Get AccessToken to Microsoft Graph from Azure App Service Easy Auth - azure

I have a .NET core application hosted on Azure App Service. The application is secured with Azure App Service Authentication.
I need to get an access token to access Microsoft Graph.
Since I have Azure App Service Authentication turned on, and all the users that access the web application should already be authenticated, I was wondering if it is possible to get the access token from /.auth/me or Request.Headers["x-ms-token-aad-access-token"].
I tried to follow the example posted on here
, where I configured my additionalLoginParams /config/authsettings to ["resource=https://graph.windows.net"] (or ["resource=https://graph.microsoft.com"] as per Rohit suggestion), which in turn should give me an access token to MS Graph either via /.auth/me on client side or Request.Headers["x-ms-token-aad-access-token"] on C#.
However I checked both server side and client side, and there were no access token found. Any idea what went wrong?

since this was tagged azure-gov I presume the App Service is running in Azure Government? If so, what AAD authority are you specifying in the authentication context or /config/authsettings when calling Graph? If it's in Azure Gov, and you're planning to authenticate Azure Gov users, the AAD authority should be login.microsoftonline.us. What was the HTTP response to the request?
Also, as others have mentioned there are two "Graph" APIs (Azure AD Graph and Microsoft Graph) available at the moment. Microsoft Graph will ultimately replace Azure AD Graph but for now either can be used.
The resource uri for AAD Graph in Azure Gov, for now, is the same as Azure Public: graph.windows.net.
The resource uri for Microsoft Graph in Azure Gov, however, is graph.microsoft.us compared to graph.microsoft.com in Azure Public.

Related

Why need to add an OAuth 2.0 for Azure service that is already protected by Azure AD

Backgournd:
Our group using Azure AD to authenticate and authorise the resources that belongs to us in Azure. AKA, you need to login by your working ID to get verified it is a person belong to our group. This is how a team member can use the API service we owned.
Issue:
There is suggestion that to add an OAuth 2.0 authorization on top of the API. I get confused here. It is only used internally and protected by Azure AD. And login by Azure AD isn't itself already some kind of OAuth 2.0 authentication?
If the API does not have any protection, that means that anyone can hit the endpoint and get the information from the api. for example, if some random person with a cell phone connected to your wifi network somehow or hardwire laptop, they could query the api directly if there was no authentication/authorization on the endpoint. or if its on azure functions or something, then most likely anyone can access it on the internet.
I'm curious on what you mean by the resources are protected by azure ad. Where exactly did you set this up? if for example you are using an azure function as an api endpoint and you activated azure ad authentication/authorization on the azure function app, then your api layer IS secured and you can access the user tokens in the code. in this case there is nothing further to do.

Is it possible to call external Azure Service with AD Token from within D365/PowerApp plugins?

I am new to D365/PowerApps and wonder if i have a Azure Service, (Azure Functions or WebAPP) that is secured with Azure AD tokens (App Registrations).
Can I get an Access Token to my external services using Azure AD from within a plugin step in d365? How do I get such token on behalf of the context the plugin when running as a user.
You'll need to use Flow and compose a http request to get the token:
https://flow.microsoft.com/en-us/galleries/public/templates/edfa8fde25644f149448c8d8cff44699/call-a-web-service-from-a-powerapp/
Here's a good explanation on how to do it using the REST API:
https://stackoverflow.com/a/36982924/1384539
If I understand your question correct,
You have an Azure function APP or external azure service and that is secured by creating Azure AD App with it's roles delegation and so on.
Now you need Access token for this Azure APP with client ID and Client Secret.
We had this similar thing in Dynamics 365 i.e When we wish to use Dynamics 365 Webapi, We need to create Azure AD App and then provide roles delegation so that this app will have access to Dynamics 365.
In Plugin we can give details with client Id and Secret and then generate Token which will be used for Furthure process during plugin Execution.
Note: Most of these plugins we run under System context.
Here are few examples which will lead you to your desired direction.
Most of the Examples also talk about creating Non-Interactive user in Dynamics but in your case that shall not be needed because you are not communicating with Dynamics via (Azure AD App) rather you communicate with Azure functions or so on.
Link 1
Link 2
Link 3

Credentials prompt for access to Azure management APIs

I've been using the Azure fluent management APIs (https://github.com/Azure/azure-libraries-for-net) with some success in .NET Core.
However, I want to prompt the user to enter some credentials for a Microsoft account. Those credentials would have access to one or more Azure tenants / subscriptions, so I'd like to be able to use the result to browse and manage resources there.
This is something very close to what I would believe Azure Data Studio does: you can enter some Azure creds, and your resources will appear in the app.
I'm trying to understand the best approach for this. There seem to be a billion sites out there when you talk about Azure AD app registrations, but I haven't found a fruitful specific search query yet. I know I can register an app, get a client ID and client secret. I know I can set it to be usable by organisational accounts in the current tenant, or all tenants.
I can add the "Azure Service Management (delegated permissions : user_impersonation)" permission to my API permissions section for the app, but what's next?
If I use Microsoft.Identity.Client (as in https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon), I run into some questions:
AcquireTokenForClientAsync doesn't prompt the user - I guess because it's getting a token for the app to act with its own permissions?
AcquireTokenOnBehalfOfAsync wants a JWT.. great! I'll pass the one I got from AcquireTokenForClientAsync! Nope, AADSTS70002: Error validating credentials. AADSTS500137: The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint.
I don't know what scope I want. https://management.azure.com/user_impersonation is apparently invalid.. https://management.azure.com/.default works, but is that right? It's a guess, combo of the former and a .default suffix I found for Graph API scopes online. Any docs on this?
I ultimately get a JWT and tenant ID back. I can't find a way to use a JWT with the Fluent management APIs.. and my account (for instance) is associated with 3 tenants or 5 different tenants / directories - so how do I choose?
That's just what I've tried, the appropriate route might be a different one. In summary: I want a .NET Core Console app to request user credentials, and then get access to the Azure resources they have access to, in order to perform some resource management.
AcquireTokenForClientAsync doesn't prompt the user - I guess because it's getting a token for the app to act with its own permissions?
You are using the OAuth 2.0 client credentials grant to access web-hosted resources by using the identity of an application. This type of grant commonly is used for server-to-server interactions that must run in the background, without immediate interaction with a user .
AADSTS70002: Error validating credentials. AADSTS500137: The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint.
Azure AD provide two service : Azure AD V1.0 and Azure AD V2.0 . Please refer to Comparing the Azure AD v2.0 endpoint with the v1.0 endpoint . You can't use v1 token to acquire v2's token in a on-behalf-of flow .
AcquireTokenOnBehalfOfAsync wants a JWT.. great! I'll pass the one I got from AcquireTokenForClientAsync
AS pointed above , That function is used to acquire an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. So you can't use app token which acquire using Client Credential flow .
https://management.azure.com/.default works, but is that right? It's a guess, combo of the former and a .default suffix I found for Graph API scopes online. Any docs on this?
You are using the Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow , when sending a POST request to the /token v2.0 endpoint ,the scope should be :
The value passed for the scope parameter in this request should be the resource identifier (Application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value informs the v2.0 endpoint that of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use.
Please check the Get a tokensection in above document .
I ultimately get a JWT and tenant ID back. I can't find a way to use a JWT with the Fluent management APIs..
AFAIK , currently Azure AD V2.0 apps can use:
Its own API
Microsoft Outlook APIs
Microsoft Graph API
Azure AD V2.0 currently doesn't support Azure management APIs .
So you problem is you need to allows work and school accounts from Azure AD and personal Microsoft accounts (MSA) which works with Azure AD V2.0 , but you can't use Azure management APIs . You can use Azure management APIs in Azure AD V1.0 but it allows only work and school accounts to sign in to your application , unless you invite Microsoft accounts as guest user in Azure AD V1.0 ,but you need to configure to point to the tenant-specific endpoint :https://login.microsoftonline.com/{TenantId_or_Name}). during authentication if you want to login with MSA in v1.0 apps.
Update:
You can use Code flow and azure ad v1.0 endpoint , user will be redirect to AAD's login page and enter their credential. Here is code sample for .net Core .
With Azure AD V1.0 endpoint , requests are sent to an endpoint that multiplexes across all Azure AD tenants: https://login.microsoftonline.com/common . When Azure AD receives a request on the /common endpoint, it signs the user in and, as a consequence, discovers which tenant the user is from. See document here . But in this scenerio ,you can only use work and school accounts(AAD) account to login .
The code sample in your link is using Azure Service Principal for Authentication , no interactive user login . You can use OpenID Connect Owin Middleware for authentication in .net Core applications as shown here .

Azure Active Directory Verify Access Token in Web Api outside of Azure

If my Web Api application is hosted outside Azure, can I use access tokens issued by Azure AD and verify the tokens in the Web Api itself or against Azure AD?
All the examples available are referring to the Web Api applications hosted on Azure. But there must be a way to do this with Web Api outside Azure.
Any reference to solution would help.
Azure active directory support the OAuth 2.0 to authorize the third-party apps. It doesn’t matter where the web API or apps hosted. Below figure is the stand OAuth flow from RFC 6749 – The OAuth 2.0 Authorization Framework.
Technically, the web API only need to verity the token from the endpoint it trust. I also explained the detail about verifying the access token from this thread.
And if you want to know more about the scenarios developing with Azure AD, you can also take a look this article.

Azure Management API access from a web app

Is it possible to gain access to the Azure Management APIs through the client ID and secret for a web app?
I have a web app through which i want to be able to manage Azure. I want to do this using the credentials of the application itself so that the current user does not have to be an azure administrator.
I have given the web app the necessary role on my subscriptions and obtained the access token through the client credentials grant flow in AD but i still get an unauthorized.
This is probably because the azure management API has no permission set other than delegated - the access works fine if i use the authorization code grant flow for the logged in user, but thats not what i want.
So to reiterate, if, given a web app that has RBAC to a subscription and is able to obtain an access token from AD, is there any way, without an interactive user, that the web app is able to use the management API??
Yes, you can obtain a token from AAD for a service principal and use that to manage resources as long as that service principal has all the access you need.
Make sure the token you get has a resource/audience of "https://management.azure.com" and is for the tenantId that the subscription is associated with.
You can also see this article from Brady Gaster that explains how to use Azure AD applications to manage Azure Services from an external app : http://www.bradygaster.com/post/using-windows-azure-active-directory-to-authenticate-the-management-libraries
EDIT : Azure AD supports Service to Service calls using OAuth 2.0 client credentials: https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
Hope this helps,
Julien

Resources