self signed certificate for azure ad registered applications - azure

Hi, I have a daemon application which will access the Azure AD Graph API.
I am trying to use certificate-based authentication, hence first creating a self-signed certificate.
I have followed this article:
https://azure.microsoft.com/en-in/resources/samples/active-directory-dotnet-daemon-certificate-credential/
I am using a Windows 10 machine.
When I try to modify the manifest file of the registered application in Azure AD I get the below error:
Failed to update application graphapi2. Error details: KeyValue cannot be null or empty Request ID: fea0789a-b8fd-4001-83c4-f74d67fb9812, Timestamp: 12/13/2018 11:56:08
Has anyone faced this issue? How can I create a self-signed certificate for Azure AD registered applications?

I got it working by following this link: github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2. While exporting the key, choose the option -> Do not export private key -> Base 64 encoded. Later I uploaded the certificate in the App registrations (preview) and it works!! :)

This seems to be happening in the Azure Portal when using the "App registrations (preview)" rather than the normal "App registrations". If you try "App registrations" and edit the manifest there and add your KeyCredentials it seems to work fine.

Related

Azure B2C login issue

When I run the signupsignin user flow in the Azure B2C portal to test Open ID Connect (external Azure tenant login), I received the below error.
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: 6744ccb7-eb8d-47f6-bb0a-bcd2f84f5771
Timestamp: 2021-08-04 04:10:53Z
ConnectionTimeOut: An exception has occurred.
This article describes a similar error that occurs when you try to sign in to an app that's set up for Azure AD B2C.
Cause: The client ID may be missing or incorrect in the Web.config file for the app.
Resolution
To fix this issue, follow these steps:
Open the Web.config file for the app.
In the Web.config file, find the app key ida:ClientId.
Replace the value of the app key with the client ID that is provided for your app in the Azure AD B2C admin portal.
The changed part of the file resembles the following:
<appSettings>
  <!-- the application (client) ID from the B2C app registration; the add element must be self-closed -->
  <add key="ida:ClientId" value="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" />
</appSettings>
References:
troubleshooting-with-application-insights
azure-ad-b2c-importing-in-users
Could be the case: make sure you are using the API Key and API Key Secret, not the ClientId and Client Secret.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-twitter?pivots=b2c-user-flow

Unable to get access token. 'AADSTS500011: The resource principal named 'xxx' was not found in the tenant -tenantid

I am trying to get an access token for the Azure Function app. I have enabled managed identity for the Function app (system assigned), but while fetching the token using the NuGet package Azure.Identity:
using Azure.Core;      // TokenRequestContext
using Azure.Identity;  // DefaultAzureCredential

// The scope is the resource's identifier URI followed by /.default.
// (The original concatenation "https://xxx.azure-api.net/" + "/.default"
// produced a double slash; written here as a single string.)
var tokenCredential = new DefaultAzureCredential();
var accessToken = await tokenCredential.GetTokenAsync(
    new TokenRequestContext(scopes: new string[] { "https://xxx.azure-api.net/.default" })
);
I am getting the error:
The resource principal named 'xxx.azure-api.net' was not found in
the tenant 123
but when I run the az CLI to check the subscription details, the subscription is indeed part of tenant 123 only.
Here is what I have finally done.
I have registered an App in AD and exposed the API of that App.
I have assigned a System Assigned Managed Identity to the Function.
Locally I am not able to request a token because the Azure CLI has not been given consent.
After deploying the application to the Function, my Function app can request a token using its identity.
You need to register the application in Azure AD and enable the access token. Once that is done you need to provide RBAC access to your xxx.azurewebsites.net.
Follow this article for step-by-step documentation: Microsoft Document Reference
Unfortunately, the error message is not really helpful. But adding a scope to the app registration solved the problem for me:
In Azure Portal navigate to App Registrations
Find your app, in the left side menu select Manage => Expose an API
Add a scope. I named mine api_access as this was where this error occurred.
In my case I then got an API URI (like api://client-id/scope_name) which I used in my Angular app. Error message was gone.
Also, make sure that in the Enterprise Application you have created, under Manage => Properties, "Assignment required" and "Visible to users" is turned on.

How to use pnp-js at a node.js application to fetch data from sharepoint?

I have a Node.js application and I'm trying to use the AdalFetchClient of PnPjs to fetch some data from SharePoint.
import { sp } from "@pnp/sp";
import "@pnp/sp/webs";          // PnPjs v2 selective imports (not needed on v1): sp.web
import "@pnp/sp/appcatalog";    // sp.web.getAppCatalog()
import { AdalFetchClient } from "@pnp/nodejs";

sp.setup({
    sp: {
        baseUrl: "https://placeholder.sharepoint.com",
        // app-only authentication with a client secret
        fetchClientFactory: () => {
            return new AdalFetchClient("tenantId", "azure_clientId", "azure_clientSecret");
        },
    },
});
const appCatalog = await sp.web.getAppCatalog().get();
I get this error: Error making HttpClient request in queryable [401] Unauthorized ::> {"error_description":"Invalid issuer or signature."}
I setup the permissions of my azure active directory app like so:
Azure App permissions
I granted all the permissions to the tenant I'm trying to fetch data from:
Granted permissions to Azure App
The example I used is here: https://pnp.github.io/pnpjs/nodejs/adal-fetch-client/
I also tried to use the AdalFetchClient with graph.. which is working. Only the sharepoint api seems to have a problem.
I found the solution. There is an AdalCertificateFetchClient which requires the following parameters:
Tenant ID
Azure App Client ID
Thumbprint of your X.509 certificate
The private key of your X.509 certificate
The root URL of the SharePoint you want to connect to
So first of all you have to create an X.509 certificate. I used this tutorial for this. (Thanks for that)
After that you have to get your thumbprint by installing the certificate on your local machine and following these steps.
The last step is to get the private key of your certificate. For that you have to install OpenSSL for Windows and follow these steps.
Now you can use your AdalCertificateFetchClient.

Getting an "unauthorized_client" when trying to get a new access token, why?

I'm developing an API using VS 2017, which I'm testing using Postman. I've been following this blog post, Getting started with Windows Azure AD Authentication using Postman. I finally got it to give me an access token and a refresh token. About three quarters of the way through the post I came across this:
resource : https://management.core.windows.net
which has to be put into Postman (I'm using the Windows app version of Postman). I wasn't sure what that was for, so I left it off. I eventually got an access token and a refresh token, but when I went to get more info for all subscriptions, I got errors saying that I had specified a valid resource. So, I thought what I'd have to do was start over again, by re-authenticating and getting a code from Azure. I did so, and put that into Postman, as the blog post instructs. However, issuing this POST results in this error:
{
  "error": "unauthorized_client",
  "error_description": "AADSTS70002: Error validating credentials. AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: d37abf69-42ce-4571-b146-f3422e73f041. Resource value from request: https://management.core.windows.net. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.\r\nTrace ID: 9f028899-6d03-409e-8db4-4e9905000300\r\nCorrelation ID: ec253a1b-9fdc-495f-9310-6b40a42e5d93\r\nTimestamp: 2018-11-19 22:20:02Z",
  "error_codes": [
    70002,
    65005
  ]
}
I don't understand why, nor what I could have done wrong. I've pre-specified the resource as the tutorial instructed, so what have I done wrong?
Looking at the error message, it seems you could have missed adding relevant permissions for "Windows Azure Service Management API" to your app registration.
Steps:
Go to Azure Portal > Azure AD > App registrations > Your app (with app id: d37abf69-42ce-4571-b146-f3422e73f041)
Go to Settings > Required permissions > Add > Select "Windows Azure Service Management API"
Select the relevant permission under Delegated permissions section. Click on select and then "Done". You should get a notification in portal that successfully added permissions. You should see Windows Azure Service Management API listed under required permissions as well.
After these steps, continue as per the blog post you've mentioned with Postman steps to get the access token again.
I found myself in the same situation when I was trying to set up Postman. It's not as complicated as most blogs make it seem. I created a tutorial to try to make the process easy.
http://hazelnest.com/blog/blog/2018/11/17/azure-postman-configuration/
https://youtu.be/2bfgeBKRxl4
Hope this helps.

Register Application in Azure AD - node.js passport-azure-ad example

I am trying to set up authentication for POST requests on my Node.js server hosted at Azure.
I am using this example:
const { OIDCStrategy } = require('passport-azure-ad');

passport.use(new OIDCStrategy({
    callbackURL: config.creds.returnURL,
    realm: config.creds.realm,
    clientID: config.creds.clientID,
    clientSecret: config.creds.clientSecret,
    oidcIssuer: config.creds.issuer,
    identityMetadata: 'https://login.microsoftonline.com/TenantGuidOrTheWordCOMMON/v2.0/.well-known/openid-configuration',
    skipUserProfile: config.creds.skipUserProfile,
    responseType: config.creds.responseType,
    responseMode: config.creds.responseMode,
    // optional, as shown in the example:
    // tenant: "Guid from AzureAD-Endpoints-Button",
    // validateIssuer: false/true
}, (iss, sub, profile, accessToken, refreshToken, done) => {
    // verify callback: look up or create the user, then hand it to passport
    return done(null, profile);
}));
Although my code redirects me to a "https://login.microsoftonline.com" page (which is nice), after entering my email address it immediately redirects me somewhere else.
There I get an error in the browser URL: "the client does not exist"...
and it says I should create an application at "https://apps.dev.microsoft.com".
WHY? I have an AppService "MyService", an Azure AD within the same subscription and within the Azure AD an "App registration" for "MyApp".
What is this cruel apps.dev.microsoft site? Why is my registered "MyApp" not shown there, and vice versa?
What do I have to enter within "oidcIssuer"? The MyApp ApplicationId? The (apps.dev.microsoft.com) Application ApplicationId? The AzureAD ClientId? The AzureAD IssuerUrl?
The same question for the clientSecret.
What's the difference between using identityMetadata with an ID instead of "common" + validateIssuer:true, against using identityMetadata with "common", validateIssuer:false + tenant:"myTenant(Guid?)"?
When I use "Express Settings" within Authentication/Authorization --> Azure AD, why can I not find the application I defined in Azure AD?
Do I have to activate the Graph API (I don't know anything about it yet)?
Are there good alternatives for protecting my express.post endpoint with authentication in Azure AD? (ADAL seems to be for resources)
I don't get all these settings, properties and portals of Microsoft; I am just overwhelmed by all this... (not to mention there is also an "OLD" portal)
In the next days I will try this Azure Step-By-Step Guide; maybe it will help me somehow...
For the example you are using, you don't need to modify the params in the OIDCStrategy object. Instead, you need to configure your AAD settings in the client_config_*.js files, just like the document describes at https://github.com/AzureAD/passport-azure-ad/tree/master/examples/login-oidc.
And BTW, we manage our AAD applications in the Classic Portal.
Like my answer to "Has anyone successfully used Azure AD to authenticate users for a Node.js web application?",
I set up my authentication like this instead (without code) in the new Azure Portal:
host my Node.js Server
add an AD to the subscription
Register new application within the AD
Add "https://YourNodeJS.azurewebsites.net/.auth/login/aad/callback" as Reply URL
In AppServices, pick your Node.js Server
In Settings go to Authentication/Authorization
Activate AAD
Use Advanced Mode of AAD
Enter the ClientID (GUID) of the application registered above in AD
As issuerURL enter this link: https://sts.windows.net/YourADGuid/ (you can see the GUID within "Endpoints" if you look back at your application registered in AD above)
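The question above asks what separates a tenant-specific identityMetadata URL with validateIssuer:true from "common" with validateIssuer:false, and the answer's App Service setup pins the issuer to https://sts.windows.net/YourADGuid/. Once the token's signature has been checked against the metadata document's keys, the difference is the claim check shown below. This is an added example, not the asker's code, passport-azure-ad's internals or App Service's implementation; the tenant IDs, application ID and claim sets are constructed. The issuer formats are Azure AD's documented ones (https://sts.windows.net/{tid}/ for v1 tokens, https://login.microsoftonline.com/{tid}/v2.0 for v2.0 tokens), and for an id_token `aud` is the application (client) ID.

```javascript
// Added example (not from the posts or passport-azure-ad): the issuer and
// audience checks that decide whether a token minted by another tenant is
// accepted. Signature verification is assumed to have happened already.

// Issuer values Azure AD puts in `iss` for a given tenant: the v1 form that
// App Service's issuerUrl setting takes, and the v2.0 form.
function expectedIssuers(tenantId) {
  return [
    `https://sts.windows.net/${tenantId}/`,
    `https://login.microsoftonline.com/${tenantId}/v2.0`,
  ];
}

// Returns { ok, reason }. tenantId 'common' with validateIssuer false skips
// the tenant check entirely: any tenant whose user signs in to clientId is
// accepted, which is the multi-tenant configuration and must be deliberate.
function checkClaims(claims, { clientId, tenantId, validateIssuer = true,
                               now = Math.floor(Date.now() / 1000) }) {
  if (claims.aud !== clientId) {
    return { ok: false, reason: `aud ${claims.aud} is not this application` };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    return { ok: false, reason: 'token expired or has no exp' };
  }
  if (typeof claims.nbf === 'number' && claims.nbf > now) {
    return { ok: false, reason: 'token not yet valid' };
  }
  if (validateIssuer) {
    if (tenantId === 'common') {
      return { ok: false, reason: 'validateIssuer needs a concrete tenant, not "common"' };
    }
    if (!expectedIssuers(tenantId).includes(claims.iss)) {
      return { ok: false, reason: `issuer ${claims.iss} is not tenant ${tenantId}` };
    }
    if (claims.tid !== undefined && claims.tid !== tenantId) {
      return { ok: false, reason: 'tid does not match the configured tenant' };
    }
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample claim sets (no real tokens or tenants).
const HOME_TENANT = '11111111-1111-1111-1111-111111111111';
const OTHER_TENANT = '22222222-2222-2222-2222-222222222222';
const APP_ID = '33333333-3333-3333-3333-333333333333';
const NOW = 1700000000;
const homeToken = {
  iss: `https://sts.windows.net/${HOME_TENANT}/`, tid: HOME_TENANT,
  aud: APP_ID, nbf: NOW - 60, exp: NOW + 3600,
};
const foreignToken = {
  iss: `https://sts.windows.net/${OTHER_TENANT}/`, tid: OTHER_TENANT,
  aud: APP_ID, nbf: NOW - 60, exp: NOW + 3600,
};

// Single-tenant setting: only the home tenant passes.
console.log(checkClaims(homeToken, { clientId: APP_ID, tenantId: HOME_TENANT, now: NOW }));
console.log(checkClaims(foreignToken, { clientId: APP_ID, tenantId: HOME_TENANT, now: NOW }));
// "common" + validateIssuer:false: the foreign tenant's token is accepted too.
console.log(checkClaims(foreignToken, { clientId: APP_ID, tenantId: 'common', validateIssuer: false, now: NOW }));
```

If the server is meant to serve one directory only, keep the tenant GUID in the metadata URL (or in issuerUrl for App Service) and leave issuer validation on; switch to "common" only when you intend to accept users from any Azure AD tenant, and then do your own `tid` allow-listing in the verify callback.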
