application created with New-MsolServicePrincipal not showing up in Azure portal
powershell,azure-active-directory
The applications you see in the portal are projections of the Application entities in the directory. The apps created via powershell are only ServicePrincipals I believe. For a detailed explanation of the difference between the two see http://msdn.microsoft.com/en-us/library/azure/dn132633.aspx
Azure Active Directory Login: Web App Permissions, User Consent not triggered
azure,oauth,active-directory,azure-active-directory
If an admin creates an application in their tenant, and requests permissions to other applications, then users in that same tenant are pre-consented for that application. I believe this is why you are not seeing the consent dialogue when user's in your tenant are signing into your application. If you...
AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials
The account used in your case is a Microsoft Account and not an Organizational Account / AAD Account. Unfortunately, Microsoft Accounts do not work at the common endpoint. If the Microsoft Account is a guest in an Azure AD tenant, then you can put that tenant name in the authority...
Azure Active Directory warning the security token service signing certificate validation failed ID1118
azure,single-sign-on,azure-active-directory
This version of the Identity&Access Tool performs a 'ChainTrust' validation each signing certificate found in the metadata. If any certificates fail the validation, this warning pops up. The metadata is retrieved over https when the channel must show proof of the private key, you should be OK. I would check...
Getting Roles for Group Membership Azure AD
azure,single-sign-on,azure-active-directory,adal
Nikhil, thanks for reporting this. We've identified the issue and are working on a fix - I shall update the thread as soon as it rolls out.
Is there a default value to the Azure Active Directory token expiration timeout?
asp.net-mvc,session,azure,session-timeout,azure-active-directory
AAD access tokens expire in 1 hour. AAD refresh tokens expire in about 14 days if they are not used. Each new refresh token starts the 14 day clock over again. This works for a total of 90 days. But after 90 days, the user will have to enter credentials...
Windows Azure Active Directory Application Setup
What worked for me was setting the passiveRedirectEnabled to true in the config file. Then the returnUrl parameter in the FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest call worked! <wsFederation passiveRedirectEnabled="true" ....> ...
Adal.js not triggering the authentication
javascript,angularjs,azure,azure-active-directory,adal
Your issue: I think you have an issue with the link. Your link should be like this:http://localhost:8081/test-ui#/dashboard <a href="#/home">Home</a> <a href="#/todoList">ToDo List</a> <a href="#/contactList">Contact List</a> Adal.Js uses requireADLogin keyword to interrupt the route change event. If you don't see any redirection, it could be related to the routechange event not...
Confirmation required - Multiple authentication with ASP.net Identity
asp.net,azure,active-directory,asp.net-identity,azure-active-directory
Absolutely possible. See the sample here, and specifically the SecurityTokenValidated handler in Startup.Auth.cs, for a good starting point. https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet -- Rich...
asp.net azure active directory user profile data
c#,sql-server,asp.net-mvc,asp.net-identity,azure-active-directory
I have a couple of options to suggest here. Option 1 - you can use your own application profile store, for storing additional user profile information for properties not present in the directory. Basically when your app gets a user token (or a JWT token) for the signed in user,...
Is it possible to manage userprofiles in azure AD by c#?
c#,sharepoint,office365,azure-active-directory
You can write an application that can update all user (and group) properties that are stored in Azure AD through the Azure AD Graph API. You can either use direct calls to the REST API or use the c# and the .Net client library. For more information I would recommend...
Azure AD application roles
asp.net-mvc,web-api,asp.net-web-api2,azure-active-directory,openid-connect
It turns out the following should be added to Startup.Auth: TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = true, // map the claimsPrincipal's roles to the roles claim RoleClaimType = "roles", } It is actually configuring 'roles' claim type in order to map it with the default behavior. Excellent explanation is...
Modify Users via Exchange Online REST Api
powershell,azure,exchangewebservices,azure-active-directory
Here's the way to attack this problem the easy method, using the PowerShell module. Since you already have access to a great and fully featured PowerShell tool, there's really no reason to do this by hand with a REST API, in my experience. Using the MSONline Module We can do...
How to check if an azure active directory user is already in an approle
c#,asp.net,azure,azure-active-directory
Sorry for the late response. The following code worked for me. Not sure if you need to use the IUserFetcher interface, but your LINQ query fails because you are comparing the objectID of the assignment, with the appRole Id. What you need to compare is the ID of the assignment....
Cant use my microsoft account to log into my test app using active directory
azure,azure-web-roles,adfs,azure-active-directory
krilovich, Azure AD login page does very basic disambiguation between Organizational and Live accounts and fails when the Live account doesn't look like the typical ones (@outlook.com/@hotmail.com etc.). We plan to improve this experience. However currently the only option is to show two login buttons in your app, one for...
Not getting upn (unique principal name) in claims in Azure AD authentication
azure,azure-active-directory,upn
You will get UPN in claims only if you are the user of that Azure Active Directory if you are listing as other user to that directory, you will not get UPN in claims. For experiment you can create a user in the directory with "New user in your Organization"...
OData error: “A value without a type name was found and no expected type is available.” when calling Azure Active Directory Graph API
asp.net,azure,active-directory,openid,azure-active-directory
I had the same problem just now! I have an application which have been working for a couple of weeks and hasn't been changed. I've got it working by upgrading "Microsoft.Azure.ActiveDirectory.GraphClient" from version 2.0.5 to 2.0.6
WAAD Authentication with WebAPI OData service consumed by Excel PowerQuery
asp.net-web-api,odata,single-sign-on,azure-active-directory,powerquery
Here is the expected flow between PowerQuery and an OData service during authentication: When you enter the URI to your service in the builder, click ok, you will get a credential prompt asking for your credentials to access the service. Typically, you would choose Organizational Account if Azure Active Directory...
Using Directory Roles for authorization in ASP.NET MVC application using AAD
asp.net-mvc,owin,azure-active-directory
Varun, in the coming weeks we are planning to add a new claim in the token that contains the well-known identifiers of the directory roles that the user belongs to. Stay tuned for that. Until then the best option is to query the Graph API at login, determine the directory...
Adding an additional Windows Azure AD delegated permission to an existing grant
ms-office,office365,azure-active-directory
The Azure folks are working on implementing passing scopes in each request. In the meantime, the guidance they've given is that you do not include prompt=consent with every request. Instead, if you get an Unauthorized error, then you fall back on re-requesting with prompt=consent.
How to get all users that belong in an AppRole using Azure Active Directory Graph API
c#,azure,azure-active-directory
I finally figured out the answer. In order get to AppRoleAssignments off the ServicePrincipal you need to query the list directly rather than trying to expand it off the ServicePrincipal: await client.ServicePrincipals .GetByObjectId(servicePrincipalObjectId) .AppRoleAssignedTo .ExecuteAsync() Then you have to manually walk through the users and groups to get a final...
How to get a token with a specific group claim from azure-active-directory
azure,oauth,jwt,azure-active-directory,adal
As of today there is no way for AAD to send a subset of the user's group. A possible trick would be to define a role for your app, and then assign that group to the role. In that case you'll see the role in the token only if the...
Why isn't my Azure Website accepting OAuth tokens?
azure,oauth,claims-based-identity,azure-active-directory
So it turns out that I was using the Uri class to validate the App ID URI. Problem is, it adds a trailing slash onto to the end, which causes problems. As soon as I started using the string class to store the App ID URI, it was fine. So...
User identification claim in OpenID connect
azure-active-directory,openid-connect,auth0
OpenID Connect has standardized the sub claim for the primary user identifier. Alternatively you may be able to use the mail claim, with the caveat that e-mail addresses can be reassigned, and sub should not be.
Error adding Office 365 Unified API (preview) to Azure AD
office365,azure-active-directory,outlook-restapi
Do you get a correlation id? what happens if you refresh the page?
Authentication failed with Azure Active Directory in Windows Phone
windows,azure,windows-phone-8,azure-active-directory
this might be related to a known problem with the WebAuthenticationBroker on Windows Phone 8.1: it cannot be invoked until the full UX of the app has been loaded. Please take a look to this thread for a description of the issue and proposed workarounds: https://social.msdn.microsoft.com/Forums/vstudio/en-US/95c6569e-2fa2-43c8-af71-939e006a9b27/mobile-services-loginasync-remote-procedure-call-failed-hresult-0x800706be?forum=azuremobile HTH V.
Azure AD Change Password with patch call
c#,azure,azure-active-directory,change-password,http-patch
I found the error. I was using user_id as UPN and you cant use a password that have the UPN in it. So I changed the way I made the UPN and it works like a charm!
How to get user name, email, etc. from MobileServiceUser?
c#,wpf,azure,azure-mobile-services,azure-active-directory
That is the userID of Azure Active Directory. You need to create a service to expose your AAD info through a service and retrieve the additional information using the access token you get from your user. First: ServiceUser user = this.User as ServiceUser; var identities = await user.GetIdentitiesAsync(); var aad...
Create schema extensions in Azure AAD Request_MultipleObjectsWithSameKeyValue
c#,asp.net-mvc,azure,azure-active-directory
The error message is correct, which is, that your extension property does actually exist in your directory. The problem is in your GetProperties method. When I authored the blog there was an issue in the Graph client libraries and apparently the problem still exists, which is, the ExtensionProperties property always...
Check Office365 session
azure,office365,azure-active-directory
The code you wrote there does not work in a web application. It might work while you are hitting localhost, but as soon as you deploy your web app to an actual server it will not be able to pop out the dialog. Did you get that code form some...
Azure ADAL Refresh id_token
owin,azure-active-directory,openid-connect,adal
In general you cannot use a refresh_token to renew an id_token because an id_token represents user authentication, information that cannot be refreshed without the user present. The way to refresh an id_token is described in the Session Management draft of OpenID Connect (http://openid.net/specs/openid-connect-session-1_0.html) i.e. by sending the user (agent) off...
Azure Active Directory as simply user/role validation service
1 - sure you can. There is no endpoint to perform validation, but it's easy to validate incoming tokens - we offer components that automate it. See https://github.com/AzureADSamples/NativeClient-DotNet for an example. The same location on guthub has lots of other samples demonstrating different scenarios. 2 - I am not certain...
How I connect to Azure Access Panel with a Microsoft Account
When user [email protected] signs in to the Access Panel, the directories that user has access to can be selected from the dropdown box in the upper-right corner of the panel next to the username (see example below). ...
Turn off Single -Sign-On during debugging
authentication,azure,azure-active-directory
Without Auth you won't be able to exercise many scenarios in your app while development. Assuming from your tag that this is an Azure AD integrated app, you could add a localhost reply URL to the application in Azure AD and enable SSO in dev mode as well as prod...
Azure, login to separate accounts with one email
You can only view subscriptions for a single directory at a time. If you click your name in the top right corner of the portal you can select which directory you want to work from. There is a suggestion on the Azure feedback site to add the ability to view...
Access Window Azure Active Directory from web API controller to resolve user based on id (v-id)
RamLaki - have a look at the Graph API samples in the AzureADSamples org on Github: https://github.com/AzureADSamples. I believe the WebApp-GraphAPI-DotNet and/or ConsoleApp-GraphAPI-DotNet C# samples demonstrate retrieving a User by UPN/email. The Graph API doc has details on the User entity and the filterable properties: https://msdn.microsoft.com/en-us/library/azure/hh974483.aspx
Getting username and group info from Azure using adal4j
azure,active-directory,azure-active-directory,adal
First, you're absolutely right, adal4j was failing to return UserInfo. The reason for this was that the token request did not include the scope=openid parameter, which is required if the caller wants an id_token in the response. I opened an issue, and it has already been resolved. So, an updated...
Access Azure Active Directory secured site from other web application
asp.net,azure,active-directory,azure-active-directory
It looks like you have a WebAPI secured using Azure AD (what you refer to as web application) and a WebApp (what you refer to as site) that needs to access the WebAPI. If this is indeed the case, you can register both the WebApp and WebAPI as applications in...
How do I authenticate via Azure Active Directory with multi-tenant ASP.NET applications?
asp.net,iis,azure,azure-active-directory
You can most definitely leverage Azure AD on apps running on your own server. You should not need to apply settings at the IIS level. When you use Azure AD the windows integrated auth would take place between the client and Azure AD endpoints - that results in a token...
ADAL user consent triggered even when admin has already consented
c#,azure,console-application,azure-active-directory,adal
Your test app is a native client. In OAuth terms it is a public client. Those terms apply to any client that does not have a client secret or certificate credential of its own. The admin consent feature does not apply to native clients and only works for web applications....
Add custom claims to ASP.NET MVC with organizational account (multiple tenants)
asp.net-mvc,azure,claims-based-identity,azure-active-directory
For organizational account authentication, the templates setup HTTP handlers to handle authentication of your users. If you look in your web.config you will see two modules that were added to your project, which are the WSFederationAuthenticationModule and the SessionAuthenticationModule. As such, it's an entirely different authentication and authorization dance than...
Passing Authentication from WebApp to WebAPI using BreezeJS
odata,breeze,asp.net-web-api2,single-page-application,azure-active-directory
After some tinkering with the HTTP requests, I found out that the Bearer token that we were expecting to be passed on to server was actually not happening. Reason being we were not using ajaxAdapter in breeze. We had to add that header ourselves and send the request. We had...
ADAL: W8.1 app trying to log user out
azure,windows-8.1,azure-active-directory,adal
The actual user session is determined by two different components: the token cache (under ADAL's control) and any session tracking cookies that might be present in the system (not under ADAL's control). As you point out, you can easily take care of the token cache part. However the logic you...
X509CertificateCredential or some simple way to authenticate to azure active directory for windows service
Your scenario requires daemon services to securely communicate with a web API. For this, the services need to be given an identity that the web API understands. Further, the services need to be given a credential using which they can get a token that proves their identity to the web...
'authority' should be in Uri format Parameter name: authority
c#,asp.net-mvc,azure,azure-active-directory,adal
You need to pass Authority to AuthenticationContext() instead of aadInstance: // Instantiate an AuthenticationContext for my directory (see authString above). AuthenticationContext authenticationContext = new AuthenticationContext(authority, false); ...
Azure AD Graph API cannot access Microsoft Account
You are missing your domain in the URL you posted. It should be https://graph.windows.net/[your Azure AD domain]/users To get the email address for a user you need to add the object Id of the user in the request URL. So, for example, to get an Azure AD user it would...
Add user to Azure AD from another Azure AD via powershell
powershell,azure,office365,azure-active-directory
Unfortunately, as you had guessed, this functionality is not currently available through Azure AD PowerShell. It is something that we'd like to add in the future, but I don't have an exact timeframe for this yet.
setting up azure ad certificate auth using powershell
powershell,azure,azure-active-directory
The 'value' field for the key credentials is always returned as 'null' for applications and service principals.
Azure returns bearer token even with incorrect password
The 2nd time you are hitting the cache.
Azure Active Directory AcquireTokenAsync doesn't trigger event
c#,win-universal-app,azure-active-directory
Did you use the Windows Phone sample https://github.com/AzureADSamples/NativeClient-WindowsPhone8.1 as starting point? Does the sample work on its own, before integrating it in the universal app solution? I would recommend adding breakpoints in the App.xaml.cs code to ensure that the continuation events are correctly hooked up.
Web API 401 Redirect Azure Active Directory OpenIdConnect
web-api,azure-active-directory,openid-connect
Mixing authentication for MVC (as in web UX) and Web API requires special care. See here for an example of how you can combine the two. I know you already read a lot about the theory behind this, but you you want yet another (not required, the sample above alone...
Create Azure AD ClientCredentials Key from PowerShell
powershell,azure,azure-active-directory,adal
Please try using Password as the key type: New-MsolServicePrincipalCredential -AppPrincipalId $appId ` -Type Password ` -StartDate ([DateTime]::Now.AddMinutes(-5)) ` -EndDate ([DateTime]::Now.AddMonths(1)) ` -Value "$newPassword" Hope this helps...
Validate access token for WEB API protected by Azure AD
azure,asp.net-web-api,azure-active-directory
In your service start up you register OWIN and when your controller is decorated with Authorize attribute then the authentication challenge will happen and OWIN will try to validate the token on each request.. The token validation happens because you have OWIN Dll references AND you have the startup.auth class...
TeamCity and Office365 / Windows Active Directory integration
teamcity,office365,azure-active-directory
I'm working on this integration at the moment. Will announce it via @lodkin twitter account. update: plugin home page https://github.com/ekoshkin/teamcity-azure-active-directory
Accessing Calendar, Mail and Contacts of an OAuthenticated user
oauth,ews,azure-active-directory
You have a choice: Call the separate service apis - Your problem is that you acquired a token to call AAD, and then tried to use that to call Outlook - you need to make a separate call to acquire a token for outlook.office365.com through ADAL or through the token...
Azure AD User management delegation
azure,active-directory,azure-active-directory
You can achieve your goal with your current setup by using the Azure AD Graph API. Using the Azure AD Graph API Client library as a base and create a local area in your application, where given Administrator user for your application can manage users and groups in the Azure...
Azure Active Directory and Windows Authentication
azure,visual-studio-2013,.net-4.5,azure-active-directory
No, Windows authentication depends on Kerberos (or NTLM), which needs an Active Directory domain to authenticate the user in. Azure Active Directory does not handle Kerberos tokens. You can have your users authenticate against ADFS using the Kerberos protocol and federate the security token in ACS....
Why is my “access grant malformed” in Azure AD?
python,azure,azure-active-directory
Your token request is failing because of the query parameter at the end of your redirect uri. OAuth redirect URI's should not have any query parameters or fragments. You can use the state parameter instead. I don't think that the authorize call should have succeeded either, but clearly it did....
Office 365 and Azure Integration
asp.net-mvc,azure,office365,azure-active-directory
Chris, your first assumption is correct. Customers that have an Office 365 subscription do not necessarily have an Azure subscription too. However this doesn't prohibit them from signing up for applications like yours using their Office 365 Azure AD and using single sign-on with their Office 365 accounts. During sign-up...
Missing assembly reference Microsoft.IdentityModel.Clients.ActiveDirectory
c#,xamarin,monodroid,azure-active-directory,assembly-references
So I found out what was the problem. I had to use a specific version of the package since it's a pre-released version. I had to install 3.0.110281957 exactly then it recognize the reference as I needed.
Get member-groups in Azure AD Graph API
The AAD Graph API currently returns 100 items per page. If the request you make is for more than one page of data, the response will contain a link to the next page of data. From Supported Queries, Filters, and Paging Options in Azure AD Graph API: A response that...
MVC AZURE WA AD Singout without ACS
asp.net-mvc-4,azure,azure-active-directory,logoff
The answer depends on what protocol and identity middleware/framework you're using to sign in to Azure AD. If you built your app in VS2012 and used the Identity and Access tool to connect it to Azure AD, you're probably using WS-Federation (protocol) and Windows Identity Foundation (WIF) 4.5 (framework). The...
Enable Azure Active Directory Access Control with Office 365 Azure Active Directory tenant
azure,active-directory,office365,azure-active-directory,azure-acs
I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any creditcard. When you have e.g. a pay-as-you-go subscription you should be able to create a ACS namespace. I just tried...
Azure Active Directory: Get user's UPN with OpenID Connect authentication
active-directory,openid,azure-active-directory
Indeed. Get the ObjectId of the user from the objectidentifier claim, using: ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value UPN property is set by default for regular Organizational accounts - whereas you are signing is as an MSA (Microsoft Account) external user. MSA external users do not have the UPN property set by default. That said,...
Multiple AzureAD Admins On Single Azure Tenant
azure,azure-active-directory,ws-federation
You need to add those "organisational" accounts as co-administrators via the Azure Management Portal. See here: http://msdn.microsoft.com/en-us/library/azure/gg456328.aspx
Obtaining a users Application access from Azure Graph API
api,azure,office365,azure-active-directory
Thanks for reporting the bug. Fixed in Graph Client Library 2.0.5.
Setting a valid Azure AD uri for PhoneGap
cordova,mobile,oauth-2.0,uri,azure-active-directory
After some further research, I managed to find a solution to the authentication problem. The problem with authentication through Azure is that Azure expects a valid return uri. I had at first considered implementing a custom url scheme for it to return to, but this was also not considered valid....
Integrating Azure AD applications into Office 365 App Launcher
ms-office,owin,office365,azure-active-directory,adal
This was recently fixed to use the sign on url of the web application rather that the reply address. Can you try that please and let us know if this now works for you? Thanks...
Azure Active Directory Users (type=User with an existing user account) Json to List Model is giving null
c#,json,azure,single-sign-on,azure-active-directory
I got the saluting :) Add this block in your global.asax protected void Application_PostAuthenticateRequest(Object sender, EventArgs e) { ClaimsIdentity id = ((ClaimsIdentity)User.Identity); Claim claim = id.FindFirst(ClaimTypes.Email); if (claim != null) { string email = claim.Value; id.AddClaim(new Claim(ClaimTypes.Name, email)); } } ...
Azure Active Directory for Web API and clients using OAuth for multiple environments
angularjs,azure,asp.net-web-api,azure-active-directory
If I understand your question correctly you have the following Setup: In AAD, you have a single tenant where there is a single Web API registered. In the same tenant, you have multiple, equivalent client applications registered, which correlate to the different environments you have set-up on your end. This...
federate azure active directory with on premise ADFS
azure,azure-active-directory,ws-federation,adfs3.0
It's the normal adfs/ls. You just need to configure the URL and URI. Refer: Azure AD as IdP with AD FS as RP....
Azure Graph API get all Users in multiple groups
The REST method for achieving transitive group retrieval is documented in http://msdn.microsoft.com/en-us/library/dn424889.aspx The Graph Client 2.x supports transitive group retrieval as well. HTH V....
How can you use LINQ to find Azure AD users with specific licenses using the Azure AD Graph API Client Library 2.0
c#,linq,azure-active-directory
Couple of things going on here - and I'm afraid I don't have any decent answers for you. Firstly our client library doesn't support the kind of construct you are attempting, but I believe we're fixing that pretty soon. A bigger issue is that our service side doesn't support querying...
Connect to Azure to create an Application registration
authentication,azure,azure-active-directory,azure-sdk-.net
You can't register a new application using the Graph API from an unregistered client. The only reason the VS2013 flow works is because VS2013 is already registered in a special way within Azure AD -- it's a first party application and has unique permissions. In my Fiddler trace, VS2013 uses...
how to get the groupId from group name in AAD graph API
thanks for your question! You can query /groups with a filter expression to get the Group object for your group and then grab the objectId property to use for the isMemberOf function from that. For example: https://graph.windows.net/myorganization/groups?api-version=1.5&$filter=displayName%20eq%20'Example%20Group' You can learn more about the filterable properties for groups here: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#GroupEntity Hope...
Skip “login.windows.net” and redirect to federated ADFS
single-page-application,claims-based-identity,azure-active-directory,adal,office365-apps
http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/ In OAuth2 and OpenId Connect you do so by passing the target domain in the “domain_hint” parameter. In ADAL you can pass it via the following: AuthenticationResult ar = ac.AcquireToken("https://developertenant.onmicrosoft.com/WebUXplusAPI", "71aefb3b-9218-4dea-91f2-8b23ce93f387", new Uri("http://any"), PromptBehavior.Always, UserIdentifier.AnyUser, "domain_hint=mydomain.com"); In the OWIN middleware for OpenId Connect you can do the same in...
Authenticating a PHP Web App with Azure Active Directory and Azure Mobile Services
azure,azure-mobile-services,azure-active-directory
One option would be to have your PHP app serve a page using the Mobile Services JavaScript SDK and have it perform the login. You'll get the same token that you would in your mobile app. To your question on authorization, as long as you're making subsequent backend calls through...
Azure Authentification and Authorization
security,azure,azure-active-directory
I would recommend starting by reading up on the Claims-based Identity model. The current version of WIF (Windows Identity Framework) supports claims based identity. In a nutshell this model is much more extensible (say Federation) and you don't have to worry about the nitty gritty details of security code. You...
Azure Graph API
api,azure,graph,azure-active-directory,graph-api-explorer
In graph API, "applications" represent application configuration that developers register in their tenant. Gallery apps are no different (and happen to be registered in a special tenant). When you acquire an application (like a gallery app, or consent to a custom application someone else has developed), an application instance gets...
Microsoft Graph API Accessing basic info of a user that is outside tenancy
oauth,ms-office,ews,multi-tenant,azure-active-directory
Ah-ah! Forget the use of your tenant ID when talking with the Graph API if you develop a multi-tenant app with OAuth! The equivalent to "common" when requesting a token for a user in or outside your tenancy is... "myorganization"! This will work: https://graph.windows.net/myorganisation/me?api-version=2013-11-08 Oh, it was clearly written in...
Azure AD Graph API User memberOf nested groups
c#,azure,authorization,azure-active-directory
Yes. The getMemberObjects API returns all groups (transitive) of which the user is a member: https://msdn.microsoft.com/en-us/library/azure/dn835117.aspx . Also, using the checkMemberGroups API you can check whether or not the user is member of a group (transitively): https://msdn.microsoft.com/en-us/library/azure/dn835107.aspx However for your requirement the application roles feature of Azure AD might be...
Use OWIN to connect an ASP.NET MVC application to Azure AD or use the default templates
asp.net-mvc,azure,asp.net-mvc-5,owin,azure-active-directory
I think HttpModules is the old way of handling things like AuthZ in the pipeline. HttpModules are part of the infrastructure that was built at the same time as web forms. If you are making a modern web api like Web Api or an MVC app, i suggest forget about...
Need Guidance Implementing OAuth 2.0 in ASP.NET App
asp.net,oauth-2.0,azure-active-directory
Azure AD supports the OAuth2.0 flow that you can execute once the user has signed in using passive authentication, to receive access tokens to make delegated calls to WebAPIs on behalf of the user. You can use the Active Directory Authentication Library (ADAL SDK) to execute the OAuth flow. This...
Azure AD OAuth2 No permission to access user information
azure,oauth-2.0,azure-active-directory
It seems like this won't work, we choose to use OpenIdConnect instead which worked fine.
Azure AD Premium Branding And OpenID
Yep. You simply need to specify your home realm using a different syntax. See http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/
Get Organization ID or domain from Azure AD Graph
azure,active-directory,office365,azure-active-directory
Indeed. Use the tenantDetails API (https://graph.windows.net/{tenantDomain}/tenantDetails?api-version={version}), to get the display name of the directory and all verified domains associated with it. Documented here: http://msdn.microsoft.com/en-us/library/azure/hh974467.aspx. Below is the trimmed output for my tenant. Hope this helps. { "odata.metadata": "https://graph.windows.net/dushyantgill.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.TenantDetail", "value": [ { "odata.type":...
Configure Application Permissions in Azure AD
asp.net-web-api,oauth-2.0,azure-active-directory,katana
Ben, Application Permissions are declared in the appRoles section of the manifest. Indeed, if you declare an appRole called say 'trusted' in your resource application's (storage broker demo) manifest - it will show up in the Application Permissions drop down there. Then, when you assign that Application Permission to the...
How do I secure an Azure Mobile Service with Azure AD? ADAL.JS
azure,azure-mobile-services,azure-active-directory,adal
In Mobile Service Identity configuration, for Azure AD as you ask, following parameters are requested App URL Client ID Allowed Tenants Package SID is related to MSA account authentication. Azure AD is last at the bottom. Refer to: Register your apps to use an Azure Active Directory Account login In...
Why as a co-administrator of a subscription am I unable to edit the Active Directory?
The answer was that I needed to be set up as a Global Administrator in the Azure AD domain.
multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory
azure,single-sign-on,soa,azure-active-directory
Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms. The following should see you through:...