We are using Azure AD B2C and I'm trying to implement the changePassword function for signed-in users. We have followed this tutorial https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet, and we have succeeded to make it worked.
But we want signed-in users to have the possibility to change their existing password (directly in applications). We found this method (https://msdn.microsoft.com/fr-fr/library/azure/ad/graph/api/functions-and-actions#changePassword) but we failed to make it work...
What is the standard workflow for using AD Graph API in AD B2C with signed-in users ?
I have an application linked to a B2C tenant. I have created both Android and iOS apps and I am able to connect and get tokens thanks to the sign-up or sign-in policy, this point is OK...
In parallel I have created a service app in order to use the AD Graph API (thanks to the first link above).
We have suceeded in testing some operations like get the lists of users, find a specific user, change some.... But now I want to use the method "changePassword" for the connected users (second li) and I have failed using it. I don't know which access token to provide, both tests (using the token from the app service credential or using the access token received thanks to the signin policy) have failed ??
Other question, is it normal that the app service I have created with PowerShell is not visible in the Azure Portal ??
Thanks ;)
Other question, is it normal that the app service I have created with PowerShell is not visible in the Azure Portal ??
We can locate the service principal which created by PowerShell by searching the appPrincipalId like below:
Update
To perform the change password REST API of Azure AD Graph, we need to provide the delegate access token. In this scenario, we can use resource owner password credentials flow which require users' username and password for the authentication. To use this flow we can register the service principal like below:
$app = New-AzureRmADApplication -DisplayName "appPS2" -HomePage "https://adb2cfei.onmicrosoft.com/appPS2" -IdentifierUris "https://adb2cfei.onmicrosoft.com/appPS2" -Password "123"
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
Then we need to login the Azure classic portal to grant the delegate permission Directory.AccessAsUser.All as figure below:
Here is the code to acquire the token using the resource owner password credentials flow:
Post: https://login.microsoftonline.com/adb2cfei.onmicrosoft.com/oauth2/token
resource=https%3a%2f%2fgraph.windows.net&client_id={ $app.ApplicationId}&grant_type=password&username=fx%40adb2cfei.onmicrosoft.com&password={currentPassword}&client_secret=123
Then we can use this token to change the password of the sign-in user like below:
POST: https://graph.windows.net/adb2cfei.onmicrosoft.com/me/changePassword?api-version=1.6
authorization: bearer {access_token}
content-type: application/json
{
"currentPassword":"{currentPassword}",
"newPassword":"{newPassword}"
}
Related
I am new to Azure, and one question bothers me.
Is it possible to create a multi-tenant logic in Azure with one "General" AAD that contains function apps and other tenants (more than 20) that should use these apps to manipulate their own tenants?
For example, there is an app for managing users (UserManagement). When this function is "called" from another tenant (Tenant "B"), let's say for adding a new user, it should add the user only in the called AAD (Tenant "B").
I try to accomplish this by storing app registration credentials in a table or service principal - app registration logic, but it has no effect.
Thank you .
I did a test in my side with Azure AD Multi-tenant application with an asp.net core application, the feature is allowing users from different tenant to sign in then using Microsoft Graph API to query all the users.
My Azure AD application is registered in tenant A which is a multi-tenant application. Then I used user in tenant B to sign in the application, then the query result is that all the users in tenant B is listed in the query result.
Here's the sample I followed. And in the contoller, my request is like this: var users = await _graphServiceClient.Users.Request().GetAsync();
Do not forget to set the tenant id as common for enabling the multi-tenant feature.
I agree with #Tiny Wang, you need to create Multi-Tenant Azure AD Application to achieve your scenario.
I tried to reproduce the same in my environment and got the results as below:
I created an Azure AD Application in TenantA:
Now, I tried to sign-in with the TenantB user using the below authorize endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The user will be prompted the screen as below:
Once the user Accepts the consent, the TenantB user will be authorized successfully.
I generated the access token by using below parameters:
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
If you want the Personal Microsoft accounts to access your App, then Register your application as below and make use of common endpoint:
Based on your requirement, you can assign the Azure AD API Permissions and permit the users to access the Application.
I have a c# service, the service is running somewhere in the azure cloud without an user interface. some specific events should trigger new messages to a team channel.
According to this documentation, the Create Message https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0&tabs=http is only supported by delegated account, not by the application tokens.
How can i create a delegated token for my service application without specific user account and without a login interface in the cloud?
Which Authentication Provider is the right one? https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?context=graph%2Fapi%2F1.0&view=graph-rest-1.0&tabs=CS
As you mentioned in the question : chatMessage , supports only the Delegated Permission type.
What exactly is Delegated Permission Type?
A permission which specify scope-based access using delegated authorization from the signed-in.
The reason on the emphasis of the above point is being that - for Delegated permission we would need the context of a user account
Coming back to your questions :
How can i create a delegated token for my service application without specific user account
You can obtain a token without a specific user account but this will not help your cause.In order to overcome this, I would suggest a creation of service account - this account has permission over the teams.Part 2 of this questions suggests which provider can help without the login prompt.
The steps include :
Register your app.
Configure permissions for Microsoft Graph on your app.
Get administrator consent.
Get an access token.
Use the access token to call Microsoft Graph.
Detailing of the steps is included in the article here : https://learn.microsoft.com/en-us/graph/auth-v2-service
without a login interface in the cloud
Now you could use the below option :
Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials
In this provider, you will be passing the creds of the service account.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=<YOUR CLIENT ID>
&scope=user.read%20openid%20profile%20offline_access
&username=<YOUR USERNAME>
&password=<YOUR PASSWORD>
&grant_type=password
You can generate the token for your service account by above request and application can consume the chatMessage API.
I have been able to create Azure Functions App to manage Azure B2C Users. I can create new users, and update profiles flawlessly using the client_credentials Flow. However, when I change the password using a PATCH request with body:
{
passwordProfile: {
password: 'password-value',
forceChangePasswordNextSignIn: false
},
passwordPolicies: "DisablePasswordExpiration"
}
I get this error:
{code: 'Authorization_RequestDenied', message: 'Insufficient privileges to complete the operation.'}
I have done some research on this, and figured out that updating password requires Delegated Permission "Directory.AccessAsUser.All". From the Front End Application, I am signing in using the B2CLogin Flow, therefore the access token is not compatible with Graph API. Also, "Directory.AccessAsUser.All" does not exist at the Application level in the B2C application. Therefore, I cant use the Patch Request with the client_credentials Flow as well. According to some suggestions, the process can be done by Azure AD PowerShell by assigning "Company Administrator" Role. But, I have not found a solution to reset password through the Azure Function. A step-by-step solution(if it exists) would be really helpful for me as I am relatively new to Azure Services.
The easiest way is to assign the Global Admin role to the service principal on Azure portal.
Go to Azure Portal - Azure Active Directory - Roles and administrators.
Search for "Global admin" and select it.
Click on +Add assignments. And then search for your service principal.
Please note that "Applications are allowed for active assignments only.".
So after clicking on "Next>", select "Active" for the Assignment type.
After the assignment is finished, you are able to update the password using client_credentials flow.
Add-AzureADDirectoryRoleMember which is mentioned by #Jas Suri can also do the same thing.
I am new to Microsoft Graph API. I have read many articles on the web to understand the usage of Microosft Garph API for managing users in Azure AD. I am creating a Springboot based REST API service, which needs to create users in Azure AD.
I have registered my application in Azure Active Directory. I have also 'Directory.ReadWrite.All" permission for Microsoft Graph API. I wanted to first try to create the user from Microsoft Garph explorer. In the Graph Explorer, I have to give authorization token in the Request header. In order to create authorization token, I have followed the instruction given in the link https://learn.microsoft.com/en-us/graph/auth-v2-user. I have created the following URL based on the instruction, for obtaining Access token.
https://login.microsoftonline.com/{mytenantID}/oauth2/v2.0/authorize?client_id=validclientID&response_type=code&redirect_uri=https://localhost:4200&response_mode=query&scope=Directory.ReadWrite.All&state=12345
When the above URL is accessed from the web browser, I get a message which says "Need Admin Approval". I am not the admin of the Azure AD and I do not have access to the admin of my client, so I am really stuck. Can anybody help me understand whether I will have to get admin consent each time I need to access "create user" functionality of Azure AD through MS Graph API? . I would also also need the create user functionaltiy in the Springboot API. In this case, how would Admin Consent work?. Is there anyway that the create user functionality can work without Admin consent.
I have read the following two questions in SO before posting this question
How can I find the Admin Consent URL for an Azure AD App that requires Microsoft Graph "Read directory data" permission?
Create user using Microsoft Graph
if you just want to create a user in your tenant , you can follow the steps below :
Create a new Azure AD app in your tenant, ask your tenant admin to grant "Directory.ReadWrite.All" permission to this app :
Create a app secret for your Azure AD app :
Use this secret and this Azure AD app ID to get access_token to call Microsoft Graph API :
Request URL :
POST https://login.microsoftonline.com/<-your tenant name->/oauth2/v2.0/token
Request Header :
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type:client_credentials
client_id:your client Id
client_secret: Your application secret
scope=https://graph.microsoft.com/.default
You will get an access_token from this API calling.
See the screen shot below:
3. Using the access_token we just created to call Microsoft Graph API to create a user :
As you can see , a user has been created :
If you have any further concerns , pls feel free to let me know : )
I need to be able to get an identity/access token to a backend API for a native client, where the native client must use native UI to collect username and password.
I want to use Azure AD B2C but I cannot get clear, explicit info if the Resource Owner Password Grant flow is supported. Is it possible to get a token from Azure AD B2C by programmatically posting username and password somewhere?
Azure AD B2C does not support the "Resource Owner" password grant yet.
You can support this feature ask and get updates on its progress by voting for it in the Azure AD B2C feedback forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C.
Is it possible to get a token from Azure AD B2C by programmatically posting username and password somewhere?
You can use the Azure AD Client Credential Flow to obtain a token. See this SO Post.
ROPC might be the right OAuth Flow for you, but before you start using it, you might want to check out this blog post:
Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications.
Resource Owner Password Credential flow is now supported in Azure AD B2C.
Do note however that confidential client flow, where the application secret is verified, is not supported.