I am using https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-iwa-v2/active-directory-dotnet-iwa-v2/#step-2-register-the-sample-with-your-azure-active-directory-tenant https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-iwa-v2/active-directory-dotnet-iwa-v2/#step-2-register-the-sample-with-your-azure-active-directory-tenant to generate token and I have followed the procedure as mentioned in the above link. I have provided clientID in appsetting.json file and it keeps keeping
Failed to get user name error.
I have used the admin account to generated the app.
screenshot of error:
Based on our discussion, this issue should have been resolved. I will summarize the solution here.
As the sample overview says:
This sample demonstrates how to use MSAL.NET from apps that run on a
domain joined or AAD joined Windows machine.
So you need to use an AAD joined Windows machine to test this sample.
Firstly, you need to add your Windows machine into your AAD domain.
Then when you run this sample, you may encounter the following error: The user or administrator has not consented to use the application with ID '{appId}' named '{appName}'.
This is because you haven't got user consent for this app in your AAD. You need to call AcquireTokenInteractive instead of AcquireTokenByIntegratedWindowsAuth in line 93 in PublicAppUsingIntegratedWindowsAuthentication.cs file. And then call AcquireTokenByIntegratedWindowsAuth again.
Now you can get the user signed-in on the Windows machine successfully.
Update:
Based on Constraints, IWA supports federated users only, meaning users created in Active Directory and backed by Azure AD. Users created directly in Azure AD, without Active Directory backing (managed users) can't use this authentication flow.
So if you want to use IWA(Integrated Windows Authentication), you need a federated account to test it.
Related
I need help.
I need to create an app, which takes all events from different calendars from my company, and display them in computers in conferences rooms. This is created, works good. To authenticate I use Oauth 2.0 like google wants, but I tested it only on my computer. When the app was launched on the computer in the conference room, the app needed logging into google account, which surprised me, because I put my oauth 2.0 credentials into my code, so I thought that this would be enough.
How can I skip that part, to authenticate only from code level and not display Oauth popup message to user?
When you run your code locally you are authorizing it. If you are using the official Google api .net client library then it is storing your authorization credentials in the %appdata% folder on your machine. Once you move this to the computers in the conference rooms they have not been authorized and there for will require that you authorize them. So you should be able to just run it once on each machine and authorize it and it will be all set.
If you do however have a google workspace account, I would recommend you look into using a service account and configuring domain wide delegation this would stream line your process a bit.
The following example shows how to use a service account with domain wide deligation.
var credential = GoogleCredential.FromFile(PathToServiceAccountKeyFile)
.CreateWithUser("user#yourdomain.com") // delegate to user on workspace.
.CreateScoped(new[] {CalendarService.ScopeConstants.Calendar});
I'm trying to setup authentication against Azure DevOps using MSAL. I've followed Microsoft's sample but I can't get it to work with personal Microsoft accounts. Whenever I try to login with a personal account I get the following error:
This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.
In the sample I have only changed ida:Tenant to "common" and ida:ClientId to my application id. I've setup my App Registration by following the guide in the sample except for the "Supported account types" which I've set to:
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
What am I doing wrong or missing?
When configuring the application to use your app registration, you need also find the key ado:OrganizationUrl and replace the existing value to the URL of your Azure DevOps organization. Please note: This must use HTTPS. As it mentioned in Configure the application to use your app registration.
If you already replaced the ado:OrganizationUrl, you may have a try to change the Supported account types back to "Accounts in this organizational directory only" to see if it works for troubleshooting.
I spent a little bit time to get the samples working and the key steps required to accomplish this are:
the Microsoft personal account need to be added to an Azure active directory tenant. As MSAL uses Azure AD as a fundamental infrastructure.
https://learn.microsoft.com/en-us/answers/questions/228067/invite-or-add-personal-ms-account-to-azure-ad.html
Link the Azure Ad tenant (with the Microsoft personal account) to the Azure DevOps service Instance.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
To complete the sample, I used my MS personal account to sign up a free Azure account (so that I can test the Azure AD stuff), and used the same account to request a free Azure devops service account.
Thanks
In your question you mention:
"I'm trying to setup authentication against Azure DevOps using MSAL. "
So, the goal is to let Microsoft Account users logon to some part of Azure DevOps using MSAL? I'm curious what the exact use case is, but let's assume I understand you correctly.
The first thing that comes in mind is, are those users already invited to the AzDo organization? Please read here how to do this.
Doing this will add them to the Active Directory as a guest like this:
Alternatively if you just want to invite these users to Azure, please use the invite from: https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers
This site suggests this error occurs when the user doesn't have multi-factor authentication setup. You may need to have your Microsoft account setup with MFA.
I have access to my Azure AD Portal. I also have an external ASP.NET application which is accessing the Microsoft Graph API. For this purpose I add an App Registration which give me an Application ID and Key to be able to configure my ASP.NET application to authenticate itself against the Graph API.
I need the my ASP.NET application to read groups out of Azure AD. I can authenticate successfully but I get an error saying that I have not enough privileges. Then I go back to the Azure Ad Portal and add permissions to the App Registration I added. This works ok so in the end I have the Graph API response on my ASP.NET application.
Now it comes the issue. I selected too many permissions so I want to use the smallest set of permissions that are necessary for my ASP. So I go the Azure Portal AD again and remove some of the permissions. When I test my app again, I still receive the groups even if I have no permissions selected.
I think this is an issue. Or there's some kind of delay? I don't think so because when the API is working and has the proper permissions I can add a group in Azure AD Portal and instantly see it in my ASP.NET application.
This issue is specially annoying because you can't really test the permissions your app needs.
Thanks.
I'm working on project where I need to access an Active Directory and get user data from there, like a phone book. With the Windows Authentication [WA] set at the creation of the project, It somehow automatically gets my account that is currently logged in to the computer in the following format:
[DOMAIN][username]
I don't know whether it's already communicating with the AD or just the current Windows login. My goal is to be able to log into the AD from both an internal and an external connection, and get data based on the roles the AD gives.
The default program gets the information like this with Razor:
#User.Identity.Name
So I'm able to extract the username like this:
AppUser temp = new AppUser
{
Username = ClaimsPrincipal.Current.Identity.Name
};
But this is obviously not enough to get by, and this won't authenticate me to the AD. The credentials are the same on the computer and on the AD, so in theory it should be possible.
My goal is to authenticate with the Windows Authentication the internal site without the need to log in again, but when accessing from an external site it still requires the credentials. This is an extension of a currently active project, so most of the backend is written, so it would be great if this was possible by using the current interfaces with new services underneath.
Thanks.
I'm trying to use Microsoft AD Azure to log into my web app. I'm using OWIN and have managed to get to the login page - type in the credentials (including an Azure admin credentials) and I get this lovely message:
AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I'm not sure what else I can do as it's a very specific error but I've already given it full admin.
Edit - Solved! Although it might be a bit different than for others as it's a bit of a rare case. I was pointing at the wrong version of AD where only the CEO of the business had global admin permissions. Once I had pointed it to a different version of AD (the dev AD - not the corporate AD) everything worked.
Your application requires Admin consent. Try the Grant Permissions button in Azure new portal. Wait a few minutes for it to take effect.
picture
Based on the error message, your app have assigned the application permission to the app which requires the Azure Active Directory admin to give the consent.
You can check the permission like figure below and remove all unnecessary permissions if your app doesn't use.
You can also refer the code sample here to integrate Azure AD with web app.
In addition, if we are developing a single tenant app and register the app from Azure classic portal or new portal, there is no need to grant the permission from the web app. The permission already be granted when we register the app.
Please let me know if it helps.