I have an API hosted on the cloud and a daemon app client in the same organization and on the same network but on my local machine. I have double and triple checked the setup but still not able to connect them with each other.
So to look at the problem I divided them into two sub-problems.
Connecting Daemon App to Azure AD retrieving the token and then accessing Microsoft Graph using the token.
Error post retrieval of token.
Failed to call the Web Api: Forbidden
Content: {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "2646f5f8-9c25-482d-a89f-f14ca6c06cf7",
"date": "2019-07-22T01:13:30"
}
}
I used this Azure Document and Sample to produce the error above.
Accessing the API using the daemon app - So I never reached to because I never was able to pass step 1.
Any thoughts on how can I get to fix this. Am I am missing something simple?
Azure AD Graph API is different from Microsoft Graph API. So there are two ways to make it work.
1.Use Microsoft Graph API.
You should grant the application microsoft graph api permission.
2.Use Azure AD Graph API.
You need to update the code as below.
a.Change the scope to https://graph.windows.net/.default.
b.Change the api to GET https://graph.windows.net/myorganization/users?api-version=1.6
Note:
We strongly recommend that you use Microsoft Graph instead of Azure AD
Graph API to access Azure Active Directory resources.
Related
I have Azure Functions which i want to authenticate using access token.
I have following things set up
Azure App which is being used by Angular SPA to authenticate user
Access token which is used to invoke graph APIs, Permissions are set in Azure app (point 1)
Azure Function which is having http triggers (APIs) which are being used by SPA
Currently, APIs are anonymous and can be invoked from anywhere. i want to secure these apis using access token which is being used by graph api (point 2)
I think the best approach for me is AAD multi tenant authentication. However, When i click on "Authentication (classic)" it gives me This app is configured using the new authentication experience. Click here to access Authentication (preview).
Also, if i keep authenticated with following options, i get "You do not have permission to view this directory or page." error
Most of the articles which i find online are talking about AAD. for me that option is not enabled.
I have tried following articles to make it work but somehow its not happening. can anyone suggest. how can i achieve this.
https://medium.com/medialesson/protecting-azure-function-apps-with-azure-ad-authentication-authorization-fd167ce4fe33
https://medium.com/geekculture/easyauth-in-functions-app-with-azure-active-directory-29c01cad8477
is there something i need to do in my existing Azure app to make it work ?
Per my understanding, your Azure function is protected by AAD using Authentication(Easy auth). And now, your angular SPA would like to access this function. Pls follow the steps below:
Go to Azure AD => App registrations => The App you created to protect your Azure function=> Expose an API to add a scope, for instance, access_as_user so that your SPA could require an access token for this scope:
Got to Azure AD => App registrations => The App you created for your SPA app=> API permissions => Add a permission => My APIs to grant the scope we just created:
Click the grant admin consent button to finish the process.
In your SPA app, use MsalService to acquire an access token with scope: api://<your azure function app id>/access_as_user, by this token, you can access your Azure function. For a quick test, I just test it in post man and it works perfectly:
Not use this access token
Bring this access token
UPDATE
Basically, your app request diagram as below:
SPA (request with access token)==> Easy Auth of Azure function (valideate token,if pass,goes into Azure function code logic,if not, return 401)==> code logic of Azure function (obo flow to get access token for Graph API) ==> call Microsoft Graph API
By now, we have finished steps 1 and 2: get access token for easy auth and pass easy auth goes into Azure function code logic.
So in the Azure function code logic, we need to do 2 things:
Get the access token in the request header
Use the access token and OBO flow to exchange a new access token for Microsoft Graph API. Just refer to request below to use OBO flow to exchange an access token for Microsoft Graph API:
BTW, pls make sure that your Azure function app has been granted with permission user.read and Calendars.Read:
So that you can get a new access token to call Microsoft Graph API:
May be this will help someone, I have tried using above suggestions but could not achieve 😠instead i am using Key for each Azure function. and storing those keys in azure Key/Vault and retrieving those keys within App settings of the application using managed identity. This may be not be the ideal situation but i think it will do for me at the moment. I really hope MS will improve their documentation some day along with sample code/steps
So, I am trying to utilize Graph API with Azure AD B2C. My understanding is that it's not possible to use the client_credentials flow when requesting access tokens. When I try to utilize an access token with client_credentials to get /beta/policies/b2cAuthenticationMethods I receive this error:
{
"error": {
"code": "AADB2C",
"message": "User Authorization: Access is denied.",
"innerError": {
"correlationId": "4c00031f-febc-4c1a-9728-701f0c1fda00",
"date": "2021-01-19T18:51:42",
"request-id": "77a30adb-5103-40ec-84f3-0626800e976a",
"client-request-id": "77a30adb-5103-40ec-84f3-0626800e976a"
}
}
}
Which is expected since I used the client_credentials flow.
But, the documentation states the following:
Although the OAuth 2.0 client credentials grant flow is not currently
directly supported by the Azure AD B2C authentication service, you can
set up client credential flow using Azure AD and the Microsoft
identity platform /token endpoint for an application in your Azure AD
B2C tenant. An Azure AD B2C tenant shares some functionality with
Azure AD enterprise tenants.
I have gone through the process linked above. However, I am running into one issue and now have questions about this "automated" process:
Question: How do I complete this automated process for requesting and utilizing access tokens with a registered app in B2C if I cannot use the client_credentials flow?
I cannot have any user interaction when this application requests an access token.
Do I have to use a different flow? If so, how do I do it so that things like MFA aren't an issue? I am not using any SDKs, I am just directly querying MGraph using an HttpClient in my application with the Authorization Bearer header passed.
Issue
Why am I not able to complete this part of the above linked documentation.
I am logged in as a global admin for my B2C tenant. I navigate to the Roles and Administrators section
Then, in the Add Assignments popup that appears on the left I start typing the name of my app
and it does not appear! But it is registered, and I can see it in my list of registered applications:
What is the deal here?
I have found many other questions similar, and all have led me to the referenced documentation page. But, I still am not quite understanding the correct procedure to automatically get an access token for a registered app in B2C tenants.
Thanks so much.
Edit
See my answer for both solutions to the problems I had in this post.
Okay, so I managed to find the answer to my issue here.
Just out of curiosity, I made that ServicePrincipal for my application a Global admin. I used the client_crededentials flow again to the beta/policies/b2cAuthenticationMethodsPolicy and STILL received that above error about User Authorization: Access is dened. What the heck? I'm starting to wonder if it's that specific endpoint that's the issue, and not the flow itself. Especially because I can get /beta/users just fine when using the access token from client_credentials flow for my B2C tenant.
Alright, I have found my answers.
To my issue:
I found the answer on this thread https://learn.microsoft.com/en-us/answers/questions/229991/azure-ad-b2c-application-won39t-show-up-as-an-opti.html.
To my question:
I opened an issue on the MSFT Docs GitHub page, and someone was able to answer my question there.
Good day
I follow this https://learn.microsoft.com/en-us/graph/use-postman part of Set up application API calls.
I'm able to get users via API: https://graph.microsoft.com/v1.0/users
but not able to get messages via API: https://graph.microsoft.com/v1.0/users/{ {UserId}}/messages, it show me error below.
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2020-06-28T06:16:03",
"request-id": "c0c3d9d5-9fa5-47a0-8b81-df85663ba297"
}
}
}
API Permission granted as below, could anyone advise how to fix above error?
API Permission in Azure
Postman Request for get Token
Thanks for sharing the request-id,timestamp(date) and postman Snapshot. Your application is an multitenant application and needs an additional step to get the permissions approved(admin consent). Here are the steps:
In the azure portal(portal.azure.com) navigate to the enterprise application.
Change the application type filter to "All application" and search for your application.
Click on the application name and click on the permission menu.
Click on grant admin consent for tenant (refer screen shot below).
After the above step, you will be able to get token with all the approved permissions.
Personal Account
Your application is preauthorized to read the messages (email) for the users within your tenant. Yours personal account (Microsoft Account) emails are stored your tenant context or any azure ad tenant context. To read personal account emails, application need to call /me/message graph API with delegated permission.
I have a .NET core application hosted on Azure App Service. The application is secured with Azure App Service Authentication.
I need to get an access token to access Microsoft Graph.
Since I have Azure App Service Authentication turned on, and all the users that access the web application should already be authenticated, I was wondering if it is possible to get the access token from /.auth/me or Request.Headers["x-ms-token-aad-access-token"].
I tried to follow the example posted on here
, where I configured my additionalLoginParams /config/authsettings to ["resource=https://graph.windows.net"] (or ["resource=https://graph.microsoft.com"] as per Rohit suggestion), which in turn should give me an access token to MS Graph either via /.auth/me on client side or Request.Headers["x-ms-token-aad-access-token"] on C#.
However I checked both server side and client side, and there were no access token found. Any idea what went wrong?
since this was tagged azure-gov I presume the App Service is running in Azure Government? If so, what AAD authority are you specifying in the authentication context or /config/authsettings when calling Graph? If it's in Azure Gov, and you're planning to authenticate Azure Gov users, the AAD authority should be login.microsoftonline.us. What was the HTTP response to the request?
Also, as others have mentioned there are two "Graph" APIs (Azure AD Graph and Microsoft Graph) available at the moment. Microsoft Graph will ultimately replace Azure AD Graph but for now either can be used.
The resource uri for AAD Graph in Azure Gov, for now, is the same as Azure Public: graph.windows.net.
The resource uri for Microsoft Graph in Azure Gov, however, is graph.microsoft.us compared to graph.microsoft.com in Azure Public.
Problem
When generating an access token for Microsoft Graph API via ADAL, Graph API does not accept the token.
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
What the application does
The application should read all users of a tenant. The application is configured to have User.Read.All privileges. The application consent is granted by the tenant, where the users should be read from - the application does appear with the privileges in Azure Portal.
What I have so far
The application worked a few days ago and I changed nothing. Other applications using the same way to authenticate work.
Recreating to AAD application did not help
Reinstalling the NuGet packages did not help
Changing the authority from login.windows.net to login.microsoftonline.com did not help
Token generation does not work with client secrets and not with a certificate
Decoding the generated JWT token shows the permissions required for the action
Solution
It seems, that the documentation from microsoft is not correct. Listing users requires the Directory.Read permission.
Update
According to Microsoft it is not clear, if this is a bug in Graph API or the documentation is wrong.
An issue is open at Github here.
Update 2
This issue was fixed in an update of the Graph API in May 2017.