Unable to authorise an Azure App Registration in DevOps to access Work Items - azure-devops-rest-api

My goal is to be able to access work items in DevOps from Azure Data Factory. I have already implemented the following:
Created an app registration in Azure.
In Azure AD, I granted permission to the app to access DevOps.
In DevOps I created an entry for the application created in Azure (App Registration). It appears under the section 'Applications and Services'.
The issue I'm facing is that the app does not appear in the section that shows a List of OAuth-compliant applications and providers.
What do I need to do to make it OAuth Compliant?
The details of the settings for the app creation in DevOps are as follows:
Company Name: <the company name>
Application Name: <my app registration name> // Exactly as it appears in Azure 'App Registration'
Application Web Site: https://portal.azure.com/
Authorization Callback URL: https://login.microsoftonline.com/common/oauth2/nativeclient
Authorized Scopes: Work Items (Read)

Related

Does app registration on the Azure Portal require any changes to intranet deployment using ClickOnce?

Microsoft has announced its intention to turn off SMTP AUTH:
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
This change will affect an application I wrote for internal use by employees of the company. The app pulls info from the company database and merges the data into an email which is sent to designated business partners. The app connects to the Outlook SMTP server and, at present, is authenticating with account-name and password.
The app is launched from an intranet web server using ClickOnce and is set to be "available only online".
According to the documentation for setting up OAuth authentication, the application must be registered on the Azure Portal in order to obtain an OAuth token which would be used by the app when authenticating on the SMTP server.
Will this portal registration have any impact on how the application is made available to the users? Can we continue to launch the app from an intranet web server using ClickOnce?
EDIT: The following documentation appears to address some aspects of my question but I don't know, for sure, what is meant by "if you're not registering the application in a directory" and "outside of a directory" in the context of ClickOnce deployment where the application package is placed in a folder on the web server:
https://learn.microsoft.com/en-us/graph/auth-register-app-v2
Accounts in this organizational directory only
Select this option if you're building a line-of-business (LOB)
application. This option is not available if you're not registering
the application in a directory.
This option maps to Azure AD only single-tenant.
This is the default option unless you're registering the app outside
of a directory. In cases where the app is registered outside of a
directory, the default is Azure AD multi-tenant and personal Microsoft
accounts.

Single Sign-On using Microsoft Account to login through Azure

Hi, I am trying Microsoft Single Sign-on authentication for my login page. For that I have created Azure multi-tenant directories and created an application with a redirect URI as per the given link https://www.c-sharpcorner.com/article/azure-ad-authentication-for-mvc-web-application/ .
I successfully integrated the code; while running it I am getting the Microsoft sign-on page, and after entering the username and password I am getting the error below.
Error :
AADSTS50020: User account 'xxxxxx@outlook.com' from identity provider 'live.com' does not exist in tenant 'SampleApp' and cannot access the application 'xxxxxxx-xxxxxxx'( in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
The 'outlook.com' is a personal account. You need to set your App Registration to use v2 endpoint to access personal account.
The Microsoft document which can help you is here, i.e., to force Azure AD to issue a V2 access token we can set the accessTokenAcceptedVersion value in its app manifest to 2.0.
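A quick way to confirm whether an app is actually receiving v1.0 or v2.0 tokens (and whether the signed-in account is a personal one, as in the AADSTS50020 case above) is to read the `ver`, `iss` and `tid` claims. This is an added diagnostic example, not code from the question or answer; the tokens below are constructed and unsigned, and the only real identifier is the well-known consumer tenant id that Azure AD uses for personal Microsoft accounts.

```python
import base64
import json

# Well-known tenant id Azure AD uses for personal Microsoft accounts (outlook.com, live.com)
CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED test token (header.payload.<empty signature>)."""
    header = {"alg": "none", "typ": "JWT"}
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode()) + "."


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a compact JWT. Diagnostic only: no signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def endpoint_version(token: str) -> str:
    """Classify which Azure AD endpoint issued the token: 'v1.0', 'v2.0' or 'unknown'."""
    claims = decode_jwt_payload(token)
    ver, iss = claims.get("ver"), claims.get("iss", "")
    if ver == "2.0" and iss.startswith("https://login.microsoftonline.com/") and iss.endswith("/v2.0"):
        return "v2.0"
    if ver == "1.0" and iss.startswith("https://sts.windows.net/"):
        return "v1.0"
    return "unknown"  # unexpected issuer/version pairing: do not trust it


def is_personal_account(token: str) -> bool:
    """True when the token was issued in the consumer (personal MSA) tenant."""
    return decode_jwt_payload(token).get("tid") == CONSUMER_TENANT_ID


# Constructed sample tokens (fake tenant id); the second mimics a personal outlook.com sign-in via v2.0
V1_TOKEN = unsigned_token({"ver": "1.0", "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
                           "tid": "11111111-2222-3333-4444-555555555555", "upn": "user@contoso.example"})
V2_MSA_TOKEN = unsigned_token({"ver": "2.0", "iss": f"https://login.microsoftonline.com/{CONSUMER_TENANT_ID}/v2.0",
                               "tid": CONSUMER_TENANT_ID, "preferred_username": "xxxxxx@outlook.com"})

if __name__ == "__main__":
    for name, tok in (("v1", V1_TOKEN), ("v2-msa", V2_MSA_TOKEN)):
        print(name, endpoint_version(tok), "personal" if is_personal_account(tok) else "work/school")
```

A v1.0 result from an app that expects v2.0 tokens means the manifest change has not taken effect yet; validate signatures with the tenant's published keys before making any authorization decision on these claims.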

Microsoft Graph Api ROPC - AADSTS65001

I have an ASP.NET Core web API which is talking to the MS Graph API. I have implemented ROPC using a service account to talk to OneDrive. I created the MS Graph API app in the MS portal 2 years back using the same service account. That portal is obsolete now and the app has been moved to the Azure Portal. But I can get the bearer token using ROPC and consume the Graph API and it's working well.
Now I tried to mimic the same: I created a new app in the Azure portal with the same credentials and similar metadata. The service account user type is member in the Azure Portal. I am getting the following error for the new app:
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID
Any ideas would be appreciated.
Thanks in advance
Subbiah K
First, you need to be the administrator of the tenant (if you are not a tenant administrator, you cannot give administrator permission); you can set up user roles according to the process here.
Then follow this process to grant administrator consent to the app:
1. Log in to https://portal.azure.com as a tenant administrator.
2. Open the registration of your application in the following location.
3. Go to settings and then the required permissions.
4. Press the grant permission button.
In the Azure portal, I registered the application for testing and used User.Read permission to demonstrate:
Then use the ROPC flow in postman to get the access token:

ASP.Net MVC : Allow multiple identity provider (MSA and AAD) at same time

I'm currently working on an application built on ASP.NET MVC which uses Microsoft account (MSA) authentication. To implement a new requirement, during a flow (say on step 2) the application has to validate the user against Azure Active Directory (AAD) authentication for an organization account (while the MSA login should persist) to grant special privileges and move to step 3.
So during step 2 to 3 navigation, MSA authentication should not be logged out and user can be validated against AAD.
Is it possible to allow concurrent logins via two different identity providers (MSA and AAD)?
It is not possible if you are using the Azure AD v1.0 endpoint. However, you can use the Azure AD v2.0 endpoint to implement it. This document helps in comparing the Azure AD v2.0 endpoint with the v1.0 endpoint.
To build an app that accepts both personal Microsoft account (MSA), and work or school account (Azure AD) sign-in, you'll need to register an app with the Azure Active Directory (Azure AD) v2.0 endpoint. At this time, you won't be able to use any existing apps you may have with Azure AD or MSA; you'll need to create a brand new one. Refer to this document to help on it - Quickstart: Register an app with the Azure Active Directory v2.0 endpoint.
You can also use Azure AD B2C and use custom policy to add MSA as Identity Provider. Refer to this document for details - Azure Active Directory B2C: Add Microsoft Account (MSA) as an identity provider using custom policies.

Azure AD B2C Error: The client Id specified in the request is not registered in tenant

I am attempting to log in to an Azure Active Directory B2C application.
Whenever I access the URL https://login.microsoftonline.com/te/<my_domain>/<my_sign_up_sign_in_policy_name>/oauth2/v2.0/authorize?client_id=<my_client_id>..., I get the following error:
The client id <my_client_id> specified in the request is not registered in tenant <my_tenant_name>.
Here is some information about my configuration:
In https://portal.azure.com, I have created the Azure Active Directory B2C tenant which contains the user globaladmin@<my_domain>.onmicrosoft.com
In order to create the application, I navigated to https://apps.dev.microsoft.com, logged in as the global admin and created the "Web Portal v2" application following the instructions here
I granted Web Portal v2 access to Microsoft Graph but did not grant access to Azure AD Windows Graph API (I didn't see this option anywhere)
I can successfully navigate to https://portal.azure.com -> Find the Azure AD B2C resource -> Click into it -> Applications. And there is the newly created "Web Portal v2"
My application has been updated with the new ClientId and ClientSecret of "Web Portal v2". However, when I launch the application and click "Login", I get the error. What other configuration am I missing?
Also, I should add that the reason for all of the above configuration is so that I can migrate my application from using Azure AD V1 tokens to Azure AD V2 tokens, which have information in them such as User.Identity.Name, which is a value I use to display the currently logged-in user's name in the top right corner of the application. If there is a different/better way to achieve this then please let me know.
I think the reason for this is that the API Permissions aren't pre-provisioned when you create an app through the AD blade (or Graph API). The way to resolve is to add the API Permissions to the app:
Having just gone through the process of automating this I can tell you that there are four layers that have to be configured for this to work using Graph API (Note: using the beta endpoints).
1. Create application https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-beta&tabs=http
2. Update application properties https://learn.microsoft.com/en-us/graph/api/application-update?view=graph-rest-beta&tabs=http
   a. requiredResourceAccess https://learn.microsoft.com/en-us/graph/api/resources/requiredresourceaccess?view=graph-rest-beta
   b. Any other properties, like implicitGrantSettings, logoutUrl, etc.
3. Create Service Principal for the app just created: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-beta&tabs=http
4. Create oauth2PermissionGrants using the object id of the service principal: https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-post?view=graph-rest-beta&tabs=http
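The four layers listed above, and the tenant-wide admin consent that the ROPC/AADSTS65001 answer earlier on this page grants through the portal, can be expressed as Graph beta calls. This is an added example written for this page, not code from either answer; it assumes an admin-scoped Graph bearer token obtained elsewhere, and the only identifiers it hard-codes are the well-known Microsoft Graph resource appId and the delegated User.Read permission id.

```python
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/beta"  # the answer above uses the beta endpoints
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"    # well-known Microsoft Graph resource appId
USER_READ_SCOPE_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # well-known delegated User.Read permission id


def graph_call(token: str, method: str, path: str, body=None) -> dict:
    """Authenticated Graph request with a bearer token; returns parsed JSON ({} on an empty 204)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def required_resource_access(scope_ids: list, resource_app_id: str = MS_GRAPH_APP_ID) -> list:
    """Layer 2a: declare the delegated permissions the app will request (requiredResourceAccess)."""
    return [{"resourceAppId": resource_app_id,
             "resourceAccess": [{"id": sid, "type": "Scope"} for sid in scope_ids]}]


def permission_grant_body(client_sp_id: str, resource_sp_id: str, scopes: list) -> dict:
    """Layer 4: consentType AllPrincipals is tenant-wide admin consent; its absence is what
    surfaces as AADSTS65001 ("has not consented") in the ROPC question above."""
    if not scopes:
        raise ValueError("a grant needs at least one scope")
    return {"clientId": client_sp_id, "consentType": "AllPrincipals",
            "resourceId": resource_sp_id, "scope": " ".join(scopes)}


def find_service_principal_id(token: str, app_id: str) -> str:
    """Object id of the service principal for app_id in this tenant (Graph's own SP id differs per tenant)."""
    res = graph_call(token, "GET", "/servicePrincipals?$filter=" + quote(f"appId eq '{app_id}'"))
    return res["value"][0]["id"]


def provision_app(token: str, display_name: str, redirect_uri: str) -> dict:
    """Layers 1-4 in order: application, properties, service principal, admin-consented grant."""
    app = graph_call(token, "POST", "/applications", {
        "displayName": display_name,
        "signInAudience": "AzureADandPersonalMicrosoftAccount",  # audience used for B2C apps
        "web": {"redirectUris": [redirect_uri]}})
    graph_call(token, "PATCH", f"/applications/{app['id']}",
               {"requiredResourceAccess": required_resource_access([USER_READ_SCOPE_ID])})
    sp = graph_call(token, "POST", "/servicePrincipals", {"appId": app["appId"]})
    grant = graph_call(token, "POST", "/oauth2PermissionGrants", permission_grant_body(
        sp["id"], find_service_principal_id(token, MS_GRAPH_APP_ID), ["User.Read"]))
    return {"application": app, "servicePrincipal": sp, "grant": grant}
```

Keep the granted scope list to exactly what the app needs; an AllPrincipals grant applies to every user in the tenant, so it deserves the same review as any other admin consent.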
The https://login.microsoftonline.com/te/<tenant_id>/<policy_id>/oauth2/v2.0/authorize?client_id=<client_id>... URL is correct, but you shouldn't create an Azure AD B2C application using the Application Registration Portal; otherwise it becomes a faulted app and you then receive the "The client id ... specified in the request is not registered in tenant ..." error.
An Azure AD B2C application should be created using the Azure AD B2C blade of the Azure Portal.
All you need to do is grant admin consent for the organization in the API Permissions menu under the app's Manage settings. It worked for me immediately.