I have a multitenant application js client with masal and Web Api all is working good. User can log in and use the Api.
I'm trying to read the ad groups user belongs to with Graph Api.
It works fine for the user on the same tenant where the app has been registered but if I'm using user from different tenant I have 403 (Insufficient privileges to complete the operation.) error, trying to access /users/{userId}/memberOf endpoint.
After I registered applications on azure for client and server I set the appropriate permissions in Api permission section (Application permission) which I thought is the case but it must me missing something else.
Any idea what I'm missing?
Please refer to aricle below :
Understand user and admin consent
For a multi-tenant application, the initial registration for the application lives in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user’s tenant, and sign-in can continue. A delegation is also created in the directory that records the user’s consent to the application.
Your application uses permissions(/users/{userId}/memberOf) that require admin consent, if an ordinary user tries to sign in to an application that requests a delegated permission that requires administrator consent, your application receives an error.
In Azure AD V2.0 , you can redirect the user to the Microsoft identity platform admin consent endpoint:
// Line breaks are for legibility only.
GET https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/calendars.read
https://graph.microsoft.com/mail.send
See document : Admin consent on the Microsoft identity platform
Related
Hi have not been able to find an answer on stackoverflow or online hoping someone has experience of a similar setup.
We have .NET Core 3.1 user management application which obtains user information from a Windows 2016 Active Directory server (application access is done via the groups defined in AD) fairly rudementary the idea is:
Start application > Redirect to WSO2 (version 5.9.0) IAM Logon page
Attemp to logon with a valid AD user (which has been set to 'user must change password at next logon'..)
WSO2 appears to attempt to authenticate and then logon however fails
Kibana shows logon failed message for this particualr user
The WSO2 logon page shows an error message
However what we were expecting to happen was for a redirect to occur back to the .NET Core application and we customised the logon.jsp related pages as per the WSO2 Customisation guide.
WSO2 does not have an identity providers it uses a service provider with SAML SSO configured.
The custom logon.jsp page has some code that checks the incoming RelyingParty value and performs the appropriate redirect as required.
The issue:
The redirect is not working as expected instead of redirecting back to the .NET Core application that made the initial call to the WSO2 IAM the above occurs i.e. the logon page shows an authentication error.
What we would like for the server to do is redirect back the .NET Core application IF the 'user must change password at next logon' radio button is enabled on their AD account - this needs to happen at the server side i.e. WSO2 (well that's my limited understanding if you know better please do advise).
Ideal scenario:
.NET App startup > WSO2 logon page
SAML SSO flow > LDAP query to AD return user
detect the 'user must change password at next logon' is true and then redirect back to the .NET app where the app will take over query AD display the change password views (nothing special about these standard change-password actions)
.NET App > call WSO2 again perform valid logon return with SAML SSO response back to .NET APP.
Thank you in advance :-)
As per your issue description, I believe that you have made the following configuration in the AD.
I believe you have initiated the Admin Forced Password Reset flow by setting the "User must change password at next login" option in the AD for the user. But unfortunately, it is not possible as once the "change password at next login" is selected in the AD, it marks the password as expired and the WSO2 IS treats it as Authentication Failed (LDAP error code 49). Therefore, it will require API level customization of WSO2 IS basic authenticator and the user store manager to achieve your requirement.
But in the WSO2 IS Admin Forced Password Reset flow, the user will be given an OTP through email to log in to the IS and the password reset flow will be initiated as similar to your requirement without using the AD. Hence, it is recommended to use the Admin Forced Password Reset flow available in the WSO2 IS to reset the password of the user.
I have webapp to make changes in ADF (kinda deployment of objects in ADF). I want to authenticate user against ADF. I am able to detect who is accessing web app. I get Azure AD Id like user1#company.com. I want to validate if the same user has access to ADF and if yes, generate bearer token to make changes in ADF (using rest api) or using SDK.
You can use the way below to get the access token when the user login to the web app, no need to validate if the same user has access to ADF, because if he does not have the access, the token will not be able to call the rest api, he will get the 401 unauthorized error.
1.First, make sure you have configured your web app to use Azure AD login, then navigate to the resource explorer -> find your web app -> add ["resource=https://management.azure.com"] to additionalLoginParams like below -> PUT.
2.Navigate to the Azure Active Directory in the portal -> App registrations -> find the AD App corresponding your web app -> API permissions -> add the permission user_impersonation of Azure Service Management like below.
3.Then when the user login the web app, after he consents the permissions, you can get the token with endpoint https://webappname.azurewebsites.net/.auth/me, and use the token to call the data factory rest api.
4.Make sure the user has an RBAC role e.g. Contributor in your subscription/ADF, then the token will be able to call the rest api successfully.
For example, I test with Pipelines - List By Factory api, it works fine.
I created an application in ASP.NET with Azure AD login. My problem is when I'm trying to login using my company user (User type: Member). I have to mention that I don't have admin access. I successfully created an application in the azure portal.
The error that I receive when I try to login is :
"AADSTS90093: Does not have access to consent."
I know that you may have to grant application permissions, but is there anything that I can do on my end ? Is there another way to do this and grant access to login using company profile ?
There are 3 things you could check:
Permissions at Azure AD Level: An Azure AD administrator can restrict users to grant access to apps.
Permissions at application level: Please check the "User Assignment Settings" at the application level. Combined this with the permission above, a user may not be able to access the application.
Code: Please check your code and see if you're doing prompt=admin_consent when sending the request to Azure AD for authentication/authorization.
Portal: You can grant consent via the Azure Portal by clicking the Grant Permissions button inside the app's blade.
I have a design requirement for an ASP.NET MVC 4 (.NET 4.6.1) app hosted on the company server (Not Azure) to do the following:
Check is user is authenticated via Windows Authentication
a)Yes - designate user as "authenticated"
b)No - use OpenIdConnect (OWIN) to authentication using Azure Active Directory.
Once authenticated use the standard [Authorize] attributes on controller methods etc. I have implemented Windows and Azure AD authentication alone is individual MVC apps but never together.
I have found several sources describing how to mix Windows and Forms authentication, but none for this combination.
Does anyone have insights on how this might be achieved?
I had a similar requirement a year ago and my approach was :
The users are redirected to input their AD credentials (https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/)
Once they are sucessfully logged in on the AD you will get a token.
Then I call the Azure AD API on their behalf using the token I just got. I woulds just call the /me endpoint that will return me the user personal details.
With the above response I just need to check if the email address matches the email address that was initially requested.
If it matches it means the user was successfully validated against the AD.
Then you can proceed and issue that user a token or cookie to access your application.
I have a Web API and an Azure Web App that access the same database. This database has all user information. I'm using ASP.NET Identity for user management. I'm having an issue where when a user is created by the web app the Web API requires a restart, or at least a relatively long while before the user becomes authenticated by it. This, of course, is entirely impractical. How can I update the environment immediately on the Web API so that the user can access their resources?
UPDATE 3:
Turns out it WAS authenticating with the API, but I didn't hold the correct claims because my user was not associated with a Google account. See Answer below.
Wow. Nevermind. We require Google accounts to sign on one kind of client, and we SHOULD require it on the web client, but I haven't set that up yet. If an account is set up without an associated Google account, AND that email has a Google account set up on the client then it will try to authenticate with those Google claims that don't exist in the DB. So while I CAN authenticate with that claim through the Google SSO, there are no claims set up in the DB, resulting in 401 errors. Authenticated, but unauthorized.
This means my auth filter is probably misconfigured because it should not authenticate with Google if my account does not have an associated Google account, no matter what my client requests. It also means that I need to refactor my SPA on my Web App that statically calls for Google authentication with the API.