Azure AD Graph vs Microsoft Graph App Authorization Tokens - azure

I have an application currently using the Azure AD Graph API. I would like to start migrating the app to Microsoft Graph. However, I would like to reuse the bearer tokens for hitting both the Azure AD Graph API and the Microsoft Graph API.
How can I accomplish this? Currently it seems as if the apps must be registered in different portals for the different APIs respectively.

It seems as if the apps must be registered in different portals for the different APIs respectively
This is not consistent with my experience. I have registered my Application in Azure Active Directory.
Using the Azure portal, I am able to get permissions to both the Microsoft Graph Api and the Windows Azure Active Directory API.
I would like to reuse the bearer tokens for hitting both the Azure AD Graph API and the Microsoft Graph API.
You cannot use the same token for both the Azure AD Graph API and Microsoft Graph API.
In my code, I receive an access token via the following call:
// ADAL issues one token per resource; resourceString selects which API the token is valid for.
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
    authorizationCode,
    redirectUri,
    CreateClientCredential(),
    resourceString // "https://graph.windows.net/" or "https://graph.microsoft.com"
);
The resourceString parameter is either https://graph.windows.net/ for the AD Graph API, or https://graph.microsoft.com for the Microsoft Graph API.
They are distinct resources, so you must manage two tokens, applying the appropriate token for each API call.
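The answer's point is that each token is minted for one audience, so a client that talks to both APIs has to keep the tokens apart and send the right one. The following Python is an added example, not code from the question, the answer or any Microsoft library: it caches one token per resource, checks the token's audience claim before storing it, and selects the token by the origin of the request URL. It also extends the answer with the Azure Government endpoint for Microsoft Graph (graph.microsoft.us) mentioned further down this page. The sample tokens are constructed and unsigned purely so the example runs offline; the audience GUIDs for the two commercial Graph APIs are their well-known application ids, and the `make_sample_token`, `ResourceTokenCache` and `demo` names are this example's own.

```python
import base64
import json

# Resource identifiers from the answer: a token is issued for exactly one of these.
AAD_GRAPH = "https://graph.windows.net"
MS_GRAPH = "https://graph.microsoft.com"
MS_GRAPH_GOV = "https://graph.microsoft.us"  # Azure Government endpoint for Microsoft Graph

# Values that may appear in a token's "aud" claim for each resource: the URL form
# (with or without trailing slash) or, for the commercial APIs, the API's application id.
ACCEPTED_AUDIENCES = {
    AAD_GRAPH: {AAD_GRAPH, AAD_GRAPH + "/", "00000002-0000-0000-c000-000000000000"},
    MS_GRAPH: {MS_GRAPH, MS_GRAPH + "/", "00000003-0000-0000-c000-000000000000"},
    MS_GRAPH_GOV: {MS_GRAPH_GOV, MS_GRAPH_GOV + "/"},
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_audience(token: str) -> str:
    """Read the 'aud' claim WITHOUT verifying the signature.

    This is only used client-side to route a token to the right API; the API
    itself verifies the signature, so nothing here grants access.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    claims = json.loads(_b64url_decode(parts[1]))
    return claims.get("aud", "")


class ResourceTokenCache:
    """One access token per resource.

    put() refuses a token whose audience does not belong to the resource, which
    catches the 'reuse one token for both Graphs' mistake where it is made.
    """

    def __init__(self):
        self._tokens = {}

    def put(self, resource: str, token: str) -> None:
        aud = token_audience(token)
        if aud not in ACCEPTED_AUDIENCES[resource]:
            raise ValueError(f"token audience {aud!r} is not valid for {resource}")
        self._tokens[resource] = token

    def authorization_header(self, request_url: str) -> dict:
        """Pick the token whose resource is the origin of the request URL."""
        for resource, token in self._tokens.items():
            if request_url == resource or request_url.startswith(resource + "/"):
                return {"Authorization": "Bearer " + token}
        raise KeyError(f"no token cached for {request_url}")


def make_sample_token(aud: str) -> str:
    """Constructed, unsigned sample token for offline demonstration only.
    Real tokens come from AcquireToken* in ADAL/MSAL and are signed by Azure AD."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "sub": "sample-user"}).encode())
    return f"{header}.{payload}."


def demo() -> dict:
    """Acquire (here: construct) one token per resource and route two calls."""
    cache = ResourceTokenCache()
    cache.put(AAD_GRAPH, make_sample_token("https://graph.windows.net/"))
    cache.put(MS_GRAPH, make_sample_token("00000003-0000-0000-c000-000000000000"))
    return {
        "aad": cache.authorization_header(AAD_GRAPH + "/myorganization/users"),
        "ms": cache.authorization_header(MS_GRAPH + "/v1.0/users"),
    }


if __name__ == "__main__":
    for api, header in demo().items():
        print(api, header["Authorization"][:40] + "...")
```

In a real client the two `put` calls would each follow an `AcquireToken*` call with the matching resource string; the audience check then makes a mix-up fail locally with a clear error instead of as a 401 from the wrong API.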

Related

Azure Graph Booking API for public application

I would like to use the MS Graph Booking API for a publicly available application.
Users are going to log in with identity providers but obviously are not in our Azure AD.
Per my understanding, it's possible to access this API only with delegated AD user permissions.
Also, as far as I can see, Azure AD B2C users seem not to have access to the MS Graph API.
Question: Is there a way to expose and use the MS Graph Booking API for users who are in our database or in Azure AD B2C?
I am afraid there is no such way. To use the Microsoft Graph API, we need to provide the appropriate access tokens for the corresponding operations, and we must get the access token from the Microsoft identity platform (formerly Azure Active Directory for developers).
The steps are:
Register your app with Azure AD.
Get authorization.
Get an access token.
Call Microsoft Graph with the access token.

Get AccessToken to Microsoft Graph from Azure App Service Easy Auth

I have a .NET core application hosted on Azure App Service. The application is secured with Azure App Service Authentication.
I need to get an access token to access Microsoft Graph.
Since I have Azure App Service Authentication turned on, and all the users that access the web application should already be authenticated, I was wondering if it is possible to get the access token from /.auth/me or Request.Headers["x-ms-token-aad-access-token"].
I tried to follow the example posted on here, where I configured my additionalLoginParams in /config/authsettings to ["resource=https://graph.windows.net"] (or ["resource=https://graph.microsoft.com"] as per Rohit's suggestion), which in turn should give me an access token to MS Graph either via /.auth/me on the client side or Request.Headers["x-ms-token-aad-access-token"] in C#.
However, I checked both server side and client side, and there was no access token found. Any idea what went wrong?
Since this was tagged azure-gov, I presume the App Service is running in Azure Government? If so, what AAD authority are you specifying in the authentication context or /config/authsettings when calling Graph? If it's in Azure Gov, and you're planning to authenticate Azure Gov users, the AAD authority should be login.microsoftonline.us. What was the HTTP response to the request?
Also, as others have mentioned there are two "Graph" APIs (Azure AD Graph and Microsoft Graph) available at the moment. Microsoft Graph will ultimately replace Azure AD Graph but for now either can be used.
The resource uri for AAD Graph in Azure Gov, for now, is the same as Azure Public: graph.windows.net.
The resource uri for Microsoft Graph in Azure Gov, however, is graph.microsoft.us compared to graph.microsoft.com in Azure Public.

Is it possible to get all the user informations in a tenant by Azure AD Graph API or Microsoft Graph API?

From the Azure Active Directory v2.0 authentication libraries we can see lots of samples about how to use the libraries to connect to Active Directory. It seems all of them should create an application at apps.dev.microsoft.com first, then use the Application ID and a new password as the clientID and clientSecret in a client or server middleware application.
This way, one user can use the application to log in via OAuth 2 or OpenID through the Azure Active Directory API, and it can also get personal information such as the user profile correctly.
But if I want to get all the users' information in a tenant at one time, is there an API that can do that?
But if I want to get all the users' information in a tenant at one time, is there an API that can do that?
You can use Microsoft Graph API - specifically List Users API.
https://graph.microsoft.com/v1.0/users
For a quick test, try using Microsoft Graph Explorer
Similarly you can list users with Azure AD Graph API as well, but it would be recommended to use Microsoft Graph API.
Read Microsoft Graph or Azure AD Graph and this SO Post (the only case for using the Azure AD Graph API would be if you need something very specific that you aren't able to achieve with the stable version of the newer Microsoft Graph API).
Azure AD Graph API to list users (not recommended)
https://graph.windows.net/myorganization/users
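"All the users in a tenant" is rarely a single response: Microsoft Graph pages large collections and hands back the next page's URL in an `@odata.nextLink` property, so a client has to loop until that property is absent. The Python below is an added example (not code from the answer or from Microsoft) of that loop against the `/v1.0/users` endpoint the answer recommends; it requests only the attributes it needs via `$select`, and caps the number of pages so a misbehaving server cannot keep it looping. The `fetch_json` callable is assumed to perform the bearer-authenticated GET; `SAMPLE_PAGES` and `sample_fetch` are constructed stand-ins so the example runs offline, and the `$skiptoken` continuation URL in them is made up.

```python
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
# Ask only for the attributes you need; Graph pages the collection and
# returns the next page's URL in "@odata.nextLink".
FIRST_URL = GRAPH_USERS + "?$select=id,displayName,userPrincipalName&$top=2"
NEXT_URL = FIRST_URL + "&$skiptoken=page2"  # constructed continuation URL


def list_all_users(fetch_json, first_url=FIRST_URL, max_pages=10_000):
    """Collect every user by following @odata.nextLink until it is absent.

    fetch_json(url) is assumed to perform the authenticated GET and return the
    parsed JSON body. max_pages guards against a server that never stops
    returning continuation links.
    """
    users = []
    url = first_url
    for _ in range(max_pages):
        body = fetch_json(url)
        users.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
        if not url:
            return users
    raise RuntimeError(f"gave up after {max_pages} pages")


# Constructed sample responses standing in for two Graph pages (not real tenant data).
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [
            {"id": "u1", "displayName": "Alice Example", "userPrincipalName": "alice@example.test"},
            {"id": "u2", "displayName": "Bob Example", "userPrincipalName": "bob@example.test"},
        ],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [
            {"id": "u3", "displayName": "Carol Example", "userPrincipalName": "carol@example.test"},
        ],
    },
}


def sample_fetch(url):
    """Offline stand-in for the authenticated GET. A real client would send the
    Microsoft Graph access token in the Authorization header here."""
    if url not in SAMPLE_PAGES:
        raise RuntimeError(f"unexpected URL {url}")
    return SAMPLE_PAGES[url]


def user_principal_names(users):
    """Sorted UPNs, handy for diffing a directory export over time."""
    return sorted(u["userPrincipalName"] for u in users)


if __name__ == "__main__":
    print(user_principal_names(list_all_users(sample_fetch)))
```

The same loop works unchanged for any paged Graph collection; only the first URL differs.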

Manage user from Azure AD B2C using AD Graph API - secure access

We are building Xamarin Native mobile apps and using Azure AD B2C for authenticating users with their social logins.
We decided to use the MSAL native library (Xamarin) for authenticating with B2C, and our mobile app is required to manage (full access) the signed-in user's profile. Since this feature isn't available in MSAL, we have decided to go with ADAL for the time being. I followed the instructions provided in the link below and the sample works. But I started experimenting by deleting the API access granted to the application (created in the B2C tenant) and then ran the application with the "Get-user" parameter. The application is still able to get the users from AD. Not sure how secure this is?
Then I deleted the application key from the B2C tenant application and ran the console application sample, and received an error: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.
Trace ID: cef09957-06bf-462e-a0c3-4ed6bae11e00
Correlation ID: afab126d-8694-479a-8a21-c12eb7cb176c
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Any idea why this is happening? I would like to implement this in a Xamarin.iOS app and any guidance is much appreciated.
The answer to this is very similar to the answer to your other question: Exception access Azure AD B2C using ADAL library for user management, which can be summarized as:
Azure AD B2C does not yet support delegated permissions to the Azure AD or Microsoft Graph. The correct way to work around this limitation at this time is to have your native client application call a web API (using MSAL) which would in turn call the Graph API (using ADAL). This web API is an API you build which has authorization logic to scope the user management operations.
Once user management in Azure AD B2C is supported via the Microsoft Graph, you won't need this API and will be able to use delegated permissions (vs application permissions using client credentials) to have your native client application talk directly to the Microsoft Graph. In the interim, you'll have to stand up your own Web API as per the guidance above.
UPDATE: the Azure AD v2.0 endpoint and Microsoft Graph API now support client credentials flow, so you can also use MSAL for your Microsoft Graph API calls. However if you need to call the Azure AD Graph, then you will still need to use ADAL.
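The answer's workaround puts a web API of your own between the native client and the Graph, and stresses that this API must contain the authorization logic that scopes user management, because the Graph call behind it runs with an application permission that can touch any user. The Python below is an added example (not code from the answer, from MSAL or ADAL, or from the linked sample) of the shape that logic takes: the target user is taken from the `oid` claim of the caller's validated B2C token rather than from the request, the set of operations is an allow-list, and a profile update may only carry allow-listed attributes. Function and constant names are this example's own; the claims dictionaries are constructed.

```python
# Operations the mobile client may request, mapped to the Graph user attributes
# each one may write. Anything not listed is denied.
SELF_SERVICE_OPERATIONS = {
    "read_profile": set(),                                   # GET, nothing writable
    "update_profile": {"displayName", "givenName", "surname"},
}


def authorize_self_service(caller_claims, target_user_id, operation):
    """Decide whether the caller may perform `operation` on `target_user_id`.

    The web API's own Graph credential is not scoped, so this check is the
    scope: a caller may act only on the object id ("oid") carried in the token
    MSAL obtained for them, and only through a listed operation.
    """
    oid = caller_claims.get("oid")
    if not oid or operation not in SELF_SERVICE_OPERATIONS:
        return False
    return oid == target_user_id


def build_graph_request(caller_claims, target_user_id, operation, requested_changes=None):
    """Return (method, path, body) for the Graph call the API will make on the
    caller's behalf, or raise PermissionError.

    target_user_id comes from the route the client called; it is accepted only
    if it equals the caller's own oid, so a client cannot point the API at
    another user's object. Unknown attributes are rejected rather than silently
    dropped so a misbehaving client is visible in the API's logs.
    """
    if not authorize_self_service(caller_claims, target_user_id, operation):
        raise PermissionError(f"{operation} on {target_user_id} not permitted")
    changes = dict(requested_changes or {})
    rejected = set(changes) - SELF_SERVICE_OPERATIONS[operation]
    if rejected:
        raise PermissionError(f"attributes not permitted: {sorted(rejected)}")
    method = "PATCH" if changes else "GET"
    return method, f"/users/{target_user_id}", changes


if __name__ == "__main__":
    # Constructed claims as they would look after the API validated the B2C token.
    claims = {"oid": "11111111-1111-1111-1111-111111111111", "scp": "profile.manage"}
    print(build_graph_request(claims, claims["oid"], "update_profile", {"displayName": "A. Example"}))
    try:
        build_graph_request(claims, "22222222-2222-2222-2222-222222222222", "read_profile")
    except PermissionError as exc:
        print("denied:", exc)
```

The Graph call itself (with the API's ADAL or MSAL client-credential token) happens only after this function returns, so every path into the application permission goes through the check.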

Which Azure Active Directory Graph API should I use?

I recently figured out that there are two Graph APIs available for Azure Active Directory. There is the unified graph.microsoft.com and the AAD-specific graph.windows.net:
Azure AD Graph API functionality is also available through Microsoft Graph, a unified API that also includes APIs from other Microsoft services like Outlook, OneDrive, OneNote, Planner, and Office Graph, all accessed through a single endpoint with a single access token.
Source
Is there any reason to use the unified Graph API when I only need to browse AAD objects? Will the AAD-specific graph.windows.net Graph API get deprecated?
There has been no announcement of Azure AD Graph API's deprecation and we (and others) use it in production every day.
If you can get what you want through Azure AD Graph API, I'd say use it. If you need something else from the Microsoft Graph API (like emails or contacts), use that one.
