graph Explorer to work with my Azure AD B2C Tenant.
Initially, all I want to do is retrieve a Custom Attribute that I've assigned to an application registration. The custom attribute will store the UserAppPermission value, a 'role' replacement for B2C since it doesn't natively support them.
Can I get a second set of eyes on my process? I'd like to make sure I'm reading this properly.
First goal: Get a list of applications registered to my B2C Tenant. Reasoning is... if the app registration doesn't appear then future queries are unlikely to be successful.
Resource#1 "Manage Azure AD B2C with Microsoft Graph" (Note B2C in the title)
(1) I registered an application in my B2C tenant with permissions in excess of the minimum, checked this process twice: Register a Microsoft Graph application (Note B2C in the opening paragraph, and throughout the document).
(1a) Uncertain if the Azure portal was being buggy, I also registered this application with the 'Global Administrator Role' ... absolute overkill & insecure ..
(1b) I am certain that I assigned the appropriate Microsoft Graph API permissions in the app registration tab
(1c) As described in the doc, I also granted the application the user administrator role, although that is contained within the global administrator role.
(1d) Per the doc, "Now that you've registered your management application and have granted it the required permissions, your applications and services (for example, Azure Pipelines) can use its credentials and permissions to interact with the Microsoft Graph API."
When I run "https://graph.microsoft.com/beta/applications" to get a list of registered applications, all I see is the single App Registration our 'root' Azure account has for our Azure Functions App. Since this was an article on managing azure ad B2C with Microsoft Graph, I was expecting to see the applications registered to my B2C Tenant.
? Does anyone read (1d) to mean that I should not be able to use https://developer.microsoft.com/en-us/graph/graph-explorer, logged in as the B2C global administrator, and granting all permissions the endpoint requires, to make Microsoft Graph API queries?
Next goal: Get a list of users registered to my B2C Tenant
Resource#2 "List Users" - the link to this resource was provided by Resource #1, link provided above.
(1) The only mention of B2C in this article is: "The $count and $search parameters are currently not available in Azure AD B2C tenants."
(2) The request to get all users is GET "https://graph.microsoft.com/v1.0/users"
(2a) The request returns a list of users for the MyOrg's root AD tenant, not the application's B2C tenant. Not surprising since there's nothing in the request to specify the B2C tenant.
(3) Another resource provides this request format: https://graph.microsoft.com/beta/.onmicrosoft.com/users, which specifies the b2c tenant.
(3a) This executes without error in Graph-Explorer but does not return any of the users that registered for the application using the sign-up/sign-in policy (Consumer B2C Users). It still returns a list of users for the 'root' Azure account.
Update re:specifying tenant in graph-explorer:
While logged in to Graph Explorer using my work MS email, which is registered as a global admin for our Azure account and owner of the B2C tenant, I specified:
This returns a list of applications for the root Azure account, not app registrations for the B2C Tenant I specified. Perhaps I misunderstood the intent of this Graph API call.
I optimistically ran 'https://graph.microsoft.com/beta/identity/b2cUserFlows' with the tenant specified in the URL (as in screenshot). Result:
"error": {
"code": "AADB2C",
"message": "'4fba2ea8-XXXX-XXXX-964e-99f48b79d925' is not an Azure AD B2C directory...
I'm still not certain what the UUID returned in the message represents. The UUID has no correlation, that I can find, with the tenant I specified in the URL.
The reason is that you are using an Azure account which is from your root AAD tenant.
You have two options to resolve it.
Specify the tenant in the Graph Explorer URL: https://developer.microsoft.com/en-us/graph/graph-explorer?tenant={Your b2c tenant}.onmicrosoft.com. Still use that Azure account from the root AAD tenant to sign in, and you can get a list of applications and users of your B2C tenant now.
Another method is creating a new user in your B2C tenant and assigning the Global admin role to it. Then sign into https://developer.microsoft.com/en-us/graph/graph-explorer with this new user. Now you can list applications and users of your B2C tenant as well.
Update:
Don't use a Consumer account (local account) for the second suggestion. You should create an AAD user (work account, format: mytenantname.onmicrosoft.com ) in Azure portal in B2C tenant and assign it global admin role.
Overview of user accounts in Azure Active Directory B2C for your reference.
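As an added example (not part of the answer), the quickest way to see the problem the answer describes is to look at which tenant the access token Graph Explorer is using was issued for: Azure AD records the issuing tenant's id in the token's `tid` claim, and a token from the root tenant acts on the root tenant's users and apps whatever URL you type. The snippet below decodes a token's payload (no signature verification; that is the API's job), compares `tid` with the B2C tenant id you expect, and builds the tenant-pinned Graph Explorer URL from the first option. The token it builds is constructed and unsigned purely to exercise the parser, and the tenant ids are placeholders.

```javascript
// Added example, not part of the answer: check which tenant a Graph access token
// was issued for, and build the tenant-pinned Graph Explorer URL. Node 15.7+
// (Buffer base64url). Tenant ids are placeholders; the token is constructed.

const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000'; // Microsoft Graph's well-known application id

// Decode the payload segment of a JWT (no signature check; that is the API's job).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected header.payload.signature');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Verdict on whether a token can be expected to operate on the B2C tenant.
function checkTokenTenant(token, expectedTenantId) {
  const claims = decodeJwtPayload(token);
  const graphAudience = claims.aud === 'https://graph.microsoft.com' || claims.aud === GRAPH_APP_ID;
  return {
    tid: claims.tid,                 // issuing tenant; this is the directory Graph will act on
    audience: claims.aud,
    graphAudience,
    matchesTenant: claims.tid === expectedTenantId,
  };
}

// Graph Explorer URL pinned to a tenant, as in the answer's first option.
function graphExplorerUrl(tenantDomain) {
  const u = new URL('https://developer.microsoft.com/en-us/graph/graph-explorer');
  u.searchParams.set('tenant', tenantDomain);
  return u.toString();
}

// Constructed, unsigned token (alg "none") for exercising the parser offline.
function makeUnsignedJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

const ROOT_TENANT_ID = '11111111-1111-1111-1111-111111111111'; // placeholder: root AAD tenant
const B2C_TENANT_ID = '22222222-2222-2222-2222-222222222222';  // placeholder: the B2C tenant
```

With a real token, paste it into `checkTokenTenant` and compare `tid` with the Directory ID shown on the B2C tenant's overview blade; if it matches the root tenant instead, the sign-in landed in the wrong directory regardless of what the URL says.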
@AllenWu's second solution was, in effect, correct but not explicit enough for me.
The New user interface in the B2C Tenant offers three options for creating users: Create user, Invite user and Create Azure AD B2C user. Most of my work has revolved around B2C users so I did that and gave the user Global Admin rights and my Graph Explorer results were unchanged.
Another user provided this suggestion and made it clear that I needed to create a user with an email address of @my-tenant-name.onmicrosoft.com. I created such a user, assigned it Global Admin rights, and I was able to use Graph Explorer as I expected.
Note that users with an email of "SomeTestUser_gmail.com#EXT#@my-tenant-name.onmicrosoft.com" do not behave in the same way.
Thanks for the suggestions & feedback & I hope this helps if you ended up here with the same question.

Azure multitenant app cant access

I am trying to log in to an Azure AD web app. When I do it with a user inside my tenant it's OK,
but when another user logs in I get
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'a1eda862-65fb-4f90-8482-06151f5c7abc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Login Url :
https://login.microsoftonline.com/common/oauth2/authorize?client_id=a1eda862-65fb-4f90-8482-06151f5c7abc&response_type=id_token+code&redirect_uri=http://localhost:44302/&response_mode=form_post&scope=openid+profile&state=12345&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7&resource=https://management.azure.com/
Tenant settings
A few things to check:
Based on the error you shared, it seems you're logged in with some Microsoft account like live.com/hotmail etc. Are you doing that intentionally or just happened to be logged in and getting confused by that? If you do want to login with a Microsoft account other than a usual organizational account, then as the error says, you need to add that account to your AzureAD tenant as an external user.
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant
For any other organizational user, i.e. user from a different AzureAD tenant than the one where this application is registered, you will first need to go through the consent process. You may have done it already or not.
More details on that process here - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent
Issue:
You wanted to use a personal account within a multi-tenant application to get a token for the "https://management.core.windows.net" API
Scope:
We will focus on this issue and consider it as resolved once we provide you with the reason that Personal accounts cannot be used against a v1 multi-tenant application.
Alternatively, we will consider this case resolved if we confirm that the problem is caused by a third-party application or is by-design.
This agreed resolution statement describes the specific conditions where we will close this case. Please let me know if you do not agree with this scope.
Cause:
For multi-tenant applications in v1 you can only use an organizational account and not a personal one. That happens because personal ones are authenticated by the "Live" endpoints and not by Azure endpoints, and also because we are sending the user to the "common" endpoint, where we do not know in which directory you want to sign in.
Resolution:
Having a multi-tenant application and signing in users with personal and organizational accounts can be covered by the Azure AD v2 endpoints; nevertheless, v2 has some limitations right now, and one of them is that you can only get a token for the Microsoft Graph API and not for https://management.core.windows.net. We plan to implement all APIs that are available in v1 in v2 as well, but as of now it cannot be used to acquire a token for such an API.
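As an added example (not from either answer), the request itself already tells you which of the two cases above you are in. The helper below reads an authorize URL and reports the authority (`common` or a tenant), whether it is a v1 request (no `/v2.0/` segment, `resource` parameter) or a v2 request (`scope` parameter), and parses the AADSTS50020 message into its fields; the rule encoded in `personalAccountsPossible` is the explanation the answers give, namely that a v1 request on the common authority signs in organizational accounts only. The sample URL and error text are the ones quoted in the question.

```javascript
// Added example, not from the thread: inspect an Azure AD authorize request and
// an AADSTS error message so the failure above can be recognised from the
// request alone. Node 10+ (global URL / URLSearchParams).

function inspectAuthorizeUrl(urlString) {
  const u = new URL(urlString);
  const segments = u.pathname.split('/').filter(Boolean); // e.g. ['common', 'oauth2', 'authorize']
  const authority = segments[0];
  const isV2 = segments.includes('v2.0');
  const q = u.searchParams;
  return {
    authority,
    endpointVersion: isV2 ? 'v2' : 'v1',
    audience: isV2 ? q.get('scope') : q.get('resource'), // v1 names the API via resource, v2 via scope
    responseType: q.get('response_type'),
    clientId: q.get('client_id'),
    redirectUri: q.get('redirect_uri'),
    // Rule from the answers: only a v2 request on the common authority can sign in personal accounts.
    personalAccountsPossible: isV2 && authority === 'common',
  };
}

// Pull the fields out of an AADSTS50020 message.
function parseAadstsError(text) {
  const m = /^(AADSTS\d+): User account '([^']*)' from identity provider '([^']+)' does not exist in tenant '([^']+)' and cannot access the application '([^']+)'/.exec(text);
  if (!m) return null;
  return { code: m[1], account: m[2], idp: m[3], tenant: m[4], appId: m[5] };
}

// Combine both: what a sign-in failure tells you about the request that produced it.
function explainSignInFailure(authorizeUrl, errorText) {
  const request = inspectAuthorizeUrl(authorizeUrl);
  const error = parseAadstsError(errorText);
  if (!error) return { request, error: null, explanation: 'unrecognised error text' };
  let explanation;
  if (error.code === 'AADSTS50020' && error.idp === 'live.com' && !request.personalAccountsPossible) {
    explanation = 'personal Microsoft account against a v1 request: add the account as an external user in the tenant, or use a v2 request';
  } else if (error.code === 'AADSTS50020') {
    explanation = 'account is not a member of the tenant named in the error: consent / external-user onboarding needed';
  } else {
    explanation = 'see the AADSTS code';
  }
  return { request, error, explanation };
}

// Samples copied from the question above.
const SAMPLE_AUTHORIZE_URL = 'https://login.microsoftonline.com/common/oauth2/authorize?client_id=a1eda862-65fb-4f90-8482-06151f5c7abc&response_type=id_token+code&redirect_uri=http://localhost:44302/&response_mode=form_post&scope=openid+profile&state=12345&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7&resource=https://management.azure.com/';
const SAMPLE_ERROR = "AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'a1eda862-65fb-4f90-8482-06151f5c7abc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.";
```

Run `explainSignInFailure(SAMPLE_AUTHORIZE_URL, SAMPLE_ERROR)` to get the structured request, the parsed error, and the one-line explanation; the same call on a v2 URL (`/common/oauth2/v2.0/authorize` with `scope`) reports `personalAccountsPossible: true`.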

Azure AD App Authorization with active roles

I've got some trouble with Azure AD authorization for APIs with active roles. Here are my steps:
I've created an Azure AD App and activated the option "User assignment required"
In the manifest I've created the roles
In my WebApp I've used ADAL and my assigned users can log in. Everything works fine
My problem:
Now I have another API/Batch which should "log in" into my AD-App.
Easy, I thought -> I've created a secret key and the parameters for my request look like:
URL for Login: https://login.microsoftonline.com/MyTenantID
ClientID: myAppID of the AD-App
Key: MyKey
ResourceID: MyAppID of the AD-App
-> Error: Application 'xxx' is not assigned to a role for the ...
So what I am doing wrong? How can I assign the APP to login 'by itself'?
As User assignment required option noted as follows:
If this option is set to yes, then users must first be assigned to this application before being able to access it.
If this option is set to no, then any users who navigate to the application will be granted access.
This option is only enabled when the application is configured for the following sign-on modes: SAML-based SSO or WIA with Azure AD Authentication.
So what I am doing wrong? How can I assign the APP to login 'by itself'?
Based on your description, I assume that you are using the Service to Service Client Credentials Grant Flow without user interaction. For your scenario, you need to define the Application roles for Application members; for details you could follow this similar issue.
Moreover, you could refer to my test steps as follows:
Define the Application roles:
Create another AAD app and configure required permissions to access another AAD app:
Acquire the token:
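As an added example (not the answer's code; the answer's own steps are the screenshots it refers to), the two halves of letting an application sign in "by itself" to a role-protected API are shown below: the app role the API's manifest must expose, with `allowedMemberTypes` containing `"Application"` so a client's service principal can be assigned to it, and the check the API performs at runtime, which reads the `roles` claim of the incoming token (an app-only token carries no user and therefore no `scp` claim). Role names, ids and audiences are placeholders, and the two claim sets are constructed to mirror the failing and the fixed batch client.

```javascript
// Added example, not from the answer: app-role definition for Application
// members plus the API-side authorization check on the roles claim.
// Role names, ids and audiences are placeholders.

const REQUIRED_ROLE = 'Batch.Run';

// Add an application-member role to a manifest's appRoles, or verify an existing one.
function ensureApplicationRole(manifest, roleValue, roleId) {
  const roles = Array.isArray(manifest.appRoles) ? manifest.appRoles.map((r) => ({ ...r })) : [];
  const existing = roles.find((r) => r.value === roleValue);
  if (existing) {
    // A role that only allows "User" members cannot be assigned to a service principal.
    if (!existing.allowedMemberTypes.includes('Application')) {
      throw new Error(`role ${roleValue} allows users only; add "Application" to allowedMemberTypes`);
    }
    existing.isEnabled = true;
    return { ...manifest, appRoles: roles };
  }
  roles.push({
    allowedMemberTypes: ['Application'],
    description: `Lets a daemon client call this API as ${roleValue}`,
    displayName: roleValue,
    id: roleId,
    isEnabled: true,
    value: roleValue,
  });
  return { ...manifest, appRoles: roles };
}

// Authorization decision on the claims of an already signature-verified token.
// App-only tokens carry their assignments in "roles"; delegated tokens carry "scp".
function authorizeCaller(claims, requiredRole) {
  const tokenType = typeof claims.scp === 'string' ? 'delegated' : 'app-only';
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  if (!roles.includes(requiredRole)) {
    return { allowed: false, tokenType, reason: `roles claim lacks ${requiredRole}` };
  }
  return { allowed: true, tokenType, reason: 'ok' };
}

// Constructed claim sets: the batch client before any assignment, and after it.
const CLAIMS_UNASSIGNED = { aud: 'api://my-api-placeholder', appid: 'batch-app-id-placeholder' };
const CLAIMS_ASSIGNED = { aud: 'api://my-api-placeholder', appid: 'batch-app-id-placeholder', roles: ['Batch.Run'] };
```

The manifest returned by `ensureApplicationRole` is what goes into the API app's registration; the batch client is then granted that application permission and admin-consented, after which its token carries `roles: ["Batch.Run"]` and `authorizeCaller` admits it.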

Azure AD B2C Tenant seems corrupted after using AAD Graph Client

A few days ago, before implementing user management with the Azure Active Directory Graph API (not Microsoft Graph) in our web app for Azure AD B2C users, I was able to log into the Azure Portal, find the Azure Active Directory B2C resource, click on it, and successfully authenticate into it in order to edit policies, view the list of users, etc.
(Clicking the tenant in the screenshot used to work!)
Now when I click on it, the screen flashes about 10 times, attempting to log my user into the tenant. But afterward, the following error is returned:
Furthermore, when I attempt to log into the web app with that same user, I get the following error message:
ERROR: Your account has been locked. Contact your support person to unlock it, then try again.
How do I unlock the account if I can't even get into the Azure AD B2C tenant? Did I corrupt the tenant by using the AAD Graph Client?
UPDATE
I'm adding more information about how I'm using the Azure AD Graph Client, in case it is important to diagnose why I, nor any other admin on my team, can log into the AAD B2C tenant.
I think the most relevant piece of how I'm using the Azure AD Graph Client is the following to update a user's "Organization" extension/custom attribute:
The x's represent the AAD B2C generated identifier associated with the extension and the y's represent a user GUID.
HTTP PATCH to https://graph.windows.net/genlogin.onmicrosoft.com/users/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy?api-version=1.6
Body: {
"extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_Organization":"Microsoft"
}
Is this incorrect use of the graph client? How do I get the AAD B2C tenant back to a state where I can log into it?
UPDATE
Furthermore, I also found the following link which talks about existing issues in AAD B2C management: https://blogs.msdn.microsoft.com/azureadb2c/2016/09/09/known-issue-b2c-app-mgmt/
Does this link apply at all? (My guess is no because it is the tenant itself that seems to be in a weird state, not the application associated with the tenant)
Since the screen flashes about 10 times, it seems that you tried to log into Azure too many times within a short time. The Azure login server has its own policy to prevent this kind of uncommon login event.
Try to use another admin account to log into the B2C tenant and reset your account password. If you don't have one, ask other admins to help you.
Otherwise, you need to wait and try to log in later.
Additionally, your client browser may have come across some issue which causes this event. You'd better check the environment for your work.

Azure AD B2C Connected user change password with Graph AD API

We are using Azure AD B2C and I'm trying to implement the changePassword function for signed-in users. We have followed this tutorial https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet, and we have succeeded in making it work.
But we want signed-in users to have the possibility to change their existing password (directly in applications). We found this method (https://msdn.microsoft.com/fr-fr/library/azure/ad/graph/api/functions-and-actions#changePassword) but we failed to make it work...
What is the standard workflow for using AD Graph API in AD B2C with signed-in users?
I have an application linked to a B2C tenant. I have created both Android and iOS apps and I am able to connect and get tokens thanks to the sign-up or sign-in policy, this point is OK...
In parallel I have created a service app in order to use the AD Graph API (thanks to the first link above).
We have succeeded in testing some operations like getting the list of users, finding a specific user, changing some.... But now I want to use the method "changePassword" for the connected users (second link) and I have failed using it. I don't know which access token to provide; both tests (using the token from the app service credential or using the access token received thanks to the sign-in policy) have failed??
Other question: is it normal that the app service I have created with PowerShell is not visible in the Azure Portal??
Thanks ;)
Other question: is it normal that the app service I have created with PowerShell is not visible in the Azure Portal??
We can locate the service principal which was created by PowerShell by searching the appPrincipalId like below:
Update
To perform the change password REST API of Azure AD Graph, we need to provide a delegated access token. In this scenario, we can use the resource owner password credentials flow, which requires the user's username and password for the authentication. To use this flow we can register the service principal like below:
$app = New-AzureRmADApplication -DisplayName "appPS2" -HomePage "https://adb2cfei.onmicrosoft.com/appPS2" -IdentifierUris "https://adb2cfei.onmicrosoft.com/appPS2" -Password "123"
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
Then we need to log into the Azure classic portal to grant the delegated permission Directory.AccessAsUser.All as in the figure below:
Here is the code to acquire the token using the resource owner password credentials flow:
Post: https://login.microsoftonline.com/adb2cfei.onmicrosoft.com/oauth2/token
resource=https%3a%2f%2fgraph.windows.net&client_id={ $app.ApplicationId}&grant_type=password&username=fx%40adb2cfei.onmicrosoft.com&password={currentPassword}&client_secret=123
Then we can use this token to change the password of the sign-in user like below:
POST: https://graph.windows.net/adb2cfei.onmicrosoft.com/me/changePassword?api-version=1.6
authorization: bearer {access_token}
content-type: application/json
{
"currentPassword":"{currentPassword}",
"newPassword":"{newPassword}"
}
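As an added example (not the answer's own code), the answer's two HTTP calls are written out below as functions, together with the check that settles the question's "which access token do I provide": `/me/changePassword` on Azure AD Graph needs a delegated token, that is one whose audience is `https://graph.windows.net` and whose `scp` claim contains `Directory.AccessAsUser.All`. The service app's client_credentials token (a `roles` claim and no `scp`) and the token from the B2C sign-up/sign-in policy (audience is your own app) both fail that check, which is why both of the question's attempts were rejected. Tenant, app id and credentials are placeholders, and the three claim sets are constructed.

```javascript
// Added example, not the answer's code: the ROPC token request, the
// changePassword call, and a check of which token can be used for /me.
// Node 10+ (global URLSearchParams). Tenant, app id and credentials are placeholders.

const AAD_GRAPH = 'https://graph.windows.net';
const AAD_GRAPH_APP_ID = '00000002-0000-0000-c000-000000000000'; // well-known id of Azure AD Graph

// Resource owner password credentials token request against the v1 endpoint.
function buildRopcTokenRequest({ tenant, clientId, clientSecret, username, password }) {
  return {
    url: `https://login.microsoftonline.com/${tenant}/oauth2/token`,
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      resource: AAD_GRAPH,
      client_id: clientId,
      grant_type: 'password',
      username,
      password,
      client_secret: clientSecret,
    }).toString(),
  };
}

// The changePassword call for the signed-in user (the one the token was issued to).
function buildChangePasswordRequest({ tenant, accessToken, currentPassword, newPassword }) {
  if (newPassword === currentPassword) throw new Error('newPassword must differ from currentPassword');
  return {
    url: `${AAD_GRAPH}/${tenant}/me/changePassword?api-version=1.6`,
    method: 'POST',
    headers: { authorization: `Bearer ${accessToken}`, 'content-type': 'application/json' },
    body: JSON.stringify({ currentPassword, newPassword }),
  };
}

// Why a given token (decoded claims) will or will not work for /me/changePassword.
function tokenSuitableForChangePassword(claims) {
  if (claims.aud !== AAD_GRAPH && claims.aud !== AAD_GRAPH_APP_ID) {
    return { ok: false, reason: `audience ${claims.aud} is not Azure AD Graph` };
  }
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ') : [];
  if (scopes.length === 0) {
    return { ok: false, reason: 'app-only token (no scp claim): there is no signed-in user for /me' };
  }
  if (!scopes.includes('Directory.AccessAsUser.All')) {
    return { ok: false, reason: 'delegated token lacks Directory.AccessAsUser.All' };
  }
  return { ok: true, reason: 'delegated token with the required permission' };
}

// Constructed claim sets for the tokens the question tried, and the one the answer uses.
const CLAIMS_CLIENT_CREDENTIALS = { aud: AAD_GRAPH, roles: ['Directory.ReadWrite.All'] }; // service app token
const CLAIMS_B2C_POLICY = { aud: 'b2c-app-id-placeholder', tfp: 'B2C_1_SignUpSignIn' };   // sign-in policy token
const CLAIMS_ROPC = { aud: AAD_GRAPH, scp: 'Directory.AccessAsUser.All User.Read' };        // token from the flow above
```

Pair this with the JWT payload decoder from the Graph Explorer thread above to feed real claims into `tokenSuitableForChangePassword`; the `reason` string tells you which of the three situations you are in.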
