How to overcome Azure Active Directory MFA while implementing QA automation

We are developing an application that uses Azure Active Directory for the sign-in process. Azure AD is configured with MFA (multi-factor authentication). Now we are facing an issue with QA automation, where we need to manually enter the MFA code. Is there any way to get this done automatically, or some other alternative for this?

Generally, automated processes require a bit more work when MFA is involved.
You have 2 options that I can think of right now:
1. Don't use a user account; use a service principal/app registration + application permissions.
   - Allows you to use client credentials to authenticate, no MFA.
2. Run the authentication flow once with a user to get an access token + refresh token, then use the refresh token to get new tokens whenever needed in the automated process.
   - You will get a new refresh token as well every time you use a refresh token; be sure to replace the one you have with the new one.
   - Refresh tokens can and do expire, so you may need to redo the initial authentication again.
   - Take special care in storing the refresh token securely.
We implemented the second case for a customer's background process: https://joonasw.net/view/adding-opt-in-feature-to-azure-ad-app
Oh, and in case you are talking about UI automation, the Azure AD product team has said to me many times that you should not try to automate the login page itself.
It has invisible checks and may block your automated login.
In these cases, you may need to have a user with no MFA, use the ROPC flow to get tokens, and somehow inject those tokens to your UI.
Or use the refresh token approach to get the tokens and then inject them.


Is there a way to use MSAL or any Azure API to login a user without interaction when the user is using MFA?

I need to log into an account that has MFA (Multi Factor Authentication) enabled to be able to retrieve an access token.
This is alright if I use MSAL with interactive Login into a registered app in Azure. But I want to automate the process so it can run inside an Azure Function.
The problem arises when I try to login using Password. The code fails, saying the login requires interaction.
Dropping the MFA is an unwanted action.
I was hoping that someone who has experienced a similar issue could direct me to an answer that would allow me to keep MFA and log into the account without requiring interaction.
You can't skip MFA.
One way that you can achieve something like this is to do an interactive login, store the received refresh token, and then use that to acquire tokens when needed.
You may need to repeat the interactive authentication if the refresh token stops working.

How to know if a user choose keep me signed in Azure B2C

We are using Azure Active Directory B2C to authenticate users into our app; we use a user flow to let the user enter their credentials. After receiving the access token from Azure, we generate an app token that contains app-related information.
We recently added the "keep me signed in" feature, but it seems that there is no way to know from the response whether the user has checked it or not. Even the returned access token still expires after 60 minutes. This causes a problem for us, since our app logs out the user automatically after the token times out, but if the user chooses to stay signed in we want to stop this behavior. So how can we tell if the user checked "keep me signed in"?
I've read a lot in the Microsoft docs and searched a lot with no luck finding a way!
The one thing I found was a KMSI attribute, but it can only be added in custom policies, which is kind of hard to do now. Is there a way to get such an indicator from the user flow?
You can get the KMSI Boolean in the token using custom policies and claims resolvers.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
However, this shouldn't be needed in your scenario. When the access token expires, the refresh token is used to redeem a new access token. If the refresh token is expired, then the B2C cookie is used to perform single sign-on via the B2C login page.
The user is only logged out if all of the above are expired/invalidated.
More to read here: What does KMSI in Azure B2C actually DO?

Get access token AZURE ad B2C user

I have the following requirement:
Create a user on AD B2C.
Using the credentials of that user, I need to get an access token and refresh token to access an existing API (REST service).
The Active Directory here is Azure AD.
I am new to OAuth and Azure. Please suggest the steps and configuration to achieve this. (I do not want any user interaction to get the access token and refresh token.)
Creating a user is clear to me, but if it requires any specific type of user or any required permissions, please suggest those.
To me, it sounds like your use case can be better realized with a service principal. If you don't need a user context, consider using an SP instead. See:
Microsoft identity platform and the OAuth 2.0 client credentials flow
If for whatever reason you want to stick to non-interactive user login, you can use the Resource Owner Password Credentials flow. But be aware that:
"Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used."

How to get microsoft graph token without popup user login page?

I need to write a backend app to read & write one company mailbox.
I have registered an Active Directory application and granted delegated permissions (read and write to user mailbox).
The question is how to get the token needed to authenticate the Graph API calls (for example ListMessages).
From the documentation I couldn't find any working example of a backend app acquiring a token and making API calls.
There are two endpoint versions:
Azure AD and Azure AD v2.0 endpoints;
And two authentication methods:
1. Get access on behalf of a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
2. Get access without a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
What should I use? Really confused.
Thanks all.
According to your description, I assume you want to get an access token without a user login page.
Based on my test, we can get an access token for an app that runs as a background service or daemon.
It requires an administrator to grant the access permission once; then the user will not see the login popup window anymore.
For more detail, we can refer to this official document.
Sounds like you are looking for the Resource Owner Password Credentials grant flow.
However, its usage is not recommended.
It does not work in these scenarios:
- User has MFA
- User password has expired
- User is federated (MS account/Google/on-prem AD)
The only scenario that I can think of where this flow is okay is integration tests of APIs, where you need to test scenarios in which you call your API on behalf of a user.
Here is a better way to do what you want:
1. Require an application permission to access user emails and have the admin grant it. Now you can use the client credentials grant flow to get a token anytime you need one.
2. Use delegated permissions, and have the user sign in once with the Authorization Code grant flow. Then exchange the code for an access token and a refresh token. Store at least the refresh token somewhere secure. Use the refresh token whenever you need a new token.
The first approach is more reliable but requires broader permissions.
The second has tighter security (only users who have authorized access can have their email read), but has slightly less reliability.
Refresh tokens can be invalidated, in which case you'll need the user to login again.
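Putting the two approaches recommended in this answer and in the first answer above into code, as an added example that is not from either answerer: the request body for the client credentials grant (application permissions, no user, so no MFA) and a small token cache that renews the access token silently with the refresh token, keeps the rotated refresh token, and raises when the refresh token has been invalidated so the interactive sign-in can be repeated. The `{tenant}` placeholder, the token values and the injected `post` callable are assumptions; nothing here is sent over the network.

```python
import time
from dataclasses import dataclass

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"  # {tenant}: placeholder
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

class InteractiveLoginRequired(Exception):
    """Refresh token expired or revoked: a user must sign in (with MFA) again."""

def client_credentials_body(client_id, client_secret, scope=GRAPH_DEFAULT_SCOPE):
    """Form body for the client credentials grant: application permissions, no user, no MFA."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}

@dataclass
class TokenCache:
    """Tokens from the one-time interactive sign-in; persist in a secret store, never in code."""
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds at which access_token stops being valid

    def needs_refresh(self, now=None, skew=300):
        """True when the access token is expired or within `skew` seconds of expiring."""
        now = time.time() if now is None else now
        return now + skew >= self.expires_at

    def refresh_body(self, client_id, scope):
        """Form body for the refresh_token grant (add client_secret for confidential clients)."""
        return {"grant_type": "refresh_token", "client_id": client_id,
                "refresh_token": self.refresh_token, "scope": scope}

    def apply_response(self, resp, now=None):
        """Store a token response; False on an error such as invalid_grant (refresh token dead)."""
        if "error" in resp:
            return False
        now = time.time() if now is None else now
        self.access_token = resp["access_token"]
        self.expires_at = now + int(resp["expires_in"])
        # Azure AD normally returns a new refresh token: keep it and drop the old one
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return True

def ensure_access_token(cache, client_id, scope, post, now=None):
    """Return a valid access token, renewing silently with the refresh token when needed.
    `post` is any callable(url, form_dict) -> parsed JSON dict (e.g. wrapping requests.post)."""
    if not cache.needs_refresh(now):
        return cache.access_token
    resp = post(TOKEN_ENDPOINT, cache.refresh_body(client_id, scope))
    if not cache.apply_response(resp, now):
        raise InteractiveLoginRequired(resp.get("error_description") or resp.get("error"))
    return cache.access_token
```

Catching `InteractiveLoginRequired` is where a QA pipeline would fail fast and ask for a fresh interactive sign-in, rather than retrying against a dead refresh token.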

Azure PowerBI authentication without redirecting to another page

Is it possible to get an access token for Power BI without redirecting to another page? I'm developing a web app that already contains a login mechanism, and I don't want to require two logins. Is OAuth 2.0 Client Credentials suitable for my case?
If your existing authentication is using an AAD application, and the user's credentials are the same for your app and their Power BI account, then if your application has rights to both your app and Power BI, you should get an access token that you can use for both AAD and Power BI.
In most cases the above isn't the case - the user will have a different account for Power BI. So you have two options. The first (and recommended) way is to show the login for Power BI once, save the refresh token you get back, and then use the refresh token to get new access tokens. This isn't a perfect match for your ask - there is a periodic need to do the redirect workflow (the first time, and if the refresh token expires) - but it does ensure you don't have to store and manage the user's credentials.
The second (and not recommended) way is to use the ADAL username + password workflow. There's a great blog post you can review and decide if you want to use this workflow.
