We've got a Windows Service which sends emails using EWS API and is using Basic Authentication for that. As well as that it uses EWS API to check some folder in the mail box to retrieve certain email which is going to be used as template. To be honest I'm not pro in mail-servers and not sure if retirement of basic auth approach will affect us.
Another thing to consider is that our team doesn't have control over Azure tenants and it's our client's IT department who has it and they are going to create new Azure tenant for that and as far as I understood by default basic auth will be disabled for it.
So should we updated our service to Graph API in this case or would it be possible somehow to reenable basic auth for that new tenant?
Thanks!
We've got a Windows Service which sends emails using EWS API and is using Basic Authentication for that. As well as that it uses EWS API to check some folder in the mail box to retrieve certain email which is going to be used as template. To be honest I'm not pro in mail-servers and not sure if retirement of basic auth approach will affect us.
The Change to Basic Authentication has been deferred now to 2021 rather then October
https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508
Another thing to consider is that our team doesn't have control over Azure tenants and it's our client's IT department who has it and they are going to create new Azure tenant for that and as far as I understood by default basic auth will be disabled for it.
It sounds like you don't quite understand how Office365 and AzureAD work as most of what your saying is incorrect. The only thing you need for oAuth is an Azure Application registration https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app . If your app is going to be used by lot of different clients then make it multi-tenant. What each client would need to do is Grant Consent for your application to be used in their tenant https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent (this is just a one off thing).
So should we updated our service to Graph API in this case or would it be possible somehow to reenable basic auth for that new tenant? Thanks!
If you use the Graph API you will still need the same registration/consent to use oAuth
Related
Is it possible to pull work items from the DevOps API without needing a user to be logged in to get an access token every time?
I am trying to create a back-end service that pulls work items from the API every so often to generate a report. Can I just generate a one-time access key to use with that back-end service?
I've looked around the documentation, but it seemed like it all requires either a PAT or Azure Active Directory authorization/authentication.
Here's the docs for the API: Link
you can do something like this https://learn.microsoft.com/en-us/azure/devops/organizations/settings/manage-authorizations?toc=%2Fazure%2Fdevops%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdevops%2Forganizations%2Fbreadcrumb%2Ftoc.json&view=azure-devops
and
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
Basically authorize applications to use devops based on your credentials using oauth. similar to an app registration.
Thats the only way I can see without PAT and manual login each time.
Instead of your personal account, you could create a fake AAD user then add it to your Azure DevOps Service.
Use that account to create a Personal Access Token. Similar to Build Service account to pull source code/work items. This should be a easy way to track everything.
But the limitation here is also obvious: this needs involvement of IT department, and also causes additional costs, since every user is billed.
Allow personal access tokens that do not expire is not supported right now. There is a related user voice.
As an alternatively way you could use OAuth just as alphaz18 suggested. Details please refer-- Authorize access to REST APIs with OAuth 2.0
I want to enable multiple AD authentication using OAuth Prompt in my BOT that i have developed.Currently, there is only one connection that it is taking through which our project AD is getting hit and the credentials are validated. But, i want the same O-Auth prompt to work for different AD's at a time in the BOT which was created using MS Bot framework V4 SDK in C#.
To clearly explain my query, let me take and example and also let me tell you the steps i have followed for enabling the Authentication in my BOT:
MS Bot deployed to AZURE
In the setting of WebApp Bot created OAuth Connection setting with Name: OauthConnection by providing my AZURE AD client ID and secret during creation. Tested the connection it was successful.
In my BOT code, used OAuthPrompt method for enabling the authentication and to it passed the Connection name as "OauthConnection" which was created in STEP #2
Added this Prompt method to the Dialog stack
Now my Bot code when executed gives me sign in option where if i enter the required credentials, it gets validated against the AZURE AD using the connection name provided in the OAuth Prompt method where in turn the required client ID was given
Now if we observe, The credentials are validated against the AZURE AD of which the connection name was given
What I Want to achieve is:
How to make the OAuth Prompt method such that it supports Multiple ADs simultaneously at a time?
Meaning, if my AD uses the domain as #axct.com and another AD uses domain as #avabt.com currently the oauth prompt if configured using above steps either supports the authentication of AD which uses login as #axct.com or #avabt.com at any given point of time but not both at a time in parallel.
I want to enable it such that it uses both AD for authentication at any given time in parallel such that if i use
john.doe#axct.com and its password during login it should successfully authenticate and return the respective Token at the same time if I use john.john#avabt.com as login credentials with proper password it should still successfully authenticate and return me the Token such that i can retrieve the user name from using the returned token using graph API.
How to achieve this is my query or issue as i am not sure how to do it?
Similarly, how to enable for any given AD like social networking sites, google or any other credentials using single Oauth Prompt method.
Is this can be achieved using Oauth Prompt? If yes please explain in detailed guide step by step manner in solving this issue as i am new to BOT and coding
or this is wrong expectation we have to use another method and not Oauth prompt?
Please explain in detailed guide step by step manner in solving this issue as i am new to BOT and coding.
Language: C#
Bot SDK: V4
Thanks in Advance
Regards
-ChaitanyaNG
Expected Result: Enable multiple AD authentication at a any given point of time using OAuth prompt in BOT SDK V4 code done in C# such that it works in parallel
Actual Result: Only one AD authentication works
Update to the query: 14 Aug 2019 -
To make my query more easily understandable-
How to make/convert my BOT using OAuth Prompt for authentication such that it works as a multi-tenant SaaS application using Azure AD?
Please help me with this query or issue so that i can implement it in my BOT having Water Fall Dialog.
The sample bots are configured to only look for one connection string. This leaves you with two options:
1) you can configure your dialogs to branch based on user input of what type of domain they're going to be using. Then, based on the dialog, for example axctDialog.cs or avabtDialog.cs, an auth prompt could be created, and it would use the connection string you have for it in appsettings. This would mean, however, asking your users to select their domain before signing in, something they might find tedious and extraneous.
2) When you create your Azure AD application (what you created in order to create the connection string on the bot), you create it to be multi-tenant. Much simpler. If you've already created your AAD app, you can go into the app manifest and change the values. For example, signInAudience would need to be set to either AzureADMultipleOrgs or AzureADandPersonalMicrosoftAccount and the endpoint would be common instead of the tenant domain. More details about this can be read here.
Beside your Bot registration (Bot app id and app password), you must have a separate AAD app registered for your bot service.
If that's the case, just register your AAD app as multi tenant.
One thing to note, when you create the OAuth2 settings for this app in your Azure bot service registration (or channel registration), you need to set the "TenantId" setting to be "common" - this doesn't seem to be documented anywhere.
BTW if you just want to build relatively simple bots, check out my recent Github repo. It has built in generic code written to handle auth and token exchange for you and a lot more.
I'm building a .net backend for my Azure Mobile Service.
I would like to execute code whenever someone authenticates with one of the default providers (i.e. Microsoft, Google, Facebook etc.).
Some examples of what I would like to do during authentication:
Associate their MS/Google/FB Account ID with my own user accounts
Add claims to the ServiceUser
To sum it up: is there any way to hook into the server side execution of MobileService.LoginAsync(provider) in a .net backend?
Yes, you should look at the custom authentication feature of Mobile Services, which should be flexible enough for your use case: https://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-get-started-custom-authentication/
You might also be interested in the new AAD B2C offering, which has a lot of features that might fit your scenario: https://azure.microsoft.com/en-us/documentation/services/active-directory-b2c/
I am just starting out with a windows azure mobile services .net backend, and am running into so many headaches as a new programmer. I have gone into my azure mobile services account and downloaded the todoitems demo app (c# for .net backend). I then followed the tutorials regarding adding facebook authentication, but I am absolutely not pleased by this method, as it shuts down the app for a few seconds. As such, I set out determined to create a custom authentication login page which ties to my mobile backend.
I found this article and thought, "Great!" only to realize that I had no clue how to catch a user created account from a textbox and to pass it along to the public class RegistrationRequest. The example at the end of the link shows how to connect to a local machine - but I want it to connect to my actual database at the following location: https://mycustomapp.azure-mobile.net, return a token, and continueon.
What is frustrating is that I am able to obtain a facebook authentication token, as well as user information. BUT, I have no idea how to generate a windows azure mobile auth token so that the client may write/retrieve data from my azure table.
Essentially my question is this - using the above link, how in the world may I take a user's username and password from a textbox, run it through the RegistrationRequest, and not have to pop advil on this? Do I need to pass my facebook token? I assume not?
I am also not using a facebook SDK or anything like that - simply put, I am using the above site's code trying to get an auth token from my azure mobile services, despite having one from facebook already, to authenticate a user against my azure mobile services data table.
If you already have a FB token, the easiest way to login to your mobile service is by using the FB token, then you don't need to make a custom UI/etc.
This can be done by calling
var token = new JObject();
token.Add("access_token", "access_token_value");
await client.LoginAsync(MobileServiceAuthenticationProvider.Facebook, token);
see: http://azure.microsoft.com/en-us/documentation/articles/mobile-services-windows-dotnet-how-to-use-client-library/#authentication, Client Flow for more
if you want to login to your service with a Facebook account, you do not need to implement a custom authentication and to capture user name and password in your own textbox controls.
You should be able to use MobileServiceClient.LoginAsync() and pass as parameters the provider that you want to use. Check this article fro more information.
I have an Azure account and currently a Mobile Service setup with a SQL Database so that my Windows Store app can communicate with the database.
I have developed sites using ASP.NET WebPages authentication. And I need something similar for my Windows Store app.
I have successfully gone through the documentation and tutorials on the Windows Azure website and implemented ACS (Windows Live ID, Google, Yahoo!, and Facebook) - but the thing is - I don't want Google, Yahoo!, Facebook or even Windows Live ID or Microsoft Account) logins - I want my OWN login but it seems that they don't give you this option (correct me if I am wrong).
I need to allow users to signup from within my application (that means, providing their name, DOB, email, phone, address, etc) and shove it all in my database.
Now, after implementing Microsoft Account login with my Azure service, I found out that you can't even get the most basic information about any user who has logged in to your application - not even an email address.
I have spent hours searching online for something that could possibly help but I am running out of keywords - and have not hit a single related result yet.
Does anyone know if this is possible? How would we go about integrating login and signup with a Windows Store app that set/gets this data into/from a Windows Azure service?
Any code, samples, links, tutorials, documentation, etc would be highly appreciated.
You have gone down the road of hooking up external identity authentication, which in my opinion for an external facing web application is a better approach. Benefits are:
Your application is only responsible for Authorization not Authentication. There is a whole lot of work involved in Authentication and a large number of best practices. Best let those who know best take the burden of this. This doesn't mean you shouldn't try and understand it though.
If your site gets hacked you don't have to tell them that their username / email and password combo has been compromised and they will probably have to change there passwords on other sits.
You are also making sure that your users don't have to remember / manage yet another username / email address password combo
If you really want to do the Authentication then that is fine but you will need to do it yourself. Have a look at examples on Asp.Net Membership. This is not the only way and nor is it the best way but there are lots of examples.
Now if you decide you want to use external authentication I can give you some pointers to help with your current implementation.
First thing to note that the Id you get back from Live, Google, Facebook can only be assumed to be unique for that provider. Therefore if you want to keep a profile in your system for that identity and you want to use more than one provider you will need to implement it in such a way that you can keep the id unique in your system and help you associate it with a provider.
Website Authentication with Social Identity Providers and ACS Part 2 – Integrating ACS with the Universal Profile Provider
As you have found out not all of the Authentication providers return the same "claims". A claim is something that user claims to have, such as an email address, name, date of birth, etc. All the ones you can use by default via the ACS return Uid and some return a name and email address. What you have to do is fill in the gaps. When someone registers you will need to pull the relevant claims and then ask them to fill in the missing ones. You may also want to map the different claims in the ACS to a common name that you can use in your app as one provider might use slightly different names.
Federated Identity with Windows Azure Access Control Service
Just because you do not handle Authentication you still need to be responsible for keeping your application secure. Half of the work has been done for you so your code should be a lot lighter but you will still need to make use of roles.
Windows Azure Role Based authentication (ACS)
The really nice thing about this approach is you can implement your application the same why SO have done with there identity model. You can allow users to associate multiple identities against their profile meaning they can login how they want to.
If you choose not to use the built in providers for ACS you will need to implement your own Identity Provider using SAML, OpenId, etc...
You can look into the Windows Identity Foundation (WIF) for implementing WS-Trust or WS-Federation.
There is also ADFS which has the same set of support but uses Active Directory with WIF and Azure has its own version of AD that can be used.
There is also thinktecture identityserver which can jumpstart your venture into IdP land, but I have not used it myself yet.
If you want to go the OpenId route there is DotNetOpenAuth.
If you're looking to add custom identity to your Mobile Services app, check out Josh's post on custom auth: http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx