Users are created in Azure AD for a native application that I built. I would like users to use their Windows Live ID if they have one; otherwise I would create an AD account for them.
AD accounts are able to log in, but whenever a Windows Live account tries to log in I get the following error message:
No service namespace named 'timetray' was found in the data store.
I'm not sure what this means, what the service namespace is, or where I can find the data store.
The name for the service namespace that I am using is the resource ID URI for an application that I provisioned in the Active Directory:
    using System;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    private Uri redirectUri = new Uri("http://TimeTray");
    private string clientId = "{{Client-ID}}";
    private AuthenticationContext _authenticationContext;
    private string domainName = "common";
    private string resourceAppIdUri = "http://TimeTray";
    private string resourceBaseAddress = "http://timetray.azurohosted.com/";

    public void Authenticate(OnLoginComplete onLoginComplete)
    {
        // CredManCache is the app's own ADAL token cache (backed by the Windows Credential Manager)
        CredManCache creds = new CredManCache();
        _authenticationContext = new AuthenticationContext("https://login.windows.net/" + domainName, creds);
        // Interactive sign-in: ADAL shows the browser dialog and returns a token for resourceAppIdUri
        AuthenticationResult authenticationResult = _authenticationContext.AcquireToken(resourceAppIdUri, clientId, redirectUri);
        UserEntity user = new UserEntity();
        user.NTUserName = authenticationResult.UserInfo.UserId;
        user.SID = authenticationResult.UserInfo.UserId;
        onLoginComplete(user);
    }
I assume you are setting up ADAL with AAD.
When creating AuthenticationContext:
Instead of "https://login.windows.net/" + domainName (common)
Try
https://login.windows.net/[Guid for the web api configured on your client in Azure AD]/FederationMetadata/2007-06/FederationMetadata.xml
In its data store, Azure will now look for service namespace [guid] instead of what is deferred from the login name billy@timetray.onmicrosoft.com.
See the MSDN sample
http://code.msdn.microsoft.com/AAL-Native-Application-to-fd648dcf#content
It states: "Set the authority to https://login.windows.net/common to defer choosing the AAD domain till the user signs in."
Also, use http://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/
I guess you also need to create users in Azure AD that are linked to existing Microsoft Accounts.
I tried to find an Azure authentication mechanism that takes an access token as a parameter, but no luck. I just found the ClientSecretCredential class, which takes a tenant ID, client ID, and client secret as parameters, like below:
    var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
The reason I need that is that the access token will be generated by another service, and my service will only accept an access token to be used to authenticate to Azure AD.
Actually, I can utilize the Azure Management REST API to do that. However, to improve developer experience I'd like to utilize the .NET client library if possible.
I have tried to find documentation for the Azure Identity client library at https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet, but I couldn't find any class or method that I need.
If you want tokens from Azure AD you can use the Microsoft.IdentityModel.Clients.ActiveDirectory library to get the tokens.
I am assuming that you have already created an Azure AD app registration and already possess the client_id, client_secret and tenant_id. Just save these as strings in code.
Now we can use the ClientCredential along with AuthenticationContext to acquire tokens.
Complete program:
    using System;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    string client_id = "";
    string client_secret = "";
    string tenant_id = "";
    string endpoint = "https://login.microsoftonline.com/" + tenant_id;
    ClientCredential credent = new ClientCredential(client_id, client_secret);
    var context = new AuthenticationContext(endpoint);
    // Client-credentials grant: no user involved, the app authenticates with its own secret.
    // AcquireTokenAsync returns Task<AuthenticationResult>; .Result below blocks until it completes.
    var result = context.AcquireTokenAsync("https://management.azure.com/", credent);
    Console.WriteLine(result.Result.AccessToken);
Here result.Result.AccessToken will give you an access token.
I am trying to manipulate Microsoft Planner tasks (the end goal is to create a task in a certain scope and bucket).
I am already failing at listing a plan or the buckets for a plan. I want to make this connection from a background service (daemon), so no interactive user login should take place. (With interactive login credentials I can make it work, but that's not what I need/want.)
So I created a new App Registration in Azure with the API permissions:
Group.Read.All (Delegated)
Group.ReadWrite.All (Delegated)
Tasks.Read (Delegated)
Tasks.Read.Shared (Delegated)
Tasks.ReadWrite (Delegated)
Tasks.ReadWrite.Shared (Delegated)
User.Read (Delegated)
Group.ReadWrite.All (Application)
Tasks.ReadWrite.All (Application)
User.ManageIdentities.All (Application)
User.ReadWrite.All (Application)
I also checked the "Allow public client flows" setting on the App registration's Authentication tab.
I started by adding the ones prescribed on the official Microsoft doc website about this topic, and then started adding some more because I was still receiving Access Denied messages, thus reaching this list. It should be enough according to Microsoft.
Then I have this code to authenticate with Microsoft Graph, giving me a GraphServiceClient instance which is successfully initialized:
    using Azure.Identity;
    using Microsoft.Graph;

    // Not shown in the question; assumed to be the Graph /.default scope the comment below refers to
    private const string ScopeGraph = "https://graph.microsoft.com/.default";

    private GraphServiceClient initializeTeamsGraphConnection(string TenantId, string ApplicationId, string ClientSecret)
    {
        // The client credentials flow requires that you request the
        // /.default scope, and preconfigure your permissions on the
        // app registration in Azure. An administrator must grant consent
        // to those permissions beforehand.
        var scopes = new[] { ScopeGraph };
        // Multi-tenant apps can use "common",
        // single-tenant apps must use the tenant ID from the Azure portal
        var tenantId = TenantId;
        // Values from app registration
        var clientId = ApplicationId;
        var clientSecret = ClientSecret;
        // using Azure.Identity;
        var options = new TokenCredentialOptions
        {
            AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
        };
        // https://docs.microsoft.com/dotnet/api/azure.identity.clientsecretcredential
        var clientSecretCredential = new ClientSecretCredential(
            tenantId, clientId, clientSecret, options);
        var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
        return graphClient;
    }
So authentication seems to be successful, but when I then try to list a plan using the code below:
    private void CreateTask(GraphServiceClient client)
    {
        var graphTask = client.Planner.Plans["Sdonp-JNB0aInPxDcxMowZgACZ59"]
            .Request()
            .GetAsync();
        // Poll the task instead of awaiting it (the method is not async)
        while (!graphTask.IsCompleted)
        {
            graphTask.Wait(10000);
        }
        var plans = graphTask.Result;
    }
I get the following error:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
Access permissions should be well above what is needed to do this. Any idea what I am doing wrong?
Again, this code is working, because when I change authentication to some sort of interactive login type I get this plan info no problem.
The Planner API currently supports only delegated permissions; that's the reason why it returns 403 for a daemon (background service).
According to this announcement, support for application permissions is coming soon.
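As an added example (not code from any of the posts above), the following C# serves two of the threads on this page: the earlier question about feeding an access token issued by another service into the Azure Identity library, and the Planner 403 just discussed. The first part implements Azure.Core.TokenCredential around an externally supplied token, which is what lets GraphServiceClient and the other Azure SDK clients consume it; the second part reads the token's scp (delegated) and roles (application) claims, so a daemon can see for itself that its client-credentials token carries only application permissions and can never satisfy an API that accepts delegated permissions only. The JWT reader only base64-decodes the payload and never checks the signature; it is for local diagnostics, not authorization. The class names, the Demo type and the unsigned sample token are my own constructions.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;

// Decodes only the payload segment of a JWT. It does NOT verify the signature:
// use it for local diagnostics, never to make an authorization decision.
public sealed class JwtPayload
{
    public DateTimeOffset ExpiresOn { get; }
    public string Audience { get; }
    public IReadOnlyList<string> DelegatedScopes { get; }  // "scp": space-separated delegated permissions
    public IReadOnlyList<string> AppRoles { get; }         // "roles": array of application permissions

    private JwtPayload(JsonElement p)
    {
        ExpiresOn = DateTimeOffset.FromUnixTimeSeconds(p.GetProperty("exp").GetInt64());
        Audience = p.TryGetProperty("aud", out var aud) ? aud.GetString() : null;
        DelegatedScopes = p.TryGetProperty("scp", out var scp) && scp.ValueKind == JsonValueKind.String
            ? scp.GetString().Split(' ', StringSplitOptions.RemoveEmptyEntries)
            : Array.Empty<string>();
        var roles = new List<string>();
        if (p.TryGetProperty("roles", out var r) && r.ValueKind == JsonValueKind.Array)
            foreach (var role in r.EnumerateArray()) roles.Add(role.GetString());
        AppRoles = roles;
    }

    public static JwtPayload Parse(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected a compact JWS with three dot-separated segments.");
        using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        return new JwtPayload(doc.RootElement.Clone());   // Clone outlives the disposed document
    }

    public static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    public static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}

// Hands a token obtained elsewhere to Azure SDK clients. ExpiresOn is taken from the
// token's own "exp" claim, so the SDK knows when the token stops being usable.
public sealed class ExternalAccessTokenCredential : TokenCredential
{
    private readonly AccessToken _token;

    public ExternalAccessTokenCredential(string jwt)
    {
        JwtPayload payload = JwtPayload.Parse(jwt);
        if (payload.ExpiresOn <= DateTimeOffset.UtcNow)
            throw new ArgumentException("The supplied access token has already expired.", nameof(jwt));
        _token = new AccessToken(jwt, payload.ExpiresOn);
    }

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) => _token;

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct) =>
        new ValueTask<AccessToken>(_token);
}

public static class Demo
{
    // A client-credentials token has "roles" and never "scp", so an API that accepts only
    // delegated permissions answers 403 no matter which roles the token carries.
    public static string DescribePermissions(string jwt)
    {
        JwtPayload p = JwtPayload.Parse(jwt);
        if (p.DelegatedScopes.Count > 0) return "delegated (scp): " + string.Join(" ", p.DelegatedScopes);
        if (p.AppRoles.Count > 0) return "application (roles): " + string.Join(" ", p.AppRoles);
        return "no scp/roles claim: token grants nothing on " + (p.Audience ?? "<no aud>");
    }

    // Constructed, unsigned sample token so the program runs offline (alg "none" is never acceptable to a real API)
    public static string ConstructedSampleToken(string payloadJson) =>
        JwtPayload.Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\",\"typ\":\"JWT\"}")) + "." +
        JwtPayload.Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson)) + ".";

    public static void Main()
    {
        string daemonToken = ConstructedSampleToken(
            "{\"aud\":\"https://graph.microsoft.com\",\"exp\":4102444800,\"roles\":[\"Tasks.ReadWrite.All\"]}");
        Console.WriteLine(DescribePermissions(daemonToken));

        TokenCredential cred = new ExternalAccessTokenCredential(daemonToken);
        var ctx = new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" });
        Console.WriteLine(cred.GetToken(ctx, CancellationToken.None).ExpiresOn);
    }
}
```

ExternalAccessTokenCredential can be passed wherever the page's ClientSecretCredential is used, for instance new GraphServiceClient(cred, scopes). Because the wrapper cannot refresh anything, the service that issues the token has to supply a fresh one before ExpiresOn; and the receiving API, not this wrapper, is the party that validates signature, issuer and audience.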
I have a subscription to Azure and an already developed application; I'm trying to use Azure AD as the authentication mechanism.
I created the application in Azure, added Azure AD as the authentication mechanism, and when I try to log in I get this error:
AADSTS65005: The app needs access to a service
("http://rts.powerapps.com") that your organization
"123-32323-323232-3233" has not subscribed to or enabled. Contact your
IT Admin to review the configuration of your service subscriptions.
This is my Startup class:
    using System;
    using System.Configuration;
    using System.Globalization;
    using System.Threading.Tasks;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        // aadInstance is a format string such as "https://login.microsoftonline.com/{0}"
        string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                    RedirectUri = postLogoutRedirectUri,
                    Notifications = new OpenIdConnectAuthenticationNotifications
                    {
                        // Surface the AADSTS error text on an error page instead of an unhandled exception
                        AuthenticationFailed = context =>
                        {
                            context.HandleResponse();
                            context.Response.Redirect("/Error?message=" + context.Exception.Message);
                            return Task.FromResult(0);
                        }
                    }
                });
        }
    }
Any ideas?
EDIT 1:
After removing from my required permissions some app that appeared deleted, now I get this error.
Error Img
EDIT 2:
Fixed after removing and adding the permissions again.
It seems that you were developing with Common Data Service, based on the service ("http://rts.powerapps.com"). Please check whether your organization has subscribed to the service ("http://rts.powerapps.com").
Please note the prerequisites of Common Data Service:
If you've already signed up for PowerApps, you can go to PowerApps and sign in. If you haven't yet signed up, you can follow these instructions to sign up.
Make sure that you have admin access to an environment that contains a Common Data Service database. Go to the PowerApps portal, click the gear icon in the upper right of the page, and then click Admin center. If you don't have admin access to any environments that contain a database, follow these instructions to create a database.
And below is a helpful document to help you get started:
Get started with the Common Data Service SDK
I am working with a REST service deployed in an Azure environment. I want to run some integration testing by calling various API functions from a separate (console) application. But the REST API uses bearer token authentication. I'm a total noob with Azure authentication, so I don't even know if it should be possible.
I've tried to use the example found here, but no luck yet.
In any case, I have two applications. One is the console app that is running the code, and the other is the REST service for which I need to use the bearer token to access the API calls. I will call them the ConsoleApp and RestService.
The code I run is as follows:
    using System.Collections.Generic;
    using System.Net.Http;
    using Newtonsoft.Json.Linq;

    HttpClient client = new HttpClient();
    string tenantId = "<Azure tenant id>";
    string tokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/token";
    string resourceUrl = "<RestService app id url>";
    string clientId = "<azure id of the ConsoleApp>";
    string userName = "derp@flerp.onmicrosoft.com";
    string password = "somepassword";
    // Resource-owner password grant. Form-encode every field so reserved characters
    // in the password or the URIs cannot corrupt the body.
    var form = new FormUrlEncodedContent(new Dictionary<string, string>
    {
        ["resource"] = resourceUrl,
        ["client_id"] = clientId,
        ["grant_type"] = "password",
        ["username"] = userName,
        ["password"] = password,
    });
    HttpResponseMessage response = await client.PostAsync(tokenEndpoint, form);
    string result = await response.Content.ReadAsStringAsync();
    JObject jobject = JObject.Parse(result);
The JSON message I get back:
error: invalid_grant, error_description: AADSTS50105: The signed in
user is not assigned to a role for the application "RestService
azureid"
What does that mean, and what needs to be done to get a bearer token out of this?
Please first check whether you enabled "User assignment required" on the console application:
In your Azure AD blade, click Enterprise applications, search for your app in the All applications blade, and click Properties:
If that is enabled and your account is not assigned an access role in your app, then you will get the error. Please try to assign an access role in your app:
In your Azure AD blade, click Enterprise applications, search for your console app in the All applications blade, click Users and groups, click the Add User button, select your account and assign a role (edit the user and ensure the selected role is not "None Selected"):
Please let me know whether it helps.
I have to authenticate an application against Azure AD. I have created the web API and added it to the Azure AD application section. I changed the manifest file, created a web API and authenticated it with Azure AD, and created a Windows Forms app containing the following code:
    using System;
    using System.Net.Http;
    using System.Windows.Forms;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    private async void button1_Click(object sender, EventArgs e)
    {
        string authority = "https://login.windows.net/test113.onmicrosoft.com";
        string resourceURI = "https://test113.onmicrosoft.com/ftp";
        string clientID = "5177ef76-cbb4-43a8-a7d0-899d3e886b34";
        Uri returnURI = new Uri("http://keoftp");
        AuthenticationContext authContext =
            new AuthenticationContext(authority);
        // Interactive sign-in; resourceURI must be the Web API's App ID URI in this tenant
        AuthenticationResult authResult =
            authContext.AcquireToken(resourceURI, clientID, returnURI);
        string authHeader = authResult.CreateAuthorizationHeader();
        // don't do this in prod: accepts any TLS certificate for the localhost dev API
        System.Net.ServicePointManager.ServerCertificateValidationCallback =
            ((s, c, c2, se) => true);
        HttpClient client = new HttpClient();
        HttpRequestMessage request =
            new HttpRequestMessage(HttpMethod.Get, "https://localhost:44300/api/tasks");
        request.Headers.TryAddWithoutValidation("Authorization", authHeader);
        var response = await client.SendAsync(request);
        string responseString = await response.Content.ReadAsStringAsync();
        MessageBox.Show(responseString);
    }
I get this exception:
An exception of type
'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException'
occurred in Microsoft.IdentityModel.Clients.ActiveDirectory.dll but
was not handled in user code
Additional information: AADSTS50001: The application named
https://test113.onmicrosoft.com/ftp was not found in the tenant named
test113.onmicrosoft.com. This can happen if the application has not
been installed by the administrator of the tenant or consented to by
any user in the tenant. You might have sent your authentication
request to the wrong tenant.
Trace ID: e782d60e-b861-46a3-b32b-f3df78396bd0
Correlation ID:
b4809815-2755-4de1-bd1b-0221d74fd0f0 Timestamp: 2016-03-17 11:20:08Z
The resource in the request means the resource you want to access in the particular tenant. When a native client needs to get a token from Azure Active Directory, it needs to specify the resource it wants a token for. In this scenario the client application wants access to the Web API, so the App ID URI for the Web API is used as the resource name. After it has the token it also needs to know the URL where the resource can be accessed, in this case the address of the Web API. For example:
    // Resource settings this application wants to access
    private string resource = "https://cloudalloc.com/CloudAlloc.WebAPI";
    private Uri WebAPIUri = new Uri("https://localhost:44313");
Both of these settings can be found in the single sign-on section of the CONFIGURE page for the Web API application in the Azure Management portal.
Click here for more details.
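The other half of that contract sits in the Web API: it accepts a bearer token only if the token's audience (aud) equals the App ID URI the client passed as resource, which is why a token acquired for a resource name the tenant does not know fails before any controller runs. The following OWIN Startup for the API is an added example, not code from the question or the answer; it uses the classic Microsoft.Owin.Security.ActiveDirectory bearer middleware, and the tenant name and App ID URI are the ones from the question above, assumed to be the registered values. The TasksController is illustrative.

```csharp
using System.IdentityModel.Tokens;               // TokenValidationParameters (Microsoft.IdentityModel.Tokens in newer package versions)
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    // Assumed values, taken from the question: the tenant and the App ID URI
    // that the native client passes to AcquireToken as "resource".
    private const string Tenant = "test113.onmicrosoft.com";
    private const string AppIdUri = "https://test113.onmicrosoft.com/ftp";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Issuer and signing keys are fetched from this tenant's federation metadata,
                // so a token minted by another tenant fails signature/issuer validation.
                Tenant = Tenant,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens issued for any other resource: a token whose "aud"
                    // is not this API's App ID URI is answered with 401, never reaching a controller.
                    ValidAudience = AppIdUri
                }
            });
    }
}

// Every action requires a validated bearer token; the identity comes from the token's claims.
[Authorize]
public class TasksController : ApiController
{
    public IHttpActionResult Get() => Ok(new[] { "sample task" });
}
```

The pairing to keep in mind: the client's resource string, the API's ValidAudience, and the App ID URI registered for the Web API in the portal must all be the same value, and the token is requested from the tenant where that registration lives.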