
application created with New-MsolServicePrincipal not showing up in Azure portal

powershell,azure-active-directory

The applications you see in the portal are projections of the Application entities in the directory. The apps created via powershell are only ServicePrincipals I believe. For a detailed explanation of the difference between the two see http://msdn.microsoft.com/en-us/library/azure/dn132633.aspx

Azure Active Directory Login: Web App Permissions, User Consent not triggered

azure,oauth,active-directory,azure-active-directory

If an admin creates an application in their tenant, and requests permissions to other applications, then users in that same tenant are pre-consented for that application. I believe this is why you are not seeing the consent dialogue when users in your tenant are signing into your application. If you...

AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials

azure-active-directory

The account used in your case is a Microsoft Account and not an Organizational Account / AAD Account. Unfortunately, Microsoft Accounts do not work at the common endpoint. If the Microsoft Account is a guest in an Azure AD tenant, then you can put that tenant name in the authority...

Azure Active Directory warning the security token service signing certificate validation failed ID1118

azure,single-sign-on,azure-active-directory

This version of the Identity&Access Tool performs a 'ChainTrust' validation on each signing certificate found in the metadata. If any certificates fail the validation, this warning pops up. The metadata is retrieved over https; when the channel must show proof of the private key, you should be OK. I would check...

Getting Roles for Group Membership Azure AD

azure,single-sign-on,azure-active-directory,adal

Nikhil, thanks for reporting this. We've identified the issue and are working on a fix - I shall update the thread as soon as it rolls out.

Is there a default value to the Azure Active Directory token expiration timeout?

asp.net-mvc,session,azure,session-timeout,azure-active-directory

AAD access tokens expire in 1 hour. AAD refresh tokens expire in about 14 days if they are not used. Each new refresh token starts the 14 day clock over again. This works for a total of 90 days. But after 90 days, the user will have to enter credentials...

Windows Azure Active Directory Application Setup

azure-active-directory

What worked for me was setting the passiveRedirectEnabled to true in the config file. Then the returnUrl parameter in the FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest call worked! <wsFederation passiveRedirectEnabled="true" ....> ...

Adal.js not triggering the authentication

javascript,angularjs,azure,azure-active-directory,adal

Your issue: I think you have an issue with the link. Your link should be like this: http://localhost:8081/test-ui#/dashboard <a href="#/home">Home</a> <a href="#/todoList">ToDo List</a> <a href="#/contactList">Contact List</a> Adal.Js uses the requireADLogin keyword to interrupt the route change event. If you don't see any redirection, it could be related to the routechange event not...

Confirmation required - Multiple authentication with ASP.net Identity

asp.net,azure,active-directory,asp.net-identity,azure-active-directory

Absolutely possible. See the sample here, and specifically the SecurityTokenValidated handler in Startup.Auth.cs, for a good starting point. https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet -- Rich...

asp.net azure active directory user profile data

c#,sql-server,asp.net-mvc,asp.net-identity,azure-active-directory

I have a couple of options to suggest here. Option 1 - you can use your own application profile store, for storing additional user profile information for properties not present in the directory. Basically when your app gets a user token (or a JWT token) for the signed in user,...

Is it possible to manage userprofiles in azure AD by c#?

c#,sharepoint,office365,azure-active-directory

You can write an application that can update all user (and group) properties that are stored in Azure AD through the Azure AD Graph API. You can either use direct calls to the REST API or use the c# and the .Net client library. For more information I would recommend...

Azure AD application roles

asp.net-mvc,web-api,asp.net-web-api2,azure-active-directory,openid-connect

It turns out the following should be added to Startup.Auth: TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters { ValidateIssuer = true, // map the claimsPrincipal's roles to the roles claim RoleClaimType = "roles", } It is actually configuring 'roles' claim type in order to map it with the default behavior. Excellent explanation is...

Modify Users via Exchange Online REST Api

powershell,azure,exchangewebservices,azure-active-directory

Here's the way to attack this problem the easy method, using the PowerShell module. Since you already have access to a great and fully featured PowerShell tool, there's really no reason to do this by hand with a REST API, in my experience. Using the MSONline Module We can do...

How to check if an azure active directory user is already in an approle

c#,asp.net,azure,azure-active-directory

Sorry for the late response. The following code worked for me. Not sure if you need to use the IUserFetcher interface, but your LINQ query fails because you are comparing the objectID of the assignment, with the appRole Id. What you need to compare is the ID of the assignment....

Can't use my Microsoft account to log into my test app using Active Directory

azure,azure-web-roles,adfs,azure-active-directory

krilovich, Azure AD login page does very basic disambiguation between Organizational and Live accounts and fails when the Live account doesn't look like the typical ones (@outlook.com/@hotmail.com etc.). We plan to improve this experience. However currently the only option is to show two login buttons in your app, one for...

Not getting upn (unique principal name) in claims in Azure AD authentication

azure,azure-active-directory,upn

You will get UPN in claims only if you are a user of that Azure Active Directory; if you are listed as another user to that directory, you will not get UPN in claims. For the experiment you can create a user in the directory with "New user in your Organization"...

OData error: “A value without a type name was found and no expected type is available.” when calling Azure Active Directory Graph API

asp.net,azure,active-directory,openid,azure-active-directory

I had the same problem just now! I have an application which has been working for a couple of weeks and hasn't been changed. I've got it working by upgrading "Microsoft.Azure.ActiveDirectory.GraphClient" from version 2.0.5 to 2.0.6

WAAD Authentication with WebAPI OData service consumed by Excel PowerQuery

asp.net-web-api,odata,single-sign-on,azure-active-directory,powerquery

Here is the expected flow between PowerQuery and an OData service during authentication: When you enter the URI to your service in the builder, click ok, you will get a credential prompt asking for your credentials to access the service. Typically, you would choose Organizational Account if Azure Active Directory...

Using Directory Roles for authorization in ASP.NET MVC application using AAD

asp.net-mvc,owin,azure-active-directory

Varun, in the coming weeks we are planning to add a new claim in the token that contains the well-known identifiers of the directory roles that the user belongs to. Stay tuned for that. Until then the best option is to query the Graph API at login, determine the directory...

Adding an additional Windows Azure AD delegated permission to an existing grant

ms-office,office365,azure-active-directory

The Azure folks are working on implementing passing scopes in each request. In the meantime, the guidance they've given is that you do not include prompt=consent with every request. Instead, if you get an Unauthorized error, then you fall back on re-requesting with prompt=consent.

How to get all users that belong in an AppRole using Azure Active Directory Graph API

c#,azure,azure-active-directory

I finally figured out the answer. In order to get AppRoleAssignments off the ServicePrincipal you need to query the list directly rather than trying to expand it off the ServicePrincipal: await client.ServicePrincipals .GetByObjectId(servicePrincipalObjectId) .AppRoleAssignedTo .ExecuteAsync() Then you have to manually walk through the users and groups to get a final...

How to get a token with a specific group claim from azure-active-directory

azure,oauth,jwt,azure-active-directory,adal

As of today there is no way for AAD to send a subset of the user's group. A possible trick would be to define a role for your app, and then assign that group to the role. In that case you'll see the role in the token only if the...

Why isn't my Azure Website accepting OAuth tokens?

azure,oauth,claims-based-identity,azure-active-directory

So it turns out that I was using the Uri class to validate the App ID URI. Problem is, it adds a trailing slash onto the end, which causes problems. As soon as I started using the string class to store the App ID URI, it was fine. So...

User identification claim in OpenID connect

azure-active-directory,openid-connect,auth0

OpenID Connect has standardized the sub claim for the primary user identifier. Alternatively you may be able to use the mail claim, with the caveat that e-mail addresses can be reassigned, and sub should not be.

Error adding Office 365 Unified API (preview) to Azure AD

office365,azure-active-directory,outlook-restapi

Do you get a correlation id? what happens if you refresh the page?

Authentication failed with Azure Active Directory in Windows Phone

windows,azure,windows-phone-8,azure-active-directory

This might be related to a known problem with the WebAuthenticationBroker on Windows Phone 8.1: it cannot be invoked until the full UX of the app has been loaded. Please take a look at this thread for a description of the issue and proposed workarounds: https://social.msdn.microsoft.com/Forums/vstudio/en-US/95c6569e-2fa2-43c8-af71-939e006a9b27/mobile-services-loginasync-remote-procedure-call-failed-hresult-0x800706be?forum=azuremobile HTH V.

Azure AD Change Password with patch call

c#,azure,azure-active-directory,change-password,http-patch

I found the error. I was using user_id as UPN and you can't use a password that has the UPN in it. So I changed the way I made the UPN and it works like a charm!

How to get user name, email, etc. from MobileServiceUser?

c#,wpf,azure,azure-mobile-services,azure-active-directory

That is the userID of Azure Active Directory. You need to create a service to expose your AAD info through a service and retrieve the additional information using the access token you get from your user. First: ServiceUser user = this.User as ServiceUser; var identities = await user.GetIdentitiesAsync(); var aad...

Create schema extensions in Azure AAD Request_MultipleObjectsWithSameKeyValue

c#,asp.net-mvc,azure,azure-active-directory

The error message is correct, which is, that your extension property does actually exist in your directory. The problem is in your GetProperties method. When I authored the blog there was an issue in the Graph client libraries and apparently the problem still exists, which is, the ExtensionProperties property always...

Check Office365 session

azure,office365,azure-active-directory

The code you wrote there does not work in a web application. It might work while you are hitting localhost, but as soon as you deploy your web app to an actual server it will not be able to pop out the dialog. Did you get that code from some...

Azure ADAL Refresh id_token

owin,azure-active-directory,openid-connect,adal

In general you cannot use a refresh_token to renew an id_token because an id_token represents user authentication, information that cannot be refreshed without the user present. The way to refresh an id_token is described in the Session Management draft of OpenID Connect (http://openid.net/specs/openid-connect-session-1_0.html) i.e. by sending the user (agent) off...

Azure Active Directory as simply user/role validation service

azure-active-directory

1 - sure you can. There is no endpoint to perform validation, but it's easy to validate incoming tokens - we offer components that automate it. See https://github.com/AzureADSamples/NativeClient-DotNet for an example. The same location on GitHub has lots of other samples demonstrating different scenarios. 2 - I am not certain...

How I connect to Azure Access Panel with a Microsoft Account

azure,azure-active-directory

When user [email protected] signs in to the Access Panel, the directories that user has access to can be selected from the dropdown box in the upper-right corner of the panel next to the username (see example below). ...

Turn off Single Sign-On during debugging

authentication,azure,azure-active-directory

Without Auth you won't be able to exercise many scenarios in your app during development. Assuming from your tag that this is an Azure AD integrated app, you could add a localhost reply URL to the application in Azure AD and enable SSO in dev mode as well as prod...

Azure, login to separate accounts with one email

azure,azure-active-directory

You can only view subscriptions for a single directory at a time. If you click your name in the top right corner of the portal you can select which directory you want to work from. There is a suggestion on the Azure feedback site to add the ability to view...

Access Window Azure Active Directory from web API controller to resolve user based on id (v-id)

azure-active-directory

RamLaki - have a look at the Graph API samples in the AzureADSamples org on Github: https://github.com/AzureADSamples. I believe the WebApp-GraphAPI-DotNet and/or ConsoleApp-GraphAPI-DotNet C# samples demonstrate retrieving a User by UPN/email. The Graph API doc has details on the User entity and the filterable properties: https://msdn.microsoft.com/en-us/library/azure/hh974483.aspx

Getting username and group info from Azure using adal4j

azure,active-directory,azure-active-directory,adal

First, you're absolutely right, adal4j was failing to return UserInfo. The reason for this was that the token request did not include the scope=openid parameter, which is required if the caller wants an id_token in the response. I opened an issue, and it has already been resolved. So, an updated...

Access Azure Active Directory secured site from other web application

asp.net,azure,active-directory,azure-active-directory

It looks like you have a WebAPI secured using Azure AD (what you refer to as web application) and a WebApp (what you refer to as site) that needs to access the WebAPI. If this is indeed the case, you can register both the WebApp and WebAPI as applications in...

How do I authenticate via Azure Active Directory with multi-tenant ASP.NET applications?

asp.net,iis,azure,azure-active-directory

You can most definitely leverage Azure AD on apps running on your own server. You should not need to apply settings at the IIS level. When you use Azure AD the windows integrated auth would take place between the client and Azure AD endpoints - that results in a token...

ADAL user consent triggered even when admin has already consented

c#,azure,console-application,azure-active-directory,adal

Your test app is a native client. In OAuth terms it is a public client. Those terms apply to any client that does not have a client secret or certificate credential of its own. The admin consent feature does not apply to native clients and only works for web applications....

Add custom claims to ASP.NET MVC with organizational account (multiple tenants)

asp.net-mvc,azure,claims-based-identity,azure-active-directory

For organizational account authentication, the templates set up HTTP handlers to handle authentication of your users. If you look in your web.config you will see two modules that were added to your project, which are the WSFederationAuthenticationModule and the SessionAuthenticationModule. As such, it's an entirely different authentication and authorization dance than...

Passing Authentication from WebApp to WebAPI using BreezeJS

odata,breeze,asp.net-web-api2,single-page-application,azure-active-directory

After some tinkering with the HTTP requests, I found out that the Bearer token that we were expecting to be passed on to server was actually not happening. Reason being we were not using ajaxAdapter in breeze. We had to add that header ourselves and send the request. We had...

ADAL: W8.1 app trying to log user out

azure,windows-8.1,azure-active-directory,adal

The actual user session is determined by two different components: the token cache (under ADAL's control) and any session tracking cookies that might be present in the system (not under ADAL's control). As you point out, you can easily take care of the token cache part. However the logic you...

X509CertificateCredential or some simple way to authenticate to azure active directory for windows service

azure-active-directory

Your scenario requires daemon services to securely communicate with a web API. For this, the services need to be given an identity that the web API understands. Further, the services need to be given a credential using which they can get a token that proves their identity to the web...

'authority' should be in Uri format Parameter name: authority

c#,asp.net-mvc,azure,azure-active-directory,adal

You need to pass Authority to AuthenticationContext() instead of aadInstance: // Instantiate an AuthenticationContext for my directory (see authString above). AuthenticationContext authenticationContext = new AuthenticationContext(authority, false); ...

Azure AD Graph API cannot access Microsoft Account

azure,azure-active-directory

You are missing your domain in the URL you posted. It should be https://graph.windows.net/[your Azure AD domain]/users To get the email address for a user you need to add the object Id of the user in the request URL. So, for example, to get an Azure AD user it would...

Add user to Azure AD from another Azure AD via powershell

powershell,azure,office365,azure-active-directory

Unfortunately, as you had guessed, this functionality is not currently available through Azure AD PowerShell. It is something that we'd like to add in the future, but I don't have an exact timeframe for this yet.

setting up azure ad certificate auth using powershell

powershell,azure,azure-active-directory

The 'value' field for the key credentials is always returned as 'null' for applications and service principals.

Azure returns bearer token even with incorrect password

azure-active-directory

The 2nd time you are hitting the cache.

Azure Active Directory AcquireTokenAsync doesn't trigger event

c#,win-universal-app,azure-active-directory

Did you use the Windows Phone sample https://github.com/AzureADSamples/NativeClient-WindowsPhone8.1 as starting point? Does the sample work on its own, before integrating it in the universal app solution? I would recommend adding breakpoints in the App.xaml.cs code to ensure that the continuation events are correctly hooked up.

Web API 401 Redirect Azure Active Directory OpenIdConnect

web-api,azure-active-directory,openid-connect

Mixing authentication for MVC (as in web UX) and Web API requires special care. See here for an example of how you can combine the two. I know you already read a lot about the theory behind this, but if you want yet another (not required, the sample above alone...

Create Azure AD ClientCredentials Key from PowerShell

powershell,azure,azure-active-directory,adal

Please try using Password as the key type: New-MsolServicePrincipalCredential -AppPrincipalId $appId ` -Type Password ` -StartDate ([DateTime]::Now.AddMinutes(-5)) ` -EndDate ([DateTime]::Now.AddMonths(1)) ` -Value "$newPassword" Hope this helps...

Validate access token for WEB API protected by Azure AD

azure,asp.net-web-api,azure-active-directory

In your service start up you register OWIN and when your controller is decorated with the Authorize attribute then the authentication challenge will happen and OWIN will try to validate the token on each request. The token validation happens because you have OWIN Dll references AND you have the startup.auth class...

TeamCity and Office365 / Windows Active Directory integration

teamcity,office365,azure-active-directory

I'm working on this integration at the moment. Will announce it via @lodkin twitter account. update: plugin home page https://github.com/ekoshkin/teamcity-azure-active-directory

Accessing Calendar, Mail and Contacts of an OAuthenticated user

oauth,ews,azure-active-directory

You have a choice: Call the separate service apis - Your problem is that you acquired a token to call AAD, and then tried to use that to call Outlook - you need to make a separate call to acquire a token for outlook.office365.com through ADAL or through the token...

Azure AD User management delegation

azure,active-directory,azure-active-directory

You can achieve your goal with your current setup by using the Azure AD Graph API. Use the Azure AD Graph API Client library as a base and create a local area in your application, where a given Administrator user for your application can manage users and groups in the Azure...

Azure Active Directory and Windows Authentication

azure,visual-studio-2013,.net-4.5,azure-active-directory

No, Windows authentication depends on Kerberos (or NTLM), which needs an Active Directory domain to authenticate the user in. Azure Active Directory does not handle Kerberos tokens. You can have your users authenticate against ADFS using the Kerberos protocol and federate the security token in ACS....

Why is my “access grant malformed” in Azure AD?

python,azure,azure-active-directory

Your token request is failing because of the query parameter at the end of your redirect uri. OAuth redirect URIs should not have any query parameters or fragments. You can use the state parameter instead. I don't think that the authorize call should have succeeded either, but clearly it did....

Office 365 and Azure Integration

asp.net-mvc,azure,office365,azure-active-directory

Chris, your first assumption is correct. Customers that have an Office 365 subscription do not necessarily have an Azure subscription too. However this doesn't prohibit them from signing up for applications like yours using their Office 365 Azure AD and using single sign-on with their Office 365 accounts. During sign-up...

Missing assembly reference Microsoft.IdentityModel.Clients.ActiveDirectory

c#,xamarin,monodroid,azure-active-directory,assembly-references

So I found out what the problem was. I had to use a specific version of the package since it's a pre-release version. I had to install 3.0.110281957 exactly; then it recognized the reference as I needed.

Get member-groups in Azure AD Graph API

c#,azure-active-directory

The AAD Graph API currently returns 100 items per page. If the request you make is for more than one page of data, the response will contain a link to the next page of data. From Supported Queries, Filters, and Paging Options in Azure AD Graph API: A response that...

MVC AZURE WA AD Singout without ACS

asp.net-mvc-4,azure,azure-active-directory,logoff

The answer depends on what protocol and identity middleware/framework you're using to sign in to Azure AD. If you built your app in VS2012 and used the Identity and Access tool to connect it to Azure AD, you're probably using WS-Federation (protocol) and Windows Identity Foundation (WIF) 4.5 (framework). The...

Enable Azure Active Directory Access Control with Office 365 Azure Active Directory tenant

azure,active-directory,office365,azure-active-directory,azure-acs

I can imagine that you cannot use the free Azure subscription for this purpose because using the Access Control Service brings costs. The free subscription is not tied to any credit card. When you have e.g. a pay-as-you-go subscription you should be able to create an ACS namespace. I just tried...

Azure Active Directory: Get user's UPN with OpenID Connect authentication

active-directory,openid,azure-active-directory

Indeed. Get the ObjectId of the user from the objectidentifier claim, using: ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value The UPN property is set by default for regular Organizational accounts - whereas you are signing in as an MSA (Microsoft Account) external user. MSA external users do not have the UPN property set by default. That said,...

Multiple AzureAD Admins On Single Azure Tenant

azure,azure-active-directory,ws-federation

You need to add those "organisational" accounts as co-administrators via the Azure Management Portal. See here: http://msdn.microsoft.com/en-us/library/azure/gg456328.aspx

Obtaining a user's Application access from Azure Graph API

api,azure,office365,azure-active-directory

Thanks for reporting the bug. Fixed in Graph Client Library 2.0.5.

Setting a valid Azure AD uri for PhoneGap

cordova,mobile,oauth-2.0,uri,azure-active-directory

After some further research, I managed to find a solution to the authentication problem. The problem with authentication through Azure is that Azure expects a valid return uri. I had at first considered implementing a custom url scheme for it to return to, but this was also not considered valid....

Integrating Azure AD applications into Office 365 App Launcher

ms-office,owin,office365,azure-active-directory,adal

This was recently fixed to use the sign on url of the web application rather than the reply address. Can you try that please and let us know if this now works for you? Thanks...

Azure Active Directory Users (type=User with an existing user account) Json to List Model is giving null

c#,json,azure,single-sign-on,azure-active-directory

I got the solution :) Add this block in your global.asax protected void Application_PostAuthenticateRequest(Object sender, EventArgs e) { ClaimsIdentity id = ((ClaimsIdentity)User.Identity); Claim claim = id.FindFirst(ClaimTypes.Email); if (claim != null) { string email = claim.Value; id.AddClaim(new Claim(ClaimTypes.Name, email)); } } ...

Azure Active Directory for Web API and clients using OAuth for multiple environments

angularjs,azure,asp.net-web-api,azure-active-directory

If I understand your question correctly you have the following setup: In AAD, you have a single tenant where there is a single Web API registered. In the same tenant, you have multiple, equivalent client applications registered, which correlate to the different environments you have set up on your end. This...

federate azure active directory with on premise ADFS

azure,azure-active-directory,ws-federation,adfs3.0

It's the normal adfs/ls. You just need to configure the URL and URI. Refer: Azure AD as IdP with AD FS as RP....

Azure Graph API get all Users in multiple groups

azure,azure-active-directory

The REST method for achieving transitive group retrieval is documented in http://msdn.microsoft.com/en-us/library/dn424889.aspx The Graph Client 2.x supports transitive group retrieval as well. HTH V....

How can you use LINQ to find Azure AD users with specific licenses using the Azure AD Graph API Client Library 2.0

c#,linq,azure-active-directory

Couple of things going on here - and I'm afraid I don't have any decent answers for you. Firstly our client library doesn't support the kind of construct you are attempting, but I believe we're fixing that pretty soon. A bigger issue is that our service side doesn't support querying...

Connect to Azure to create an Application registration

authentication,azure,azure-active-directory,azure-sdk-.net

You can't register a new application using the Graph API from an unregistered client. The only reason the VS2013 flow works is because VS2013 is already registered in a special way within Azure AD -- it's a first party application and has unique permissions. In my Fiddler trace, VS2013 uses...

how to get the groupId from group name in AAD graph API

.net,azure-active-directory

Thanks for your question! You can query /groups with a filter expression to get the Group object for your group and then grab the objectId property to use for the isMemberOf function from that. For example: https://graph.windows.net/myorganization/groups?api-version=1.5&$filter=displayName%20eq%20'Example%20Group' You can learn more about the filterable properties for groups here: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#GroupEntity Hope...

Skip “login.windows.net” and redirect to federated ADFS

single-page-application,claims-based-identity,azure-active-directory,adal,office365-apps

http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/ In OAuth2 and OpenId Connect you do so by passing the target domain in the “domain_hint” parameter. In ADAL you can pass it via the following: AuthenticationResult ar = ac.AcquireToken("https://developertenant.onmicrosoft.com/WebUXplusAPI", "71aefb3b-9218-4dea-91f2-8b23ce93f387", new Uri("http://any"), PromptBehavior.Always, UserIdentifier.AnyUser, "domain_hint=mydomain.com"); In the OWIN middleware for OpenId Connect you can do the same in...

Authenticating a PHP Web App with Azure Active Directory and Azure Mobile Services

azure,azure-mobile-services,azure-active-directory

One option would be to have your PHP app serve a page using the Mobile Services JavaScript SDK and have it perform the login. You'll get the same token that you would in your mobile app. To your question on authorization, as long as you're making subsequent backend calls through...

Azure Authentication and Authorization

security,azure,azure-active-directory

I would recommend starting by reading up on the Claims-based Identity model. The current version of WIF (Windows Identity Framework) supports claims based identity. In a nutshell this model is much more extensible (say Federation) and you don't have to worry about the nitty gritty details of security code. You...

Azure Graph API

api,azure,graph,azure-active-directory,graph-api-explorer

In graph API, "applications" represent application configuration that developers register in their tenant. Gallery apps are no different (and happen to be registered in a special tenant). When you acquire an application (like a gallery app, or consent to a custom application someone else has developed), an application instance gets...

Microsoft Graph API Accessing basic info of a user that is outside tenancy

oauth,ms-office,ews,multi-tenant,azure-active-directory

Ah-ah! Forget the use of your tenant ID when talking with the Graph API if you develop a multi-tenant app with OAuth! The equivalent to "common" when requesting a token for a user in or outside your tenancy is... "myorganization"! This will work: https://graph.windows.net/myorganisation/me?api-version=2013-11-08 Oh, it was clearly written in...

Azure AD Graph API User memberOf nested groups

c#,azure,authorization,azure-active-directory

Yes. The getMemberObjects API returns all groups (transitive) of which the user is a member: https://msdn.microsoft.com/en-us/library/azure/dn835117.aspx . Also, using the checkMemberGroups API you can check whether or not the user is member of a group (transitively): https://msdn.microsoft.com/en-us/library/azure/dn835107.aspx However for your requirement the application roles feature of Azure AD might be...

Use OWIN to connect an ASP.NET MVC application to Azure AD or use the default templates

asp.net-mvc,azure,asp.net-mvc-5,owin,azure-active-directory

I think HttpModules are the old way of handling things like AuthZ in the pipeline. HttpModules are part of the infrastructure that was built at the same time as web forms. If you are making a modern web api like Web Api or an MVC app, I suggest forgetting about...

Need Guidance Implementing OAuth 2.0 in ASP.NET App

asp.net,oauth-2.0,azure-active-directory

Azure AD supports the OAuth2.0 flow that you can execute once the user has signed in using passive authentication, to receive access tokens to make delegated calls to WebAPIs on behalf of the user. You can use the Active Directory Authentication Library (ADAL SDK) to execute the OAuth flow. This...

Azure AD OAuth2 No permission to access user information

azure,oauth-2.0,azure-active-directory

It seems like this won't work; we chose to use OpenIdConnect instead, which worked fine.

Azure AD Premium Branding And OpenID

openid,azure-active-directory

Yep. You simply need to specify your home realm using a different syntax. See http://www.cloudidentity.com/blog/2014/11/17/skipping-the-home-realm-discovery-page-in-azure-ad/

Get Organization ID or domain from Azure AD Graph

azure,active-directory,office365,azure-active-directory

Indeed. Use the tenantDetails API (https://graph.windows.net/{tenantDomain}/tenantDetails?api-version={version}), to get the display name of the directory and all verified domains associated with it. Documented here: http://msdn.microsoft.com/en-us/library/azure/hh974467.aspx. Below is the trimmed output for my tenant. Hope this helps. { "odata.metadata": "https://graph.windows.net/dushyantgill.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.TenantDetail", "value": [ { "odata.type":...

Configure Application Permissions in Azure AD

asp.net-web-api,oauth-2.0,azure-active-directory,katana

Ben, Application Permissions are declared in the appRoles section of the manifest. Indeed, if you declare an appRole called say 'trusted' in your resource application's (storage broker demo) manifest - it will show up in the Application Permissions drop down there. Then, when you assign that Application Permission to the...

How do I secure an Azure Mobile Service with Azure AD? ADAL.JS

azure,azure-mobile-services,azure-active-directory,adal

In Mobile Service Identity configuration, for Azure AD as you ask, the following parameters are requested: App URL, Client ID, Allowed Tenants. Package SID is related to MSA account authentication. Azure AD is last at the bottom. Refer to: Register your apps to use an Azure Active Directory Account login In...

Why as a co-administrator of a subscription am I unable to edit the Active Directory?

azure,azure-active-directory

The answer was that I needed to be set up as a Global Administrator in the Azure AD domain.

multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory

azure,single-sign-on,soa,azure-active-directory

Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms. The following should see you through:...