Azure B2C - Automation - EnableIEFKeySetGraphApis Feature - azure

I am trying to automate deployment of B2C TrustFramework policies and keysets.
For Custom policies, everything works as expected but I am having some problem listing keySets using the Graph API.
I've created a local user with B2C IEF Keyset administrator and B2C IEF Policy administrator roles.
I've created an app registration with these delegated permissions: Policy.ReadWrite.TrustFramework, TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All
Calling the AAD Token endpoint, I am able to get an access_token with the desired scopes for the graph api resource.
I am then trying to call the List KeySets endpoint using the access_token (as a bearer token in the Authorization header):
```
GET https://graph.microsoft.com/beta/trustFramework/keySets HTTP/1.1
Authorization: Bearer {{my access_token}}
```
And I am getting this response from the Graph API (403 Forbidden):
```
{
"error": {
"code": "AADB2C",
"message": "Unauthorized. Access to this Api requires feature: 'EnableIEFKeySetGraphApis' for the tenant: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.",
"innerError": {
"correlationId": "4674e4c9-933e-4e70-a26b-ed59e40dc088",
"date": "2019-06-04T08:55:32",
"request-id": "d796beda-62be-46a8-afa2-cf53d29409b5"
}
}
}
```
This tenant was created before Custom Policies went GA (so not sure if it is related), but how do I activate the EnableIEFKeySetGraphApis feature?

There is a private Preview Sample available in GitHub for Graph API Key Sets.
https://github.com/Azure-Samples/ActiveDirectory-B2C-MSGraph-PolicyAndKeysets
Try this and see whether you are able to list your keysets or not.

Related

How to query the Sharepoint REST api (not the Graph api) using an Azure AD registered application?

I have a web application registered in Azure AD and have it working with the Graph API. But I would like to be able to instead query the Sharepoint REST API.
I have added the SharePoint delegated permission scope "AllSites.Read" to my application (in addition to the Graph API scopes that I was using before) and request this scope (in addition to the other delegated msgraph scopes) when I get the OAuth token from the user. I successfully get the token, using https://login.microsoftonline.com/common/oauth2/v2.0 for the authorization/token calls, but am unable to make a successful query:
My query looks like client.get(f"https://{tenant}.sharepoint.com/_api/web/lists") where tenant is the tenant of the particular user whose token I am using.
The error I get looks like {'error_description': 'Invalid issuer or signature.'} with reason="Token contains invalid signature.";category="invalid_client"' in the header of the response.
I am able to query the Graph API, but would like to also be able to query the SharePoint REST API, because the Graph API is insufficient for my actual use case, which will be to get SharePoint groups (the Graph API does not give SharePoint groups when I ask for groups, only Office 365 and Azure AD groups).
Update:
The permissions I've set on the app:
I have not added any scopes in Expose API, I don't know if I need to. I did not need this part to have it working with Graph API.
Lastly I'll mention that in Postman, controlled environment purely with this as the request, with OAuth 2.0:
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id
client_secret
Scope: AllSites.Read
I get a token successfully, with all the roles, although it still doesn't give me access to https://<tenant>.sharepoint.com/_api/web/lists. I get the following error:
```
{
"error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": {
"lang": "en-US",
"value": "Access denied. You do not have permission to perform this action or access this resource."
}
}
}
```
which admittedly is probably a step forward from the invalid client error I was getting before, but still quite stuck.
I was able to get this to work in Postman:
OAuth 2.0
Grant Type: Authorization Code
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Client ID: <client_id>
Client Secret: <client_secret>
Scope: https://<tenant>.sharepoint.com/AllSites.FullControl
The token I get back has all of the permissions that I set on the application, including the Graph API ones and the Sharepoint scopes that I did not request in the Scope parameter of the auth request:
"scp": "AllSites.FullControl AllSites.Read Directory.Read.All Files.Read.All Group.Read.All MyFiles.Read Sites.Read.All Sites.Search.All User.Read User.Read.All", which was a little surprising.
A key point was setting the tenant url in the scope so that the aud parameter in the token comes back for the right tenant. It was coming back before configured for the resourceAppId associated with the Graph permissions (00000003-0000-0000-c000-000000000000), rather than the Sharepoint permissions. This way, aud got set to https://<tenant>.sharepoint.com and I was able to access https://<tenant>.sharepoint.com/_api/web/lists.
You can try to get the access token in Postman for testing purposes.
Callback URL: https://www.getpostman.com/oauth2/callback
Auth URL : https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<tenant_name>.sharepoint.com
Access Token URL : https://login.microsoftonline.com/common/oauth2/token
Client ID : <Application_ID>
Client Secret : <KEY>
Grant Type : Authorization Code
It will pop up a login window to sign in, then generate the access token and get the SharePoint groups:
Reference:
Use Postman and Azure AD to send REST request to SharePoint Online

Azure B2C - Link IdentityProvider to UserFlow causes 403 using Graph API

I am trying to use the Microsoft Graph API to configure an Azure B2C instance. Specifically, I need to create UserFlows and IdentityProviders. For this purpose, I have created an AppRegistration with IdentityProvider.ReadWrite.All and IdentityUserFlow.ReadWrite.All API application permissions for the Microsoft Graph. I am able to call the APIs for creating new user flows and identity providers without a problem, but I am unable to link flows to an identity provider. Whenever I use any of the linking APIs, I get an error:
AADB2C (User Authorization: Access is denied)
As an example, I get this when trying to list registered identity providers for specific user flow, i.e.
GET https://graph.microsoft.com/beta/identity/b2cUserFlows/B2C_1_{flowId}/identityProviders
The response for this request is a 403 with
```
{
"error": {
"code": "AADB2C",
"message": "User Authorization: Access is denied.",
"innerError": ...
}
}
```
I am using the Beta API as described in the docs here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-list-identityproviders?view=graph-rest-beta&tabs=http. I get the same error when trying to link a user flow with an identity provider as described in the documentation here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-update-identityprovider?view=graph-rest-beta&tabs=http
Any idea why I keep getting this authorization block?
Update: I have tried expanding the .IdentityProviders property on a userflow when reading it from the graph api. This does not give a 403, but the identity providers list, on the returned user flow, is empty even when providers have been manually added to the flow in the Azure Portal.
Please ensure you comply with this:
The work or school account needs to belong to one of the following roles:
Global administrator
External Identity User Flow administrator

Call Microsoft graph API using Azure B2C

I am trying to access Microsoft Graph API using Access token of b2c login.
The following are the endpoints the Azure portal shows.
As I understand it, we must be able to call https://graph.microsoft.com endpoints according to this. Please correct me if I am wrong. Then I generated an access token as follows and tried to call https://graph.microsoft.com/v1.0/me/ using that token.
The result is as follows.
```
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"date": "2020-08-25T11:58:07",
"request-id": "c6a9ba06-d41e-49f7-ba94-f75478ce89b0"
}
}
}
```
I have granted API permissions as follows in my application too
This won't work. Use the Azure AD flows in your AAD B2C tenant.
https://learn.microsoft.com/en-us/graph/auth-v2-service

Azure ad and Azure ad b2c token validation failure

I am using Azure AD B2C to develop a web app. I want to use the Graph API (msgraph) to get and set the user's groups. So I created an Azure AD B2C service named B2Ctest, and the Azure AD service that B2CTest is based on is named Adtest.
I use this API, the Microsoft Graph Client Library for .NET, and used the Adtest settings for msgraph.
I get the B2Ctest service's user token and pass the token to msgraph to get the user's own groups. It throws an exception.
I captured the msgraph HTTP POST packet.
address:
https://graph.microsoft.com/v1.0/groups
response:
```
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "e715c5f9-5c2c-40d8-ad09-71c848205d2c",
"date": "2017-10-09T16:10:20"
}
}
}
```
aad b2c access token
aad access token
I found that the AAD B2C access token and the AAD access token are not the same.
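The Graph rejections in this question, the SharePoint `aud` point in the self-answer above, and the keyset scopes in the first question all come down to what is inside the token: its `aud`, its `scp`/`roles`, and whether it was minted by a B2C user flow. Here is an added Python helper (not from any of the posts; `diagnose_token` and `make_unsigned_token` are my own names, and the sample tokens are constructed) that decodes a JWT payload locally and reports the likely reasons for a rejection; it does no signature verification, so it is a diagnostic aid, not a replacement for the resource's own validation.

```python
import base64
import json
import time

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app id (from the page)
GRAPH_AUDS = {"https://graph.microsoft.com", GRAPH_APP_ID}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample JWT for local testing; the signature is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload only. No signature check, so this is diagnostics, not validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, expected_auds: set, required: tuple = ()) -> list:
    """Return the reasons the target resource would plausibly reject this token."""
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") not in expected_auds:
        problems.append(f"aud is {claims.get('aud')!r}, not the target resource")
    # B2C user-flow/policy tokens carry the policy name in 'tfp' or 'acr'; Graph rejects them
    if "tfp" in claims or str(claims.get("acr", "")).lower().startswith("b2c_1"):
        problems.append("issued by a B2C user flow; Graph needs an Azure AD token from the B2C tenant")
    # delegated tokens list permissions in 'scp' (space separated), app-only tokens in 'roles'
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    for perm in required:
        if perm not in granted:
            problems.append(f"missing permission {perm}")
    if claims.get("exp", 0) <= time.time():
        problems.append("token is expired")
    return problems
```

Run `diagnose_token(token, GRAPH_AUDS, ("TrustFrameworkKeySet.Read.All",))` on the token from the first question, or pass `{"https://<tenant>.sharepoint.com"}` as the audience set for the SharePoint case.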

Accessing /me endpoint with azuread v2.0 and personal accounts

I am trying to have access to information in "/me" with Graph API for a personal account using Azure AD v2.0 but I receive the following error. It works with organizational accounts.
```
{
"error": {
"code": "UnknownError",
"message": "{\"Status\":500,\"Message\":\"All the offeractions povided in the property bag cannot be validated for the token.\\u000d\\u000a\"}",
"innerError": {
"request-id": "39e23062-80ad-4872-86a7-39f5a5d928ce",
"date": "2017-02-23T15:35:06"
}
}
}
```
I have the permission User.ReadBasic.All
The scope User.ReadBasic.All grants the permission to read the basic profile of all users in the organization on behalf of the signed-in user. This scope is only supported for Azure AD accounts. If you just want to read the user's profile for a Microsoft Account, you could use the scope User.Read. The code flow steps below are for your reference:
Get the authorization code:
```
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=<client id>&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
```
Then get the token:
```
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=<code>&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&client_id=<client id>&client_secret=<client secret>
```
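The same flow as the answer above, as an added Python example that is not part of the post: it generates a fresh `state` and `nonce` per login instead of the fixed strings shown, checks the `state` on the redirect back before the code is exchanged (the CSRF protection `state` exists for), and builds the form body for the token POST. The helper names, the client id, the secret and the redirect URI are placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"


def build_authorize_url(client_id: str, redirect_uri: str, scope: str) -> tuple:
    """Return (url, state, nonce). state and nonce are random per attempt and must be
    stored server-side (e.g. in the session) so the callback can be checked against them."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,  # e.g. https://graph.microsoft.com/User.Read as in the answer
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}", state, nonce


def extract_code(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from Azure AD before exchanging the code:
    surface provider errors, and reject any response whose state is not ours."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {qs['error'][0]}: {desc}")
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch; discarding response")
    return qs["code"][0]


def token_request_body(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Form fields for POST {AUTHORITY}/token (application/x-www-form-urlencoded).
    redirect_uri must be byte-identical to the one used in the authorize request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
```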
