Azure AD App Authorization with active roles - azure

I've got some trouble with Azure AD authorization for APIs with active roles. Here are my steps:
I've created an Azure AD app and activated the option "User assignment required".
In the manifest I've created the roles.
In my web app I've used ADAL, and my assigned users can log in. Everything works fine.
My problem:
Now I have another API/batch job which should "log in" to my AD app.
Easy, I thought -> I've created a secret key, and the parameters for my request look like:
URL for login: https://login.microsoftonline.com/MyTenantID
ClientID: myAppID of the AD app
Key: MyKey
ResourceID: MyAppID of the AD app
-> Error: Application 'xxx' is not assigned to a role for the ...
So what am I doing wrong? How can I assign the app to log in 'by itself'?

The "User assignment required" option is documented as follows:
If this option is set to yes, then users must first be assigned to this application before being able to access it.
If this option is set to no, then any users who navigate to the application will be granted access.
This option is only enabled when the application is configured for the following sign-on modes: SAML-based SSO or WIA with Azure AD Authentication.
So what am I doing wrong? How can I assign the app to log in 'by itself'?
Based on your description, I assume that you are using the service-to-service client credentials grant flow without user interaction. For your scenario, you need to define the application roles with Application as the allowed member type; for details you could follow this similar issue.
Moreover, you could refer to my test steps as follows:
Define the Application roles:
Create another AAD app and configure required permissions to access another AAD app:
Acquire the token:
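The "acquire the token" step above, written out as an added example (not code from the answer or the original poster): the daemon requests an app-only token with the client credentials grant and then reads the `roles` claim to confirm that its service principal actually holds the app role. It assumes the v2.0 token endpoint, that the protected app's Application ID URI is `api://<app-id>`, and a hypothetical role name `Batch.Run`; the sample token is constructed here and its signature is never checked, which is fine on the client side but never on the API side.

```python
"""Client credentials ("app only") token request against an Azure AD app that
exposes app roles, plus a check of the roles claim in the issued token.

Added example; tenant, app ids, role name and the sample token are assumed.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"


def build_token_request(tenant_id, client_id, client_secret, resource_app_id):
    """Return (url, form-encoded body) for the client_credentials grant.

    With the v2.0 endpoint the target app is selected through the scope
    "<App ID URI>/.default"; app roles assigned to the calling service
    principal come back in the access token's "roles" claim.
    """
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{resource_app_id}/.default",
    })
    return url, body


def decode_jwt_payload(token):
    """Decode the payload segment of a JWT WITHOUT verifying the signature.

    Enough for the client to inspect what it was issued; an API must verify
    the signature before trusting any claim.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_in_token(token):
    """App roles granted to the caller, or an empty list when none were assigned."""
    roles = decode_jwt_payload(token).get("roles", [])
    return roles if isinstance(roles, list) else [roles]


def has_role(token, required_role):
    return required_role in roles_in_token(token)


def parse_token_response(body):
    """Return the access token, or raise with the AADSTS error text.

    A missing role assignment (the "is not assigned to a role" message in
    the question) is reported by the token endpoint as an error JSON body,
    not as a token with an empty roles claim, so surface it to the caller.
    """
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"]


def acquire_token(tenant_id, client_id, client_secret, resource_app_id):
    """Perform the real HTTP call (needs network access and valid credentials)."""
    url, body = build_token_request(tenant_id, client_id, client_secret, resource_app_id)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as err:        # AADSTS errors arrive as HTTP 400/401
        return parse_token_response(err.read())


def _unsigned_jwt(claims):
    """Constructed, unsigned JWT for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.sig"


# Constructed sample: what a token looks like once the app role is assigned.
SAMPLE_TOKEN = _unsigned_jwt({
    "aud": "api://11111111-1111-1111-1111-111111111111",   # the AD app being called
    "appid": "22222222-2222-2222-2222-222222222222",       # the batch job's own app id
    "roles": ["Batch.Run"],
})
```

Usage: `acquire_token(tenant, client_id, secret, resource_app_id)` returns the raw token; `has_role(token, "Batch.Run")` is the check to run before calling the API. If the role was never assigned to the daemon's service principal, `parse_token_response` raises with the AADSTS description rather than handing back a token that will be rejected downstream.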

Related

Is it possible to manipulate tenant from another tenant in Azure?

I am new to Azure, and one question bothers me.

Is it possible to create multi-tenant logic in Azure with one "general" AAD that contains function apps, and other tenants (more than 20) that should use these apps to manipulate their own tenants?
For example, there is an app for managing users (UserManagement). When this function is "called" from another tenant (tenant "B"), let's say for adding a new user, it should add the user only in the AAD it was called from (tenant "B").
I tried to accomplish this by storing app registration credentials in a table, or with service principal / app registration logic, but it has no effect.
Thank you.
I did a test on my side with an Azure AD multi-tenant application and an ASP.NET Core application; the feature allows users from different tenants to sign in and then uses the Microsoft Graph API to query all the users.
My Azure AD application is registered in tenant A as a multi-tenant application. Then I signed in to the application with a user from tenant B, and the query result is that all the users in tenant B are listed.
Here's the sample I followed. And in the controller, my request is like this: var users = await _graphServiceClient.Users.Request().GetAsync();
Do not forget to set the tenant id as common to enable the multi-tenant feature.
I agree with @Tiny Wang, you need to create a multi-tenant Azure AD application to achieve your scenario.
I tried to reproduce the same in my environment and got the results below:
I created an Azure AD application in TenantA:
Now, I tried to sign in with the TenantB user using the authorize endpoint below:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The user will be prompted with the screen below:
Once the user accepts the consent, the TenantB user will be authorized successfully.
I generated the access token using the parameters below:
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
If you want personal Microsoft accounts to access your app, then register your application as below and make use of the common endpoint:
Based on your requirement, you can assign the Azure AD API permissions and permit the users to access the application.
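The authorize and token requests shown in the answer above, as an added example (not code from the answer): a client builds the authorize URL against the `organizations` authority with a fresh `state`, checks that `state` on the callback before trusting the code, surfaces any `error`/`error_description` Azure AD sends back, and prepares the back-channel code exchange. The client id, redirect URI and the callback query strings are constructed placeholders.

```python
"""Authorization-code sign-in for a multi-tenant Azure AD app (v2.0 endpoint).

Added example; client id, redirect URI and callback strings are assumed.
"""
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"


def new_state():
    """Fresh per-request state; keep it server side (e.g. in the session)."""
    return secrets.token_urlsafe(24)


def build_authorize_url(client_id, redirect_uri, state,
                        scope="https://graph.microsoft.com/.default",
                        tenant="organizations"):
    """Authorize URL for the v2.0 endpoint.

    tenant="organizations" admits work/school accounts from any Azure AD
    tenant; "common" also admits personal Microsoft accounts; a tenant id
    pins sign-in to that one tenant.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


class CallbackError(Exception):
    pass


def handle_callback(query_string, expected_state):
    """Return the authorization code carried by the redirect query string.

    The state is checked first: a callback whose state we did not issue is
    not ours (forged or replayed) and is rejected before anything else is
    read. Azure AD error responses (error / error_description, e.g. an
    AADSTS message) are then raised instead of being silently ignored.
    """
    params = dict(urllib.parse.parse_qsl(query_string))
    if params.get("state") != expected_state:
        raise CallbackError("state mismatch: callback was not issued by this client")
    if "error" in params:
        raise CallbackError(f"{params['error']}: {params.get('error_description', '')}")
    if "code" not in params:
        raise CallbackError("callback carries neither code nor error")
    return params["code"]


def build_code_exchange(client_id, client_secret, code, redirect_uri,
                        scope="https://graph.microsoft.com/.default",
                        tenant="organizations"):
    """URL and form body for redeeming the code at the token endpoint.

    redirect_uri must repeat the value from the authorize request, and the
    client secret belongs in this server-side POST only, never in the browser.
    """
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": scope,
    })
    return url, body
```

The answer uses https://jwt.ms as the redirect URI, which is convenient for inspecting a token by hand; in a real client the redirect must point at your own callback endpoint, which is where `handle_callback` runs.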

Allow Azure B2C App Registration access to regular organization AD App Registration

I have the following scenario:
An organization has an internal application, X, which is registered under the 'main' tenant, allowing employees to utilize it.
App X has an API exposed for other applications (which are also registered under the main organization tenant) to use, and thus this is all set up in AD.
A new B2C tenant has been created, where another public-facing application, Y, will be registered.
How do I allow my app registration for Y in my B2C tenant to use the exposed API of X?
Any feedback would be appreciated.
Edit 1:
I'm assuming I'd need to set up a daemon auth flow, as the backend of Y will be authenticating with X as the app itself, and not as or on behalf of the user logged into Y.
Edit 2:
After some looking into this today, I'm considering creating an AD app registration for Y in the main organization of X, allowing me to set up any connections that need to be made there, and I'd update the backend of Y to make a call as a daemon to X, passing all the relevant information and client secret.
Seems a bit unusual, so I will look for alternatives, but would also appreciate some feedback from someone who has more experience :)
Edit 3:
To clarify, I am looking to facilitate communication between backend applications in two tenants, where one is a B2C tenant and the other is an internal organization tenant.
This can be achieved using multi-tenancy. Both applications need to be registered as multi-tenant applications.
1. In tenant A, create an app registration as a multi-tenant application (e.g. TenantA), expose it as an API (api://app-id) and add the app roles to the application.
2. In tenant B, create an app registration as a multi-tenant application and note the client id of the application.
3. The client id of the application in tenant B needs to be added to knownClientApplications in the manifest of the application registered in tenant A.
4. Provide consent to the application and its permissions in tenant B, which creates the service principal, using https://login.microsoftonline.com/common/adminconsent?client_id=clientIdOfTenantA&redirect_uri=redirectURIOfTenantA
5. In tenant B, the service principal of the tenant A application has now been created under Enterprise applications.
6. Now the tenant A application is available in tenant B. You can go ahead and call the API exposed in tenant A from tenant B.
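Once the six steps above are done, the token tenant B's daemon presents to the API in tenant A is issued by tenant B, so the API side has to decide which tenants and which app roles it accepts. The following is an added example of those authorization checks (not code from the answer). It assumes the API's Application ID URI, two constructed tenant ids and a hypothetical role `Users.Manage`, and it takes the claims of a token whose signature has already been verified against the issuing tenant's keys by a JWT library; signature verification is not repeated here.

```python
"""Authorization checks an API in tenant A applies to an app-only token
from a client registered in another tenant.

Added example; App ID URI, tenant ids, app id and role name are assumed.
"""

APP_ID_URI = "api://aaaaaaaa-0000-0000-0000-000000000001"   # tenant A API (assumed)
API_APP_ID = APP_ID_URI.split("//", 1)[1]                    # bare client id of the API
TENANT_A = "aaaaaaaa-0000-0000-0000-00000000000a"            # constructed
TENANT_B = "bbbbbbbb-0000-0000-0000-00000000000b"            # constructed
ALLOWED_TENANTS = {TENANT_A, TENANT_B}                       # tenants that went through admin consent


def authorize_daemon_call(claims, required_role,
                          expected_audience=APP_ID_URI,
                          allowed_tenants=ALLOWED_TENANTS):
    """Return (True, "ok") if the caller may invoke the endpoint, else (False, reason).

    Order of checks: the token was minted for this API (aud); it comes from
    a tenant that was actually onboarded (tid), since after step 4 any
    tenant could consent to a multi-tenant app; it is an app-only token
    rather than a delegated user token (roles present, no scp); and the
    calling service principal was assigned the role this endpoint needs.
    """
    aud = claims.get("aud")
    # v1 tokens carry the App ID URI as audience, v2 tokens the API's client id.
    if aud not in (expected_audience, expected_audience.split("//", 1)[1]):
        return False, f"audience {aud!r} is not this API"

    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, f"tenant {tid!r} has not been onboarded"

    if "scp" in claims:
        return False, "delegated (user) token presented to an app-only endpoint"

    roles = claims.get("roles") or []
    if required_role not in roles:
        return False, f"caller lacks app role {required_role!r}"

    return True, "ok"


# Constructed claim sets covering the outcomes a practitioner should test for.
GOOD_CLAIMS = {
    "aud": APP_ID_URI,
    "tid": TENANT_B,                                          # issued by tenant B
    "appid": "cccccccc-0000-0000-0000-00000000000c",          # tenant B client (assumed)
    "roles": ["Users.Manage"],
}
UNKNOWN_TENANT = dict(GOOD_CLAIMS, tid="dddddddd-0000-0000-0000-00000000000d")
DELEGATED_TOKEN = {"aud": APP_ID_URI, "tid": TENANT_B, "scp": "user_impersonation"}
```

Keeping the tenant allowlist explicit matters: a multi-tenant API with app roles will otherwise accept any tenant whose admin happens to consent, which is rarely what "tenant B may call X" was meant to allow.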
• Yes, you can surely allow the app registration Y in the Azure AD B2C tenant to use the exposed API of another app registration, X, in an Azure AD tenant. For that purpose, you will have to configure 'Application Y' registered in the Azure AD B2C tenant as a 'multitenant' application and use it to start an authentication request to the authorization endpoint via a user flow. Thus, in here, the user flow defines and controls the user experience. After users complete the user flow, Azure AD B2C generates a token and then redirects users back to your application.
For this purpose, you will have to configure a user flow in your Azure AD B2C application.
Please refer to the snapshots and steps below for more details on this: -
a) You might have a front end and a back end to your application, registered for authentication purposes with your web app. The backend application might authenticate with application registration X in an Azure AD tenant, while the frontend application might authenticate with application registration Y registered in the Azure AD B2C tenant.
Then, you will have to modify the front-end code and the back-end code for the web API as given in the relevant link below: -
https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#call-back-end-api-from-front-end
For further configuring authentication and authorization for the two apps, you can configure the front-end app to generate an access token that you can use to make authenticated calls to the back-end app. For this purpose, you will have to configure Azure AD as the identity provider for the App Service hosting the front end as well as the back end, as given in the link below: -
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
b) Once the above has been done, ensure that you are granting the front-end app access to the back end as below through the 'Authentication' section in the Azure AD app: -
Then configure the App Service to return a usable access token for the front-end app to access the back-end app with the required permissions, configuring App Service authentication and authorization on behalf of 'App registration Y' in the Azure AD B2C tenant so that it can access 'App registration X' in the Azure AD tenant, by adding the scope parameter to the authentication setting 'identityProviders.azureActiveDirectory.login.loginParameters'. Replace <front-end-app-name> and <back-end-client-id> in the commands below: -
authSettings=$(az webapp auth show -g myAuthResourceGroup -n <front-end-app-name>)
authSettings=$(echo "$authSettings" | jq '.properties' | jq '.identityProviders.azureActiveDirectory.login += {"loginParameters":["scope=openid profile email offline_access api://<back-end-client-id>/user_impersonation"]}')
az webapp auth set --resource-group myAuthResourceGroup --name <front-end-app-name> --body "$authSettings"
The commands effectively add a ‘loginParameters’ property with additional custom scopes. Here's an explanation of the requested scopes: -
openid, profile, and email are requested by App Service by default already.
For information, see OpenID Connect Scopes: -
api://<back-end-client-id>/user_impersonation is an exposed API in your back-end app registration. It's the scope that gives you a JWT token that includes the back-end app as a token audience.
offline_access is included here for convenience (in case you want to refresh tokens).
Thus, you can call the back-end API (Azure AD app registration) from the front-end API (Azure AD B2C app registration) by injecting an X-MS-TOKEN-AAD-ACCESS-TOKEN header into each authenticated request, as shown below: -
https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#call-api-securely-from-server-code
Thus, in this way, you can expose an API for an application registered in Azure AD B2C so that it can access the application in Azure AD.

Azure AD error while parsing OAuth2 callback: invalid_client

I have an application registered in Azure AD using https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
When trying to log in to my app via Microsoft login, I am getting an invalid_client error. In the logs I see the following error:
error=invalid_client&error_description="AADSTS650052 The app needs access to a service (https://aks-aad-server.azure.com) that your organization xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions"
Note: I have a Microsoft Office 365 standard subscription plan.
AADSTS650052 The app needs access to a service (https://aks-aad-server.azure.com) that your organization xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions
To resolve the above error, please check the workarounds below:
While registering the application in Azure AD, check the supported account type you have selected.
If you selected "single tenant" you can't log in to your application from a different tenant.
To access your application from a different tenant, update the supported account type to "multi-tenant".
To learn how to do that in detail, refer to this link:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant
After registering the application, navigate to Expose an API, set the App ID URI and add the required scopes, such as read, user impersonation etc.
Add the client ID of your application to the knownClientApplications parameter in the manifest.
Your admin needs to accept the consent prompt to access this application; use the URL below, replacing the client_id parameter with your application's client id:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code
When your admin has granted those permissions, you can log in to your application successfully.
Reference:
https://learn.microsoft.com/en-us/answers/questions/28697/invalid-client-aadsts650052-the-app-needs-access-t.html
Found the wrong scope in the oauth2-proxy configuration, which was sending an incorrect request to Azure; after updating the scope to the correct one, the issue is resolved.

How to use aad authentication or managed identity to access resources with torus system in azure?

We previously used Key Vault and connection strings to access resources in Azure. However, that requires many parameters. We want to simplify the process.
We wanted to use AAD authentication.
Firstly, we tried certificate-based AAD authentication https://learn.microsoft.com/en-us/azure/cosmos-db/sql/certificate-based-authentication first, and it works. But the thing is, in Key Vault the certificates are set to auto-rotate, but in the AAD app we can only manually upload a new certificate each time (I know there are methods like a VM extension or extra software that can do auto-renewal, but it's complicated. We just want to change configs in the Azure portal and change the service code to access.) In this situation, as the certificates become more and more numerous, it's not suitable to manually renew each cert in each AAD app. I notice in some places it says setting TLS/SSL settings makes auto-renewal possible, but currently the Azure portal only allows manually uploading certificates. Only in a function app can you do TLS/SSL settings.
Secondly, we then noticed another option, managed identity. It simply says azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/"); to get a token. But the thing is, the current login tenant id is microsoft.onmicrosoft.com, but the resources and the subscriptions are all in prdtrs01.onmicrosoft.com through a torus account.
Even if I try string accessToken = azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/", prdtrs01tenantid) it still does not work, saying AADSTS50020: User account '{EmailHidden}' from identity provider '...' does not exist in tenant 'PRDTRS01' and cannot access the application '...'. It seems it just cannot get a token for the prdtrs01 tenant id.
Also, I tried to replace the AAD app used in the first method with the function app used in the second method to do certificate-based authentication. However, the function app does not have a client id, just a principalId and the user-assigned managed identity's client id. Both ids fail with ClientAssertionCertificate credential = new ClientAssertionCertificate(clientId, cert); in certificate-based authentication. It finally says "Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client".
In all, I described several ways we tried, but all failed. Can anyone help?
Thanks
AADSTS50020: User account '{EmailHidden}' from identity provider '...' does not exist in tenant 'PRDTRS01' and cannot access the application
As per this first error, it means that the account you are using to access the application is not part of the tenant that the application is hosted in.
Make the application a multi-tenant application:
You can convert the application to accept users from multiple tenants. This way you can give access to users who are not in your tenant without having to add them to the tenant where the application is.
Maybe the account type is set to Accounts in this organizational directory only.
You may have to change it to Accounts in any organizational directory.
Go to Azure portal -> Azure Active Directory -> Manage -> App registrations -> your app name -> Supported account types
(or)
Add the user to the tenant as a guest:
You may need to add the user to the tenant that the application is hosted in. You can follow this document to add the user with your domain as a guest user to the tenant, and grant access to the application for the said user.
However, if your authentication call is for a specific tenant, i.e. https://login.microsoftonline.com/yourtenantname (or tenant id), users from other organizations won't be able to access the application and are required to be added as guests in the tenant specified in the request.
In your case, try to authenticate the request using https://login.microsoftonline.com/organizations or https://login.microsoftonline.com/common

MS OpenidConnect : Multitenancy on a nodejs web application

I have registered an app on my tenant as a multitenant app, using this article.
I am able to log in with users only if the users are in my tenant. With a user from any other tenant, I am unable to log in.
I have set validateIssuer to false too.
The error I get is
User account 'xxx@tenantY.onmicrosoft.com' from identity provider 'https://sts.windows.net/{tenantId}/' does not exist in tenant 'Default Directory' and cannot access the application 'App Id' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Not sure if there is a sample for letting users from other tenants access the app.
The role delegated permission is set to 'Sign in and read user profile' alone.
There are four steps to convert your application into an Azure AD multi-tenant app:
Update your application registration to be multi-tenant
Update your code to send requests to the /common endpoint
Update your code to handle multiple issuer values
Understand user and admin consent and make appropriate code changes
Please verify that the above steps are followed.
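The third step above, "handle multiple issuer values", is the one the question's `validateIssuer: false` setting skips rather than solves. The following is an added example (not code from the answer or the question) of the check a multi-tenant app should run instead: derive the issuer the token's own `tid` claim implies, in both the v1 form the error message shows (`https://sts.windows.net/{tid}/`) and the v2.0 form, and reject anything else, optionally restricting `tid` to a set of known tenants. Tenant ids below are constructed, and the claims are assumed to come from a token whose signature was already verified by a JWT library.

```python
"""Issuer validation for a multi-tenant Azure AD app.

Added example; tenant ids and sample claims are constructed.
"""
import re

# Issuer templates Azure AD uses: v1 endpoint tokens and v2.0 endpoint tokens.
V1_ISSUER = "https://sts.windows.net/{tid}/"
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def expected_issuers(tid):
    """The only two issuer strings a token from tenant `tid` may carry."""
    return {V1_ISSUER.format(tid=tid), V2_ISSUER.format(tid=tid)}


def validate_issuer(claims, allowed_tenants=None):
    """Return (True, tid) when iss and tid agree and the tenant is admitted,
    otherwise (False, reason).

    allowed_tenants=None means "any Azure AD tenant" (a fully multi-tenant
    app). Even then the issuer must match the tenant-specific template, so
    disabling validation is never needed: a token from some other identity
    provider, or one whose iss and tid disagree, is still rejected.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        return False, "token lacks tid or iss"
    if not GUID.fullmatch(tid):
        return False, f"tid {tid!r} is not a tenant id"
    if iss not in expected_issuers(tid):
        return False, f"issuer {iss!r} does not belong to tenant {tid}"
    if allowed_tenants is not None and tid not in allowed_tenants:
        return False, f"tenant {tid} is not allowed to sign in"
    return True, tid


# Constructed tenants and claim sets.
TENANT_X = "11111111-2222-3333-4444-555555555555"   # the tenant the app is registered in
TENANT_Y = "66666666-7777-8888-9999-aaaaaaaaaaaa"   # the "other tenant" from the question

V1_CLAIMS_FROM_Y = {"iss": V1_ISSUER.format(tid=TENANT_Y), "tid": TENANT_Y}
V2_CLAIMS_FROM_Y = {"iss": V2_ISSUER.format(tid=TENANT_Y), "tid": TENANT_Y}
MISMATCHED_CLAIMS = {"iss": V1_ISSUER.format(tid=TENANT_X), "tid": TENANT_Y}
FOREIGN_IDP_CLAIMS = {"iss": f"https://idp.example/{TENANT_Y}/v2.0", "tid": TENANT_Y}
```

With `allowed_tenants=None` this accepts the tenant Y user from the question while still pinning the issuer to the tenant the token claims to come from; pass a set of tenant ids if the app is multi-tenant in code but should only admit specific customers.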
