I want to make multi-tenant application on https://apps.dev.microsoft.com.
This work fine with single tenant but
My process for making multi-tenant app ----
LogIn with Other Tenant and appear consent window and got code successfully which code I passed for getting token
Token successfully generated:
Call graph API for office 365
But error genrate --
"We do not recognize this tenant ID 21f3be0a-xx-4b7f-ab05-xxxxx6. Please double-check the tenant ID and try again.
]2
When access data for office 365 report why this tenant id not recognized error raised?
Need to edit in manifest ?
My App on https://apps.dev.microsoft.com. Have Three 3 Microsoft Graph Permissions
Delegated Permissions - user.read , Reports.Read.All (Admin Only)
You can check whether a tenant is valid or invalid using the Well Known OpenId Configuration endpoint:
https://login.microsoftonline.com/<tenant>/.well-known/openid-configuration
Doing this for your tenant id gives this result:
https://login.microsoftonline.com/21f3be0a-713c-4b7f-ab75-3cc5ca25846/.well-known/openid-configuration
error: "invalid_tenant"
error_description: "AADSTS90002: Tenant
21f3be0a-713c-4b7f-ab75-3cc5ca25846 not found. This may happen if
there are no active subscriptions for the tenant. Check with your
subscription administrator.\r\nTrace ID:
bdd561b1-bc36-44ce-b3ab-33e53fda0100\r\nCorrelation ID:
c6ce0c0d-6550-4f5f-a398-a82f085e28c1\r\nTimestamp: 2017-11-01
17:38:31Z"
So simply stated, the tenant id that you are using is not valid for the AAD Worldwide endpoint.
Is it possible you are getting a token for a different instance of AAD? Can you share the contents of your Access Token (removing any sensitive details)?
I did some mistakes thats why this Error raised then need not do anything becoz this Portal app by default Multitenant and send request to common platform ..
Login with other tenant get code
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=XXXXX-XXX
&response_type=code
&redirect_uri=http://localhost:49876
&response_mode=query
&scope=Reports.Read.All
&prompt=consent
&state=12345
then get token
https://login.microsoftonline.com/common/oauth2/token
client_id =XXX
scope =
code= which you get
grant_type=
client_secret=
after get token use for Graph API & get office365 data for -https://graph.microsoft.com/beta/reports/getMailboxUsageMailboxCounts(period='D7')
Related
We are implementing SSO in outlook adding. Let's presume, there is two tenants for simplicity.
Home Tenant
Customer Tenant
We have added Customer Tenant's user as guest in Home Tenant. Hence, we can manage guest user with certain accessibility.
We have created multi-tenant app registration in Home Tenant to get user consent and authentication from Customer Tenant. And we have put application (client) id and application id uri in Outlook-addin xml as show in below.
</OfficeApp>
...
...
<WebApplicationInfo>
<Id>928cd908-multi-tenant-application-id</Id>
<Resource>api://company-domain.com/928cd908-multi-tenant-application-id</Resource>
<Scopes>
<Scope>Files.Read.All</Scope>
<Scope>offline_access</Scope>
<Scope>openid</Scope>
<Scope>profile</Scope>
</Scopes>
</WebApplicationInfo>
</VersionOverrides>
</VersionOverrides>
</OfficeApp>
Let's assume consent has been done on before,
In order to do SSO, I'm following steps,
Executing OfficeJs.auth.getAccessToken and get access token which is issued by Customer Tenant.
Passing Customer Tenant token to application server through api call.
Exchanging Customer into Home Tenant AD token by using on-behalf-of (OBO) request.
POST /2e627697-home-tenant-ad-id/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&client_id=928cd908-multi-tenant-application-id
&client_secret=.m_7Qxxx
&assertion=eyJ0eXAiOiJKV1Q-customer-tenant-ad-token
&requested_token_use=on_behalf_of
&scope=api://company-domain.com/928cd908-multi-tenant-application-id/access_as_user openid
Received accesstoken from Home Tenant AD, since Customer Tenant's user exist in Home Tenant AD as guest.
Allowing user to access server resource.
Send response to Outlook-addin from server.
So far all good, The problem is,
If I enable Per-User MFA for the guest user, then I started to get below error when I do on-behalf-of request from server.
{
"error": "invalid_grant",
"error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '928cd908-multi-tenant-application-id'.\r\nTrace ID: 706875e8-bfe7-44b8-a9f9-402b1f4a2201\r\nCorrelation ID: 8a4bde4c-9222-4aa0-a4d6-cd0748ff3816\r\nTimestamp: 2022-06-29 18:00:31Z",
"error_codes": [
50076
],
"timestamp": "2022-06-29 18:00:31Z",
"trace_id": "706875e8-bfe7-44b8-a9f9-402b1f4a2201",
"correlation_id": "8a4bde4c-9222-4aa0-a4d6-cd0748ff3816",
"error_uri": "https://login.microsoftonline.com/error?code=50076",
"suberror": "basic_action"
}
There is two options to make user interations,
OPTION 1
Get Customer Tenant token by calling Officejs.auth.getAccessToken.
Send Customer Tenant token to server.
Create on-behalf-of request from server.
Get 50076 error and then send error response to addin.
Open authorize popup for MFA from addin by using following url. This will do MFA against Home Tenat AD.
const authorizeUrl =
`https://login.microsoftonline.com/2e627697-home-tenant-ad-id/oauth2/v2.0/authorize?client_id=928cd908-multi-tenant-application-id
&response_type=id_token+token
&redirect_uri=https://company-domain.com/928cd908-multi-tenant-application-id
&scope=openid api://company-domain.com/928cd908-multi-tenant-application-id/access_as_user
&response_mode=fragment
&state=12345
&nonce=678910`
window.open(authorizeUrl)
Close authorize popup on after MFA completed.
Call Officejs.auth.getAccessToken to get Customer Tenant token (2e627697-home-tenant-ad-id MFA Passed).
Pass Customer Tenant token with MFA to server.
Create on-behalf-of request from server with Customer Tenant token (2e627697-home-tenant-ad-id MFA Passed).
Get Home Tenant AD token successfully.
OPTION 2
Get Customer Tenant token by calling Officejs.auth.getAccessToken.
Send Customer Tenant token to server.
Create on-behalf-of request from server.
Get 50076 error and then send error response to addin.
Call Officejs.auth.getAccessToken to get Customer Tenant token (MFA Passed). Here I don't have clear understand to force OfficeJs to get Customer Tenant token on after passing MFA for 2e627697-home-tenant-ad-id.
Questions
Option 1 is getting MFA through window.open from Outlook-addin code, instead of getting MFA through OfficeJs. is this correct way?
If Option 2 is correct way, how do I force OfficeJs to perform MFA for 2e627697-home-tenant-ad-id?
To ensure MFA is satisfied use the message returned by MS Graph as the Office.AuthOptions.authChallenge value. E.g.
let exchangeResponse = await getGraphToken(bootstrapToken);
await Officejs.auth.getAccessToken({
authChallenge: exchangeResponse.claims
});
We´re trying to get the token for Oauth using the official docs request:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id='my client id'
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&code='my auth code obtained in previous auth request'
&grant_type=authorization_code
&client_secret='my client secret'
But when we make the request it responds with this error:
AADSTS65001: The user or administrator has not consented to use the application with ID 'mya app id' named 'my app name'. Send an interactive authorization request for this user and resource"
Thing is, we already gave them this permissions on Azure portal AD and app registration even with the admin consent but still:
is there any permission missing there ?, any clue about this ?
I have tried in my environment and got the access token successfully.
Please check whether you followed the same steps as below:
1) Go to Azure portal -> Azure AD -> App registrations -> Your app -> Authentication -> check the below options -> Save.
2) To resolve the error, make sure to grant below Api permissions along with permissions you have given:
3) To get the token, I used postman by giving parameters like below:
4) I successfully got the token like below:
After every change, try refreshing your Azure Portal and Postman.
For more in detail, please refer below links:
Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs
azure - AADSTS65001: The user or administrator has not consented to use the application with ID ' - Stack Overflow
I have Java application which provides some reports in plain HTML.
I want to secure these reports with Microsoft SSO (OAuth).
I was able to do this in browser - I created new "AppRegistration" in Azure AD, get client_id, client_secret, Oauth 2 authentication_url, configured correct redirect_uri in this application and implemented Oauth flow in browser - it works as expected.
But users don't want to check reports in browser, they want to process them in Excel 2019.
It has "Organizational account" authentication.
I believe, that it uses the same OAuth 2 flow.
So, I added WWW-Authenticate: Bearer authorization_url="https://login.microsoftonline.com/256be541-f611-4412-975e-cb56ee6fb03b/oauth2/v2.0/authorize"
I'm trying to access URL like: https://localhost:8443/report/1
Now Excel asks me to enter login and password, but after successfull authentication the error is shown:
invalid_resource: AADSTS500011: The resource principal named https://localhost:8443 was not found in the tenant named 256be541-f611-4412-975e-cb56ee6fb03b. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 57324bfe-ab46-4c2e-9128-a336aa287e00
Correlation ID: d9c4c732-76cc-4659-9d8a-d27abec617d3
Timestamp: 2021-02-02 16:50:13Z.
https://localhost:8443 - is address of my application and this address is included to redirect_uri in App registration.
But I don't think that mentioned "resource principal" is about redirect_uri.
So, how can I create "resource" principal in Azure AD and give it name "https://localhost:8443" ?
In fact, this is the case. According to your error message, it says that the resource body of https://localhost:8443 cannot be found, which means that you set the scope to: https://localhost:8443 when requesting an access token.
However, you only set it to redirect_uri at the beginning, and did not set the Application ID URI to: https://localhost:8443 in the Expose API tab, so when you request the resource, the error message will report that it cannot be found the resource.
By the way, scope is different from redirect_uri. The scope puts the resource you want to access, while redirect_uri is just the callback url that is not the resource you want to access. This is why you still get an error when setting the url in redirect_uri.
I'm trying to get a subscription created with the callRecord resource (https://learn.microsoft.com/en-us/graph/api/subscription-post-subscriptions?view=graph-rest-beta&tabs=http)
In the app registration section of the Azure portal, I've created a multi-tenant app with a client secret. That app has permissions for application-level "CallRecords.Read.All" as well as the default delegated "User.Read". The statuses also have a green checkbox for being granted against my organization by an admin.
I am able to get an access token with the following HTTP POST request to https://login.microsoftonline.com/common/oauth2/v2.0/token:
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
client_secret:<client_secret>
client_id:<client_id>
code:<code>
redirect_uri:http://localhost:3000
However, that token is not able to generate a subscription to my callRecord resource. I get a response with this message: "Operation: Create; Exception: [Status Code: Forbidden; Reason: The request is not authorized for this user or application.]"
The message suggests that the app has not been granted admin-level authorization, but in fact it has. This used to work for me. I'm wondering if there has been a regression on the MS Graph side.
Further, when I examine the JWT, I see that the scope is "User.Read profile openid email". There is no mention of the application-level permission (specifically, CallRecords.Read.All)
Thanks.
Because when you use the auth code flow, just the Delegated permission will take effect. So even if you grant the Application permission, the token you got will not include the permission.
From the doc, to call this API Get callRecord, just the Application permission is supported.
To get the token which include the permission, your option is to use the client credential flow.
Note: You need to use <tenant-id> instead of common in this flow.
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
client_id=xxxxxxx
&scope=https://graph.microsoft.com/.default
&client_secret=xxxxxxx
&grant_type=client_credentials
Decode the token in https://jwt.io, the roles includes the CallRecords.Read.All permission:
I have a backend process that doesn't directly interact with the user. I want to access reservations associated with my Azure account but I'm having trouble with the authentication step. I was following the guide here and I managed to get the authentication request to work by calling
https://login.microsoftonline.com/{tenant-ID}/oauth2/token
as a POST with the following x-www-form-urlencoded body:
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=http://myapp42
However, when I attempt to call:
https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
with the bearer token I received during the authentication step, I get the following error message:
The access token has been obtained for wrong audience or resource 'http://myapp42'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/', 'https://management.core.windows.net', 'https://management.azure.com/', 'https://management.azure.com'
However, if I modify the resource on the request to be one of these, http://management.core.windows.net/ for instance, the authentication then fails with:
AADSTS500011: The resource principal named https%3A%2F%2Fmanagement.core.windows.net%2F was not found in the tenant named {tenant-ID}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b54cedea-3804-41cf-bd27-fcf0ed1c4700\r\nCorrelation ID: 2371d375-6c89-4f05-83c9-c4629b3340a8\r\nTimestamp: 2020-02-05 01:59:57Z
How do I authenticate so that I can then get my reservations without having to login?
Update:
The service principal has both the Owner and Contributor roles assigned.
Update 2:
Thanks to #Jim Xu, I was realized that I needed to refrain from url-encoding the URL. That allowed me to get the access token with a value of https://management.azure.com/ for the resource field. However, at this point, when I attempt to call the REST API with the resulting bearer token, I get the following error:
The client '{Object-ID}' with object id '{Object-ID}' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/reservations/read' over scope '/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}' or the scope is invalid. If access was recently granted, please refresh your credentials
Note: The object ID returned by this error is the one associated with the service principal.
Update 3:
I checked the reservation and it seems that the principal does not have a role in that reservation's access control. However, I also cannot assign the principal a role because it does not show when I search for principals during the role-assigning process.
If you want to call Azure Rest API to get the information of reservation Orders, you need to assign Owner\Contributor for the service principal.(the action needs Microsoft.Capacity/reservationOrders/read permission).
The steps are as below
Get access token
POST : https://login.microsoftonline.com/{tenant-ID}/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=https://management.azure.com/ or https://management.core.windows.net
Call the api
GET : https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
Authorization: Bearer <token>
For more details, please refer to the issue and the issue
update
If you have assigned role but you still cannot get access token, please try to encode your url.