I have access to my Azure AD Portal. I also have an external ASP.NET application which is accessing the Microsoft Graph API. For this purpose I add an App Registration which give me an Application ID and Key to be able to configure my ASP.NET application to authenticate itself against the Graph API.
I need the my ASP.NET application to read groups out of Azure AD. I can authenticate successfully but I get an error saying that I have not enough privileges. Then I go back to the Azure Ad Portal and add permissions to the App Registration I added. This works ok so in the end I have the Graph API response on my ASP.NET application.
Now it comes the issue. I selected too many permissions so I want to use the smallest set of permissions that are necessary for my ASP. So I go the Azure Portal AD again and remove some of the permissions. When I test my app again, I still receive the groups even if I have no permissions selected.
I think this is an issue. Or there's some kind of delay? I don't think so because when the API is working and has the proper permissions I can add a group in Azure AD Portal and instantly see it in my ASP.NET application.
This issue is specially annoying because you can't really test the permissions your app needs.
Thanks.
Related
I'm trying to plug Azure AD Authentication to my MVC project.
and each time I try to connect the service these errors appear to me.
I checked the previous authentication into "packages.config" -"Web.config" and everything is clear.
also, I checked the client id, clientSecret, Redirect URL, Azure Domain and everything was right!!
what's is the problem here so I can't move forward with it?
Actually this kind of service linking Azure AD with needs permissions more that User.Read ,
because maybe it will change something in the Azure AD App.
so I change the project to authorize directly to Azure AD without that Service by edit the code manually.
I noticed that were adding Read directory data permission to the application. So you must have checked the permission when configure Azure AD Authentication.
Try to login Azure portal with the account which you used to configure Azure AD Authentication in Visual Studio. Find your application and check if you can add Directory.Read.All permission successfully.
If you can add it successfully, try to create a new Azure AD application when configure Azure AD Authentication.
I am setting up a WebAPI that needs to collect events from a calendar, located in sharepoint. The WebAPI is registered i Azure Portal and does not support user login. Can i restrict the application to only that one calendar, or only have access to a specific users calendars?
This is what i currently have.
A WebAPI ( .Net Core 2.1 )
Azure AD with a bunch of users
Registered in Azure Portal, with Application "Calendars.Read" permissions
Using TenantID/ClientID/ClientSecret when authentication the app, and have not user login for the webserver, and would prefer not to have user login if possible.
As of now, i can pull the events with Microsoft graph by using something like:
https://graph.microsoft.com/v1.0/sites/root/lists/4bddc7ee-xyz-xyz-83cc-/blablabla
The problem is that i have access to all users calendars, and i need to restrict the app to only have access to that specific calendar.
I have seen several similar questions like this, the answer is No, Microsoft Graph does not support that currently.
How does one go about tying in AD authentication to an existing Web API? I've attempted to do this with Azure but Azure doesn't play nice with Web APIs. The constant redirects are a nightmare. Is there some way I can set it up to just hit a local AD sever, authenticate the user, and get back a token? It seems like it should be fairly simple but I'm finding no information on this.
You will always be redirected if you're using Azure AD. You shouldn't be able to do this locally to my knowledge.
I'm trying to use Microsoft AD Azure to log into my web app. I'm using OWIN and have managed to get to the login page - type in the credentials (including an Azure admin credentials) and I get this lovely message:
AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I'm not sure what else I can do as it's a very specific error but I've already given it full admin.
Edit - Solved! Although it might be a bit different than for others as it's a bit of a rare case. I was pointing at the wrong version of AD where only the CEO of the business had global admin permissions. Once I had pointed it to a different version of AD (the dev AD - not the corporate AD) everything worked.
Your application requires Admin consent. Try the Grant Permissions button in Azure new portal. Wait a few minutes for it to take effect.
picture
Based on the error message, your app have assigned the application permission to the app which requires the Azure Active Directory admin to give the consent.
You can check the permission like figure below and remove all unnecessary permissions if your app doesn't use.
You can also refer the code sample here to integrate Azure AD with web app.
In addition, if we are developing a single tenant app and register the app from Azure classic portal or new portal, there is no need to grant the permission from the web app. The permission already be granted when we register the app.
Please let me know if it helps.
Is there a mechanism in Azure AD to have a completely headless authentication? Most likely this would mean (in my mind) that the server running the API would have a perpetual authentication session to Azure.
If the purpose matters... We have a need to expose our thumbnailImage attribute from AD and I just need to make it so that the server doesn't care who requests the image. So basically we will have https://domain.com/api/Image/userid and the api will return an Image object (image/jpeg). I have this functioning internally and now I'm just migrating to Azure.
I found this question... I just want to confirm two things...
Daemon or Server Application to Web API is the method I should be looking at
Using this method will function as I'm expecting... a.k.a. WebAPI can access that attribute and use it like I currently use it while inside our internal domain.
Indeed. Azure AD supports the client credential OAuth flow. Yes, you are looking at the right help topic. The corresponding sample application is here: https://github.com/AzureADSamples/Daemon-DotNet.
If you haven't already, use Azure management portal to register your WebAPI as an application in your Azure AD directory and add a client secret (under the section named 'key' in the 'configure' tab of the 'application'). This key will be used as the client credential.
To configure permissions for your WebAPI to be able to call Graph API using client credential flow token, go to the application tab in the Azure Portal, under Azure AD and in the section titled 'Permissions to other applications', add an 'Application Permission' to 'Windows Azure Active Directory' to 'Read directory data'.
What you refer to as perpetual authentication session is basically your WebAPI caching the access token to Graph, and getting a new access token (using client credential flow) when the current access token is about to expire.
Hope this helps.