Business Requirement:
We want to replace our Skype meeting URL with Teams meeting on our production system(within a ABAP daemon service without user integration). So I am trying to integrate with Teams using Microsoft Graph API to be able to generate one online meetings. Then this online meeting URL will send to our customer with a mail.
Target Graph API: For MS Graph API V1.0 verion, I think this in only one option Create onlineMeeting.(Graph API with /beta version is not a good option for production usage).
According the MS Graph documentation V1.0 Create onlineMeeting, this API only support permissions with Delegate type. I think we could only use use username/password authentication flow. Correct me if I'm wrong.
Issues: I'm trying to get token with user and password as describe with ROPC Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials, use following API to test it with my corporate mail.
POST /{{TennatId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
SdkVersion: postman-graph/v1.0
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id={{ClientId}}&client_secret={{ClientSecret}}&scope=https://graph.microsoft.com/onlineMeetings.ReadWrite&userName=MyCorporateMail#org.com&password=MyPassword
But, it will always get invalid_grant response: AADSTS50126: Error validating credentials due to invalid username or password.
I don't know why it cannot get token response with my corporate(work) mail/account **#sap.com, I'm sure my password and other parameters are correct.
And if I use a new-test-user sapse#wardsap.onmicrosoft.com which is created by Azure Active Directory, I'll get token successfully. This user doesn't need Two-Step authentication when login to Azure. But this user does have Teams/OnlineMeeting license, so it couldn't generate onlineMeeting.
My Question:
Will it possible caused by MFA configuration from my org? Because I noticed that every time I login to https://aad.portal.azure.com/, it has second authentication step, verify with my Phone message.
If yes, will it be possible to disable MFA to some test/dev account forever? Where should we config it? Within MS Azure or some where else? Who should I get support from?
For this Create onlineMeeting API, do we have other authentication flow for this Delegate permission type for a back-end daemon service?
Thanks and Best Regards,
Ward
MFA will definitely prevent you from using this authentication flow.
The Resource Owner Password Credentials flow and its use are discouraged.
There are many flows which are more secure, and usually you can use ones like authorization code flow to achieve what you want.
MFA is configured by your organization, you'll need to contact your IT about that.
But I would not recommend disabling MFA for this.
A back-end daemon application needs to either use application permissions or a refresh token.
If the API in question does not support application permissions, you can acquire a refresh token for a user through the authorization code flow, store it securely, and use it whenever you need a new token.
If you do this, be sure to overwrite the old refresh token with the new one that you get when you ask for an access token.
Related
Simply put, i am following official Microsoft Documentation to fulfill a straight forward task of;
How to revoke an access token for a user so they can't request data from a mobile back end in azure
However, even following the provided guidance, nothing is happening.
I know there are policies that can be created in Azure with lesser time-spans but thought it would be possible to just revoke a users token.
Web apps seem to be catered for but not Client Apps.
Code Example:
Revoke-AzureADUserAllRefreshToken -ObjectId "a1d91a49-70c6-4d1d-a80a-b74c820a9a33"
Any advice is appreciated.
This command only revokes the RefreshToken which can be used to obtain a new AccessToken. It does not revoke AccessTokens. Applications are not validating every JWT access token against AAD every time, they only validate the signature. This is why access tokens are usually given out with a much lower lifetime than the refresh tokens.
I want to get the access token using Microsoft azure username & password.
Is there any API or flow available by using username & password I will get access token.
As per your comment, please follow the detail steps:
https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token
client_id:b603c7be_Client_id_e61f925
scope:https://graph.microsoft.com/.default
client_secret:NpmwO/KDJ_client_secret:NpmwO_W0kWf1SbnL
username:tenentUser.onmicrosoft.com
password:YourUserPassword
grant_type:password
See the screen shot:
I am getting token as expected
Step: 1
Step: 2
Step: 3
Note:
Requested token user must be a tenant user for example YourUser#Yourtenant.onmicrosoft.com
User password must be correct that you are suing to token request.
Make sure your user belong to azure portal on your tenant
Your Client Id belongs to that tenant
Application secret is valid or not expired.
For more information you could refer Official document
Feel free to share still you are having problem.
I am required in Java or any rest API using that I can develop in java
Microsoft identity platform supports the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant, which allows an application to sign in the user by directly handling their password.
Send below request in java and after successfully it will return access token.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=user.read%20openid%20profile%20offline_access
&username=MyUsername#myTenant.com
&password=SuperS3cret
&grant_type=password
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
I'm creating a Xamarin.forms mobile app with Azure. I have enabled Authentication/Authorization in Azure to protect the APIs in Backend.
What I need is that to ask user to login with Facebook or Google and get some information of the user such as name, email and... and then save this data in a table as user information. I like to ask user just once for login and get the data and I don't need to keep the token provided by Facebook for example and refresh it always (which I red refreshing is not supported by Facebook), but also need to keep the user logged in and has access securely to Backend APIs. I am new in this and completely confused of using Azure AD, facebook and...
What is the best way to do that? I have followed this tutorial and now am able to login with Facebook.
Maybe what you are looking for is Azure AD B2C (Business to Customer), which will provide facilities to allow your customers to create an account for your app, but also login with Facebook (see here) or Google (see here).
Since Azure AD B2C implements OAuth2, integrating it in a Xamarin.Forms app by means of Xamarin.Auth should be possible (see here). Once you have acquired the OAuth2 token, you can include the token in the headers of your HTTP requests in the Authorization header with the Bearer type (see here)
Authorization: Bearer <token>
On the server side you can then validate the token. I have not used Xamarin.Auth with Json Web Tokens (JWT), but maybe you'll be able to retrieve a JWT with Xamarin.Auth, which you'll be able to validate on yourself. Otherwise, if Xamarin.Auth is restricted to access tokens, you might have to contact the authentication server to verify the token. If the token is verified successfully, you can grant the user access, otherwise, answer them with a 401.
I need to write a backend app to read & write one company emailbox.
I have registered Active Directory Application and granted Delegated permissions (read and write to user mailbox).
Question is how to get the token needed for authenticate the graph api calls(for example ListMessages).
From the document I coundn't find any working example for backend app aquiring token and make api calls.
There are two endpoint versions:
Azure AD and Azure AD v2.0 endpoints;
And two authentication method:
1. Get access on behalf of a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
2. Get access without a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
What shoud I use ? Really confused.
Thanks all.
According to your description, I assume you want to get an access token without user login page.
Based on my test, we can get an access token that run as a background services or daemons.
It requires administrator to grant the access permission once, then user will not see login popup window anymore.
For more detail, we can refer to this official document.
Sounds like you are looking for Resource Owner Password Credentials grant flow.
However its usage is not recommended.
It does not work in these scenarios:
User has MFA
User password has expired
User is federated (MS account/Google/on-prem AD)
The only scenario that I can think of where this flow is okay is integration tests of APIs where you need to test scenarios where you call your API on behalf of a user.
Here is a better way to do what you want:
Require an application permission to access user emails and have the admin grant it. Now you can use client credentials grant flow to get a token anytime you need one.
Use delegated permissions, have the user sign in once with Authorization Code grant flow. Then exchange the code for an access token and a refresh token. Store at least the refresh token somewhere secure. Use refresh token whenever you need a new token.
The first approach is more reliable but requires broader permissions.
The second has tighter security (only users who have authorized access can have their email read), but has slightly less reliability.
Refresh tokens can be invalidated, in which case you'll need the user to login again.
I was working on a JS app which talks to Azure AD app using OIDC. Here is the flow of authentication and validation -
Redirect user to common login end point
Get access token, id_token etc. on callback url
Validate response with jwt keys retrieved from discovered url - https://login.microsoftonline.com/common/discovery/keys
Get user info from discovered userinfo url - https://login.microsoftonline.com/common/openid/userinfo
Store the information in local / session storage, depending upon settings.
The problem with Azure AD is, we can not complete step 3 and 4. Both the urls do not support CORS. We are not able to validate the tokens we get and can't retrieve the user information.
Is there any better way to get userinfo in Microsoft's implementation of OpenID for Azure AD?
You are correct, Azure AD does not support CORS for either the metadata URL or the keys URL.
The general guidance is to not validate the id_token since you should only be using those claims for display purposes and not to drive any core functionality.
For core functionality (aka API calls) you should use access_tokens which should be validated by your back end which does not need CORS enabled endpoints.
You'll see these principals in action in the Azure AD SPA sample where authContext.getCachedUser() in adal.js is used to obtain the read the user and its claims without any validation.
If you want more validated user info, the guidance is to call the Graph to obtain user info via the Microsoft Graph's /me endpoint. You can see this pattern in the Azure AD Xamarin Sample.
You can vote for the request in the Azure AD feedback forum: Add CORS support for discovery and json web key set endpoints.
I ran into the same problems a while ago and the solution to these problems was to double hop the JWKS and UserInfo calls via an API.
I also used the certified and widely respected OIDC Client library, which has features for SPA silent token renewal and id token validation.
Personally I like to keep my apps coded in an Open Standards manner as much as possible, rather than being locked into one vendor.
PS. If you think this type of solution would work for you, here is a GitHib Sample and some documentation.