I am currently using Phone Based MFA with Custom Flows created using Identity Framework Experience. How would I extend this to use Hardware Tokens, or App based authenticators like Google or Microsoft Authenticator.
You could extend your MFA using Hardware OATH tokens in Azure MFA
As Microsoft Previews Hardware OATH Tokens with Azure Multi factor Authentication.
Requirements:
The following are the pre-requirements to complete this configuration:
Azure AD Premium P1 or P2 license
Token2 hardware token(s)
A CSV file for your token device(s). You will receive an email with the CSV you confirm the delivery*
Devices For CSV
As I don't have device right now that's why I am using virtual device emulator refer here
You have to create a secret with this device. The secret is required for upload to Azure AD and is required in the form of a CSV file with six columns:
Secret would be look like this below:
This CSV file must contain following information:
upn,serial number,secret key,timeinterval,manufacturer,model
Which should match with azure portal like below information:
Ensure each UPN in the first column matches the device you are issuing
to the user and upload the CSV file to Azure AD.
This is done from Azure Portal > Azure Active Directory left menu >
MFA (in Security area) > OAUTH tokens (in settings area)
Upload CSV
Once you have created your csv file from the given emulator which has given above
You have to upload your file on azure portal.
CSV format
upn,serial number,secret key,timeinterval,manufacturer,model
gulnara#token2.onmicrosoft.com,60234567,1234567890abcdef1234567890abcdef,30,Token2,c101
Note: Make sure you include the header row in your CSV file as shown above. Also, please do not edit the CSV file in Excel use a
text editor (Notepad) instead
Click Upload and browse for your CSV file. As long as there are no errors it will upload fine. Errors are displayed in the notifications area. Once the upload is complete click Refresh to see the imported hardware tokens. Tokens assigned to users that do not exist will appear after the user is created, if the user is created within 30 days
Then you just need to activate the hardware token by clicking Activate
See the screen shot below
Once you have activated soon the verification code prompted like below:
Once OATH token is activated and set as the default MFA method, users can use it to log in. Like below
Please note that the login page will still ask for "authenticator app"
code on the login page, but the OTP generated by the hardware token
will for sure be accepted without any issues.
Now Enter the code from the hardware or your emulator. The token changes every 30 seconds and is valid for a short while either side of the time it is displayed for on the device.
See the screen shot:
For large organization they can also set up additional MFA methods in
addition to the hardware tokens. This will ensure users can still log
in in case the hardware token is lost or damaged. Additional MFA
factors, such as SMS or mobile app can be configured by users
themselves on this page.
Like below:
If you need more information you could refer here
Microsoft reference check here
Hardware token device information refer here
Related
What I need:
I need to read an excel table from Microsoft Teams Channel with Microsoft Graph API.
That is possible with the following URI:
https://graph.microsoft.com/v1.0/drives/someId/items/someId/workbook/tables/tableName/rows
The problem is, that this endpoint needs a valid token.
There are 2 opportunities:
Create Azure AD Application, that have access to the whole OneDrive.
Create Azure AD Application to retrieve a token for a service user, that have access to needed files.
The problem of the first one is, that I don't want to give it access to the whole OneDrive. I want it to have an access just to one OneDrive folder.
Maybe there is some possibility to limit the access just to one OneDrive folder?
I've tried the second alternative with com.microsoft.aad.msal4j library:
String APP_ID = "20106bdc-eec0-493d-b32f-526583aa95a6";
String AUTHORITY = "https://login.microsoftonline.com/112121a0-cc1f-12af-1213-faaa12ef1b11/v2.0";
PublicClientApplication pca = PublicClientApplication.builder(
APP_ID).
authority(AUTHORITY).build();
String scopes = "User.Read";
UserNamePasswordParameters parameters = UserNamePasswordParameters.builder(
Collections.singleton(scopes),
userName,
password.toCharArray()).build();
IAuthenticationResult result = pca.acquireToken(parameters).get();
But this leads to the following exception:
com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Any ideas? Thank you
For this issue, you need to learn about the difference between ConfidentialClientApplication and PublicClientApplication.
Please see Public Client and Confidential Client applications.
Public client applications are applications which run on devices (phones for instance) or desktop machines. They are not trusted to
safely keep application secrets, and therefore access Web APIs in the
name of the user only (they only support public client flows). Public
clients are unable to hold configuration time secrets, and as a result
have no client secret.
So for PublicClientApplication, we don't need a client secret.
What you need to do is (which you have found from this comment):
In the Application menu blade, select Manifest, and in the manifest editor, set the allowPublicClient property to true.
There is a completed sample with detailed steps here for your reference.
Besides, since you are trying to read an excel table, user.read permission is not enough.
Based on List rows Permissions, you need to add Files.ReadWrite delegated permission in the Azure AD app (app registration). And you should also specify it in your code.
All steps that I've done, so that it works:
I need to access a shared folder, so I needed to change the scope to "Files.ReadWrite.All" in my code.
In the list of pages for the app, select API permissions, click the Add a permission button and then, ensure that the Microsoft APIs tab is selected. In the Commonly used Microsoft APIs section, click on Microsoft Graph. In the Delegated permissions section, ensure that the right permissions are checked: Files.ReadWrite.All. Use the search box if necessary. Select the Add permissions button.
In the list of pages for the app, select Manifest, and in the manifest editor, set the allowPublicClient property to true, select Save in the bar above the manifest editor.
Login as a tenant admin to https://portal.azure.com. Open the registration for your app. Go to Settings, then Required Permissions. Press the Grant Permissions button.
Hoping someone can shed some light on the following matter;
I got an Angular & .Net core Web API application that uses Azure B2C to authenticate users.
User accounts are created by the users themselves via the signin/signup custom policy or administrator can create accounts via the app using the Graph API.
Due to the requirements, the app uses usernames (as opposed to email addresses) to log into the application. So far I've managed to get everything working except for the following scenario:
When an account is created via the Graph API, the owner of that account cannot reset the account's password. The error is "An account could not be found for the provided user ID".
This isn't the case for accounts that get created via the custom signup policy so I did some comparison and found that for those account that get created via the Graph API, the Email is missing (which can be found under User -> Authentication Methods). I looked at populating that field, but it appears the "Mail" attribute is 'read only' (not sure if that's the right attribute anyway).
At the moment I'm having to manually set the email via Azure so those account's passwords can be reset by their owner if necessary. This is obviously not ideal and wanted to see if there is anyone that might have gotten around this issue, or a least get confirmation that this is indeed a limitation of the Graph API.
Thanks in advance for your help
So I managed to get this working using the approach outlined by Jas Suri. These are the steps that I went through
Created a custom attribute in my B2C tenant to hold the account email address
Included the custom attribute claim type (extension_emailAddress) as well as the strongAuthenticationEmailAddress in the TrustFrameworkBase.xml
Updated my apps's custom policies to include the technical profile for local account discovery. I basically just copied the necessary bits and pieces from here
Updated the local account discovery to perform the comparison against the extenstion_emailAddres instead of strongAuthenticationEmailAddress.
Added an extra step to the Sign up user journey so that the value in strongAuthenticationEmailAddress is copied to extension_emailAddress
Updated my Web API / Graph API "create user" function so that it sets the extension_appidguid_emailAddress
That's it. Now it doesn't matter how the account gets created, the email address will be stored in the extension attribute and the password reset will be able to find the account using that attribute.
happy to provide more details if anyone comes across this.
The problem is as you’ve identified, the Sign Up policy uses the strongAuthEmail attribute to store the verified email for a username based account. The Password reset policy will use this to verify the user owns the username. When creating the user with graph api, you can’t populate this field, it’s not exposed. The only option is to use a custom policy which stores this secure email in an extension attribute, and your graph api created users can then also target the same attribute to allow the stars to align.
Mail attribute is not the same as the Email under Authentication Methods, and currently there is no such graph api to set the Email value under Authentication Methods.
By the way, there is no need to create Azure AD B2C user for a user as users can sign up themselves.
I am using Azure Graph API Explorer. I want to query the apps list in a tenant. I am user in tenant_x (where user was originally created) as well as admin in tenant_y (created later with my user). I understand that when I log in I go directly in the origin tenant (so tenant_x) therefore Graph Explorer does not allow me to query tenant_y. So as admin of tenant_y I have added a new user in tenant_y. I log in now with that user but still I am not able to query the applications that are in tenant_y. So how can I query apps in tenant_y? Is there a way? thanks.
The API I am calling (with new user log-in) to first retrieve all applications:
https://graph.microsoft.com/beta/applications
Response is:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
Of course I have apps in that tenant.
Based on our communication, you have used a personal account as guest of tenant_y to query the apps list in tenant_y.
Unfortunately, Microsoft Graph Explorer will not recognize your personal account as a guest user. It will still treat it as a personal account.
So it will query the apps list for the personal account rather than tenant_y.
So now you have two choices:
Create a new user in tenant_y by following add a new user and
then use this new user to log into Microsoft Graph Explorer to query
the apps list.
Implement Get access on behalf of a user and make sure that you
call {your tenant} endpoint rather than common endpoint while
requesting the access token. And you should use another tool (for
example Postman) instead of Microsoft Graph Explorer.
Update:
You can modify the permissions in Microsoft Graph Explorer like this:
Click on the "modify permissions" under your username in Microsoft Graph Explorer and check the Directory.Read.All permission.
Today that's possible if you pass the tenant query string parameter like this:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com
Note that you need to logout before going to this URL with the tenant query string. It'll ask you to login again. After login you can issue queries against the other tenant you have access to (not your home tenant where your account was originally created on).
If you get a 401 while running the specific query, make sure you grant the required permissions on "Modify permissions" tab and click the Consent button in each required permission. After that your query should return a 200 success result.
Graph Explorer today does not support signing in to the tenanted endpoint. A tenanted endpoint is used in the following format
https://login.microsoftonline.com/{tenantId}/V2.0
Once your user account from tenant_x is made a guest user in tenant_y, to effectively query tenant_y using your guest user account, an app (like Graph explorer) has to sign you in the other tenant. Instead Graph Explorer uses the /Common endpoint, which will always sign you in your home tenant (tenant_x).
The only available workaround is to develop a application quickly and sign-in to a tenant of your choice and run Apis in it.
Graph explorer is a tool to help developer's discover and learn about the Graph Api and thus might shy away from introducing too much complexity. But it does not hurt to ask for this feature at their Github repo.
I'm trying to use Video Indexer API (v2). But when I try to sign in to it using the the Azure Active Directory, I get this message:
Selected user account does not exist in tenant 'Microsoft' and cannot access the application 'da0eb6e2-d2bd-4cbd-ad65-81ddc43546e2' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
I'm not sure what the issue is?
Sign-in to the VideoIndexer developer portal has been revised.
We unified the developer portal sign-in with that of the VideoIndexer site.
The screenshot in #Mohit_Garg comment in no longer relevant. This is our new sign-in experience.
The first option should be used in case of Active Directory accounts. This is also the only option that will allow you to use Video Indexer paid.
In many cases users selected the Microsoft option in the old authentication method when they actually wanted AAD option.
After the new experience they select the first option "Sign in with a corporate account" and get a message saying that an account with that E-Mail already exit.
An Email is unique in Video Indexer developer portal. So if you want to use your AAD but previously opened an account in the developer portal using a different authentication method you will need to sign-in using the original authentication method and close the account in your developer profile page. After the account removal you will be able to sign in with different authentication method.
More info can be found in the official video indexer documentation
Clarification: I'm a developer in the Video Indexer team.
Follow below steps to Subscribe to the API -
Sign in.
To start developing with Video Indexer, you must first Sign In to the Video Indexer portal.
If signing in with an AAD account (for example, alice#contoso.onmicrosoft.com) you must go through two preliminary steps:
A. Contact us at visupport#microsoft.com to register your AAD organization’s domain (contoso.onmicrosoft.com).
B. Your AAD organization’s admin must first sign in to grant the portal permissions to your org. To do this, the organization's admin must navigate to https://videobreakdown.portal.azure-api.net/signin-callback?provider=Aad, sign in and give consent.
Subscribe.
Select the Products tab. Then, select Production and subscribe.
Once you subscribe, you will be able to see your subscription and your primary and secondary keys. The keys should be protected. The keys should only be used by your server code. They should not be available on the client side (.js, .html, etc.).
Start developing.
You are ready to start integrating with the API. Find the detailed description of each Video Indexer REST API.
How I can generate different app keys (passwords) to be used by different applications. I need to use gmail account for sending emails. but I dont want to put my password in file, I will use it in multiple projects to send email.
I dont want to put password in every project file, doing this when I change password I will have to change in all applications.
I'm looking for a way where I can use different keys for every applications. Please guide..
An App password is a 16-digit passcode that gives an app or device permission to access your Google Account.
Visit your App passwords page. You may be asked to sign in to your Google Account.
At the bottom, click Select app and choose the app you’re using.
Click Select device and choose the device you’re using.
Select Generate.
Follow the instructions to enter the App password (the 16 character code in the yellow bar) on your device.
Select Done.
Once you are finished, you won’t see that App password code again. However, you will see a list of apps and devices you’ve created App passwords for.
Note: You may not be able to create an App password for less secure apps. Learn more about allowing less secure apps.
Documentation can be found here Sign in using App password