How to force Azure account picker - azure

I've implemented Azure AD authentication with no problem, however we also need to always show the account picker whenever the user has more than one account (basically show even if there's only one account available)
What we need is exactly what this post has described (Force google account chooser) but with Azure AD.
Do you know if that's possible? I couldn't find anything related to that in the Azure docs.

You didn't specify which SDK (if any) you're using, but at a low level, you include &prompt=select_account as a query parameter in the request to the authorization endpoint. This is documented here: https://learn.microsoft.com/en-au/azure/active-directory/develop/v1-protocols-oauth-code
prompt
Indicate the type of user interaction that is required. Valid values are:
login: The user should be prompted to reauthenticate.
select_account: The user is prompted to select an account, interrupting single sign on. The user may select an existing signed-in account, enter their credentials for a remembered account, or choose to use a different account altogether.
consent: User consent has been granted, but needs to be updated. The user should be prompted to consent.
admin_consent: An administrator should be prompted to consent on behalf of all users in their organization

Related

Why the user needs to request admin approval in Azure Single Sign On after he is added to users list?

I created an SSO application in the Azure portal. As a global administrator I signed in to my application with SSO and I'm able to fetch the access token and Graph details.
In our organization we need to allow a few users to use this application, so I added their emails to 'Users and Groups' in the Azure portal. When the users signed in, they allowed the consent permissions and then the window below appeared. May I know the reason?
Is this normal, or is it some kind of bug on their side?
Does this window appear every time once the user has been approved?
Please help me solve this as I am going through a tough time.
It is not a bug; it is admin consent. You as a Global Administrator need to approve the consent in Azure AD.
This window will appear only once; it will not appear the next time the user logs in after consent.
Please go through the MS document, which has information on configuring admin consent.
It seems you are trying to use application permissions, since neither of the shown permissions requires admin consent in delegated permission scenarios.
You can read about permission types at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types
If you want to review the configuration of your application you can turn to Azure AD. On page https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/CallAnAPI/appId/YOURAPPID/isMSAApp/ (replace YOURAPPID with your app id) you should see something similar to this:
If at (1) you have any of type "Application", these will require admin consent.
Regardless of whether you have any of those, you (admin privileges required) can grant application consent for the tenant using the button at (2).
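The distinction the answer above draws between "Application" and "Delegated" permissions is visible in the app registration's manifest, where each entry in requiredResourceAccess carries type "Role" (application permission, always admin-only) or type "Scope" (delegated). The following is an added example, not code from the original answers, that classifies a manifest so an app can tell up front whether an ordinary user can ever consent to it. The permission ids are placeholders; the Microsoft Graph resourceAppId is its well-known value. One caveat: some delegated scopes also require admin consent, and the manifest does not record which, so the portal's "Admin consent required" column is still the authority for type "Scope" entries.

```javascript
// Added example (not from the original answer): classify the permissions an
// app registration asks for, from the manifest's requiredResourceAccess.
// type "Role"  = application permission, which always needs admin consent;
// type "Scope" = delegated permission, which a user can often consent to
// (some delegated scopes still need an admin; the manifest does not say which).
// The permission ids are placeholders; the Microsoft Graph resourceAppId is
// its well-known value.
const GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000";

// Constructed manifest fragment for the example.
const sampleManifest = {
  requiredResourceAccess: [
    {
      resourceAppId: GRAPH_RESOURCE_APP_ID,
      resourceAccess: [
        { id: "11111111-1111-1111-1111-111111111111", type: "Scope" }, // delegated
        { id: "22222222-2222-2222-2222-222222222222", type: "Role" },  // application
      ],
    },
  ],
};

// Return { application: [...], delegated: [...], unknown: [...] }, each entry
// tagged with the resource it belongs to; unknown types are reported, not dropped.
function classifyPermissions(manifest) {
  const result = { application: [], delegated: [], unknown: [] };
  for (const res of manifest.requiredResourceAccess || []) {
    for (const access of res.resourceAccess || []) {
      const entry = { resourceAppId: res.resourceAppId, id: access.id };
      if (access.type === "Role") result.application.push(entry);
      else if (access.type === "Scope") result.delegated.push(entry);
      else result.unknown.push({ ...entry, type: access.type });
    }
  }
  return result;
}

// True when the registration cannot be consented to by an ordinary user at all,
// i.e. it carries at least one application permission.
function forcesAdminConsent(manifest) {
  return classifyPermissions(manifest).application.length > 0;
}

console.log(classifyPermissions(sampleManifest), forcesAdminConsent(sampleManifest));
```

If forcesAdminConsent() is true, the only sign-in that can succeed before an administrator has granted tenant-wide consent is the administrator's own, which is the situation the questions further down this page run into.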

Microsoft oauth account selection defaults to last used account even when multiple accounts are available

I'm using Microsoft OAuth2 to get an access token for my app. The normal OAuth flow works fine, but if I have multiple accounts it always defaults to the last used account without letting me choose one, even if it's available in the list.
The only alternative I can think of is to use prompt=login, but that's too intrusive, especially for every login.
My OAuth URLs:
Auth request: https://login.microsoftonline.com/common/oauth2/authorize?client_id=<myAppId>&response_type=code&redirect_uri=<myUrl>&scope=User.Read&state=1111
Token request: https://login.microsoftonline.com/common/oauth2/token?client_id=<myAppId>&client_secret=<myAppSecret>&redirect_uri=<myUrl>&code=<codeFromPreviousCall>&grant_type=authorization_code
Is there a param that can be set to make user select an account?
Please see the gif below and note that I'm not clicking on any account in the second page
You can use prompt=select_account.
select_account: The user is prompted to select an account, interrupting single sign on. The user may select an existing signed-in account, enter their credentials for a remembered account, or choose to use a different account altogether.
Include 'prompt' => 'select_account' in the parameters of the request.
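Both this answer and the first one on the page say the same thing: add prompt=select_account to the authorization request. The following is an added example, not code from either answer, that builds the v1 authorization URL in the same shape as the request shown in the question above and only accepts the four prompt values the documentation lists, so a typo cannot silently fall back to normal SSO. The client id, redirect URI and state value are placeholders; in a real app the state must be random per request and checked when the redirect comes back.

```javascript
// Added example (not from the original answers): build the Azure AD v1
// authorization URL with the documented "prompt" parameter.
// prompt=select_account forces the account picker even when a single
// session exists; prompt=login forces re-authentication, which the question
// above rightly calls too intrusive for every sign-in.
// client id, redirect URI and state below are placeholders.
const PROMPT_VALUES = new Set(["login", "select_account", "consent", "admin_consent"]);

function buildAuthorizeUrl({ tenant = "common", clientId, redirectUri, state, scope = "User.Read", prompt }) {
  if (!clientId || !redirectUri || !state) {
    throw new Error("clientId, redirectUri and state are required");
  }
  if (prompt !== undefined && !PROMPT_VALUES.has(prompt)) {
    throw new Error(`unsupported prompt value: ${prompt}`);
  }
  const url = new URL(`https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/authorize`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", redirectUri); // URLSearchParams percent-encodes it
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);              // must be random per request and verified on return
  if (prompt) url.searchParams.set("prompt", prompt);
  return url.toString();
}

// Example call with placeholder values: this is the URL that shows the picker.
const pickerUrl = buildAuthorizeUrl({
  clientId: "00000000-0000-0000-0000-000000000000",
  redirectUri: "https://app.example.com/auth/callback",
  state: "abc123",
  prompt: "select_account",
});

console.log(pickerUrl);
```

Omit prompt entirely for the default behaviour (silent reuse of the last session, which is exactly what the question is trying to avoid).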

User is prompted to consent to the application on every sign in - Azure AD v2.0

I have a native app (Electron) where I have integrated Azure AD v2.0 Sign in experience. We have only enabled Microsoft Account based sign in for now.
Here's what my sign-in URL looks like:
const url = `https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=<my-application-id>&response_type=id_token&redirect_uri=${encodeURIComponent('urn:ietf:wg:oauth:2.0:oob')}&scope=openid%20profile%20email&response_mode=fragment&nonce=<some-random-value>&state=<some-random-value>`;
Using this link, a user can sign in successfully. There are no issues there. However, every time a user signs in, they are presented with a consent dialog after providing their credentials.
Based on my knowledge, if a user has consented to an app and there's no change in the permissions (rather, scopes) asked for by the app, then the user should not be prompted to consent again.
I'm wondering why this is happening. I even tried appending prompt=login to the URL, but that has no effect.
Is there another setting that I need to change? I looked at both the old portal (Microsoft Application Registration Portal) and the new portal (App Registration (Preview) in the Azure Portal) but could not find a setting that will disable the consent prompt on every sign in.
The behavior you are seeing is due to the fact that you are using a reply URL with a scheme that is not "http" or "https" ("urn", in your case). In this situation, Microsoft Accounts will ask the user to confirm the delegated permissions the app is requesting, even if these permissions have been granted previously. This additional prompt helps make sure users know which app the app is identifying as.
In most native client app scenarios, this should not be a significant issue. It will add an extra step during the initial sign-in to the app, but after that, the app should be able to make use of the refresh token for most token acquisitions. (Occasionally, the app may need to trigger an interactive sign-in again, but this would be relatively rare.)
If you look very closely, you'll notice a slight difference between the initial consent prompt ("...needs your permission to..."), and the subsequent confirmation prompt ("... needs you to confirm its permission to...").

How do I determine if the logged in user is an O365 admin, able to use (prompt=admin_consent)

I want to hide the administrative portal / enrollment process from end users, and also want to prevent this dead-end GUI from appearing if the user is not an administrator (the only possible user flow is to hit Back a few times... bad UX):
AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators
To workaround this UX issue, I want the user to
Sign in first as an Org Admin
Once a proper account is signed in, I'll ask them to provide consent via the prompt=admin_consent attribute
Question
How can I see if the logged in user is an admin of some org, and ideally, the display names, and OrgID(s)* they are an admin of.
*I believe it's possible to be an admin of more than one Azure B2C or Azure AD directory.
To check whether the user is an admin of that tenant, we can use the Azure AD Graph REST API. We can use the request below to get all the roles/groups the user is assigned to.
GET: https://graph.windows.net/adfei.onmicrosoft.com/me/memberOf?api-version=1.6
And if the user was assigned the Global Admin role in a tenant, we get a response like the one below, and we can check for this role using the roleTemplateId property with the value 62e90394-69f5-4237-9190-012177145e10.
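The check the answer above describes, as an added example that is not code from the original answer: given the JSON body (or bodies, if paged) returned by GET /me/memberOf, decide whether the signed-in user holds the Global Administrator directory role. The match is on roleTemplateId, which is the same GUID in every tenant, not on displayName, which varies ("Company Administrator" in Azure AD Graph, "Global Administrator" elsewhere). The response below is constructed for the example and follows the Azure AD Graph api-version=1.6 shape used in the answer; since groups never carry roleTemplateId, the same filter also works on a Microsoft Graph /me/memberOf response. The call is per tenant, so an app that wants the list of directories a user administers (the second half of the question) has to repeat it against each tenant the user signed in to.

```javascript
// Added example (not from the original answer): decide whether the signed-in
// user holds the Global Administrator role from the memberOf response pages.
// The roleTemplateId is tenant-independent; displayName is not and must not
// be used for the check. Sample pages below are constructed for the example.
const GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10";

// Constructed response (Azure AD Graph 1.6 shape). A real response may be
// split across pages linked by "odata.nextLink".
const sampleMemberOfPages = [
  {
    value: [
      { "odata.type": "Microsoft.DirectoryServices.Group", objectType: "Group",
        objectId: "11111111-1111-1111-1111-111111111111", displayName: "Engineering" },
      { "odata.type": "Microsoft.DirectoryServices.DirectoryRole", objectType: "Role",
        objectId: "22222222-2222-2222-2222-222222222222",
        displayName: "Company Administrator",
        roleTemplateId: GLOBAL_ADMIN_ROLE_TEMPLATE_ID },
    ],
  },
];

// Collect directory roles across all pages. Refuse to decide when the caller
// stopped early: a role could be on a page that was never fetched, and
// "not an admin" would then be a wrong answer with security consequences.
function directoryRoles(pages) {
  const last = pages[pages.length - 1];
  if (last && last["odata.nextLink"]) {
    throw new Error("memberOf result is incomplete: follow odata.nextLink before deciding");
  }
  return pages
    .flatMap(page => page.value || [])
    .filter(obj => typeof obj.roleTemplateId === "string"); // groups have no roleTemplateId
}

function isGlobalAdmin(pages) {
  return directoryRoles(pages).some(
    role => role.roleTemplateId.toLowerCase() === GLOBAL_ADMIN_ROLE_TEMPLATE_ID,
  );
}

console.log(isGlobalAdmin(sampleMemberOfPages));
```

Treat the result as a UX hint only (show or hide the admin_consent button); the authorization server still enforces who may actually grant consent, as the AADSTS90093 error in the question shows.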

Multi Tenant Azure AD non admin login

I have an existing web app which I am trying to add Office 365 integration. I want all users to be able to log in with OAuth2, and admin users to be able to read users from the directory.
So I created an Azure AD app, and granted the "Enable sign-on and read users profiles" and "Read directory data" delegated permissions.
When an O365 admin user logs in, it works as expected. But when a O365 non-admin user logs in, they get the error "AADSTS90093: Calling principal cannot consent due to lack of permissions.".
After much trial and error (the docs are anything but clear), I figured that I need to append prompt=admin_consent to the auth url. By appending this to the auth URL, if I log in with an admin, then subsequent non-admin logins work as expected.
The problem is, that I don't know whether the user about to click the "Login with Office 365" button on my login page is an admin or not. It seems that the first person who logs into the app from the O365 domain MUST be a O365 admin, AND the auth url MUST have prompt=admin_consent. If a non-admin tries to login BEFORE an admin does, then they get the AADSTS90093 error, and there doesn't seem to be any way for my app to gracefully handle this scenario. Even worse - they can't log in at all.
What I really need here, is to have 1 login button, that will log non-admin users in but without access to the directory, and will log admin users in with access to the directory, but this doesn't seem to be possible. Google have the concept of scopes, but this seems absent from Microsofts implementation.
I see 2 potential solutions, neither of which are great:
Add a checkbox on the login page labelled "Log in as Office 365 Administrator". If this is checked, then I append the prompt=admin_consent to the auth url. The problem with this (aside from cluttering up my login page), is that it doesn't cater for non-admins trying to log in before an admin has. So most users still aren't able to log in - not great.
Create 2 Azure AD apps. One with both "Enable sign-on and read users profiles" and "Read directory data" permissions, and the other with just the "Enable sign-on and read users profiles" permission. The login page is linked to the first app, which would allow both admin and non-admin users to log in at any time. Then, on a config page in my app, I have an option to "Complete integration with O365", which presents a link to authenticate with the 2nd AAD app. This way, I can guarantee all users can perform basic log in, and I can integrate with the directory and calendar when an admin clicks the 2nd button. The downside of this, is that even if the first user to log in is an o365 admin, I won't be able to access the directory until the second auth has been completed. And secondly, my app will appear twice in the customers AAD applications list.
It seems like I am trying to achieve such a trivial thing here - to be able to log all users in, but if an admin logs in then they can access the directory. So how do you achieve this with AAD apps?
Your solution #1 is the one we recommend in our samples, take for example https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet and the sign up controllers. As of today consent in Azure AD is an "all-or-nothing" package deal, hence apps that require admin consent must be first approved by an administrator. We are working on making the consent dynamic, thanks to which you'll be able to sign in non-admin users without directory querying powers and defer that ability until an admin grants consent - but that's still quite some time out hence for the time being #1 is the supported approach.
If your app requests permissions that require tenant admin consent, then only a tenant admin can actually grant those permissions, and thus you will see errors like the one you are having.
You can resolve your issues by reducing the permissions requested by your application to only those which a normal user can consent to.
Also make sure you are not passing the query parameter "&prompt=admin_consent" as this can only be done by an admin.
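The question says there is "no way for my app to gracefully handle" a non-admin hitting AADSTS90093 before an admin has consented. The failure is not silent, though: Azure AD redirects back to the registered reply URL with error and error_description query parameters, and the AADSTS code sits at the start of error_description. The following is an added example, not code from either answer, that parses that callback, verifies the state value first, and maps AADSTS90093 to a distinct "an administrator must consent first" outcome so the login page can say so instead of showing a generic failure. The callback URL below is constructed for the example; the state value is a placeholder for whatever the app stored when it built the request.

```javascript
// Added example (not from the original answers): handle the redirect Azure AD
// sends when authorization fails, and single out AADSTS90093 (caller cannot
// consent) so a non-admin user gets a useful message. The callback below is
// constructed for the example.
const sampleCallback =
  "https://app.example.com/auth/callback?error=access_denied" +
  "&error_description=AADSTS90093%3A+Calling+principal+cannot+consent+due+to+lack+of+permissions." +
  "&state=abc123";

// Parse the redirect. State is checked before anything else: a callback whose
// state does not match what this app stored is rejected as a CSRF/replay,
// regardless of whether it carries a code or an error.
function parseAuthCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  const code = params.get("code");
  if (code) {
    return { ok: true, code };
  }
  const description = params.get("error_description") || "";
  const match = /^(AADSTS\d+)/.exec(description);
  return {
    ok: false,
    reason: "error",
    error: params.get("error"),
    aadsts: match ? match[1] : null,
    description,
  };
}

// Decide what the login page should do next.
function nextStep(result) {
  if (result.ok) return "exchange_code";                   // continue to the token endpoint
  if (result.reason === "state_mismatch") return "reject"; // do not show AAD's text to the user
  if (result.aadsts === "AADSTS90093") return "needs_admin_consent"; // tell the user to ask an admin
  return "show_error";
}

console.log(nextStep(parseAuthCallback(sampleCallback, "abc123")));
```

When nextStep() returns "needs_admin_consent", the app can record the tenant and show the administrator-facing link (the one built with prompt=admin_consent) to the next admin who signs in, which is the deferred-consent flow the first answer describes as solution #1.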
https://www.gittprogram.com/question/3306112_aadsts90093-calling-principal-cannot-consent-due-to-lack-of-permissions.html
