We have set up an application in AAD.
The application has been granted access to read/write all messages/mails and "read users profiles" and a global admin have pushed the "Grant permissions" button in the portal.
Still We get Access denied error when trying to access
https://graph.microsoft.com/v1.0/users/{myId}/MailFolders/Inbox/ChildFolders
for my userid (myId). The URL works fine in graph explorer when I'm logged in as my own user.
Also, decoding the JWT at jwt.io shows the application id, name and "aud" (https://graph.microsoft.com) - but no roles/scopes.
What have we done wrong?
Ok so I submitted a ticket to Microsoft Support. I haven't received any response yet, but now it all works just fine. I have no idea why, but when I was submitting the ticket this morning a warning was shown that an outage in Azure AD was recently fixed so maybe that is why things didn't work yesterday.
These are delegated permissions... so you will need a user with the same rights and use the credentials of the user in your authorization flow for your app.
The effective rights are the intersection of the user rights and and the rigths of the app.
"Effective permissions are the permissions that your app will have when making requests to an API.
For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (through consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."
The user also needs permission to use the app in AAD.
If it is not a delegated permission, maybe there is the need for some global admin to grant the consent for all users. "Topic Admins" can only "request" the permissions for the app and the global admin can consent for all users.
Related
I am following the tutorial to accomplish SSO with chat bot in Teams, SBS bots with SSO: https://learn.microsoft.com/en-us/microsoftteams/platform/sbs-bots-with-sso?tutorial-step=5
At "Test in Web chat" section in Azure, I authenticated and then got the access permission window request displayed:
I accepted the request and got the token.
It seems this permissions consent window will be displayed only once and never again.
As I am testing this feature I would like to reset these permissions to visualise the flow again without needing to create/use a new account every time to sign in in Teams.
Is it possible to reset the permissions granted? So the permissions request window can be displayed again.
I'm working on a .Net application in which user can authenticate with a form using an Id or a Microsoft account (Azure Active Directory). The problem is that a user who doesn't yet have an account on my application can still connect via AD. After authentication, I would like to redirect him to a registration page for his account to be approved first. Since he is already authenticated, is there a way to prevent access to other pages?
I need some help, Thank you.
A requirement is set upon me to implement impersonation for developers, of course only for development environment. I was wondering if it is possible to request a token for any AAD user without knowing the password. The flow I would want is:
Developer goes to web application to select a user he wants to impersonate.
The web application checks if the developer is in the AAD.
The web application checks if the developer has the necessary rights to impersonate.
The web application returns a token valid for the user the developer selected.
The developer can use this token to authenticate against the API, and for all intents and purposes is the impersonated user.
Any good alternatives to this approach are also welcome.
No, you cannot impersonate a user like this.
You can acquire an access token if you know their password and they don't have MFA etc. with the Resource Owner Password Credentials grant flow.
But if you want to do it in a better way, you could have the users who you wish to impersonate login to your app.
Acquire an access token + refresh token for them.
Then store the refresh token securely.
Now you can use the refresh token at any time along with your app's client credentials to acquire a token for that user.
Refresh tokens can and do expire though, for example if the user's password is changed.
But this could allow you to implement what you want.
I'm trying to use Microsoft AD Azure to log into my web app. I'm using OWIN and have managed to get to the login page - type in the credentials (including an Azure admin credentials) and I get this lovely message:
AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I'm not sure what else I can do as it's a very specific error but I've already given it full admin.
Edit - Solved! Although it might be a bit different than for others as it's a bit of a rare case. I was pointing at the wrong version of AD where only the CEO of the business had global admin permissions. Once I had pointed it to a different version of AD (the dev AD - not the corporate AD) everything worked.
Your application requires Admin consent. Try the Grant Permissions button in Azure new portal. Wait a few minutes for it to take effect.
picture
Based on the error message, your app have assigned the application permission to the app which requires the Azure Active Directory admin to give the consent.
You can check the permission like figure below and remove all unnecessary permissions if your app doesn't use.
You can also refer the code sample here to integrate Azure AD with web app.
In addition, if we are developing a single tenant app and register the app from Azure classic portal or new portal, there is no need to grant the permission from the web app. The permission already be granted when we register the app.
Please let me know if it helps.
Using facebook C# SDK for a native app to be used in kiosk mode.
Scenario:
User logs in to facebook.
App request permission.
User deny permission.
Unable to programatically log user out of facebook since no access token has been granted.
(see: https://developers.facebook.com/docs/authentication/)
What is the best approach in the above scenario where the next user of the app should start from scratch?