Channel: Azure Active Directory forum

Authentication using a registered app


Hi Community,

My end goal is to be able to connect to PowerBI REST APIs and to that end, I have created an app in Azure. 

I have an Azure Function App which does that for me, but I first need to be able to log in using the registered app.

I have tried all (or most) of the available solutions that teach us how to log in using a user name and password, and I see that there are 2 errors thrown, depending on which sample I try out:

1. 

Failed to call the Web Api: Forbidden
Content: {
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "d426325e-fae3-4da1-978e-18f4c4dcf689",
      "date": "2019-05-02T09:20:47"
    }
  }
}

2. 

  Federated service at https://opal.abcd.com/adfs/services/trust/2005/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized.
{Microsoft.Identity.Client.MsalClientException: Federated service at https://opal.abcd.com/adfs/services/trust/2005/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized. ---> Microsoft.Identity.Client.MsalServiceException: Federated service at https://opal.abcd.com/adfs/services/trust/2005/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized.
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.PerformWsTrustMexExchangeAsync(String federationMetadataUrl, String cloudAudienceUrn, UserAuthType userAuthType, String username, SecureString password)
   at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest.FetchAssertionFromWsTrustAsync()
   at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenByUsernamePasswordParameters usernamePasswordParameters, CancellationToken cancellationToken)
   at up_console.PublicAppUsingUsernamePassword.GetTokenForWebApiUsingUsernamePasswordAsync(IEnumerable`1 scopes, String username, SecureString password) in C:\Users\dpradh1\Desktop\active-directory-dotnetcore-console-up-v2-master\active-directory-dotnetcore-console-up-v2-master\up-console\PublicAppUsingUsernamePassword.cs:line 96

A few of the samples that I have tried are:

Documented sample 1

Documented Sample 2



Can someone please help!


TheStarSailor



AADConnect - How to list orphaned user objects from O365/Azure AD

Sometimes objects deleted from on-premises AD are not deleted from Azure AD. So how do we find the list of orphaned user objects in Azure AD so that we can delete them?

Regards, Nidhin.CK

Azure AD Connect Synchronization Problem


Hello,

We are in a hybrid Exchange environment. We use Azure AD Connect to synchronize our local directory with Office 365. I faced a problem in distribution group synchronization. When I add a member in delivery management for this distribution list from Exchange on-premises, the DL is not synchronized to Office 365. When I checked the Azure AD Connect metaverse, I found the object is updated. I also checked the rule applied. It's an updated value from the Synchronization Rules Editor.

Any idea?

Regards,




Main Azure account holder?

So I'm logged in to Azure with an organization login with very limited access. I see that the custom domain was also verified, but I'm not aware of it. How can I find out which account is the main holder? Thanks

Verify Microsoft SignIn response


Hi,

Sorry if this is not the right forum.

In our service (back-end in Java/Spring, front-end in React) we implemented Google Sign in.

The end result of the Sign In process is that the front-end receives an object from Google which it re-sends to the back-end. The back-end verifies (with a Google Library) that the object is valid and extracts user info from it. Like this:

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import java.util.LinkedHashMap;

public void authenticateGoogleUser(Object googleInfo) throws Exception {
    LinkedHashMap<String, String> map = (LinkedHashMap) googleInfo;
    String tokenId = map.get("tokenId");
    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(...).build();
    GoogleIdToken googleIdToken = verifier.verify(tokenId); // verify that the tokenId is valid
    if (googleIdToken == null) {
        // verify() returns null for an invalid token; reject instead of dereferencing it
        throw new SecurityException("Invalid Google ID token");
    }
    GoogleIdToken.Payload payload = googleIdToken.getPayload();
    String userId = payload.getSubject();
    String email = payload.getEmail();

    // etc.
}

Now we want to implement the same functionality with Microsoft Sign in.

The front end shows the Microsoft SignIn button, the user signs in, and the front-end receives the Microsoft SignIn response object and re-sends it to the back-end server.

Our question is: How do we validate this response in the back-end server?

Is there a library that does it, like the GoogleIdTokenVerifier?

Thank you
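For the Microsoft side the contract is the same as for Google: the back-end must verify the ID token's signature against the tenant's published signing keys and then check issuer, audience, expiry and (where the server issued it) the nonce before trusting any claim. The following is an added example, not code from the post above, written against the nimbus-jose-jwt library; the tenant ID, client ID, the field name under which the front-end forwards the raw ID token, and the session-stored nonce are assumptions.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;

public class MicrosoftIdTokenVerifier {

    private final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

    // tenantId and clientId are assumptions: take them from your own app registration.
    public MicrosoftIdTokenVerifier(String tenantId, String clientId) throws Exception {
        // Signing keys are fetched (and cached) from the tenant's JWKS endpoint; Azure AD rotates them.
        JWKSource<SecurityContext> keys = new RemoteJWKSet<>(
                new URL("https://login.microsoftonline.com/" + tenantId + "/discovery/v2.0/keys"));
        // Pin the algorithm so a token whose header claims "none" or an HMAC algorithm is rejected.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        // Exact-match issuer for this tenant (v2.0 endpoint), required audience = our client id,
        // and claims that must be present; exp/nbf are checked against the clock by the verifier.
        JWTClaimsSet expected = new JWTClaimsSet.Builder()
                .issuer("https://login.microsoftonline.com/" + tenantId + "/v2.0")
                .build();
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                clientId, expected, new HashSet<>(Arrays.asList("sub", "exp", "iat"))));
    }

    /**
     * Returns the verified claims or throws if any check fails.
     * expectedNonce: the per-login value the server issued to the front-end and kept in the
     * session (assumed); pass null only if the client library generates the nonce internally.
     */
    public JWTClaimsSet verify(String idToken, String expectedNonce) throws Exception {
        // Signature, issuer, audience, expiry and required claims are all checked here.
        JWTClaimsSet claims = processor.process(idToken, null);
        // Binding the token to this login attempt blocks replay of a token captured elsewhere.
        if (expectedNonce != null && !expectedNonce.equals(claims.getStringClaim("nonce"))) {
            throw new SecurityException("ID token nonce does not match this login");
        }
        return claims;
    }
}
```

In the Spring handler, call `verify(map.get("idToken"), sessionNonce)` and use `claims.getSubject()` (or the `oid` claim) as the stable user identifier rather than the e-mail, which can change.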




Workday SSO with Azure AD: Mobile App Login Redirect URL and Timeout Redirect URL?


I am trying to configure Workday to use Azure AD for Single Sign-On (SSO). I am following Microsoft guidance:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/workday-tutorial

There are two settings on Workday that are not documented, and I would like some guidance on: Mobile App Login Redirect URL and Timeout Redirect URL.

Currently, my Login Redirect URL is set to https://impl.workday.com/<workdayTenantName>/login-saml2.html. This works just fine. However, when I try to set the Mobile App Login Redirect URL to the same value, I get an error of "Invalid user name or password". Why is this error happening? Should the Mobile App Login Redirect URL be different from the regular Login Redirect URL? And if so, what should the Mobile App Login Redirect URL be?

Also, for testing purposes, I have tried setting our Timeout Redirect URL to both our Login Redirect URL (https://impl.workday.com/<workdayTenantName>/login-saml2.html) and our Logout Redirect URL (https://login.microsoftonline.com/<azureAdTenantId>/saml2). Neither of these values seems to result in a session timeout for a user logged into Workday. What should the Timeout Redirect URL be?


MSAL 3x : AcquireTokenByUsernamePassword not working as documented : Microsoft.Identity.Client.MsalServiceException


Hi

WPF, VS2017, MSAL 3x version.

I am trying a sample to test the function AcquireTokenByUsernamePassword(). Following is the code example. I am getting the error

Error Acquiring Token:
Microsoft.Identity.Client.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

private async void MSALUsingScopeUserNamePasswordVersion3_Click(object sender, RoutedEventArgs e)
{
    string[] scopes = new string[] { "<ResourceID XXXXXX>/user_impersonation" };
    string targetAPIUrl = string.Format("https://xxxxxxxxx.azurewebsites.net/api/TestFunction1");

    string ClientId = "3c278a32-0202-111c-8b03-xxxxxxxxxx";
    string Tenant = "xxxxxx-7665-xxxx-8ce2-xxxxxxxxxxxx";

    IPublicClientApplication _clientApp;
    AuthenticationResult authResult = null;

    _clientApp = PublicClientApplicationBuilder.Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
        .Build();

    try
    {
        var securePassword = new SecureString();
        foreach (char c in "RealPassword123")   // you should fetch the password
            securePassword.AppendChar(c);       // keystroke by keystroke

        authResult = await _clientApp.AcquireTokenByUsernamePassword(scopes, "ADUser@CompanyName.com", securePassword)
            .ExecuteAsync();

        outputBox.Text = await GetHttpContentWithToken(targetAPIUrl, authResult.AccessToken);
    }
    catch (MsalException msalex)
    {
        outputBox.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
    }
}

Please advise.

Regards

AAD - The user ID you entered does not exist. Please check that you have typed your user ID correctly.


Hi,

I am not able to log into Azure portal and cannot reset my password by using SSPR.

When I try to reset the password, I get the error: The user ID you entered does not exist. Please check that you have typed your user ID correctly.

I have done a full sync on both our azure servers but it didn't help.

Does anyone know why?

Thank you.



AuthenticationContext.AcquireTokenAsync crash with a given password


Hi!

I have this "simple" code:

using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static async Task<string> RetrieveTokenAsync()
{
    var authContext = new AuthenticationContext("https://login.windows.net/MYTENANT.com/", true, new FileCache());
    try
    {
        AuthenticationResult result = null;
        result = await authContext.AcquireTokenAsync(Resource, ClientId, new Uri(RedirectUri),
                new PlatformParameters(PromptBehavior.Auto), UserIdentifier.AnyUser, "domain_hint=MYTENTANT.com");
        if (result == null)
        {
            throw new InvalidOperationException("Failed to obtain the JWT token");
        }
        // store token for reuse
        Console.WriteLine("AccessToken=" + result.AccessToken);
        return result.AccessToken;
    }
    catch (Exception ex)
    {
        throw new InvalidOperationException("Could not retrieve token.", ex);
    }
}

static void Main(string[] args)
{
    try
    {
        RetrieveTokenAsync().Wait();
    }
    catch (AggregateException ex)
    {
        // Wait() wraps the InvalidOperationException thrown above in an AggregateException
        Console.WriteLine(ex.InnerException?.Message ?? ex.Message);
    }
}

When I call await authContext.AcquireTokenAsync on a computer that is not connected to Office 365, use an account belonging to an Office 365 account, and enter the user and password, it crashes.

This only happens with that user and password... if I use another user but the same password then there is the same crash. So it seems that the problem is related to the password I use... quite strange. It's a simple password of 8 characters.

I tried compiling it against different versions of the Identity package but it's the same.

Any clue?

Thanks


Current Hybrid AD -> migration to Azure AD


Currently have a Hybrid AAD env. 

We are testing autopilot, intune with the goal of managing devices solely in Azure. 

We rely heavily on GPO.

I want Azure AD to eventually replace our on-prem AD. Since we currently do not have devices managed by Azure, but are testing deployment and piloting Azure AD and Intune MDM/MAM, my question is: I don't want to proceed with Autopilot and Intune in a hybrid scenario if we plan on eventually moving away and going full Azure AD.

Is there any reason why I cannot just move forward with device management on pure Azure AD joined devices and manage the GPO via Intune?

If you have any resources for research that would be helpful as well. All of the documents are hybrid - do this, Azure AD - do this. But nothing really clear on if you have hybrid (for SSO and AD on prem integration) but plan on moving to full Azure = you can proceed with Azure AD management (AutoPilot and inTune) with devices, keep hybrid in place for account management. 

Thanks,

SJMP

Cannot enable password writeback with Microsoft 365 Business and Azure AD Connect


 I'm using AD Connect 1.2.70.0 and have configured all steps outlined in "How-to: Configure password writeback".







Xamarin, Azure B2C, EF


Hi,

My code stopped working on the weekend, there has been no code/config changes.

Xamarin Forms App using Microsoft.Identity.Client 1.1.4-preview0002 for login, Azure Mobile App Service with Entity Framework.

Xamarin Login Code

AuthenticationResult authenticationResult = await App.PCA.AcquireTokenAsync(Constants.Scopes,
    GetUserByPolicy(App.PCA.Users, Constants.PolicySignUpSignIn), App.UiParent);

accessToken = authenticationResult.IdToken;

// Log in to the mobile services
var payload = new JObject();
payload["access_token"] = accessToken;

var user = await DataManager.DefaultManager.CurrentClient.LoginAsync(
    MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
    payload);


Backend Code for database access

var principal = this.User as ClaimsPrincipal;

string provider = principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

The above backend code now returns null; it was returning the oid of the Azure B2C user that was logged in via the Xamarin Forms app.

Any ideas on how to fix this? I have tried updating to Microsoft.Identity.Client Version="2.7.1", with the same result.

Thanks,

J

Authentication and authorization for Azure Time Series Insights API using App registration from different subscription


Hi, 

Based on this link

https://docs.microsoft.com/en-us/azure/time-series-insights/time-series-insights-authentication-and-authorization

We know that we are able to add an application to the Time Series Insights Data Access Policies based on step no. 6.

My question would be: is it possible to add an application that was created in a different subscription from the TSI?

Azure B2C Authentication for Asp.net core Web and API


Hi, 

I have created ASP.NET Core web and API projects and registered them with my B2C Active Directory, and I am able to do the authentication in the ASP.NET Core web app and get the token based on my B2C user flow configuration. Now, I want to access the ASP.NET Core API (which is secured through B2C Active Directory).

Please let me know how I create the access token to access the API. I want to get the user information in the API as well.

Thanks,

Selva

   


Selvakumar Rathinam

AZURE Authentication

I have an application where I have to implement both Azure AD (for internal users) and Azure AD B2C (for external users); how can I do this?

programmatically check if a computer has an office365 user that uses ADAL to connect


Hi!

The scenario is this: When you install Windows and you select an Office 365 account then you install Office and no password is asked when using Office for first time (because the current Windows user is an Office 365 user). The same for OneDrive for business.

In such a case, if you use ADAL programmatically and call AuthenticationContext.AcquireTokenAsync, you get an ADAL panel that offers you the choice to use the user that is logged in to Windows... you click on that user and no password is required (and it gives you a token).

I want to know BEFORE calling AcquireTokenAsync if such option (that the user password will not be used) is available.

In other words, I need to programmatically know if the current windows logged user is an office365 user.

Thanks.

App password support for MSOnline module and AzureAD module.


Team,

I need to automate PowerShell scripts without interaction to manage my Azure AD environment. By policy, all global admins must have MFA enabled for security reasons. When using an app password with the MSOnline/AzureAD module, an error is thrown. What is the solution to this?


App Registration: CustomKeyIdentifier is NULL


Hi

I'm comparing the manifests for two App Registrations in AAD. One of them works* and one doesn't. 

Looking at them side by side, I can see two passwordCredentials entries with values like this (in the working one)

"customKeyIdentifier": "***************************" (the value is actually a long string of characters)

In the one that isn't working (I just get "Unauthorized" every time I call it) the values are null:

"customKeyIdentifier": null

This seems like it might be the cause of my problems so I was wondering what I'm doing wrong? How can I get a sensible value in there through the Azure UI?

Thanks

* i.e. our logic apps can use it to call a custom API (using JWT/OAuth) hosted on-premises

Asp.net core 2.1 + windows authentication + AzureAD


Hi,

I have my ASP.NET Core 2.1 web app deployed on an AWS instance / Docker cluster.

This is a private network and I need this web app to be authenticated using Integrated Windows Authentication on Azure AD.

Could someone please let me know if this is a valid scenario, or suggest how to proceed.

Thank You.

Regards

Chaithanya

Getting AADSTS50020 when trying to sign in to feedback.azure.com


Hi,

I'm trying to sign in to https://feedback.azure.com using my MS account to post some feedback, but sign in fails with the following message.

Request Id: 0454e37c-25a3-4b22-a42e-d8873a9b7d00
Correlation Id: 5fcdc32e-cd52-4af9-8583-921beb138b91
Timestamp: 2019-05-07T13:26:36Z
Message: AADSTS50020: User account '****@*******.com' from identity provider 'live.com' does not exist in tenant 'UserVoice, Inc.' and cannot access the application '91a42e81-999b-4cf1-aa36-bb33f25ff53b'(windowsazure.uservoice.com) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

I think that I was able to sign in to feedback.azure.com in the past. I'm able to sign in to other MS services (like https://azure.microsoft.com, or https://microsoft.com itself) using my MS account, but for https://feedback.azure.com it fails.

Not sure if I am asking in the right place. Please direct me to where I should ask, if it would be better to ask this in a different place.


