I have a following application architecture:
Angular 5 client
C# Web API protected by Azure tokens
The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.
But then, I would like to make the API layer (server-side) to fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/) . I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches gives me an insufficient privileges error from the MS Graph side.
What am I doing wrong?
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
Click Settings
Go to Required permissions
Click Add
Click Select an API
Select Microsoft Graph and click Select
Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph
Related
So I'm using Power Automate to connect the API for Azure Cost Management Usage Specifically this guy:
https://learn.microsoft.com/en-us/rest/api/consumption/usage-details/list?tabs=HTTP
However, Powerautoamte, though it has an ADAuth with Oauth2 option, requires something called an "Audience?" and really I have no idea what to put here.
I have indeed registered an app, gave it the user-impresonation permission, approved it for my domain, and generated a client/secret for that app. All I need is the "Audience"
The Audience is the API which your AAD app has permissions on.
To find this URL, try to navigate to Azure AD and App Registration, then select your Application, and click on API Permissions.
Select API / Permissions name which should popup the permission details along with the used API.
For example my AAD app has Microsoft Graph permissions
If I select Microsoft Graph row or click on one of the permissions the popup shows details
The URL https://graph.microsoft.com/ represents the Audience in my case.
You are probably using Azure Service Management, so in your case the Audience will be https://management.azure.com/
We want to use Azure AD as the authentication mechanism for our project. To do that, in our organization Azure AD, i have registered an application for our project, added the SPA redirect URI. Added the internal users into the same enterprise application by using Add Users/Groups. Since the frontend app is based on React, we are using #azure/msal-react for authentication and using org AD tenatid and the respective clientid in authConfig.js file with scope as User.Read. Here i am using loginRedirect to start the login process on load of application.
As we are using org Azure AD, there are other applications as well created by other developers. I want to restrict login of other internal users to access this application. I was trying to use User Assignment required as Yes to achieve that, but in that case it is asking for "Need Admin Approval" which we don't want. As for big organization, Global Admin/Application Admin/Cloud Admin will be in different timezone and user shouldn't wait to get the approval from them.
So is there any way i can restrict other internal users to access the application and show them unauthorized page when trying to access the application. Only allocated users would be able to login to the application.
Please suggest. If you need anymore info, please let me know.
Thanks in advance.
To get rid of "Need Admin Approval" screen, please follow below steps:
Make sure you have "Global Admin Role" to change user settings in Azure active directory.
Go to Azure Portal -> Azure Active Directory -> Go to Enterprise Applications -> Click on User Settings -> Admin Consent Requests. Set ‘Users can request admin consent to apps they are unable to consent to’ to “No”.
Make sure to Grant admin consent for the required api permissions you added to your application.
After granting it, it should be like below:
I have tried in my environment, I was able to login to the application without waiting for Admin approval.
AFAIK, to restrict other internal users to access the application and show them unauthorized page when trying to access the application try making use of conditional access policies.
To know how to do that in detail, Make use of below references:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-access#create-a-conditional-access-policy
c# - iOS authentication with Azure AD - Stack Overflow.
I have set up a Azure Active Directory App so that I can access the Microsoft Graph API with MSAL. However, I want to perform API calls without a user (https://learn.microsoft.com/en-us/graph/auth-v2-service) and as such I have added a few permissions that require "Admin consent" to my app. However, I cannot find a way to grant my app these permissions.
I've tried looking around the Azure portal for a way to grant these permissions but without success. I have also tried using the https://login.microsoftonline.com/{tenant}/adminconsent&... link to grant permissions, but unsucessfully so.
The response I received was
AADSTS500201: We are unable to issue tokens from this API version for
a Microsoft account. Please contact the application vendor as they
need to use version 2.0 of the protocol to support this.
I do not have an Azure subscription (not even the free one), but seeing as I was able to add apps to Azure AD as well as get access tokens and then make API calls on behalf of the authorized users I assumed I might not need a subscription.
I just made another app and now I have the grant consent button when I open the API Permissions view.
I am trying to access the Online Meetings Graph API (Beta version) using developer tenant. I am able to login successfully to the developer tenant but not able to get the Token to access the graph API for Application type graph APIs. I am able to get the token for delegated type Graph APIs successfully and able to connect to the Graph API.
I given the admin consent for these APIs using button "Grant admin consent for [0]" in Azure Active Directory => App Registrations => My App => API Permissions in the Azure portal. I am able to see the success message as "Granted for [my Tenant]".
But I am getting the error saying "AADSTS65001: The user or administrator has not consented to use the application" while getting the token. I am using ConfidentialClientApplication class and AcquireTokenByAuthorizationCodeAsync method to get the token.
So is there any other place I need to verify for the consent or for developer Tenant and for these Beta APIs, I need to check any other process ?
Thank You for Your Time,
Rishi
I tried for delegated APIs (User.Read and Contacts.Read) and working fine on developer tenant. While doing trail and error I got error saying Invalid Scope (OnlineMeetings.ReadWrite.All) couple of times.
For Application type graph APIs, you should use client credentials flow to get the token.
Make sure you add the application permission and grant admin consent for it.
I am trying out the sample code on GitHub called active-directory-b2c-dotnet-webapp-and-webapi and when I run it against the AD B2C directory in the sample it works fine but I'm having an issue trying it out against my own AD B2C directory. I get the following error:
The application with ID 'xxx' cannot get an ID token either because the openid scope was not requested or the application is not authorized for it
Isn't the openid scope included automatically? I setup a Web App and a Web API app as per the instructions provided. When I look at the scopes that the Web App has access to, the openid scope is not listed there. Is this something I need to add manually?
When we change the API permission for an app, the openid permission gets overwritten. We can re-enable it if this happens. The option will be available at API Permissions blade under https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.
Open the API Permissions at the above link, Add a Permission, Select Microsoft Graph --> Select Openid and save. There you are! :)
In addition to the openID step outlined above, also do the below:
Go to the API access under the Application in B2C for the app in question and add a permission against this same app saying "access this app on behalf of the signed in user".
No other steps needed.
I found the issue was with app registrations > API Permissions. When adding permissions in the Request API permissions screen, make sure you select "Delegated permissions: Your application needs to access the API as the signed-in user."
If you selected the other option, then recreate your configuration and try again.
openid scope is not included automatically. It should be present by default in the sample, but if it was removed, then the request will fail.