I've got a user who signs in at 12 PM to an asset exchange using AAD for authentication. At 1 PM I discover that they're violating the exchange rules and I go into the Azure Portal and block the sign-ins for that user. As nearly as I can tell, this user's token is good for at least another hour. Is there any way to force a User out of the system without deleting his account?
You can disable the user's ability to sign in and access services in the Azure Portal. This will disable the user from signing in again or exchanging their refresh token for a new tokens.
Keep in mind, the user will still be able to access the resource as long as their access token is still valid (lifetime of 1 hour). To combat this, you can reduce the time of access tokens. Steps of how to change the lifetime.
Related
We are using Azure Active Directory B2C to authenticate users into our app, we use a user flow to let the user enter their credentials. after receiving the access token from azure we generate an app token that contain app related information.
we recently added the keep me sing in feature but it seems that there is no way to know in the response if the user has checked it or not? even the returned access token still expires after 60 minutes. this causes a problem for us since our app logs-out the user automatically after the token time's out. but if the user choose to stay signed in we want to stop this behaver. SO how can we tell if the user checked the keep me signed in?
I've read a lot in Microsoft docs and searched a lot with no luck to find a way!
the one thing I found was a KMSI attribute but it can only be added in custom policy's. witch is kinda hard to do now.. is there a way to get such an indicator from the user flow?
You can get the KMSI Boolean in the token using custom policies and claims resolvers.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
However, this shouldn’t be needed in your scenario. When access token expires, the refresh token is used to redeem a new access token. If the refresh token is expired, then the B2C cookie is used to perform single sign on via the B2C login page.
The user is only logged out if all of the above are expired/invalidated.
More to read here What does KMSI in Azure B2C actually DO?
I have a file>new .net core web app which is using Azure AD for authentication which works fine out of the box.
I have a requirement to create some auth policies so I have the following code which check the groups in the users claims and sets up an "Admin" policy which I can use on my endpoints.
services.AddAuthorization(options =>
{
options.AddPolicy("Admin", policy => policy.RequireClaim("groups", "XXXXX"));
});
This works fine too. The problem is once the user is logged in, how can I:-
Revoke access if I needed to? (e.g. a user is removed from AD or has his access revoked)
Refresh the auth so that if there has been any change in claims, roles, groups etc, it is detected.
I took a look at https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access but it doesn't give much. It actually says "It's possible that the app may never send the user back to Azure AD as long as the session token is valid."
How is the best way to handle this?
To summarize the comments and post as an answer:
As I said in the comments, if you need to revoke a user's access rights, then you can do this by revoking the user refresh token. After revoking the user's permissions in Azure, then revoke the refresh token and redirect the user to the login page.
After the user is authenticated, he will receive the access token and the refresh token.
First, you need to revoke the user's refresh token. The lifetime of the refresh token is 90 days by default, so you need to revoke it during its lifetime. You can use AAD Power Shell:
Revoke-AzureADUserAllRefreshToken -ObjectId "a1d91a49-70c6-4d1d-a80a-b74c820a9a33"
But as far as I know, the access token cannot be revoked. The default expiration time of the access token is 1 hour. After 1 hour, the user will automatically lose access to AAD.
If you want to terminate user access immediately after the user permissions is revoked, you can try the continuous access evaluation provided by Microsoft, which helps ensure invalidation of access tokens in near real time. However, as the documentation says, this may cause security issues, so I think it is not the best method.
So I think the best way is: just revoke the refresh token, and then wait 1 hour for the access token to expire, the user will automatically lose access to AAD. Then refresh the authentication and redirect the user to the login page.
We are developing an application that uses Azure Active directory for sign-in process. Azure AD is configured with MFA(multi-factor authentication). Now we are facing an issue with QA automation where we need to manually update the MFA code. Is there any way to get it done automatically or some other alternative for this.
Generally automated processes require a bit more work when MFA is involved.
You have 2 options that I can think of right now:
Don't use a user account, use a service principal/app registration + application permissions
Allows you to use client credentials to authenticate, no MFA
Run the authentication flow once with a user to get access token + refresh token, use refresh token to get new tokens whenever needed in the automated process
You will get a new refresh token as well every time you use a refresh token, be sure to replace the one you have with the new one
Refresh tokens can and do expire, so you may need to redo the initial authentication again
Take special care in storing the refresh token securely
We implemented the second case for a customer's background process: https://joonasw.net/view/adding-opt-in-feature-to-azure-ad-app
Oh, and in case you are talking about UI automation, the Azure AD product team has said to me many times that you should not try to automate the login page itself.
It has invisible checks and may block your automated login.
In these cases, you may need to have a user with no MFA, use the ROPC flow to get tokens, and somehow inject those tokens to your UI.
Or use the refresh token approach to get the tokens and then inject them.
TLDR:
is it possible to have guest account, like guest#organization.onmicrosoft.com, at company's MS Office 365 cloud that will have "read" permission to organization's users calendars and events with constant access token? By constant access token I mean that I sign in once for this guest user and receive constant access token from Azure AD (like application access authentication but as guest account).
I have my own company's MS Office 365 account with some users in it. There is one global administrator account and few regular users.
There is second company, let's call it XYZ, with their own MSO365 account with many of administrators and users. Big company.
Now I'm writing simple app where I need to have access to read XYZ company's users calendars and events. I have list of required users in my app with proper MSO365 ID's.
I think that 'read' privilege is enough since we can send invitation for events through ordinary email message.
My App will read user events through MS Graph API etc. with some logic and realease it (send invitations for events etc.) with CRON jobs.
And here is my problem with authentication.
I don't want to have "application access" Azure AD privileges at my App. I know the XYZ company security policy won't apply it since "application access" gives access to all accounts at organization. Application access means that XYZ company's global administrator apply application privileges for my App by single sign in into Azure AD. If he do so i have Access token which i can use for API calls at my app withoud need of additional authentication.
I can't use "user access" Azure AD authentication neither.
Due to my CRON jobs and API calls which fire then.
User access means that user need sign in at Azure AD login service what gives me Access token and Refresh token for API calls. Those tokens are 1 hour lifetime.
So I though about: if there is possibility to have a guest account at XYZ company's MSO365 that would let me use authentication mechanism like the "application access"?
By this I mean that XYZ company's global Admin creates me a guest account like guest#xyz.onmicrosoft.com which will have access to read users calendar and events. What is more I need this account to have constant access token which I can use in my cron job's api calls with no need to sign in at Azure AD.
The question is: is it possible? If so how to do it?
The only way there (AFAIK) is to use refresh tokens.
Application-level access is more robust but requires organization-wide access.
So you use delegated access (user access), store refresh tokens somewhere.
You can use those tokens basically indefinitely,
however certain events can expire the refresh token.
It doesn't happen often, but it can happen.
In that case you would need the user to login again so you can get a new refresh token.
You should also store the new refresh token that you get when you acquire tokens using a refresh token.
This new token can overwrite the old token for that user.
And of course keep in mind refresh tokens are user-specific so you gotta store one for each user.
This is the approach that one of our bigger apps takes.
If we fail to acquire a token in the background process,
that user gets a flag set on them that their token does not work,
and they'll get a notification that they need to re-authenticate for the feature to start working again.
I'm not sure I'm understanding this properly, but here goes:
Since MSA and Google tokens expire every hour, the only way for my app to reflect changes in the user's permissions on the MSA and Google site would be to refresh the EasyAuth B2C token on roughly the same interval, right? If they revoke access to my app, then they probably don't want unexpired tokens rolling around for days.
And each time I need to refresh that token, another refresh call is made to B2C and then on to the identity provider, right?
And each time that happens I'll be charged (based on the info on the Azure pricing page). So if my app (it's a financial app with the ability to charge credit cards) gets popular and scales, the fees will be actually quite large, as there will be tons of logging in/out and refreshing if everyone is responsible.
Do I have this right? Any suggestions for mitigating the fees responsibly?
Does the refresh token store get purged when someone logs out? If so, then I could just assume (I know - bad word) that if they want to disable access to the app, they just logout. Any subsequent login or use of a refresh token would then be blocked.
Since MSA and Google tokens expire every hour, the only way for my app to reflect changes in the user's permissions on the MSA and Google site would be to refresh the EasyAuth B2C token on roughly the same interval, right?
Based on my understanding, web application used the id_token to authenticate the user. After the web application authenticated, it contains its own session and the default web application session time is 1440 minutes, we can config it. You can refer here for the detail.
And if you were using the OAuth 2.0 flow to authorize the application to access the resource which protected by Azure AD, since the life time of token is one hour if it is expired we need to renew the token as you mentioned.
And each time I need to refresh that token, another refresh call is made to B2C and then on to the identity provider, right?
And each time that happens I'll be charged (based on the info on the Azure pricing page). So if my app (it's a financial app with the ability to charge credit cards) gets popular and scales, the fees will be actually quite large, as there will be tons of logging in/out and refreshing if everyone is responsible.
Do I have this right? Any suggestions for mitigating the fees responsibly?
You were right. Azure Active Directory (Azure AD) B2C usage will be billed monthly based on the total number of both: Stored Users, Authentications: Tokens issued either in response to a sign-in request initiated by a user, or initiated by an application on behalf of a user (e.g. token refresh, where the refresh interval is configurable).
Does the refresh token store get purged when someone logs out? If so, then I could just assume (I know - bad word) that if they want to disable access to the app, they just logout. Any subsequent login or use of a refresh token would then be blocked.
Did you mean revoke the token? The log out the web application won’t revoke the token. Azure AD doesn’t support revoking the token at present. However, we can clear the token cache if you doesn’t want users to user the token.