I have a working Xamarin Forms app that uses Azure AD B2C to login to providers such as Microsoft, Google, LinkedIn, Apple, etc. The login process works smoothly except that I get the message "Let this app access your info? unverified". See picture below:
I know how to resolve this issue for an Azure AD application. See Publisher verification and app consent policies are now generally available
The Azure documentation clearly states that this is not supported for Azure AD B2C Apps. Is there an alternate way to get past the "unverified" messsage? This is causing a massive adoption problem for my app as downloaders are hesitant to login to an app with an "unverified" publisher.
Any and all help will be appreciated.
• Sorry, there is no way through which we can mark an Azure AD B2C application publisher as verified. Though, you can register that application as an internal Azure AD application and ensure that it is publisher verified which will in turn make the ‘unverified’ tag go away during the login process.
a) Also, ensure that the domain of the mail ID used to register for MPN (Microsoft Partner) account verification should be the same one configured as a custom domain and verified in your Azure AD tenant in which you wish to register the Xamarin form application.
b) The user account should be assigned one of the following roles: - MPN admin, Accounts admin or a Global admin in partner center account and application admin, cloud application admin or a global admin in Azure tenant.
c) This user account must sign into the Azure AD tenant using MFA and the publisher should agree to the Microsoft Identity Developer Terms of Use.
Please refer the below link for the documentation on marking an application publisher as verified in Azure AD: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/mark-app-as-publisher-verified
Would also suggest you to please refer this below SO thread for more information as it explains further publisher domain verification in Azure AD: -
Mark an app as publisher verified in Azure AD B2C
I finally succeeded in marking my Azure AD B2C application as publisher verified. Now I no longer get the "unverified" description in the access screen. To do this, I followed the instructions here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-user-flow#verify-the-applications-publisher-domain
It is especially important to know that the MPN id cannot be set by a user interface but you have to use Graph Explorer to set it.
The code below is an example of using Graph Explorer to set the MPN Id:
Where appObjectId is the object id of your AD B2C App. It is NOT the app id but the object id. The VerifiedPublisherID is your MPN Id that you wish to set.
POST /applications/appObjectId/setVerifiedPublisher
{
"verifiedPublisherId": "12345678"
}
Related
We are using Azure B2C for login/authentication of our users. This works fine on our website (social and email login etc).
Our mobile app is built in Xamarin forms and we are trying to build a native login experience (using native app controls vs. a web view within the app that B2C presents) that integrates natively with the device biometrics for login (FaceId, TouchId, fingerprint login).
As you can imagine, doing this in the webview that Azure B2C requires doesn't allow a native login experience.
The overall goal here is 2 fold:
Build a native login experience
Integrate with biometrics.
Question:
Does Azure B2C have an API that enables this, especially so we can use authorization code flow without a UI. ROPC exists but does it integrate with social accounts too?
If not, is there a way to integrate biometric login with Azure B2C on mobile when the login screen is presented in a webview? So that when the B2C login page in the webview is presented, a user can login with touch/faceId and save that information to they keychain (on iOS and the equivalent on Android)
You need to use Webviews, and you can enable Biometric integration with webview type experience.
You cannot integrate any service with Social Accounts and ROPC. Any integration with Social IdPs will need a webview.
Yes, enable Keep Me Signed In for long lived sessions. Wrap the biometric code around the acquireTokenSilent() methods.
Then you have two options:
You can hide the KMSI button, and use JavaScript to force select the KMSI checkbox in the login page using page customisation.
You can rename the KMSI label on the login page to ask the user if they want to enrol in to biometric. Then after the login, your app will receive a claim in the token whether the user opted in, use claim resolver to achieve that.
Now you have a user logged into the App, with:
1 hour access token
Potentially up to infinity long refresh token
Multi day/year Azure AD B2C session cookie
Then, when the user re-attempts to open the app, or perform some action in the app, you will need to call acquireTokenSilent(). This MSAL method obtains a fresh access token for the required API resource/scope.
If the token is expired, or requires a different scope, the a new token is fetched.
You can wrap any action in your application with the biometric SDK.
if (performingSomeAction && requiresBiometric)
if (challengeBiometric succeeds)
acquireTokenSilent()
//do someAction
Now if the refresh token has expired, then the web view will pop up, the long lived session cookie will be used to get new tokens. The acquireTokenSilent() method handles all of that already.
So I'm trying to create custom roles in Azure AD for an Asp.net mvc5 web app. I did a lot of reading up, but basically it fails due to lack of auth. I issue the PowerShell command New-AzureRmRoleDefinition -InputFile myNewRole.json but it fails saying that my (current logged on user) does not have authorization to perform action 'Microsoft.Authorization/roleDefinition/write" over scope...
Well, the error message is clear. At the same time, if I list my user's roles I am 'owner'. What privileges is needed to create custom roles in Azure AD if owner doesn't suffice?
Hi in your assignable scopes section can you confirm that there aren't any typos and the scope is your subscription GUID. We have come across this scenario where there was something awry with the scopes section.
I want to be able to access other users Google Calendars through a service account so I am not prompted for authorization. I am doing this in a simple .net c# console app. When I attempt to create my credentials in the Google API Manager, it gives me the following alert when I specify I am using a non UI app and I want to access User Data. Isn't the purpose of using the service account to access other users data without a UI?
"User data cannot be accessed from a platform without a UI because it requires user interaction for sign-in."
You may have misunderstood the meaning of using a service account to impersonate a user. To help you with Authentication, you might want to check this tutorial : Google Calendar API Authentication with C# by Daimto.
Things to take note of :
To be able to access other calendars by service account, users who own the calendar should share it to the service account.
To impersonate a user, you must know the email address.
From the tutorial:
If you are only accessing data that you own there is no reason to ask a user for permission to access it. You can use a Service account. (Privacy)
If you want to be able to access data owned by someone else you will need to be authenticated.
Hope this helps!
I'm using .NET backend on Azure Mobile Service. It's easy to set up authentication with social identity provider, so that the client can use e.g. Facebook iOS SDK to login, as illustrated in the official tutorial
In custom authentication, as I need to maintain my own Account table according to the official tutorial, I have full control over the registration & login.
I'd like to have a centralized User table to store information about all users, no matter which channel they used to authenticate.
My question is, is there a way for the .NET backend to be notified when a user register or login with a Facebook token? So that a new row can be added to the centralized User table even when the user is using Facebook to authenticate?
Thank you!
Yes - the User.GetIdentities() method contains the token and mechanism that was used to authenticate the user. You can use this to update your table. For an overview of how to use this token, see this blog post by the team: https://azure.microsoft.com/en-us/blog/custom-login-scopes-single-sign-on-new-asp-net-web-api-updates-to-the-azure-mobile-services-net-backend/
I am trying out the multi tenent features in Azure Active Directory for my company. We want to offer single sign on and claims based authentication and authorization for users of our web applications. Some customers have their own Azure AD, while others will get users in an Azure AD that we own. We would like to allow all users from other approved Azure tenants to authenticate, but only specific users should be authorized since we charge the customer per user per application. Hopefully, our Azure AD groups can be used for this purpose. I have succesfully created a test app that allows users from both my Azure AD and from another tenent to log in to our application.
My question is this: Is it possible to add users from another Azure AD (that we do not control) to groups in our Azure AD, so that we can use the group membership of users to allow access to different applications that we build? Is this possible or have I missunderstood something fundamental? :) Should we abandon Azure AD groups and use our own sepperate database to store claims that can be assigned to users from all tenents during the ASP security pipeline instead?
The application I tested got read access to the other Azure AD and read/write access to our Azure AD. I was unable to assign users (from another Azure AD) to our groups through the Azure managment portal ("No user exists with this user name in a directory to which you have access.") and I have thus far been unable to do it with the graph api from the application. Adding users that I create in our Azure AD to our groups works fine.
Fundementally, you will need a database to keep your user mapping.
As we're here, consider Stackoverflow - you can create an identity with stackechange, but you can also use your existing identity from google, yhaoo or facebook. This means that SO needs to keep a record of your identity in some database, and next to it what you're allowed and not allowed to do.
In many respects though, you could consider WaaD simply as a database for that matter and automatically create the user record, but keep in mind that the user will not be authenticated to your AD. you will simply be using the graph API to query based on a key and this may be done more efficiently on a dedicated database or, arguably, something like Azure table storage.
Given that you will need to query the WaaD graph API to get group membership anyway (it is not provided with the initial claim-set) you could query table storage instead.
for your specific case of "No user exists with this user name in a directory to which you have access", YES, this can be met and you can add the user of one Azure AD(abc.onmicrosoft.com) to another(def.onmicrosoft.com).
Necessary Condition:
1. you have to be at least a global-admin-user & co-admin in the Azure AD in which you have to add the user from another Azure AD.
2. you should be explicitly added in the other Azure AD, whose user you are registering in the current Azure AD, with at least a "User" privilege.
Boom!! User added with "Sourced from: Another Azure AD" tag.
You can try B2B invitation from your Azure AD to the members of different domain. As you said you have to allow people from multiple tenants, create a group and add the users via B2B invitation and map that group to your app. This is really handy because that will work for a single go as well as being easy to maintain.