I have added a Web Application in the Microsoft Application Registration Portal. I can view this app in old azure portal. When I try to configure this app as multi tenant and set the Sign-on URL and the App ID URI values, an error pops up saying one of the values is invalid and the save fails. I can connect to this application using OAUTH and get the required refresh and access tokens. Using these tokens in the graph API I can get mails,contacts and calendar events from my office 365 account. But this happens only for a single tenant. I need to able to do this for multiple tenants and so I want to set this app as multi-tenant. If I create the application in Azure AD itself then I am able to set all the values but I cannot connect to this app using OAUTH as the authentication fails with error message saying
error=unauthorized_client&error_description=AADSTS70001%3a+Application+%2791470123-7e7e-4139-9922-ac95b0a6b383%27+is+not+supported+for+this+API+version.
.I went through a few links like here , here and here but until now I haven't been able to find a solution. I am re-posting this as suggested here. Can anyone suggest what I must do to get through this ?
All applications created through the App Registration Portal have the Multi-Tenant flag set to True by default.
The issues you are facing here are likely due to the fact that the App Registration Portal created our new V2 Applications, while our old portals use our V1 Applications. As a result, switching between portals and trying to make configuration changes, you will likely run into issues where our app model has changed, and certain properties exist in one place, and not another.
Finally it is important to note that we now have a V2 endpoint as well, which lines up with our V2 applications. You need to make sure you are using the right kind of application for the right endpoint.
Let me know if this helps!
Related
I have been following the Microsoft tutorial/guide for setting up SSO between two Azure bots which is found here: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication-sso?view=azure-bot-service-4.0&tabs=csharp%2Ceml. I am doing all of the bot testing in the latest version of the Bot Framework Emulator with ngrok.
I have managed to get this working correctly via Azure AD (AAD), however as part of a proof-of-concept, I want to get this working via Azure B2C. Unfortunately, there doesn't seem to be much documentation around about how to set something like this up with B2C, and so far I have not been able to get it working. I have left everything set up the same as was asked in that tutorial/demo where possible (see section below for highlighted differences).
Currently, I am able to log into each bot individually via the above tutorial/demo, but when the SSO is attempted into the skill (child) bot, (via watching the traffic in Fiddler) I see that an error of "consent required" is returned. This tells me there must be some sort of relationship/configuration breakdown between the two bots which is preventing the SSO from succeeded. As mentioned, once this fails, I then get the option in the demo to manually log into the skill bot, which does succeed.
The main differences in terms of configuration capability in AAD vs B2C seem to be:
When configuring the Azure AD app registration for the skill (child) bot, you do not have the capability to set an Authorized client application. Also on this screen, you do not have the option to set the consent for both Admins and users, therefore the consent is set to Admins only
When setting up the API permissions, the delegated permissions available for the Microsoft Graph API are much more limited (only offering openid and profile whereas in the tutorial above more permissions has been asked for)
Thus far I have tried the following to get it to work:
In the app registration for the skill bot, in the API permissions section, I added an API which points to the app registration for my main (root) bot
Manually modified the Manifest for both app registrations changing oauth2Permissions.type from Admin to User to try and relax the scope added in the Expose an API screen (as changing this does change the 'who can consent' column from 'Admins Only' to 'Admins and Users'
Different tenant combinations for the app registration (note that both app registrations are current set up as multi-tenant)
Other things of note:
For the OAuth connection strings, these are set up the same way as the tutorial/demo above, including the Token Exchange URL just pointing to the skill bot scope
I am working under the assumption here that if Azure AD works, then B2C should equally be able to work without any code changes to the demo project, except for different values in the appsettings.json files for each of the two bots.
I am also assuming that B2C SSO in this way is actually a supported feature - there doesn't seem to be a definitive answer either way.
Can someone please provide some suggestions for why this may not be working and what may be required in order to get it working? If I haven't provided sufficient information in any area, let me know and I would be more than happy to provide it.
Many thanks!
I have a Web API project I created using this tutorial that I'm trying to secure using Azure AD.
According to the tutorial, when I create the project, I can select "Change Authentication" and enter my AAD information and the authentication supposed to just "work" as long as I have <Authorize> on the controller I want to secure:
According to the tutorial, I need to add the API as an app in the Azure portal but its steps and screenshots are confusing because they're old and the Azure portal has been reorganized. It says:
Next step is to add the "WebAPIServerSingleTenant" as an app you can access in your native app. Navigate to the "WebAPIClientSingleTenant" app and add "WebAPIServerSingleTenant" to your approved list (tick the checkbox too)
But adding the tenant info from Visual Studio when I created the project creates an app registration in AAD automatically, so I'm not sure what it's asking me to do.
Furthermore, when I try to call the API from Postman, for example, I just get "Authorization has been denied for this request" despite generating and passing an access token in the header of the request that looks right to me.
What steps do I need to follow to secure my web API using Azure AD?
The 'Next step is to add the ..." instruction you quote above is about adding a reference to your API app to the AAD registration of your native app. To register the native app, go to the Azure portal and use App Registration. The instructions for how to do that linked in your article are obsolete - AAD UI is totally different now. Rather use one of the official samples, in particular the one for native client accessing an API.
I am quite new to the wonderful world of Azure development. I currently work on a Xamarin.Form project with an Azure backend. After researching a lot, I found this post: https://azure.microsoft.com/en-in/resources/samples/active-directory-b2c-xamarin-native/
that explain how to do signIn in Azure from XF2.4.
But I am a little bit lost in all the portal offered by Microsoft. I create my backend on the portal.azure.com and at first I create the application in the portail.azure too. But I rapidly understand that I need to use the new apps.dev.microsoft.com to create the application. Now I am able to Singin from my XF project correctly.
My question: it is the correct way to do that? Now I try to add some Admin and "Normal user" application roles, then assigned roles to users. But the application created in the apps.dev.microsoft.com is not listed in the AzurePortal and the configuration available in apps.dev.micorosft.com is very simple.
How I can do that? Thanks
To register an app that works with the v2.0 endpoint, you must use a new app registration portal: apps.dev.microsoft.com . And refer to document :
The v2.0 endpoint does not support issuing role or group claims in ID tokens.
The workaround would be add users to different groups , use microsoft graph api in you application to get user's group membership , then model Role based access control on top of Security Groups.
In addition .If you want to use Azure AD B2C , you should register the app in b2c application blade . And refer to this thread for how to manually retrieve these claims the group claims(need register a separate application) and inject them into the token.
I'm creating a Node app that uses OAuth2 to login a user and use the Office365 API to send and receive email, and possibly contacts and calendar events.
I have no need for Azure Active Directory that I know of. However, I am unsure of whether or not I need to register the app with Azure for the OAuth flow.
At first I followed this tutorial, which involves registering the app in the "Application Registration Portal." The OAuth token I receive currently works with the REST API for Outlook. No Azure.
Then I saw this tutorial, which seems to suggest that any app using the Office365 APIs should register an app with Azure. I don't want to do this if I don't have to, mainly because of the cost.
It is not clear to me why I need to sign up for one or the other, and my main concern is that the first tutorial is dated to the point that my app's registration with the "Application Registration Portal" will become deprecated and I will need to switch over to registration with Azure at some point. I have seen plenty of outdated tutorials and information from MS that are not clearly marked as deprecated. Can anyone help clear this up?
Sorry for the confusion. The short answer is that both these methods are still relevant, so none of them are deprecated yet.
Firstly, you're right that you need to register your app to call the Office 365 APIs.
And, you're also right that there are currently two different places to register an app: the App Registration Portal and the Active Directory section under the Azure Management Portal.
Registering on either one of these is enough to get you to a comfortable state where you can call the Office 365 APIs.
However, the convergence of the Outlook.com stack with the Exchange stack means that you are now also able to use the Office 365 Mail, Calendar and Contacts API against consumer Outlook.com accounts in addition to Office 365 accounts. If you wish to take advantage of this, you should register your app in the Application Registration Portal and NOT the Azure Management Portal.
Another advantage of registering through the Application Registration Portal is the support of dynamic permissions scopes. You don't have to specify upfront when you register your app what permissions it requires; rather, you can request permissions at runtime using the scopes parameter.
This new v2 app model for apps registered in the Application Registration Portal is currently in preview. A reason not to register apps in the Application Registration Portal is if they will be using more than just the Mail, Calendar and Contacts APIs. e.g. if your app is also using the OneDrive for Business Files API, you wouldn't be able to request tokens using the v2 app model's endpoint. In that case, you should register your app in the Active Directory section under the Azure Management Portal.
I have created an Azure AD native client application and have given delegated permissions to Azure Service Management API. Now, I'm able to invoke the service management API using my id from a Windows Phone 8.1 app using ADAL library. However, another user can't invoke operations on their subscription even though I add them as co-administrator in my directory. I get the token for the user but when I try to make an API call, I get 'Invalid token:A security token exception occurred for the JWT token'. Is there a way to allow another user to access details about his subscriptions using ADAL authentication from an AD app hosted in someone else's AD? I have searched for any related information for quite some time and I'd gladly take any help.
Here is what I interpret what you are doing.
You have a native app and it is connected to your tenant and it works fine for accessing service management APIs in your tenant/subscription.
You gave the app to a friend and they are trying to use it to access service management APIs in their tenant/subscription.
The suggestion above in the comment is on the right track, but you need to look at the steps for making your native application multi-tenant. This way, the AD service will know to look for the tenant for the authenticated user. Changing the url to use 'common' instead of the tenant id is one of the steps required. Here are a couple of posts to help with that transition.
http://www.cloudidentity.com/blog/2013/04/09/walkthrough-3-developing-multi-tenant-web-applications-with-windows-azure-ad/
This is a native client example of multi-tenant for a windows store app. I could not find one in the repo for a phone app. Hopefully, this gets you on the right track.
https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore