How to Add users to Azure Active Directory with Graph API - azure

I am trying to understand how Azure Active Directory Graph API works for adding users to the directory. According to this:
http://msdn.microsoft.com/en-us/library/azure/dn130117.aspx
I need to access the Graph API URL and pass in something called a "bearer token" in the "Authorization" header so that it will allow me to add the user specified in the request's body. However, I have no idea where I can get one of these tokens. All my research points to the user having to be already authenticated to get a token, which kind of defeats the point, since I want to add the user so he can authenticate.
I have configured my app in the Azure Management Portal, and thought the bearer token was the "Client ID" that I get when I go to my added applications in the Directory. But when I pass this number to the Graph API, I get "Access Token Missing or malformed". I am testing this using the Fiddler Web Debugger app.

These 2 posts describe very thoroughly the steps to get the required token in 2 different scenarios:
Authorization Code Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
Client Credentials Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
If you want to use the Client Id and Client Key to authenticate your client to Azure Active Directory, then you should read the 2nd article. The first one is to authenticate an already existing user.
If you want to programmatically get the OAuth2 token, then you could use the AAD authentication libraries: http://msdn.microsoft.com/en-us/library/azure/dn151135.aspx
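The Client Credentials flow the answer points at, followed by the user POST the question was trying to make, as an added example (not code from the original post or from Microsoft). It assumes the v1 token endpoint, the Azure AD Graph resource URI `https://graph.windows.net`, and a constructed stand-in for both endpoints (`FakeAzure`) so the flow runs offline; the tenant, client id, secret and sample user are all made up. The point it makes concrete: the value in the `Authorization` header is the `access_token` returned by the token endpoint, never the Client ID.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
# Azure AD Graph resource URI (the API the question is about). For Microsoft Graph
# the resource would be https://graph.microsoft.com instead.
GRAPH_RESOURCE = "https://graph.windows.net"

# Constructed sample user; field names follow the Azure AD Graph user entity.
NEW_USER = {
    "accountEnabled": True,
    "displayName": "Alex Wilber",
    "mailNickname": "alexw",
    "userPrincipalName": "alexw@contoso.onmicrosoft.com",
    "passwordProfile": {"password": "P@ssw0rd-example-only", "forceChangePasswordNextLogin": True},
}


def urllib_post(url, body, headers):
    """Real transport: POST and return (status, body text), also on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_client_credentials_token(tenant, client_id, client_secret,
                                 resource=GRAPH_RESOURCE, post=urllib_post):
    """Client Credentials Grant: the app authenticates as itself, no signed-in user.
    'resource' names the one API the token is valid for; the v1 endpoint requires it."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "resource": resource}).encode()
    status, text = post(TOKEN_URL.format(tenant=tenant), form,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {text}")
    token = json.loads(text)
    if token.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {token.get('token_type')!r}")
    return token["access_token"]


def create_user(tenant, bearer_token, user, post=urllib_post):
    """POST the user to the directory with the access token as a Bearer credential."""
    url = f"{GRAPH_RESOURCE}/{tenant}/users?api-version=1.6"
    headers = {"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"}
    status, text = post(url, json.dumps(user).encode(), headers)
    if status != 201:
        raise RuntimeError(f"user creation failed: {status} {text}")
    return json.loads(text)


class FakeAzure:
    """Constructed stand-in for the token endpoint and the Graph API (offline only).
    It records every request so the demo can be checked."""
    ACCESS_TOKEN = "eyJ0eXAiOiJKV1QifQ.constructed.signature"

    def __init__(self):
        self.calls = []

    def post(self, url, body, headers):
        self.calls.append((url, body, headers))
        if "/oauth2/token" in url:
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["client_credentials"] or "resource" not in form:
                return 400, json.dumps({"error": "invalid_request"})
            return 200, json.dumps({"token_type": "Bearer", "expires_in": "3599",
                                    "resource": form["resource"][0],
                                    "access_token": self.ACCESS_TOKEN})
        if headers.get("Authorization") != f"Bearer {self.ACCESS_TOKEN}":
            return 401, json.dumps({"odata.error": {
                "code": "Authentication_MissingOrMalformed",
                "message": {"lang": "en", "value": "Access Token missing or malformed."}}})
        created = dict(json.loads(body))
        created["objectId"] = "11111111-2222-3333-4444-555555555555"
        return 201, json.dumps(created)


def demo(tenant="contoso.onmicrosoft.com"):
    """Whole flow against FakeAzure: token request first, then the user POST."""
    fake = FakeAzure()
    token = get_client_credentials_token(tenant, "app-client-id", "app-client-secret", post=fake.post)
    created = create_user(tenant, token, NEW_USER, post=fake.post)
    return token, created, fake.calls


def demo_client_id_as_token(tenant="contoso.onmicrosoft.com"):
    """Reproduce the question's mistake: the Client ID sent as the bearer token."""
    try:
        create_user(tenant, "app-client-id", NEW_USER, post=FakeAzure().post)
    except RuntimeError as err:
        return str(err)
    return "unexpectedly accepted"


if __name__ == "__main__":
    tok, made, _ = demo()
    print(tok, made["objectId"], demo_client_id_as_token(), sep="\n")
```

To run it for real, drop the `post=fake.post` arguments so the default `urllib_post` transport is used; the token request then goes to the tenant's token endpoint and the token's `resource` must match the API being called, which is why a token minted for one API is rejected by another.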

Related

Azure easy auth get user role based on AD user Id ASP.net core app WebAPI

I'm following this link to implement authentication and authorization.
I am able to successfully create a token based on https://login.microsoftonline.com/{tenantID}/oauth2/token
After that I am calling a GET API using sayhello. Everything is fine, but I want to get the user's role based on the token and the UserId/Password of the AD user.
I have searched a lot but am not getting any concrete solution.
To decode the Azure Active Directory JWT token, you can use the online decode tool JSON Web Tokens - jwt.io.
Here is an example of how to verify and decode an Azure Active Directory token; refer to this article.
If you want to manually decode a bearer token issued by Azure Active Directory, you can use the JwtBearer or AddAzureADBearer middleware to validate the access token.
Please refer to this thread, which contains code to decode a bearer token.

How to access token through Powershell or Postman by User ID rather than Client ID

Is there a way, either in PowerShell or Postman, to get an access token for myself by logging in to a particular tenant? I see a lot of samples around getting an access token with a client ID or secret. But I want to run commands or make a REST call to get an access token once I have authenticated myself. I tried looking into Graph Explorer but no luck.
The client id is required for AAD authorization.
If you want to get an access token including your own information, you should implement OAuth 2.0 authorization code flow. It will perform interactive login as #Gaurav Mantri-AIS mentioned.
We can simply get the access token in Postman like this:
After clicking on "Request Token", it will pop up a login window. Enter your username and password. Then you will get the access token.
When we log into Graph explorer, we will see the access token here:
In fact, Microsoft has registered an Azure AD application and provided the client id in the login request URL.
In short, we have to use the client id.

Best way to create user login in mobile app with azure

I'm creating a Xamarin.Forms mobile app with Azure. I have enabled Authentication/Authorization in Azure to protect the APIs in the Backend.
What I need is to ask the user to log in with Facebook or Google and get some information about the user such as name, email and... and then save this data in a table as user information. I would like to ask the user to log in just once and get the data, and I don't need to keep the token provided by Facebook, for example, and refresh it all the time (which I read is not supported by Facebook), but I also need to keep the user logged in with secure access to the Backend APIs. I am new to this and completely confused about using Azure AD, Facebook and...
What is the best way to do that? I have followed this tutorial and now am able to login with Facebook.
Maybe what you are looking for is Azure AD B2C (Business to Customer), which will provide facilities to allow your customers to create an account for your app, but also login with Facebook (see here) or Google (see here).
Since Azure AD B2C implements OAuth2, integrating it in a Xamarin.Forms app by means of Xamarin.Auth should be possible (see here). Once you have acquired the OAuth2 token, you can include the token in the headers of your HTTP requests in the Authorization header with the Bearer type (see here)
Authorization: Bearer <token>
On the server side you can then validate the token. I have not used Xamarin.Auth with JSON Web Tokens (JWT), but maybe you'll be able to retrieve a JWT with Xamarin.Auth, which you'll be able to validate yourself. Otherwise, if Xamarin.Auth is restricted to access tokens, you might have to contact the authentication server to verify the token. If the token is verified successfully, you can grant the user access, otherwise answer them with a 401.
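What "decode the token to get the role" (the easy auth answer above) and "validate the token on the server side, otherwise 401" (this answer) look like in code, as one added example that belongs to neither answer. Azure AD signs tokens with RS256 and a resource server verifies them against the tenant's published signing keys (that is what the JwtBearer middleware does); this offline example signs its constructed test tokens with HS256 and a made-up shared secret instead, so no RSA keys are needed, but the checks after the signature (issuer, audience, `exp`/`nbf`, then the `roles` claim) are exactly the ones a real resource server performs. The issuer, App ID URI, secret and clock value are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the tenant's issuer, the API's App ID URI (its expected
# audience), a shared secret for the offline HS256 demo, and a fixed clock.
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
AUDIENCE = "api://my-backend-api"
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
NOW = 1_700_000_000


class TokenError(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a test token. Azure AD issues RS256 tokens; HS256 only avoids RSA keys here."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """jwt.io-style decode: reads the payload WITHOUT verifying it.
    Fine for inspection, never a basis for an authorization decision."""
    return json.loads(b64url_decode(token.split(".")[1]))


def validate_token(token, secret, issuer, audience, now=None):
    """Verify the signature, then issuer, audience and time window. Returns the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # reject 'none' and any unexpected algorithm
        raise TokenError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was issued for a different API")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


def authorize(headers, required_role, now=None):
    """Resource-server decision: 401 without a valid bearer token, 403 when the
    token is valid but lacks the app role, 200 otherwise."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, None
    try:
        claims = validate_token(token, DEMO_SECRET, ISSUER, AUDIENCE, now)
    except TokenError:
        return 401, None
    if required_role not in claims.get("roles", []):
        return 403, claims
    return 200, claims


def demo():
    base = {"iss": ISSUER, "aud": AUDIENCE, "nbf": NOW - 60, "exp": NOW + 3600,
            "oid": "11111111-2222-3333-4444-555555555555", "roles": ["Reader"]}
    mk = lambda **over: {"Authorization": "Bearer " + make_hs256_jwt({**base, **over}, DEMO_SECRET)}
    valid = mk()["Authorization"].split(" ", 1)[1]
    # Forgery attempt: swap the payload (roles -> Admin) but keep the old signature.
    h, _, s = valid.split(".")
    forged = f"{h}.{b64url_encode(json.dumps({**base, 'roles': ['Admin']}).encode())}.{s}"
    return {
        "roles": decode_claims(valid)["roles"],
        "valid": authorize(mk(), "Reader", NOW)[0],
        "missing_role": authorize(mk(), "Admin", NOW)[0],
        "expired": authorize(mk(exp=NOW - 1), "Reader", NOW)[0],
        "wrong_audience": authorize(mk(aud="https://graph.windows.net"), "Reader", NOW)[0],
        "client_id_as_token": authorize({"Authorization": "Bearer app-client-id"}, "Reader", NOW)[0],
        "forged_roles": authorize({"Authorization": "Bearer " + forged}, "Admin", NOW)[0],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `wrong_audience` case is the one that trips people up with Azure AD: a token that is perfectly valid for the Graph API is still a 401 at your own API, because the `aud` claim names a different resource.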

Why do I get two different bearer tokens in two different situations? Azure Active Directory (also microsoft blockchain workbench)

Trying to understand something in Azure Active Directory.
I am trying to understand why I don't get the same bearer token when using the same user in these two situations:
1) By going to this blog post:
http://blog.pomiager.com/post/using-rest-api-in-azure-workbench-blockchain
I downloaded the project and the only thing that matters is that there is a sign in for an azure active directory. I sign in with my correct account and when debugging I can see my bearer token.
2) When I am inside my microsoft workbench app I go to inspect on chrome and in the network I can actually see the bearer token
These 2 bearer tokens are different although I do these 2 actions at the same time. The bearer token from the second option is the correct bearer token that lets me get access to my blockchain workbench app. I want to make actions on my microsoft workbench app when I sign in to my user.
How can I receive the correct bearer token?
Thanks
The tokens you see are JWT tokens. They will be unique every time, with limited validity (in case one gets compromised), but Azure AD can validate them. At a very high level, if you are using the Azure AD OpenID Connect authentication flow then you will be getting an access_token (used to access an API) and an id_token (used to access the user's basic info). You will always use the access token to access the API resources for which the token is generated; however, in certain cases where your client is requesting a token for its own backend, you may require the id token.
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens

azure active directory & postman

I have an Azure web API application which is secured by an azure active directory tenant. Through Postman I am trying to obtain the OAuth2 access token using Postman's OAuth2 Helper. The get access-token requires four bits of info: The tenant auth endpoint, the tenant token endpoint, the client id and the client secret of the associated tenant application. It also seems that the tenant application reply url must include https://www.getpostman.com/oauth2/callback which is where postman is supposed to retrieve the token into the helper.
I can't get this to work. The get access token button reports back an error but it is very hard to decipher what the error is: the debug url reveals nothing really.
Has anyone had any experience attempting to get an AAD Oauth access token with postman's OAuth2 helper? If so, do you have any hints as to where I should look to debug what is going on?
The extension sadly lacks one critical field for Azure AD. AAD must know what resource you want the token for, since a token will not work for all APIs that your app has permissions for. The authorization code is actually retrieved successfully, but the request to the token endpoint fails with an error message about the missing resource identifier. So you can't use it with AAD: neither the authorization code nor the client credentials flow works.
Update: The Azure AD v2 endpoint allows you to use the scope parameter instead of resource, which Postman does support!
You can set the resource ID as a parameter to the Auth URL.
Auth URL: https://_______________?resource=https://_________
I am attempting the same authentication flow with the postman app (vs extension). Watching fiddler it appears that the authorization grant is coming back as I see a response from AAD of the form, GET https://www.getpostman.com/oauth2/callback?code=AAABAAAAiL9Kn2Z27UubvWFPbm0gLTo3oWq....
I'm assuming the "code" is the authorization grant because if I attempt to use it as the access token it is unauthorized. Also the fiddler session responds with a 301 Moved Permanently to https://app.getpostman.com/oauth2/callback...
This is my experience with AAD and Postman. You should first validate that you successfully authenticated through AAD and Postman.
Adapted from this post:
Set up a dedicated 'postman-test' app registration in your AD tenant, with permission to access your target API. Ensure it has the Postman callback URL previously mentioned.
Fill in Postman's OAuth helper form with the following details:
Token Name – Any name to save the token.
Auth Url – https://login.microsoftonline.com/{tenant}/oauth2/authorize?resource={testing-appId-uri}
Access Token Url – https://login.microsoftonline.com/{tenant}/oauth2/token
Client ID – Client Id from configure tab of “postman-test” app.
Client Secret – Client secret copied from configure tab of “postman-test” app.
Grant Type – Authorization Code
Note:
tenant: can be either the name of the Active Directory or the TenantId of the admin who created the Active Directory.
testing-appId-uri: the App ID URI of the application you are testing. It should include the http:// or https:// and does not need escaping.
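The pieces Postman's helper fills in for the Authorization Code flow, written out as an added example (not from any answer above or from Postman). It builds the v1 Auth URL with `resource` (and the v2 equivalent with `scope`, per the update above), parses the redirect back to the Postman callback to pull out the one-time `code`, and assembles the POST to the Access Token URL. The tenant, client id, secret, App ID URI and the callback URL's `code` value are constructed; nothing here talks to the network.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN = "https://login.microsoftonline.com"
POSTMAN_CALLBACK = "https://www.getpostman.com/oauth2/callback"


def authorize_url_v1(tenant, client_id, resource, state, redirect_uri=POSTMAN_CALLBACK):
    """v1 'Auth URL'. 'resource' is the App ID URI of the API the token is for;
    urlencode percent-encodes it, which is what actually goes on the wire."""
    return f"{LOGIN}/{tenant}/oauth2/authorize?" + urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "resource": resource, "state": state})


def authorize_url_v2(tenant, client_id, scopes, state, redirect_uri=POSTMAN_CALLBACK):
    """v2 equivalent: the API is selected with 'scope' (e.g. '<app-id-uri>/.default'),
    a field Postman's helper does have."""
    return f"{LOGIN}/{tenant}/oauth2/v2.0/authorize?" + urlencode({
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": state})


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect to the callback URL.
    The code is a one-time grant, not an access token: presenting it as a bearer
    token gives the 'unauthorized' seen in the thread. The state check ties the
    response to the request we actually made."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to our request")
    return query["code"][0]


def token_request_v1(tenant, client_id, client_secret, code, resource,
                     redirect_uri=POSTMAN_CALLBACK):
    """(URL, form body) of the POST to the 'Access Token URL'. Without 'resource'
    (here or on the authorize request) the v1 token endpoint rejects the exchange."""
    return f"{LOGIN}/{tenant}/oauth2/token", {
        "grant_type": "authorization_code", "client_id": client_id,
        "client_secret": client_secret, "code": code,
        "redirect_uri": redirect_uri, "resource": resource}


def demo():
    tenant = "contoso.onmicrosoft.com"
    client_id = "11111111-1111-1111-1111-111111111111"           # 'postman-test' app registration
    api_id_uri = "https://contoso.onmicrosoft.com/my-web-api"    # App ID URI of the API under test
    state = secrets.token_urlsafe(16)
    auth_url = authorize_url_v1(tenant, client_id, api_id_uri, state)
    # Constructed redirect, shaped like the one the thread saw in Fiddler.
    callback = f"{POSTMAN_CALLBACK}?code=AAABAAAA-constructed-code&state={state}&session_state=abc"
    code = parse_callback(callback, state)
    token_url, body = token_request_v1(tenant, client_id, "postman-test-secret", code, api_id_uri)
    return {"auth_url": auth_url, "code": code, "token_url": token_url, "token_body": body}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `state` check is what Postman does for you behind the "Request Token" button; if you ever script this flow yourself (for example in PowerShell or with curl), keep it, since without it any redirect carrying a code will be accepted.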
