I am trying the code sample from: https://github.com/OfficeDev/Microsoft-Graph-ASPNET-Webhooks and it is working fine on ngrok but I get this issue on azure when creating subscription.
Any suggestions to look into?
The error appears to be related to the app permissions. Check the application permissions for the proper level of access to the resource. For example, set the "Read user mail" permission if you want to subscribe to email notifications. Also ensure that the token being used for creating the subscription has access to the resource.
This is related to the permissions in the token and not a hosting difference between Azure or ngrok.
Related
I would like to implement Password Credentials flow in ASP Net Core. The idea is we created a service account (user#{tenant}.onmicrosoft.com) with Global Administrator role where this will read information on users behalf.
I also created app in app registration page and resource owner user flow as mentioned here.
By following the instructions in this document to test my created ROPC, I encountered the error as shown in the screenshot below.
The application is created in the Azure AD B2C -> App Registrations and I don't know why my ROPC is not working.
I really appreciate your response. Thank you.
Make sure you have registered the application as mentioned in the document and the account type should be "Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C.".
For Testing Use the below Url and check the screenshot on how to pass the parameters
https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_ROPC_Auth/oauth2/v2.0/token
For use with the Azure API Management, I am trying to add Applications to an Azure Active Directory (AAD) programmatically, in my case by using the Graph API.
My scenario is the following: In order to secure a Web API I want to manage with Azure API Management, I want to leverage AAD's OAuth functionality to do the heavy lifting regarding authentication and issuing JWT Tokens, and then just use the validate-jwt policy to verify everything is okay in Azure API Management. This has the advantage I can more or less omit authentication in my backend service.
This works fine, as long as I have created an application in the Azure AD for the consuming web application, but this has to be done manually from the Azure Portal; Azure APIm does not do it automatically.
Now for what I am trying to do to get the done automatically: I wanted to delegate the subscription to APIs in APIm to some other web app I am writing, and from there I want to leverage the Graph API to create an Application in the Azure AD and grant permissions to the Application of the API.
The first thing I tried to do was to have a third application (my service application) to have full application permissions to the Windows Azure Active Directory application in the Azure AD; this lets my application access AAD using the Graph REST API. I manage to get an Access Token using the client_credentials grant (from login.microsoft.com), but this Token does not let me do a POST on https://graph.windows.net/(my AAD ID)/applications?api-version=1.5:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
I found (https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes) that even if I grant the Directory.ReadWrite.All permission, the application (app-only) will not be able to create or update Applications:
Note: Specifically excludes create or update for entities not listed above.
This includes: Application, Oauth2PermissionGrant, AppRoleAssignment, Device,
ServicePrincipal, TenantDetail, domains, etc.
The next thing I tried was the Resource Owner Password Grant (grant_type=password), passing my own credentials additionally, so that I can impersonate myself in the Graph API. Now, my POST to the applications end point succeeds.
My bottom-of-the-line question is: Can I grant sufficient permissions to my application so that I can add applications programmatically using the client credentials flow, and not any flow which acts on behalf of a user? And if so, how is it done?
Sorry Don. We don't currently have any permission scopes for the client credential flow (app-only) that can be used to create applications or service principals or create any oauth2 permission grants (or any of the other entities that you mentioned above through the Directory.ReadWrite.All permission). We are working on additional app-only permissions that will enable you to light up this scenario, but I don't have an ETA that I can give you.
This operation should be possible if you use the app+user (code flow) and grant the app the Directory.AccessAsUser.All permission - as long as there is a user using your app AND that they are a tenant admin. Not sure if this is an acceptable workaround for you (and I guess is similar to what you are using with the password flow - although I would recommend you use the code flow here).
UPDATE: There are a couple of new app only permissions we added for AAD Graph. Application.ReadWrite.OwnedBy (which allows an app to create/own another app - but only update the apps it created - it won't be able to touch any other apps it doesn't own) AND Application.ReadWrite.All (which allows an app to create/manage ALL apps in a tenant). Seems like the first one would be appropriate. You can see these show in the Azure Portal for the AAD Graph resource.
We are developing a ASP.NET 5 / MVC 6 application and want to use the new Azure Api Apps. So have followed Brady's tutorials, but when I try and access the service on Azure I get bounced at the default gateway saying...
{ "status": 400, "source":
"https://default-web-northeuropef54b46974f064fc0b30c72928d0d7443.azurewebsites.net/login/federated?service=SceneStealer.Web.Api",
"message": "No default login policy set, configure gateway auth policy
first." }
So I went through the article to secure your webservices with Azure Active Directory thinking this may trigger it.... but no... it didn't make any difference. I can't find any articles or anything on how to set a default login policy for an Azure gateway and have been struggling with this for a day now.. so any suggestions or pointers to articles would be greatly appreciated!
App URL: My Azure
I had the same problem. My Azure AD had my Microsoft Live account user. But I figured that maybe because I'm testing on my personal laptop and my laptop's user is actually not the Microsoft Live account.
So at Azure AD, I created another user of the same name as my personal laptop account, on domain yourname.onmicrosoft.com. Then go to the API site's /login/aad and login as that account. It seems to authenticate through, though I now get a new error saying "You do not have permission to view this directory or page."
I'm currently exploring the (Academic Licensed) Office365 API via oAuth access_tokens and have succeeded in retrieving a simple OneDrive folder list via the SharePoint API using access tokens, as a proof of concept.
But this seems to work only for users that are in the Azure maintenance domain that's NOT SSO enabled to our on-premise ADFS server.
The domain that is SSO enabled to our own ADFS server succesfully gets logged in on acquiring the oAuth code and I get a genuine access_token while trading in this code. But using this access_token to retrieve a simple folder list for the user results in this error instead of a folderlist.
{"error_description":"The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs."}
Wich I can't check since I'm not in control of the Azure Sharepoint server.
Did anyone succeed in using the Office365 API icw SSO enabled domains/users?
You'll struggle with an ADFS setup. Any code I've written relies on managed accounts only (i.e. those accounts with a UPN ending with onmicrosoft.com). Each synchronised user from on-premise will have a matching onmicrosoft.com secondary identifier which you should use instead.
In my external application i need to find all sites with write permission for logged in user.
I am using WSS.
Is there any web service available for this task?
Or can i send a Query and get the desired results?
You need to use the client object model (see this msdn article http://msdn.microsoft.com/en-us/library/ee535231.aspx) to work with SharePoint for outside the system.
use SharePoint webservices. They have a special asmx for permissions:
/_vti_bin/permissions.asmx
This Web service is used to obtain the permissions assigned to a list or site, add new permissions, and update or removing existing permissions.
Here's a blog post about using the permissions webservice:
example