I created a new app registration in Azure Portal and added O365 SharePoint-Permissions.
I only allowed "Read user profile", which is the scope "User.Read.All". Then I request a token and authenticate as a user who is a global SharePoint Administrator.
The access token I get contains "scp": "User.Read.All", which is exactly what I expected.
But if I use this token to read files from site collections, this also works. I can perform search queries with the User.Read.All scope, which shouldn't be possible, because I only delegated the "Read user profile" permission to the app that uses the token.
Any proposals, what I am doing wrong?
Related
We are developing an application with a frontend and a backend. The backend should be accessed via Rest API with an OAuth2 token. Authorization provider is Azure AD.
In Azure we created 2 app registrations. One for the API, one for the client app. The API registration defines 3 scopes (Read, Write, Delete). The client app registration has delegated permission for these scopes.
We are requesting tokens with the clientID and clientSecret from the client app registration.
When requesting a token for a certain scope, after login and approval of permission grant prompt, I just get an access denied error. Does my user need any additional permission in Azure AD to grant permission for the requested scope?
As a workaround I could add the client app as an 'Authorized client application' in the API registration for all three scopes. But then all three scopes are always returned in the JWT under 'scp' regardless of the scope I am requesting and the user does not see the permission grant prompt anymore. Not sure if I want this. I would rather understand how to solve the access denied.
It seems that user consents are not allowed in my organization's AD tenant. (Enterprise Applications -> Consent and Permission -> User Consent Settings.)
I have a question about accessing the Microsoft Graph Api once a user is logged in through Azure Ad B2C. I am trying to migrate my app to login through b2clogin.com instead of login.microsoft.com and mostly it works except I can no longer call the Microsoft Graph Api to get the logged in user profile.
I have set up Postman as an Application in my B2C tenant and configured the api permissions with https://graph.microsoft.com/User.Read but when I try to get a token with the https://graph.microsoft.com/User.Read scope I get the following error
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation
I am not sure what this error means but when I look at the signins for the user in the portal I see 3 signins.
The first has a status of Interrupted with a Failure Reason of
The application tried to perform a silent sign in and the user could not be silently signed in. The application needs to start an interactive flow giving users an option to sign in. Contact app owner.
The second one has a status of Interrupted with a Failure Reason of
Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.
The third one has a status of Success
I have been looking through the documentation for days trying to figure this out.
Am I missing some configuration I need to access the Microsoft Graph Api for a B2C user?
The setup you describe is not actually possible.
You have created an App Reg in the AAD blade and assigned the Ms graph permissions.
Then the error you receive is against the AAD B2C endpoint, not the AAD endpoint for which your app is made for (since AAD B2C apps cannot be assigned permissions for Graph api). So you have used an AAD app and tried to auth against the B2C endpoint - that won’t work properly.
You cannot access ms graph via a B2C user authenticated against the B2C endpoints.
You can access ms graph via an AAD user or AAD user inside a B2C directory via the AAD endpoints of an AAD or AAD B2C directory.
In a B2C scenario the normal pattern is to auth the user against B2C endpoints and have your API auth against the AAD endpoints using client credentials to gain access to Graph API and make operations on the users behalf.
I am working on an app where I have some users on Azure AD and some users need to be externals (ex: Gmail). I am using the Microsoft Graph API to invite external users. All these users have the User Administrator role in AD.
I am able to invite an external user successfully with internal user credentials. But when I try to invite an external user again with the invited user's details I am getting this error:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request. This occurs when a request is made to an endpoint that requires user sign-in. For example, /me requires a signed-in user. Acquire a token on behalf of a user to make requests to these endpoints. Use the OAuth 2.0 authorization code flow for mobile and native apps and the OAuth 2.0 implicit flow for single-page web apps.",
"innerError": {
"request-id": "2d6d6c29-4f13-4eeb-bae4-2d6cc0d2de00",
"date": "2019-05-27T13:22:20"
}
}
}
I am using Postman to check these APIs. I have attached the request details to get the JWT token. Can you please help here? Let me know if you need more info.
I can reproduce your issue if I add Google as an identity provider for B2B guest users.
I have also tried with Graph Explorer. We cannot even use this tool since the Google account is not a Microsoft account.
Maybe the only way to invite another guest user with the invited Google account (which isn't a Microsoft account) is using the Azure portal.
Google guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid=<tenant id> or https://portal.azure.com/<tenant id>).
I have a problem regarding the permission granted to my app by the user showing up as a scope in my JWT.
I want to allow the user to see a list of his tenants (Office 365) on my page. For this I need a token with the https://management.azure.com/user_impersonation scope. I added the permission to the Azure API Permissions. When the user first logs in he sees this:
From this screen I assume my setup works, since the user gets asked to grant my app permission for what I need (Access Azure Service Management as you). But when I paste the JWT on the JWT Debugger I don't see the scope user_impersonation among the scopes.
I get this:
I already tried to remove the app from the test-user's applications (in their Azure Portal) to get it to ask again for consent but it's still the same. Other test users have also the same result.
What I'd need is simply to see user_impersonation among the scopes. That would allow me to call the API endpoint that returns a list of my user's tenants.
You need to acquire the access token for the https://management.azure.com resource.
Or if using v2, request it for the https://management.azure.com/user_impersonation scope.
That looks like an MS Graph API token.
An access token is always only valid for one API, so you need to ask for a token for the Azure Management API.
It works now!
So, I tried to get scopes for both https://management.azure.com/ and https://graph.microsoft.com/ in one single token. As Juunas explained, you have to get a separate token for each API. But you can ask consent for both at the same time, though.
My flow is this now:
I log the user in while asking him to consent to some permissions (for both API's and on first login only)
I request a token in the background for the Graph API scopes
I request a second token for the Azure Management API scopes
I have a website which allows admin users to connect to their Office 365 account. From this I can read the calendars of all users and also get a user list. This all works fine.
The user rights that I ask are:
Sign users in
Read calendars in all mailboxes
Read directory data
Read all users' full profiles
Sign in and read user profile
Enable sign-on and read users' profiles
Read directory data
And these are the scopes: ["openid", "Calendars.Read", "User.Read", "User.Read.All", "offline_access"]
Getting all the users works fine with this call:
https://graph.microsoft.com/v1.0/users
However now I want to enhance the features so users are logged in automatically. So all I need is a call to get the current profile of the user so I can match the ID with the ID's in the application... I found this call and tried executing it:
https://graph.microsoft.com/v1.0/me
But I'm getting back this:
784: unexpected token at '{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'a6787ee0-4ba1-421f-a19c-beadf693b9eb' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "c767c4ee-0912-4744-a7e4-59a8a23626fe",
"date": "2016-10-22T01:26:54"
}
}
}'
What am I missing here?
Just to make sure, can somebody confirm that what I plan to do is possible:
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
From the error message, it seems you were using the app-only token, which is acquired using the client credential flow, to call the Microsoft Graph. There is no user context info in the app-only token, so calling this REST endpoint with this kind of token is not supported.
And based on the description, you were authenticating the users with the OpenID Connect protocol. To get the user info, we can retrieve this information from the id_token. And if you are developing an ASP.NET web application, you can also get that information from the ClaimsPrincipal class easily.
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
The app is protected by Azure AD. So if you mean that the users already signed in to MS with Azure AD account, yes your app could detect this and sign-in the users.
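An added example in Python, not code from any post on this page: it reads a token's claims to confirm, as Juunas's answer above says, that a token is only good for the one API named in aud with the scope in scp, and, as this last answer says, that an app-only token (roles, no scp, no user claims) cannot stand in for a delegated one on /me. The sample tokens are constructed and unsigned, make_unsigned_jwt exists only to build them, and decode_jwt_payload deliberately skips signature validation because it inspects rather than accepts tokens.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT purely as sample input for this demo."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: this is
    for inspecting which API a token was issued for, not for accepting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_fits_api(claims: dict, accepted_aud: set, required_scope: str) -> tuple:
    """A token is good for exactly one API: aud must name that API (URI or the
    resource's app id) and the delegated scp claim must list the permission."""
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in {a.rstrip("/") for a in accepted_aud}:
        return False, f"audience {aud!r} is not one of {sorted(accepted_aud)}"
    scopes = claims.get("scp", "").split()
    if required_scope not in scopes:
        return False, f"scope {required_scope!r} missing from scp {scopes}"
    return True, "ok"

def token_kind(claims: dict) -> str:
    """Delegated tokens carry scp (user context); app-only tokens carry roles
    (and idtyp=app when that optional claim is enabled) and name no user."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims or claims.get("idtyp") == "app":
        return "app-only"
    return "unknown"

# Constructed sample tokens (not real Azure AD tokens; the ids are placeholders).
GRAPH_DELEGATED = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
    "scp": "openid Calendars.Read User.Read User.Read.All",
    "upn": "alice@contoso.example", "oid": "00000000-0000-0000-0000-000000000001"})
APP_ONLY = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All"], "oid": "00000000-0000-0000-0000-000000000002"})
```

Run token_fits_api(decode_jwt_payload(GRAPH_DELEGATED), {"https://management.azure.com/"}, "user_impersonation") to see the Graph token rejected for the Azure Management API, which is the situation in the user_impersonation question above.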