In a multitenant application, how can I check tenant data where the application is registered in the Azure portal?

I have 2 SharePoint sites from different organizations (tenants):
Tenant 1: abc.sharepoint.com
Tenant 2: xyz.sharepoint.com
The necessary permissions for an application have been registered and given on the Azure portal for Tenant 1 'abc.sharepoint.com' so that it can be accessed with Tenant 2 users: 'xyz.sharepoint.com'
Authentication works fine
The access to the data of the SharePoint lists works correctly when I am authenticated with the users of Tenant 1 'abc.sharepoint.com'
What I would like is that, authenticated with a user of Tenant 2 'xyz.sharepoint.com', you can consult the data of SharePoint. Example:
When I make the request:
https://graph.microsoft.com/v1.0/sites/root or https://graph.microsoft.com/v1.0/sites/xyz.sharepoint.com
It returns the information satisfactorily, because it consults the site of 'xyz.sharepoint.com' since the users are from that tenant
... but when I consult specifying the tenant 'abc.sharepoint.com'
https://graph.microsoft.com/v1.0/sites/abc.sharepoint.com
Returns the following error:
{
  "error": {
    "code": "invalidRequest",
    "message": "Invalid hostname for this tenancy",
    "innerError": {
      "request-id": "c0a8fa51-245b-4d1e-bf0b-5f32b6c0eb26",
      "date": "2019-08-17T16:27:57"
    }
  }
}
Once authenticated with the users of another tenant, how can I check the information of the tenant where the application is registered?

We cannot use an access token got from one tenant to access another tenant.
If you want to do so, you need to:
Add the user of Tenant 2 'xyz.sharepoint.com' as a guest into Tenant 1 'abc.sharepoint.com'. See Quickstart: Add guest users to your directory in the Azure portal.
Use admin account from Tenant 1 to do admin-consent to the app registered in Azure AD of Tenant 2. Just need to open a browser and make a request to
https://login.microsoftonline.com/common/oauth2/authorize?client_id={client id of the app registered in Azure AD of Tenant 2}&response_type=code&redirect_uri={reply url of the app registered in Azure AD of Tenant 2}&nonce=1234&resource=https://graph.microsoft.com&prompt=admin_consent
Log in with the admin account of Tenant 1 and click "Accept".
Get the access token and use it to access Tenant 1 'abc.sharepoint.com'.
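The answer's point, that a token issued by one tenant cannot be used against another tenant's SharePoint host, can be checked before the Graph call is made. The following is an added example, not code from the question or the answer: it reads the 'tid' (issuing tenant) and 'aud' (audience) claims of an access token without verifying the signature (Graph does that server-side) and compares them with the tenant that owns the site host about to be queried. The tenant ids and the sample token are constructed placeholders.

```python
import base64
import json

# Constructed placeholder tenant ids (not real GUIDs): tenant 1 owns
# abc.sharepoint.com, tenant 2 owns xyz.sharepoint.com.
TENANT_1_ID = "11111111-1111-1111-1111-111111111111"
TENANT_2_ID = "22222222-2222-2222-2222-222222222222"
GRAPH_AUDIENCES = ("https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000")  # Graph app id


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature.
    Inspection only: it shows which tenant issued the token ('tid') and for
    which resource ('aud'); Graph still verifies the signature on every call.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_fits_site(token: str, site_tenant_id: str) -> bool:
    """True only if the token was issued by the tenant that owns the site
    host you are about to query, and is addressed to Microsoft Graph."""
    claims = jwt_claims(token)
    same_tenant = claims.get("tid", "").lower() == site_tenant_id.lower()
    return same_tenant and claims.get("aud") in GRAPH_AUDIENCES


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token carrying `claims` (test data only;
    a real token from login.microsoftonline.com is signed)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    tok = make_sample_token({"tid": TENANT_2_ID, "aud": GRAPH_AUDIENCES[0]})
    # A tenant-2 token fits xyz.sharepoint.com but not abc.sharepoint.com.
    print(token_fits_site(tok, TENANT_2_ID), token_fits_site(tok, TENANT_1_ID))
```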

How can I grant consent to my own app in Azure, in case I am not global admin in the tenant?

Given I have created an app using this repository in Azure.
And this app is deployed using a Service Principal which was created by below command:
az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/YOUR-SUBSCRIPTION-ID/resourceGroups/YOUR-RESOURCE-GROUP-NAME" --sdk-auth
Now, I need to get the API token to manage my created resources using REST APIs.
Based on documentation, I should be able to use my tenantId, clientId and client_secret to get the token by calling the below endpoint:
curl: POST
https://login.microsoftonline.com/{{tenantId}}/oauth2/token
Please notice that I am not the global admin in the tenant.
The official sample Postman collection is here, and here is how my request looks in Postman:
Sadly the endpoint does not provide me the token and instead it returns such error:
{
  "error": "unauthorized_client",
  "error_description": "AADSTS700016: Application with identifier 'MY_CLIENTID' was not found in the directory 'MY COMPANY'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 5a9a2c53-c3c8-46da-a1a6-551b42082400\r\nCorrelation ID: bf7c5966-ffa4-4312-8a77-434c2560d65a\r\nTimestamp: 2022-10-05 14:54:23Z",
  "error_codes": [
    700016
  ],
  "timestamp": "2022-10-05 14:54:23Z",
  "trace_id": "5a9a2c53-c3c8-46da-a1a6-551b42082400",
  "correlation_id": "bf7c5966-ffa4-4312-8a77-434c2560d65a",
  "error_uri": "https://login.microsoftonline.com/error?code=700016"
}
Please notice, I hid some sensitive values in the error response as MY_CLIENTID and MY COMPANY.
So, I guess, the main reason that I am facing this issue is that:
This can happen if the application has not been consented to by any user in the tenant.
Meaning that I should consent to my own app. Am I right?
So, my question is:
How can I get the token to work with REST APIs to manage my resources?
How can I grant consent to my own app, given that I am not a global admin?
Update:
As I figured out, I should be able to Grant Consent to my app using "Microsoft Graph permissions reference". And here is what i have done:
Login to Azure portal
Navigate to "Azure Active Directory"
Navigate to "App registrations"
Click on the created APP ("fxpricepredictor")
Navigate to "API permissions"
Click "Add a permission"
Click on "Microsoft Graph"
Choose "Delegated Permissions"
Search for "authentication" ---> (Sadly this option also requires admin consent)
I tried to reproduce the same in my environment and got the below results:
When I ran the same command as you, one Azure AD application named fxpricepredictor is automatically created with details like below:
az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/<subscriptionID>/resourceGroups/<resourcegroupName>" --sdk-auth
By including above details as parameters, I am able to generate access token successfully via Postman like below:
Please note that I don't have the global administrator role, and granting admin_consent is not really required.
With the above access token, I am able to fetch and manage the Azure resources in that resource group like below:
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/SriTest/resources?api-version=2021-04-01
Response:
The error AADSTS700016 may also occur if there is no application in your tenant with provided ClientID.
I tried including random ClientID which does not exist in Azure AD tenant and got same error as below:
So, make sure to check whether an application with the given ClientID exists in the Azure AD tenant.
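The token request the answer sends from Postman, written out as an added example that is not part of the original answer: it builds the v1 client_credentials request for the ARM resource from the JSON that `az ad sp create-for-rbac --sdk-auth` prints, so the tenant in the URL is always the one the service principal was created in (the "wrong tenant" case behind AADSTS700016), and it pulls the AADSTS code out of an error response. The sdk-auth JSON and the error response are constructed samples with placeholder values.

```python
import json
from typing import Optional
from urllib.parse import urlencode

# Constructed sample of the JSON that `az ad sp create-for-rbac --sdk-auth`
# prints (placeholder ids and secret, not real credentials).
SDK_AUTH_JSON = """{
  "clientId": "00000000-0000-0000-0000-000000000001",
  "clientSecret": "PLACEHOLDER-SECRET",
  "subscriptionId": "00000000-0000-0000-0000-0000000000aa",
  "tenantId": "00000000-0000-0000-0000-0000000000bb",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/"
}"""

# Constructed token-endpoint error in the shape shown in the question.
SAMPLE_ERROR = """{"error": "unauthorized_client",
 "error_description": "AADSTS700016: Application with identifier 'X' was not found in the directory 'Y'.",
 "error_codes": [700016], "trace_id": "x", "correlation_id": "x"}"""


def load_sdk_auth(text: str) -> dict:
    """Parse the sdk-auth JSON and insist on the three fields the grant needs."""
    auth = json.loads(text)
    missing = {"clientId", "clientSecret", "tenantId"} - set(auth)
    if missing:
        raise ValueError(f"sdk-auth output lacks {sorted(missing)}")
    return auth


def build_token_request(auth: dict) -> tuple:
    """Return (url, form_body) for the v1 client_credentials grant.

    The tenant segment of the URL must be the tenantId the service principal
    was created in; /common or another tenant's id yields AADSTS700016."""
    base = auth.get("activeDirectoryEndpointUrl", "https://login.microsoftonline.com").rstrip("/")
    url = f"{base}/{auth['tenantId']}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": auth["clientId"],
        "client_secret": auth["clientSecret"],
        # the v1 endpoint takes 'resource' (ARM here), not a v2 'scope'
        "resource": auth.get("resourceManagerEndpointUrl", "https://management.azure.com/"),
    })
    return url, body


def aadsts_code(error_json: str) -> Optional[int]:
    """Pull the numeric AADSTS code out of a token-endpoint error response."""
    codes = json.loads(error_json).get("error_codes") or []
    return int(codes[0]) if codes else None
```

POST the body to the URL with Content-Type application/x-www-form-urlencoded; a client_credentials grant to ARM needs no admin consent, only the RBAC role the command assigned.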

Azure AD Extension Property + MS Graph API PATCH = Insufficient privileges to complete the operation

I've been breaking my head over this problem for the past 2 days.
My goal is to allow a user (any regular non-admin Azure AD user) to update the value of an (Azure AD) extension property for his AD 'profile'/account through the Microsoft Graph API.
Consider the following situation:
I'm in control (Global Admin) of some Azure tenant + Azure AD Directory
There's a regular Azure AD User "Joe"
I've created an App registration + Service Principal (either through PS or in the Azure Web UI)
I've created an Azure AD Extension Property using the following Azure AD PS commands:
Connect-AzureAD -TenantId xxx-xxx-xxx
$app = Get-AzureADApplication -ObjectId yyy-yyy-yyy
$app | New-AzureADApplicationExtensionProperty -Name "MyProp" -DataType "String" -TargetObjects "User"
Response:
Name TargetObjects
---- -------------
extension_b63fa5d85b9d43b8b60f982e4bf2ad11_MyProp {User}
I've admin consented everything on Graph both on Enterprise Application "Graph Explorer" and on my own App Registration, especially Directory.ReadWrite.All and User.ReadWrite.All
I then use the Graph Explorer (or Postman using my own App Registration) logged on as regular user "Joe"
Using the following PATCH request fails:
PATCH https://graph.microsoft.com/v1.0/me/
with body (type application/json):
{
  "extension_b63fa5d85b9d43b8b60f982e4bf2ad11_MyProp": "test"
}
It fails with the following response:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "d0ef63c0-f944-44c4-b90d-413b076b2bca",
      "date": "2019-04-11T08:21:48"
    }
  }
}
I seem to be unable to find out why this happens.
Things to note:
When I log on in Graph Explorer as global admin I am able to update this property successfully
I am also able to update this property for any user using Azure AD PS, logged in as global admin
As soon as I give Joe the Global Admin or User Admin role in Azure AD he is able to update the property too
As "Joe", using the above PATCH request in Graph Explorer (or Postman), I am able to update "mobilephone"
As "Joe", using the above PATCH request in Graph Explorer (or Postman), I am unable to update "city", or "givenname"
What am I doing wrong?

Azure admin consent in multi-tenant setup not working

I've some problems with the admin consent in a multi tenant environment.
So here is my structure.
Tenant 1
Tenant 2
I've registered one Active Directory App in Tenant 1, called "App1".
In this App, I set i.e. permissions for Microsoft Graph.
Then I granted this permission.
Now I want to have also this App1 in my Tenant 2, so I do an AdminConsent with:
https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1
It worked fine. A few minutes later I saw App1 in Tenant2 and I was able i.e. to give access right to App1 for Users of Tenant2. No problem.
So then I had to give my App1 a few more permissions. So I clicked
"App registrations" in Tenant1 and gave more permissions for Microsoft Graph.
Then I clicked to "Enterprise Applications" in Tenant1, selected my App1 -> Permission and then "Grant admin consent for tenant1". A new browser was opened and I was able to do the admin consent for App1 in Tenant1.
Then I thought that I have to do the same in Tenant2, because it works the first time. So in Tenant2 I also navigated to ActiveDirectory -> Enterprise Applications -> selected my App1 -> Permissions
Here I saw the first permissions which I granted. Then I clicked "Grant admin consent for Tenant2". A new browser was opened, but now it failed with the following error:
https://myRedirectURL/?error=access_denied&error_description=AADSTS65005%3a+The+application+%clientID_of_App1%27+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor.%0d%0aTrace+ID%TraceID%0d%0aCorrelation+ID%CorrelationIDaTimestampTimestamp&admin_consent=True&tenant=TenantID_of_Tenant2
Easier to read, the error is:
"AADSTS65005. The application ID_App1 asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor."
I get the same error when I invoke the URL https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1
But I didn't do anything... so where's the problem?
For your Redirect URI error you can try these steps:
Set the resource in your request to Azure AD.
Ensure that the client Id of the WebApp is configured in the WebApi's "knownClientApplications" array property in the manifest file
Ensure that all permissions are correct (APIs are added as delegated permissions to the client).
Ensure that all services (web app & apis) are multi tenant
Update the manifest with:
"availableToOtherTenants": true,
"knownClientApplications": [
  "{client app application id}"
],
See also the troubleshooting steps in these similar threads:
Azure AD error when fetching access token & login
The client application has requested access to resource 'https://outlook.office365.com'. This request has failed

Azure AD - Add app principal to a Group

I have an Azure AD app (AAD App1) which has user assignment enabled. So only, users from a particular group let's say "Group A" can access any resource (let's say an Azure Function API) protected by that Azure AD app.
Now I have another daemon Azure function job, which needs to make an authenticated call to the above mentioned Azure function API. Since this is a daemon job, I have generated another Azure AD app (AAD App2) for this.
Below is my code to get access tokens:
string resourceId = "id of app used to authenticate azure function"; // AAD app ID used by the Azure function for authentication
string clientId = "id of app registered for the daemon job";// AAD app ID of your console app
string clientSecret = "secret of app registered for the daemon job"; // Client secret of the AAD app registered for console app
string resourceUrl = "https://blahblah.azurewebsites.net/api/events";
string domain = "<mytenant>.onmicrosoft.com"; //Tenant domain
var accessToken = await TokenHelper.GetAppOnlyAccessToken(domain, resourceId, clientId, clientSecret);
Now when I try to generate access token to access the Azure function API, I get an invalid grant error as below:
AdalException:
{
  "error": "invalid_grant",
  "error_description": "AADSTS50105: Application '' is not assigned to a role for the application ''.\r\nTrace ID: 6df90cf440-c16d-480e-8daf-2349ddef3800\r\nCorrelation ID: 4c4bf7bf-2140-4e01-93e3-b85d1ddfc09d4d\r\nTimestamp: 2018-05-09 17:28:11Z",
  "error_codes": [50105],
  "timestamp": "2018-05-09 17:28:11Z",
  "trace_id": "690cf440-c16d-480e-8daf-2349ddef3800",
  "correlation_id": "4c4bf7bf-2140-4e01-93ef3-b85d1dc09d4d"
}:
Unknown error
I am able to properly generate AAD access tokens if I disable the user assignment.
I am trying to avoid creating a service account here. Is there any way I can add an app principal to an Azure AD group or add it as a member of another Azure AD app?
Unfortunately, you cannot add an AAD application/service principal as a member of Azure AD group.
I have confirmed this issue in My Answer for another similar question [EDIT - now seems to be possible, see said answer]
You can also upvote this idea in our Feedback Forum. Azure AD Team will review it.
Hope this helps!

Tenant not found when trying to login?

I'm trying to login to an Azure AD B2C app using the example here: https://github.com/nordvall/TokenClient/wiki/OAuth-2-Resource-Owner-Password-Credentials-grant-in-AzureAd
Configured like so:
url: https://login.microsoftonline.com/[myapp].onmicrosoft.com/oauth2/token?api-version=1.6
I am passing in the Azure AD B2C application's application id for client_id, but I'm actually not sure what to pass in for the resource. I'm trying to get an access token for some Azure Functions, but the Azure Functions app doesn't seem to have any specific 'resource id' I can define anywhere.
When I make the post request I get the following:
{
  "error": "invalid_request",
  "error_description": "AADSTS90002: Tenant not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.\r\nTrace ID: x\r\nCorrelation ID: x\r\nTimestamp: 2018-02-19 10:54:20Z",
  "error_codes": [
    90002
  ],
  "timestamp": "2018-02-19 10:54:20Z",
  "trace_id": "x",
  "correlation_id": "x"
}
The guide you referenced is for Azure AD, not B2C, unfortunately.
Azure AD B2C doesn't currently support Resource Owner Grant Flow, see this SO post. UserVoice request for this.
This documentation might help: Azure Active Directory B2C: Types of applications. More specifically: Daemons/server-side apps.
These apps can get tokens only after an interactive user flow has occurred.