Azure Mobile Services Authentication Error - azure

I have created a Mobile Service application, and deployed the default template to Azure. When I try to access it prompts me with a Windows Authentication popup.
I have then configured it to use the Azure Active Directory (according to the documentation here: http://azure.microsoft.com/en-us/documentation/articles/mobile-services-how-to-register-active-directory-authentication/ and here: http://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-xamarin-ios-get-started-users/#add-authentication) by adding an application to the AD and specified client-id's. and app uri's between the two and set the domain as tenant for the Mobile Service. I also installed Backend Security and set AzureActiveDirectoryExtendedLoginProvider as login provider in the backend.
However, it still prompts me with the Windows Authentication popup, but now when I go to .azure-mobile.net/login/aad it sends me to the Active Directory login page as expected, but with the following error
AADSTS70001: Application with identifier xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx was not found in the directory yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
The application identifier is the correct identifier, but the directory identifier does not belong to my active directory, which is the only directory I have and which is configured as tenant in the mobile service. When I try to login to the mobile service from a mobile application it just gives me a blank page.
I also tried creating another AD with a different domain/tenant, but it still gives the same directory guid in the error message.

Related

Azure App Service Authentication with Active Directory

I have a dotnet core api in an app service on Azure.
When I run this locally, with authentication switched on, I can generate a bearer token and use that to successfully access the end points.
On azure, when authentication is switched off I can access the end points, but when I switch authentication on in azure, I can't access any end points with a token. Postman is just returning the standard response "The page cannot be displayed because an internal server error has occurred".
I can't see anything in application insights so I'm really in the dark.
Hoping someone will know of any common issues that could be behind this.
Thanks in advance
You cannot access your web app authenticated with Azure AD using B2C token.
On local, created web app using Visual Studio only have three authentication choices:
As we can see, using Individual User Account is connecting to an Azure AD B2C account.
On portal, you could configure your app service with choices below:
If you are using Log in with Azure Active Directory, you should concern it is not same as B2C. Follow this page to configure Azure AD authentication with web app.
Get the AAD bear token:
Navigate to the app registrations page in your Azure Active Directory, choose the one you created in configuring authentication step. You would see the information like this:
Go to Certificates & secrets page to create a secret, and copy that value, cause you would not see it after leave this page.
Open Postman to get the access token, here is the required parameters:
Use the bear token you got from last step to access your web app:

Live SDK Applicaition - Unable to Complete Request?

I have my website integrated with Live SDK applications to allow customers to login to their MSN, Hotmail, Outlook, etc. email accounts and invite friends to my website by reading the contacts. This used to work properly but now it's not working anymore.
When I use the App ID / Client ID from the old Application Registration Portal (https://apps.dev.microsoft.com) I get the following message when I try to login using my Microsoft account.
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
I see from the Application Registration Portal that I can now use Azure to manage my App Registrations, so I basically setup the same app under Azure with the following criteria.
Authentication: Selected Web and setup the same Redirect URI I was using previously when this was working.
API Permissions: I added "Microsoft Graph" with email, Contacts.Read, openid, profile, and User.Read.
And when I try to login to my Microsoft account using my Azure app Client ID / App ID I get the following message.
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Should I try making this work using Azure instead of Application Registration Portal credentials? If so, why is it saying "unauthorized_client" when I try to login?
Thank you!
Register your Azure AD app as Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

What happens to registered users if I change the Active Directory App that my webapp uses for authentication?

I have a webapp that authenticates users using Active Directory OAuth 2.0 with a request like this (skipped some querystrings):
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
response_type=id_token+code
client_id={clientid}
scope=openid+offline_access+profile
If I'm not mistaken, that is the Implicit Grant Flow and it had been working fine until now that the login started returning a 302 with message:
unsupported_response_type&error_description=The+provided+value+for+the+input+parameter+'response_type'+is+not+valid.+Expected+values+are+the+following:+'code'%2c+'token'%2c+'none'.+'id_token'+is+disabled+for+this+app
The solution to this is to edit the App Manifest in Active Directory inside the Azure Portal, but the thing is I don't have access to that App Registration and don't even know who the owner of the app is. I can't even find it searching in All Apps.
So I was thinking just registering a new app in the same AD and tenant and then just change my webapp to request the auth to the new clientID. My question is what happens to all the users that were already registered and does this solution affect them?
Your uses will be effected in the sense that they will have to re-grant the permission for the app to act on their behalf.
If you have set the Enterprise application to only allow a preset of users you will need to make sure these users are set against the enterprise application - however this is not turned on by default and any user can authenticate against the application.

Microsoft Azure Active Directory - Cant Add App From App Directory - OpenID Connect-based Sign-on

I have a purchased account of Microsoft Azure portal, but I cant add an Application from Enterprise Application directory specifically that Application who is having single sign-on mode: OpenID Connect-based Sign-on, it shows Add button as disabled., however, i can add any other application who is having any type of single sign-on modes like SAML-based Sign-on or Password-based Sign-on
URL
screencast1
screencast2
is there setting anywhere that I have disabled unknowingly?
PS : its not only about one app, i can't add any live app whose SSO is openId connect, in screencast i have given an app just to show disability of add button. so its not about infonix specific an app its General.
By default, Infolinx works with Azure AD. To get started, sign up for Infolinx using an account in your instance of Azure AD.
Suggest you to contact Infolinx, in case if you have any difficulties in sign up.

WAAD authentication with SAML: LiveId is not supported

I am developing a web application with Windows Azure Active Directory (WAAD) authentication support. In WAAD I added a user which already has a Microsoft Account.
I use SAML 2.0 protocol for authentication request.
In my app upon accessing a protected resource, I redirect the user to:
https://login.windows.net/<id>/saml2/SAMLRequest=...&RelayState=...
This is URL I copied from the WAAD management console:
The decoded SAML token looks like:
<samlp:AuthnRequest ForceAuthn="false"
ID="b6f579bb-c7fc-49b1-a8f1-bbe2ad99da5d"
IsPassive="false"
IssueInstant="2014-07-25T06:38:11.303Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:Issuer>....onMicrosoft.com</samlp:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"/>
<saml2p:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
This is working great, I am redirected to
https://login.microsoftonline.com/...
https://login.live.com/...
However, upon autheticating with a Microsoft Account user (which is also imported into WAAD), I get this error message:
ACS20031: Sign-in with LiveId is not supported for this application.
What am I missing?
On the WAAD web admin console I did not see such a setting. I tried both Single Tenant / Multitenant options
Is there a possibility to login with a simple WAAD user (not LiveId) with foobar#<tenantid>.onmicrosoft.com ?
To my knowledge no.
Up to today, the only way to get users signed-in with Live ID to your Application are the following:
Use Azure Active Directory Access Control Service (or better known as ACS)
Use the LiveID Web Authentication SDK
Use the Azure Active Directory with a remark. The remark is:
** You can only use LiveID to sign-in with Azure Active directory, if you first provisioned that user in your directory tenant. Provisioning happens when you create a new user in your Azure Active Directory Tenant and in the process of adding, add it as a LiveID e-mail. Then you will have this user in your AAD but marked as "Sourced From" -> "Microsoft Account":
The type of federation you are trying to enforce currently only works for Microsoft Internal applications, and not for customers. The only federation service that currently works for Customers is the Access Control Service.
Here you can read a bit about the future of ACS and the plans to merge these federation capabilities into next versions of AAD. But we still haven't got to that future.

Resources