powershell,azure-active-directory
The applications you see in the portal are projections of the Application entities in the directory. The apps created via PowerShell are only ServicePrincipals, I believe. For a detailed explanation of the difference between the two see http://msdn.microsoft.com/en-us/library/azure/dn132633.aspx
azure,oauth,active-directory,azure-active-directory
If an admin creates an application in their tenant, and requests permissions to other applications, then users in that same tenant are pre-consented for that application. I believe this is why you are not seeing the consent dialogue when users in your tenant are signing into your application. If you...
The account used in your case is a Microsoft Account and not an Organizational Account / AAD Account. Unfortunately, Microsoft Accounts do not work at the common endpoint. If the Microsoft Account is a guest in an Azure AD tenant, then you can put that tenant name in the authority...
azure,single-sign-on,azure-active-directory
This version of the Identity&Access Tool performs a 'ChainTrust' validation on each signing certificate found in the metadata. If any certificates fail the validation, this warning pops up. The metadata is retrieved over https, where the channel must show proof of the private key, so you should be OK. I would check...
azure,single-sign-on,azure-active-directory,adal
Nikhil, thanks for reporting this. We've identified the issue and are working on a fix - I shall update the thread as soon as it rolls out.
asp.net-mvc,session,azure,session-timeout,azure-active-directory
AAD access tokens expire in 1 hour. AAD refresh tokens expire in about 14 days if they are not used. Each new refresh token starts the 14 day clock over again. This works for a total of 90 days. But after 90 days, the user will have to enter credentials...
What worked for me was setting the passiveRedirectEnabled to true in the config file. Then the returnUrl parameter in the FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest call worked! <wsFederation passiveRedirectEnabled="true" ....> ...
javascript,angularjs,azure,azure-active-directory,adal
Your issue: I think you have an issue with the link. Your link should be like this: http://localhost:8081/test-ui#/dashboard <a href="#/home">Home</a> <a href="#/todoList">ToDo List</a> <a href="#/contactList">Contact List</a> Adal.Js uses the requireADLogin keyword to interrupt the route change event. If you don't see any redirection, it could be related to the routechange event not...
asp.net,azure,active-directory,asp.net-identity,azure-active-directory
Absolutely possible. See the sample here, and specifically the SecurityTokenValidated handler in Startup.Auth.cs, for a good starting point. https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet -- Rich...
c#,sql-server,asp.net-mvc,asp.net-identity,azure-active-directory
I have a couple of options to suggest here. Option 1 - you can use your own application profile store, for storing additional user profile information for properties not present in the directory. Basically when your app gets a user token (or a JWT token) for the signed in user,...
c#,sharepoint,office365,azure-active-directory
You can write an application that can update all user (and group) properties that are stored in Azure AD through the Azure AD Graph API. You can either use direct calls to the REST API or use C# and the .NET client library. For more information I would recommend...
asp.net-mvc,web-api,asp.net-web-api2,azure-active-directory,openid-connect
It turns out the following should be added to Startup.Auth: TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = true, // map the claimsPrincipal's roles to the roles claim RoleClaimType = "roles", } It is actually configuring the 'roles' claim type in order to map it with the default behavior. Excellent explanation is...
powershell,azure,exchangewebservices,azure-active-directory
Here's the way to attack this problem the easy method, using the PowerShell module. Since you already have access to a great and fully featured PowerShell tool, there's really no reason to do this by hand with a REST API, in my experience. Using the MSONline Module We can do...
c#,asp.net,azure,azure-active-directory
Sorry for the late response. The following code worked for me. Not sure if you need to use the IUserFetcher interface, but your LINQ query fails because you are comparing the objectID of the assignment with the appRole Id. What you need to compare is the ID of the assignment....
azure,azure-web-roles,adfs,azure-active-directory
krilovich, Azure AD login page does very basic disambiguation between Organizational and Live accounts and fails when the Live account doesn't look like the typical ones (@outlook.com/@hotmail.com etc.). We plan to improve this experience. However currently the only option is to show two login buttons in your app, one for...
azure,azure-active-directory,upn
You will get the UPN in claims only if you are a user of that Azure Active Directory; if you are listed as another user to that directory, you will not get the UPN in claims. For an experiment you can create a user in the directory with "New user in your Organization"...
asp.net,azure,active-directory,openid,azure-active-directory
I had the same problem just now! I have an application which has been working for a couple of weeks and hasn't been changed. I've got it working by upgrading "Microsoft.Azure.ActiveDirectory.GraphClient" from version 2.0.5 to 2.0.6
asp.net-web-api,odata,single-sign-on,azure-active-directory,powerquery
Here is the expected flow between PowerQuery and an OData service during authentication: When you enter the URI to your service in the builder, click ok, you will get a credential prompt asking for your credentials to access the service. Typically, you would choose Organizational Account if Azure Active Directory...
asp.net-mvc,owin,azure-active-directory
Varun, in the coming weeks we are planning to add a new claim in the token that contains the well-known identifiers of the directory roles that the user belongs to. Stay tuned for that. Until then the best option is to query the Graph API at login, determine the directory...
ms-office,office365,azure-active-directory
The Azure folks are working on implementing passing scopes in each request. In the meantime, the guidance they've given is that you do not include prompt=consent with every request. Instead, if you get an Unauthorized error, then you fall back on re-requesting with prompt=consent.
c#,azure,azure-active-directory
I finally figured out the answer. In order to get to AppRoleAssignments off the ServicePrincipal you need to query the list directly rather than trying to expand it off the ServicePrincipal: await client.ServicePrincipals .GetByObjectId(servicePrincipalObjectId) .AppRoleAssignedTo .ExecuteAsync() Then you have to manually walk through the users and groups to get a final...
azure,oauth,jwt,azure-active-directory,adal
As of today there is no way for AAD to send a subset of the user's groups. A possible trick would be to define a role for your app, and then assign that group to the role. In that case you'll see the role in the token only if the...
azure,oauth,claims-based-identity,azure-active-directory
So it turns out that I was using the Uri class to validate the App ID URI. Problem is, it adds a trailing slash onto the end, which causes problems. As soon as I started using the string class to store the App ID URI, it was fine. So...
azure-active-directory,openid-connect,auth0
OpenID Connect has standardized the sub claim for the primary user identifier. Alternatively you may be able to use the mail claim, with the caveat that e-mail addresses can be reassigned, and sub should not be.
office365,azure-active-directory,outlook-restapi
Do you get a correlation id? What happens if you refresh the page?
windows,azure,windows-phone-8,azure-active-directory
This might be related to a known problem with the WebAuthenticationBroker on Windows Phone 8.1: it cannot be invoked until the full UX of the app has been loaded. Please take a look at this thread for a description of the issue and proposed workarounds: https://social.msdn.microsoft.com/Forums/vstudio/en-US/95c6569e-2fa2-43c8-af71-939e006a9b27/mobile-services-loginasync-remote-procedure-call-failed-hresult-0x800706be?forum=azuremobile HTH V.
c#,azure,azure-active-directory,change-password,http-patch
I found the error. I was using user_id as UPN and you can't use a password that has the UPN in it. So I changed the way I made the UPN and it works like a charm!
c#,wpf,azure,azure-mobile-services,azure-active-directory
That is the userID of Azure Active Directory. You need to create a service to expose your AAD info through a service and retrieve the additional information using the access token you get from your user. First: ServiceUser user = this.User as ServiceUser; var identities = await user.GetIdentitiesAsync(); var aad...
c#,asp.net-mvc,azure,azure-active-directory
The error message is correct, which is, that your extension property does actually exist in your directory. The problem is in your GetProperties method. When I authored the blog there was an issue in the Graph client libraries and apparently the problem still exists, which is, the ExtensionProperties property always...
azure,office365,azure-active-directory
The code you wrote there does not work in a web application. It might work while you are hitting localhost, but as soon as you deploy your web app to an actual server it will not be able to pop out the dialog. Did you get that code from some...
owin,azure-active-directory,openid-connect,adal
In general you cannot use a refresh_token to renew an id_token because an id_token represents user authentication, information that cannot be refreshed without the user present. The way to refresh an id_token is described in the Session Management draft of OpenID Connect (http://openid.net/specs/openid-connect-session-1_0.html) i.e. by sending the user (agent) off...
1 - sure you can. There is no endpoint to perform validation, but it's easy to validate incoming tokens - we offer components that automate it. See https://github.com/AzureADSamples/NativeClient-DotNet for an example. The same location on GitHub has lots of other samples demonstrating different scenarios. 2 - I am not certain...
When user [email protected] signs in to the Access Panel, the directories that user has access to can be selected from the dropdown box in the upper-right corner of the panel next to the username (see example below). ...
authentication,azure,azure-active-directory
Without Auth you won't be able to exercise many scenarios in your app during development. Assuming from your tag that this is an Azure AD integrated app, you could add a localhost reply URL to the application in Azure AD and enable SSO in dev mode as well as prod...
You can only view subscriptions for a single directory at a time. If you click your name in the top right corner of the portal you can select which directory you want to work from. There is a suggestion on the Azure feedback site to add the ability to view...
RamLaki - have a look at the Graph API samples in the AzureADSamples org on Github: https://github.com/AzureADSamples. I believe the WebApp-GraphAPI-DotNet and/or ConsoleApp-GraphAPI-DotNet C# samples demonstrate retrieving a User by UPN/email. The Graph API doc has details on the User entity and the filterable properties: https://msdn.microsoft.com/en-us/library/azure/hh974483.aspx
azure,active-directory,azure-active-directory,adal
First, you're absolutely right, adal4j was failing to return UserInfo. The reason for this was that the token request did not include the scope=openid parameter, which is required if the caller wants an id_token in the response. I opened an issue, and it has already been resolved. So, an updated...
asp.net,azure,active-directory,azure-active-directory
It looks like you have a WebAPI secured using Azure AD (what you refer to as web application) and a WebApp (what you refer to as site) that needs to access the WebAPI. If this is indeed the case, you can register both the WebApp and WebAPI as applications in...
asp.net,iis,azure,azure-active-directory
You can most definitely leverage Azure AD on apps running on your own server. You should not need to apply settings at the IIS level. When you use Azure AD the windows integrated auth would take place between the client and Azure AD endpoints - that results in a token...
c#,azure,console-application,azure-active-directory,adal
Your test app is a native client. In OAuth terms it is a public client. Those terms apply to any client that does not have a client secret or certificate credential of its own. The admin consent feature does not apply to native clients and only works for web applications....
asp.net-mvc,azure,claims-based-identity,azure-active-directory
For organizational account authentication, the templates set up HTTP handlers to handle authentication of your users. If you look in your web.config you will see two modules that were added to your project, which are the WSFederationAuthenticationModule and the SessionAuthenticationModule. As such, it's an entirely different authentication and authorization dance than...
odata,breeze,asp.net-web-api2,single-page-application,azure-active-directory
After some tinkering with the HTTP requests, I found out that the Bearer token that we were expecting to be passed on to server was actually not happening. Reason being we were not using ajaxAdapter in breeze. We had to add that header ourselves and send the request. We had...
azure,windows-8.1,azure-active-directory,adal
The actual user session is determined by two different components: the token cache (under ADAL's control) and any session tracking cookies that might be present in the system (not under ADAL's control). As you point out, you can easily take care of the token cache part. However the logic you...
Your scenario requires daemon services to securely communicate with a web API. For this, the services need to be given an identity that the web API understands. Further, the services need to be given a credential using which they can get a token that proves their identity to the web...
c#,asp.net-mvc,azure,azure-active-directory,adal
You need to pass Authority to AuthenticationContext() instead of aadInstance: // Instantiate an AuthenticationContext for my directory (see authString above). AuthenticationContext authenticationContext = new AuthenticationContext(authority, false); ...
You are missing your domain in the URL you posted. It should be https://graph.windows.net/[your Azure AD domain]/users To get the email address for a user you need to add the object Id of the user in the request URL. So, for example, to get an Azure AD user it would...
powershell,azure,office365,azure-active-directory
Unfortunately, as you had guessed, this functionality is not currently available through Azure AD PowerShell. It is something that we'd like to add in the future, but I don't have an exact timeframe for this yet.
powershell,azure,azure-active-directory
The 'value' field for the key credentials is always returned as 'null' for applications and service principals.
The 2nd time you are hitting the cache.
c#,win-universal-app,azure-active-directory
Did you use the Windows Phone sample https://github.com/AzureADSamples/NativeClient-WindowsPhone8.1 as starting point? Does the sample work on its own, before integrating it in the universal app solution? I would recommend adding breakpoints in the App.xaml.cs code to ensure that the continuation events are correctly hooked up.
web-api,azure-active-directory,openid-connect
Mixing authentication for MVC (as in web UX) and Web API requires special care. See here for an example of how you can combine the two. I know you already read a lot about the theory behind this, but if you want yet another (not required, the sample above alone...
powershell,azure,azure-active-directory,adal
Please try using Password as the key type: New-MsolServicePrincipalCredential -AppPrincipalId $appId ` -Type Password ` -StartDate ([DateTime]::Now.AddMinutes(-5)) ` -EndDate ([DateTime]::Now.AddMonths(1)) ` -Value "$newPassword" Hope this helps...
azure,asp.net-web-api,azure-active-directory
In your service start up you register OWIN, and when your controller is decorated with the Authorize attribute the authentication challenge will happen and OWIN will try to validate the token on each request. The token validation happens because you have OWIN Dll references AND you have the startup.auth class...
teamcity,office365,azure-active-directory
I'm working on this integration at the moment. Will announce it via @lodkin twitter account. update: plugin home page https://github.com/ekoshkin/teamcity-azure-active-directory
oauth,ews,azure-active-directory
You have a choice: Call the separate service apis - Your problem is that you acquired a token to call AAD, and then tried to use that to call Outlook - you need to make a separate call to acquire a token for outlook.office365.com through ADAL or through the token...
azure,active-directory,azure-active-directory
You can achieve your goal with your current setup by using the Azure AD Graph API. Use the Azure AD Graph API Client library as a base and create a local area in your application, where a given Administrator user for your application can manage users and groups in the Azure...
azure,visual-studio-2013,.net-4.5,azure-active-directory
No, Windows authentication depends on Kerberos (or NTLM), which needs an Active Directory domain to authenticate the user in. Azure Active Directory does not handle Kerberos tokens. You can have your users authenticate against ADFS using the Kerberos protocol and federate the security token in ACS....
python,azure,azure-active-directory
Your token request is failing because of the query parameter at the end of your redirect uri. OAuth redirect URIs should not have any query parameters or fragments. You can use the state parameter instead. I don't think that the authorize call should have succeeded either, but clearly it did....
asp.net-mvc,azure,office365,azure-active-directory
Chris, your first assumption is correct. Customers that have an Office 365 subscription do not necessarily have an Azure subscription too. However this doesn't prohibit them from signing up for applications like yours using their Office 365 Azure AD and using single sign-on with their Office 365 accounts. During sign-up...
c#,xamarin,monodroid,azure-active-directory,assembly-references
So I found out what the problem was. I had to use a specific version of the package since it's a pre-released version. I had to install 3.0.110281957 exactly, then it recognized the reference as I needed.
The AAD Graph API currently returns 100 items per page. If the request you make is for more than one page of data, the response will contain a link to the next page of data. From Supported Queries, Filters, and Paging Options in Azure AD Graph API: A response that...
asp.net-mvc-4,azure,azure-active-directory,logoff
The answer depends on what protocol and identity middleware/framework you're using to sign in to Azure AD. If you built your app in VS2012 and used the Identity and Access tool to connect it to Azure AD, you're probably using WS-Federation (protocol) and Windows Identity Foundation (WIF) 4.5 (framework). The...
azure,active-directory,office365,azure-active-directory,azure-acs
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any credit card. When you have e.g. a pay-as-you-go subscription you should be able to create an ACS namespace. I just tried...
active-directory,openid,azure-active-directory
Indeed. Get the ObjectId of the user from the objectidentifier claim, using: ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value The UPN property is set by default for regular Organizational accounts - whereas you are signing in as an MSA (Microsoft Account) external user. MSA external users do not have the UPN property set by default. That said,...
azure,azure-active-directory,ws-federation
You need to add those "organisational" accounts as co-administrators via the Azure Management Portal. See here: http://msdn.microsoft.com/en-us/library/azure/gg456328.aspx
api,azure,office365,azure-active-directory
Thanks for reporting the bug. Fixed in Graph Client Library 2.0.5.
cordova,mobile,oauth-2.0,uri,azure-active-directory
After some further research, I managed to find a solution to the authentication problem. The problem with authentication through Azure is that Azure expects a valid return uri. I had at first considered implementing a custom url scheme for it to return to, but this was also not considered valid....
ms-office,owin,office365,azure-active-directory,adal
This was recently fixed to use the sign on url of the web application rather than the reply address. Can you try that please and let us know if this now works for you? Thanks...
c#,json,azure,single-sign-on,azure-active-directory
I got the saluting :) Add this block in your global.asax protected void Application_PostAuthenticateRequest(Object sender, EventArgs e) { ClaimsIdentity id = ((ClaimsIdentity)User.Identity); Claim claim = id.FindFirst(ClaimTypes.Email); if (claim != null) { string email = claim.Value; id.AddClaim(new Claim(ClaimTypes.Name, email)); } } ...
angularjs,azure,asp.net-web-api,azure-active-directory
If I understand your question correctly you have the following setup: In AAD, you have a single tenant where there is a single Web API registered. In the same tenant, you have multiple, equivalent client applications registered, which correlate to the different environments you have set up on your end. This...
azure,azure-active-directory,ws-federation,adfs3.0
It's the normal adfs/ls. You just need to configure the URL and URI. Refer: Azure AD as IdP with AD FS as RP....
The REST method for achieving transitive group retrieval is documented in http://msdn.microsoft.com/en-us/library/dn424889.aspx The Graph Client 2.x supports transitive group retrieval as well. HTH V....
c#,linq,azure-active-directory
Couple of things going on here - and I'm afraid I don't have any decent answers for you. Firstly our client library doesn't support the kind of construct you are attempting, but I believe we're fixing that pretty soon. A bigger issue is that our service side doesn't support querying...
authentication,azure,azure-active-directory,azure-sdk-.net
You can't register a new application using the Graph API from an unregistered client. The only reason the VS2013 flow works is because VS2013 is already registered in a special way within Azure AD -- it's a first party application and has unique permissions. In my Fiddler trace, VS2013 uses...
Thanks for your question! You can query /groups with a filter expression to get the Group object for your group and then grab the objectId property to use for the isMemberOf function from that. For example: https://graph.windows.net/myorganization/groups?api-version=1.5&$filter=displayName%20eq%20'Example%20Group' You can learn more about the filterable properties for groups here: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#GroupEntity Hope...
single-page-application,claims-based-identity,azure-active-directory,adal,office365-apps
http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/ In OAuth2 and OpenId Connect you do so by passing the target domain in the “domain_hint” parameter. In ADAL you can pass it via the following: AuthenticationResult ar = ac.AcquireToken("https://developertenant.onmicrosoft.com/WebUXplusAPI", "71aefb3b-9218-4dea-91f2-8b23ce93f387", new Uri("http://any"), PromptBehavior.Always, UserIdentifier.AnyUser, "domain_hint=mydomain.com"); In the OWIN middleware for OpenId Connect you can do the same in...
azure,azure-mobile-services,azure-active-directory
One option would be to have your PHP app serve a page using the Mobile Services JavaScript SDK and have it perform the login. You'll get the same token that you would in your mobile app. To your question on authorization, as long as you're making subsequent backend calls through...
security,azure,azure-active-directory
I would recommend starting by reading up on the Claims-based Identity model. The current version of WIF (Windows Identity Framework) supports claims based identity. In a nutshell this model is much more extensible (say Federation) and you don't have to worry about the nitty gritty details of security code. You...
api,azure,graph,azure-active-directory,graph-api-explorer
In graph API, "applications" represent application configuration that developers register in their tenant. Gallery apps are no different (and happen to be registered in a special tenant). When you acquire an application (like a gallery app, or consent to a custom application someone else has developed), an application instance gets...
oauth,ms-office,ews,multi-tenant,azure-active-directory
Ah-ah! Forget the use of your tenant ID when talking with the Graph API if you develop a multi-tenant app with OAuth! The equivalent to "common" when requesting a token for a user in or outside your tenancy is... "myorganization"! This will work: https://graph.windows.net/myorganisation/me?api-version=2013-11-08 Oh, it was clearly written in...
c#,azure,authorization,azure-active-directory
Yes. The getMemberObjects API returns all groups (transitive) of which the user is a member: https://msdn.microsoft.com/en-us/library/azure/dn835117.aspx . Also, using the checkMemberGroups API you can check whether or not the user is member of a group (transitively): https://msdn.microsoft.com/en-us/library/azure/dn835107.aspx However for your requirement the application roles feature of Azure AD might be...
asp.net-mvc,azure,asp.net-mvc-5,owin,azure-active-directory
I think HttpModules is the old way of handling things like AuthZ in the pipeline. HttpModules are part of the infrastructure that was built at the same time as web forms. If you are making a modern web api like Web Api or an MVC app, I suggest forgetting about...
asp.net,oauth-2.0,azure-active-directory
Azure AD supports the OAuth2.0 flow that you can execute once the user has signed in using passive authentication, to receive access tokens to make delegated calls to WebAPIs on behalf of the user. You can use the Active Directory Authentication Library (ADAL SDK) to execute the OAuth flow. This...
azure,oauth-2.0,azure-active-directory
It seems like this won't work, we choose to use OpenIdConnect instead which worked fine.
Yep. You simply need to specify your home realm using a different syntax. See http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/
azure,active-directory,office365,azure-active-directory
Indeed. Use the tenantDetails API (https://graph.windows.net/{tenantDomain}/tenantDetails?api-version={version}), to get the display name of the directory and all verified domains associated with it. Documented here: http://msdn.microsoft.com/en-us/library/azure/hh974467.aspx. Below is the trimmed output for my tenant. Hope this helps. { "odata.metadata": "https://graph.windows.net/dushyantgill.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.TenantDetail", "value": [ { "odata.type":...
asp.net-web-api,oauth-2.0,azure-active-directory,katana
Ben, Application Permissions are declared in the appRoles section of the manifest. Indeed, if you declare an appRole called say 'trusted' in your resource application's (storage broker demo) manifest - it will show up in the Application Permissions drop down there. Then, when you assign that Application Permission to the...
azure,azure-mobile-services,azure-active-directory,adal
In Mobile Service Identity configuration, for Azure AD as you ask, the following parameters are requested: App URL, Client ID, Allowed Tenants. Package SID is related to MSA account authentication. Azure AD is last at the bottom. Refer to: Register your apps to use an Azure Active Directory Account login In...
The answer was that I needed to be set up as a Global Administrator in the Azure AD domain.
azure,single-sign-on,soa,azure-active-directory
Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SaaS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms. The following should see you through:...