Azure Service Principal - How to secure the keys

For an Azure Service Principal, we have the keys below in the config file:
<add key="SubscriptionId" value="" />
<add key="ClientId" value="" />
<add key="ClientSecret" value="" />
<add key="TenantId" value="" />
Is there any Azure Key Vault-like service available where we can securely keep these keys and use them on demand?

The client secret is more important than the rest and needs to be secured. Unfortunately, it is the gateway to calls to your Key Vault even if you store it in Key Vault. A client secret is not the only way to authenticate to Azure AD, though. Instead of a client secret, you can use a certificate when creating a key. Uploading that certificate gives you a thumbprint. You then need to upload your private key (a PEM or PFX) somewhere in Azure, commonly in the application or in Azure App Service (ref https://learn.microsoft.com/en-us/azure/app-service/app-service-web-ssl-cert-load). Your application code just needs to read the certificate (of course you need to set a password for your certificate) and, if the thumbprint matches, you are authorized by Azure AD.
Other sensitive information such as storage access keys, database connection strings, Redis cache keys, VM passwords or your corporate certificate can be stored in Key Vault.
If you don't like the complex process of getting an access token, have a look at Managed Service Identity, which lets an Azure service become a service principal itself. There is no need for a client app registration or a client secret. MSI is currently in preview stage and available to some services.
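The two alternatives the answer describes, written as an added C# example rather than code from the answerer: a certificate-based credential looked up by thumbprint, or a managed identity, each used to pull the remaining secrets from Key Vault. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages and a certificate that App Service has loaded into the CurrentUser\My store; the tenant, client id, thumbprint and vault name in the usage comment are placeholders.

```csharp
// Added example: no client secret in configuration. The app proves its identity
// with a private key held outside the config file (certificate or managed identity).
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class VaultAccess
{
    // Find the certificate by thumbprint in the store App Service populates
    // when WEBSITE_LOAD_CERTIFICATES is set; the key never sits in web.config.
    public static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException("Certificate not found: " + thumbprint);
        return matches[0];
    }

    // Azure AD verifies the client assertion signed by this key against the
    // thumbprint registered on the app; a stolen config file is useless without the key.
    public static TokenCredential CertificateCredential(
        string tenantId, string clientId, string thumbprint)
        => new ClientCertificateCredential(tenantId, clientId, LoadCertificate(thumbprint));

    // Managed identity: no app registration, no secret and no certificate to rotate.
    public static TokenCredential ManagedIdentity()
        => new ManagedIdentityCredential();

    // Everything else (connection strings, storage keys) comes from Key Vault at runtime.
    public static string ReadSecret(Uri vaultUri, TokenCredential credential, string name)
    {
        var client = new SecretClient(vaultUri, credential);
        return client.GetSecret(name).Value.Value;
    }
}

// Usage (placeholders, hypothetical vault and secret name):
// var cred = VaultAccess.CertificateCredential("<tenant-id>", "<client-id>", "<thumbprint>");
// string conn = VaultAccess.ReadSecret(
//     new Uri("https://<vault-name>.vault.azure.net/"), cred, "SqlConnectionString");
```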

Related

Azure web app connection string in configuration fetch values from KeyVault

I need to configure passwords to be fetched from Azure Key Vault in an Azure Web App connection string. Can someone explain how to configure it?
Thanks in advance!
I tried to get the passwords from Key Vault in Application settings and it worked fine, but I couldn't integrate it in the connection string.
Create an Azure KeyVault.
Create Secret. Copy the Secret Identifier of the Secret (this has to be used in Azure Configuration Connection String).
Provide necessary grants by using Access policies.
In Azure App Service => Configuration => Application Settings => Connection Strings, add the new Connection string setting.
For .NET Core App, the key name has to be MyNewConn.
For .NET Framework App, the name in the Azure App Connection String must be the same as the key name in Local Configuration.
Thanks @Anand Sowmithiran for the Comment.
The value of the Connection string has to be @Microsoft.KeyVault(SecretUri=Secret Identifier).
Replace the Secret Identifier value with the value which we have copied from the KeyVault Secret (In Step 1).
For .NET Core Web App
appsettings.json:
"ConnectionStrings": {
    "MyNewConn": "LocalValue"
}
Reading it in code:
string connectionString = configuration.GetConnectionString("MyNewConn");
For .NET Framework Web App
In the Web.config file, you must have the settings below:
<configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=*****" restartOnExternalChanges="false" requirePermission="false" />
</configSections>
<configBuilders>
    <builders>
        <add name="AzureKeyVault" vaultName="KeyVaultName" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral" vaultUri="https://YourKeyVaultName.vault.azure.net" />
    </builders>
</configBuilders>
<connectionStrings>
    <add name="MyNewConn" connectionString="Retrieves the value from Azure App Service Connection String" providerName="System.Data.SqlClient" />
</connectionStrings>
Reading it in code:
var conn = ConfigurationManager.ConnectionStrings["MyNewConn"];
Update
In Azure Key Vault, in the step where we create the Secret, add the Secret value as the connection string.
The rest of the steps are the same.
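A check worth adding to the .NET Core startup path described above (added example, not part of the answer): when the app's identity cannot read the secret, App Service passes the literal @Microsoft.KeyVault(...) reference through as the setting value, so the app would try to use that string as a connection string. The helper recognises that case, reports which secret URI failed (the URI is not sensitive; the resolved value must never be logged) and otherwise returns the value unchanged. The `configuration` instance in the usage comment is hypothetical.

```csharp
// Added example: fail fast on an unresolved App Service Key Vault reference.
using System;
using System.Text.RegularExpressions;

public static class KeyVaultReferenceCheck
{
    // The SecretUri form used in the answer above, e.g.
    // @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
    private static readonly Regex Reference = new Regex(
        @"^@Microsoft\.KeyVault\(\s*SecretUri\s*=\s*(?<uri>[^)]+?)\s*\)$",
        RegexOptions.IgnoreCase);

    // Returns the referenced secret URI if the value is still an unresolved
    // reference, or null if App Service replaced it with the real secret.
    public static string UnresolvedSecretUri(string value)
    {
        if (string.IsNullOrWhiteSpace(value)) return null;
        var m = Reference.Match(value.Trim());
        return m.Success ? m.Groups["uri"].Value : null;
    }

    // Throw with the secret URI (never the value) so the access policy or
    // secret identifier can be fixed instead of the app failing later on a bad connection.
    public static string RequireResolved(string name, string value)
    {
        var uri = UnresolvedSecretUri(value);
        if (uri != null)
            throw new InvalidOperationException(
                $"Connection string '{name}' is still a Key Vault reference to {uri}; " +
                "check the app identity's access policy and the Secret Identifier.");
        return value;
    }
}

// Usage in Startup/Program (hypothetical IConfiguration instance):
// string conn = KeyVaultReferenceCheck.RequireResolved(
//     "MyNewConn", configuration.GetConnectionString("MyNewConn"));
```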

Azure App Service Can't Access SharePoint

We have a simple Azure App Service app, and part of that app accesses a SharePoint doc library to upload files. This has worked for years but recently stopped working. We generated a new client id and secret thinking that was the problem - still no luck. We have been working with Microsoft for 3 weeks on the problem and they have been useless - they don't even know what a doc library is most of the time, and all they do is "take screenshots and will get back."
I can get a token and use it to pull resources in Postman just fine.
The following is the code in web.config:
```xml
<appSettings>
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
    <add key="ida:ClientId" value="spclientid" />
    <add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
    <add key="ida:ClientSecret" value="spclientsecret" />
    <add key="ida:Domain" value="ourdomain.com" />
    <add key="ida:TenantId" value="tenantid" />
    <add key="ida:PostLogoutRedirectUri"
         value="https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession/" />
</appSettings>
```
Errors: (three error screenshots, not reproduced here)
At our rope's end with this one, any ideas?
Thanks in advance.
• You must use ‘AllowAppOnlyPolicy=true’ in your manifest file for the registered Azure AD SharePoint app to acquire a token from the registered application in Azure AD on behalf of the service principal created through your ‘App Service’. Also, you can grant the required permissions for accessing the SharePoint Online website through your ‘App Service’ as shown below in the snapshot through the Azure AD app registration portal instead of the ‘App manifest’ file: -
Thus, when you are providing the correct permissions to the ‘SharePoint’ portal through this ‘Service Principal’ in Azure AD for OAuth 2.0, as well as configuring the ‘Authentication’ token and protocols correctly, the Azure App Service should be able to access the SharePoint doc library to upload files.
• Finally, please once again check the correct value of the secret ID and its value that is being used to connect to the SharePoint website on behalf of the SP app in Azure AD. Also, do check the correct tenant ID, domain and AADInstance of the registered SP for your app service, the details of which you have mentioned in the ‘App settings.json’ file of the code.
For more details and clarification on this, kindly refer to the links below explaining the issues regarding the ‘SharePoint’ token helper and CSOM platform issues regarding the various browsers that are used to try to access the same: -
https://github.com/SharePoint/sp-dev-docs/issues/6955
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient

Debugging or error log for UseWindowsAzureActiveDirectoryBearerAuthentication in an Azure web site?

I have an ASP.NET Azure Web API site, say myapi.azuresites.net, and my custom domain is myapi.mycompany.net.
In my Web API, I use OWIN middleware to validate the incoming token:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Tenant = Constants.AzureActiveDirectoryTenant,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            // These values will be checked against what is received in the access token.
            ValidAudiences = Constants.AzureActiveDirectoryValidAudiences
        },
        Provider = new OAuthBearerAuthenticationProviderEx()
    });
I registered an app under Azure AD and added a client secret to it.
From Postman, I can get an OAuth2 token from Azure AD with the App id and the client secret.
I include this token in the header and send it to my Azure Web API.
My code uses OWIN middleware to validate the token.
If I send the request to myapi.mycompany.net, the token validation works.
If I send the request to myapi.azuresites.net, the token validation fails.
I can't really figure out why the token validation fails when calling the Azure site directly. If I grab the Azure site's web.config down to my local machine, it works there as well.
I suspected that my AD app didn't have the right redirect URLs, but I verified that and can't see an obvious issue.
So is there a way to log some information on why authentication fails? As it is a remote Azure site, can I trap this failure as an exception and throw some information out?
Although I'm not sure why my AD authentication works now, I did find a way to log OWIN failures for an Azure site.
Basically this will log OWIN information:
<system.diagnostics>
    <trace autoflush="true"/>
    <sources>
        <source name="Microsoft.Owin">
            <listeners>
                <add name="KatanaListener"/>
            </listeners>
        </source>
    </sources>
    <sharedListeners>
        <add name="KatanaListener"
             type="System.Diagnostics.TextWriterTraceListener"
             initializeData="d:\home\logfiles\Katana.trace.log"
             traceOutputOptions="ProcessId, DateTime"/>
    </sharedListeners>
    <switches>
        <add name="Microsoft.Owin" value="Verbose"/>
    </switches>
</system.diagnostics>

Azure Active directory Sharepoint & Graph API

I am a bit confused about how to get a bearer token that will work for SharePoint sites as well as the Graph API.
We are using MFA (multi-factor authentication), so we get a text message when the user tries to log in. This all works and we get a token back, but the resource I am pointing to is https://srmukdev.sharepoint.com/; how can we use this token to access the https://graph.microsoft.com/ API?
At the moment it doesn't work. I can make separate login requests, but we don't want to do this, as it's required to access both parts with the same token. Is there a method that can translate one token to another? Something that works, at least?
You can see the current difference is the ResourceUrl.
The SharePoint API details I use:
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="srmukdev.onmicrosoft.com" />
<add key="ida:ApplicationId" value="000000-0000-0000-0000-0000000" />
<add key="ida:RedirectUri" value="http://someuri/" />
<add key="ida.ResourceUrl" value="https://srmukdev.sharepoint.com/" />
The Graph API details I use:
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="srmukdev.onmicrosoft.com" />
<add key="ida:ApplicationId" value="000000-0000-0000-0000-0000000" />
<add key="ida:RedirectUri" value="http://someuri/" />
<add key="ida.ResourceUrl" value="https://graph.microsoft.com/" />
Many thanks
Let's start by saying that you cannot get a token which will work for both the Microsoft Graph API and the SharePoint API directly. Tokens are created with specific audiences, and as a part of token validation by the Web API, they will check that the audience of the token matches their unique identifier.
I think one possible solution here is to realize that the Microsoft Graph token already gives you access to the SharePoint API. See the documentation here. You should be able to get a token for just the Microsoft Graph, and then use the Microsoft Graph specific endpoints to get data from your SharePoint. This is one of the problems the Microsoft Graph is trying to solve. A single endpoint and token to access all of your Microsoft data.
Another solution is to use the authorization code you receive to request two tokens to the two different endpoints. Depending on what libraries you are using, and the specific flow you are following, this may be harder than not to accomplish, but in general, the authorization code grant flow is used to sign in a user. After the user is redirected to the Microsoft Login Page, and then successfully signs in, your service receives an authorization code, which it then exchanges for an access token using the Token Endpoint. This authorization code can be used to get an access token for any resource the client has been configured to call, so you can call the token endpoint twice, with two different resource values, and get back two access tokens. I do this in one of my Python/Flask samples.
Finally, assuming you got back an access token and refresh token for a particular resource, you could then use the refresh token to get a token for a different resource the app has been authorized for.
"The refresh token issued by Azure AD can be used to access multiple resources. For example, if you have a client application that has permission to call two web APIs, the refresh token can be used to get an access token to the other web API as well."
See here for a look at how to do this.
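The last two options in the answer (one code or refresh token, one token-endpoint call per resource) as an added C# example, not the answerer's Python/Flask sample: it redeems a refresh token against the Azure AD v1 token endpoint for a given resource, then reads the resulting token's aud claim so the caller can confirm a token is scoped to the API it is about to call. Tenant, client id, client secret and refresh token in the usage comment are placeholders; the resource URLs are the two from the question.

```csharp
// Added example: one refresh token, separate access tokens per resource.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public static class TokenForResource
{
    private static readonly HttpClient Http = new HttpClient();

    // The "resource" parameter decides the audience of the token that comes back;
    // call once with the SharePoint URL and once with the Graph URL.
    public static async Task<string> RedeemAsync(
        string tenant, string clientId, string clientSecret, string refreshToken, string resource)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["refresh_token"] = refreshToken,
            ["resource"] = resource,
        });
        using var response = await Http.PostAsync(
            $"https://login.microsoftonline.com/{tenant}/oauth2/token", form);
        using var body = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException(
                body.RootElement.GetProperty("error_description").GetString());
        return body.RootElement.GetProperty("access_token").GetString();
    }

    // Read "aud" from the JWT payload. No signature check here: the receiving API
    // validates the token; this only lets the client catch a mis-scoped token early.
    public static string Audience(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return doc.RootElement.GetProperty("aud").GetString();
    }
}

// Usage (placeholders): compare Audience(...) with the resource you requested
// before sending the token to that API; a SharePoint-audience token is rejected by Graph.
// string spToken = await TokenForResource.RedeemAsync("<tenant>", "<client-id>",
//     "<client-secret>", "<refresh-token>", "https://srmukdev.sharepoint.com/");
// string graphToken = await TokenForResource.RedeemAsync("<tenant>", "<client-id>",
//     "<client-secret>", "<refresh-token>", "https://graph.microsoft.com/");
```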

ADAL.js and Azure AD auth for Web API project

I have a client app and a Web API app hosted on different domains and want to use ADAL.js in my client app to log in to my Web API app, but I'm still getting an Unauthorized error.
In the Web API web.config I've specified my AAD details:
<add key="ida:AudienceUri" value="http://clientappurl/" />
<add key="ida:FederationMetadataLocation" value="https://login.windows.net/...3596365/federationmetadata/2007-06/federationmetadata.xml" />
<add key="ida:ClientId" value=".....388ffcc3" />
<add key="ida:ClientSecret" value="....gBsD7o=" />
<add key="ida:Tenant" value="........onmicrosoft.com" />
<add key="ida:TenantId" value="........96365" />
<add key="ida:Auth" value="https://login.windows.net/" />
<add key="ida:GraphUrl" value="https://graph.windows.net" />
And updated Startup.Auth.cs with following:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = "http://myclientapp",
        Tenant = "developertenant.onmicrosoft.com",
        AuthenticationType = "OAuth2Bearer",
    });
On the client I've specified the endpoints (my API URL), tenant and clientId. ADAL.js redirects the user to the Microsoft login page, and it looks like after a successful login it writes some data to local storage. But the API app still responds with an Unauthorized error.
Are there any tutorials on how to properly configure Web API and client apps hosted on different domains to use AAD?
How can I read authorized user details like the AAD user group from my Web API app?
Here is an example which shows how to read AAD group claims from a web app:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims
Once you have the tokens, you can then call a Web API, which is shown by this example:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect
There's a good list of AAD examples here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/
