Add a member to MS Teams using Graph API - microsoft-graph-api

I am attempting to add a member to my MS Team using the Graph API and an Azure app token:
Endpoint: https://graph.microsoft.com/v1.0/teams/c924e9b8-*****/members
Body:
{
  "@odata.type": "#microsoft.graph.aadUserConversationMember",
  "roles": [],
  "user@odata.bind": "https://graph.microsoft.com/v1.0/users('41134b16-6f68*****')"
}
When I send this request I am getting:
{
  "code": "InternalServerError",
  "message": "Failed to execute request."
}
I can't seem to find any information on what this error means. Is anyone familiar with this error?

The issue must be due to the Web App token generated from the Developer portal.
Steps to resolve:
Check if the required permissions are provided to the app registration you are using for the web app, i.e. TeamMember.ReadWriteNonOwnerRole.All with admin consent, like below:
Go to Postman >> new request >> Authorization >> select OAuth 2.0 as the type >> select Client Credentials as the grant type >> fill in the necessary details provided below and then click on new access token.
Access Token URL: https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token
ClientId: Azure AD app registration ID
ClientSecret: secret generated for the same app
scope: https://graph.microsoft.com/.default
Once the above is done you will be able to perform the operation:

Related

Azure Function AAD Authentication - Client Credentials Flow

I'm trying to figure out how to secure an Azure Function (service func) that should only be called from another Azure Function (client func) in the same tenant.
Here's what I've tried in the Azure portal:
created a windows function app on a consumption plan
added a hello-world http triggered function with authorization level of "Anonymous"
tested I'm able to call the function anonymously
on the blade for the service func, selected "Authentication"
selected "Add identity provider"
chose "Microsoft"
"Create new app registration"
"Current tenant - Single tenant"
"Require authentication", "HTTP 401"
created a new app registration for the client func, making a note of the client_id and client_secret
I then configured Postman to acquire a token from Azure AD (using the only tenant id in play), passing the client_id and client_secret from the app registration of the client func. In the post to the /token endpoint, I gave a grant_type value of "client_credentials".
On posting the request from postman, I received a response containing an access_token. I copied this and pasted into https://jwt.ms to check that all looked ok.
I configured another request in postman to issue a get to the hello-world function. This contained a "Authorization" header with a value of "Bearer " + the access_token received in the previous step.
Despite passing what seems to be a valid access token, the function app (which has no authentication bindings) returns a 401 Unauthorized error.
I don't need authorization, just authentication.
Can anyone spot where I went wrong?
I now have this working. I found the following page helpful: Microsoft Doc
Key points:
App roles declared on the app registration of the service app
I didn't manually enter anything into the "Expose an API" page
No authorized client applications listed on the "Expose an API" page
When getting the access token, the scope should be set to the Application ID URI of the target service app registration + "/.default"
API permissions set on the app registration of the client service - these are "Application permissions" NOT "Delegated permissions"
From the function app, select Authentication then edit the identity provider. The value for "Allowed token audiences" needs to be the api://guid value from the "Application ID URI" value of the app registration for the target app service. I noticed that I had problems when using a non-guid value for this
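Both this answer and the Teams answer earlier on the page come down to what is inside the app-only token: its aud must match what the resource accepts (bare guid or api://guid) and its roles must carry the application permission. The helper below is an added example, not code from either thread; it decodes a token's payload and lists why a resource such as Graph or the function app would reject it. The tokens, the api://1111... audience and the role names are constructed, and it inspects claims only, it does not validate signatures.

```python
import base64
import json
import time

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known application id


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed test token: genuine JWS encoding of header and payload, dummy signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload segment only; this inspects claims, it does NOT validate the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the padding JWS strips
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_token(token: str, accepted_audiences: set, required_roles: list, now=None) -> list:
    """Return the reasons a resource would reject this client-credentials token (empty list = looks fine)."""
    claims = decode_jwt_payload(token)
    problems = []
    aud = claims.get("aud")
    if aud not in accepted_audiences:  # e.g. token says api://<guid> but "Allowed token audiences" holds the bare guid
        problems.append(f"aud {aud!r} is not one of {sorted(accepted_audiences)}")
    if "scp" in claims and "roles" not in claims:  # delegated token: wrong grant for service-to-service
        problems.append("delegated token (scp, no roles): use client_credentials with Application permissions")
    missing = sorted(set(required_roles) - set(claims.get("roles", [])))
    if missing:
        problems.append(f"missing app role(s) {missing}: add as Application permission and grant admin consent")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired (or has no exp claim)")
    return problems


# Constructed demo tokens (not real tokens from either thread); exp is 2100-01-01.
TEAMS_TOKEN = make_sample_token({"aud": GRAPH_APP_ID, "roles": ["TeamMember.ReadWriteNonOwnerRole.All"], "exp": 4102444800})
DELEGATED_TOKEN = make_sample_token({"aud": "api://11111111-2222-3333-4444-555555555555", "scp": "user_impersonation", "exp": 4102444800})
```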

AAD v2.0: unable to use .default scope with device code flow

I'm wondering if anyone has run into this problem. I'm trying to authenticate to OneDrive using AAD v2.0, and the device code flow. My app has the following permissions configured in the Azure portal:
Microsoft Graph:
email
Files.ReadWrite.All
offline_access
openid
profile
User.Read
Each time I try to authenticate, I get the following error message from the token endpoint:
AADSTS70011: The provided value for the input parameter 'scope' is not valid. One or more scopes in 'https://graph.microsoft.com/.default openid offline_access' are not compatible with each other.
However, when I use the usual authorization code flow, it works. Similarly, if I use the scope https://graph.microsoft.com/Files.ReadWrite.All openid offline_access instead of https://graph.microsoft.com/.default openid offline_access, it also works.
Is there something about the .default scope that is incompatible with the device code flow?
More info:
The app can be used by "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". I'm authenticating to the "consumers" tenant because I want to access my personal OneDrive.
Just remove openid offline_access from the scope; it should be https://graph.microsoft.com/.default. When you use /.default they are not needed, as all permissions registered by the application will be included.
Reference - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope
Update:
I can reproduce your issue with /consumers and a personal account in the auth URL; if I modify it to /<tenant-id>, it works fine. You could refer to the steps below.
1. In Postman, use the request below.
Request URL:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/devicecode
Request Body:
client_id=<client-id>
scope=https://graph.microsoft.com/.default
2. In the browser, navigate to https://microsoft.com/devicelogin, input the code and log in with your user account; the app will ask you to consent to the permissions, click Accept.
3. After logging in successfully, in Postman, use the request below.
Request URL:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Request Body:
grant_type: urn:ietf:params:oauth:grant-type:device_code
client_id: <client-id>
device_code: <device_code in the screenshot of step 1>
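The three steps above, as an added example that is not part of the answer: a Python implementation of the v2.0 device code flow with the polling loop that the Postman steps do by hand. The HTTP transport is injected, so the code runs offline against a constructed stand-in endpoint that also mimics the AADSTS70011 error from the question; <tenant-id> and <client-id> are placeholders as in the answer.

```python
import time

AUTHORITY = "https://login.microsoftonline.com/<tenant-id>"  # tenant id, not /consumers (see the answer above)
CLIENT_ID = "<client-id>"                                     # placeholder app registration id
SCOPE = "https://graph.microsoft.com/.default"                # /.default alone; openid/offline_access are implied
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def device_code_flow(post, scope=SCOPE, sleep=time.sleep, prompt=print):
    """Step 1: request a device code; step 3: poll /token until the user finishes step 2 in a browser.
    `post(url, form) -> dict` is an injectable transport (e.g. a wrapper over
    requests.post(url, data=form).json()) so the flow can be exercised offline."""
    dc = post(f"{AUTHORITY}/oauth2/v2.0/devicecode", {"client_id": CLIENT_ID, "scope": scope})
    if "device_code" not in dc:  # e.g. AADSTS70011 when scope mixes /.default with openid offline_access
        raise RuntimeError(dc.get("error_description", str(dc)))
    prompt(dc["message"])  # tells the user to open https://microsoft.com/devicelogin and enter user_code
    interval = int(dc.get("interval", 5))
    deadline = time.monotonic() + int(dc.get("expires_in", 900))
    while time.monotonic() < deadline:
        tok = post(f"{AUTHORITY}/oauth2/v2.0/token", {"grant_type": DEVICE_CODE_GRANT, "client_id": CLIENT_ID,
                                                      "device_code": dc["device_code"]})
        if "access_token" in tok:
            return tok
        err = tok.get("error")
        if err == "slow_down":  # RFC 8628: back off by adding 5 seconds to the polling interval
            interval += 5
        elif err != "authorization_pending":  # expired_token, authorization_declined, bad_verification_code, ...
            raise RuntimeError(f"{err}: {tok.get('error_description', '')}")
        sleep(interval)
    raise TimeoutError("device code expired before the user signed in")


class FakeTokenEndpoint:
    """Constructed offline stand-in for login.microsoftonline.com: pending once, slow_down once, then a token."""
    def __init__(self):
        self.polls = 0

    def __call__(self, url, form):
        if url.endswith("/devicecode"):
            if "/.default" in form["scope"] and " " in form["scope"].strip():  # mimic the question's AADSTS70011
                return {"error": "invalid_scope", "error_description":
                        f"AADSTS70011: One or more scopes in '{form['scope']}' are not compatible with each other."}
            return {"device_code": "DC-constructed", "user_code": "ABCD1234", "interval": 5, "expires_in": 900,
                    "message": "To sign in, use a web browser to open https://microsoft.com/devicelogin and enter the code ABCD1234."}
        self.polls += 1
        if self.polls == 1:
            return {"error": "authorization_pending"}
        if self.polls == 2:
            return {"error": "slow_down"}
        assert form["grant_type"] == DEVICE_CODE_GRANT and form["device_code"] == "DC-constructed"
        return {"access_token": "eyJ.constructed.token", "token_type": "Bearer", "expires_in": 3599}
```

To run it against a real tenant, replace FakeTokenEndpoint with a function that does requests.post(url, data=form).json().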

Authenticate Azure API Management with OAuth2 using Azure AD

I am trying to secure APIM APIs using OAuth2 via AzureAD by reading the article: Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD
AzureAPIM - OAuth2
Authorization endpoint URL (v1): https://login.microsoftonline.com/{tenant}/oauth2/authorize
Token endpoint URL (v1): https://login.microsoftonline.com/{tenant}/oauth2/token
Client ID: client-app id
Redirect URI: (deprecated portal): https://xxx-api.portal.azure-api.net/docs/services/auth1/console/oauth2/authorizationcode/callback
AzureAD - backend-app:
scope: Files.All
AzureAD - client-app:
secret key: xxx
Redirect url: ONLY WORK with deprecated portal in APIM (https://xxx-api.portal.azure-api.net/docs/services/auth1/console/oauth2/authorizationcode/callback)
For the Demo Conference API, add the Validate JWT policy to Inbound processing, where 3a0cf09b- is the tenant id and b7c31179- is the backend-app application id:
In the Developer portal, the authentication to AzureAD is successful with a returned token:
However, authorization fails when calling the API:
Inspecting the received token in jwt.io, I found that the "aud": "00000003-0000-0000-c000-000000000000" is not the backend-app application id:
{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/3a0cf09b-xxx/",
  "app_displayname": "client-app",
  "appid": "05a245fb-xxx",
  "scp": "Files.Read User.Read profile openid email",
  "tenant_region_scope": "OC",
  "tid": "3a0cf09b-2952-4673-9ace-0e1bf69ee23a",
  "unique_name": "user1@xxx.onmicrosoft.com"
}
API Test HTTP response trace shows the error on validate-jwt:
validate-jwt (-0.138 ms)
{
  "message": "JWT Validation Failed: Claim value mismatch: aud=b7c31179-xxx.."
}
Replacing aud with the value in the token, 00000003-0000-0000-c000-000000000000, or removing the required-claims in the validate-jwt policy gets it working.
Any idea please?
From your error report, it is indeed a 401 error, that is, your aud does not match the API you want to call. I use the auth code flow to do a simple demonstration for you:
First expose the API of the back-end application and add the client application.
Next, under 'API permissions', give your front-end application access to your backend API:
Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
Find your backend application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.
Get token:
Parse the token:
It seems you chose the v1 endpoint of OAuth2 authorization rather than the v2 endpoint, so the value of aud in the access token should be like b7c31179-xxxx.... and not api://b7c31179-xxxx..... So there are no mistakes in your steps to get the access token.
According to some tests on my side, the cause of this problem is that you did not specify a parameter resource with the value of the backend-app application id when you configured OAuth 2.0 in your APIM. The document you refer to also mentions this (I tested without specifying this parameter, and it shows the same problem as yours).
So to solve this problem, please go to your APIM, click the "OAuth 2.0" tab and edit the item you created. Add a parameter resource with the value of the backend-app application id.
Note: When you add the parameter resource and click the "Save" button, please open the item again and check whether the "Client secret" box is empty. When I tested on my side, the "Client secret" box showed empty after adding the parameter resource; it may be a bug on that page. If "Client secret" is empty, it might show an error message like The request body must contain the following parameter: 'client_assertion' or 'client_secret' when you get the access token in the Developer portal.

Bad response from IdP in Auth Code Exchange when Linking account for Google Assistant

I'm having issues with trying to set up account linking with Google Assistant.
I'm using Azure AD B2C for my identity provider.
I've created a User flow so I have an authorize and token endpoint set up, and I created an Azure AD Application so I have an App Id and App Secret, and I set the redirect URL as https://oauth-redirect.googleusercontent.com/r/{google-project-name}/.
My Google account linking settings are shown below:
Client ID is the App Id of the application I created in Azure AD.
Client Secret is the app secret of the application I created in Azure AD.
Auth URL is:
https://{b2c-name}.b2clogin.com/{b2c-name}.onmicrosoft.com/oauth2/v2.0/authorize?p={sign-in-policy-name}
Token URL is:
https://{b2c-name}.b2clogin.com/{b2c-name}.onmicrosoft.com/oauth2/v2.0/token?p={sign-in-policy-name}
When I go to https://console.actions.google.com/project/{google-project-name}/simulator and try to go through the auth flow, it pops up the box, I put in my user name and password, and then it just stops.
I can see in Fiddler it redirects back to the redirect URL and then there is a 400.
{
  "error": {
    "code": 400,
    "message": "Bad response from IdP in Auth Code Exchange",
    "status": "FAILED_PRECONDITION"
  }
}
When I look in Fiddler at the request to the redirect URL, it looks as expected, with a state and code like this documentation says it should, so I'm not sure what I'm doing wrong. I've double checked my App Id and regenerated the key.
https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID?code=AUTHORIZATION_CODE&state=STATE_STRING
I've seen a few questions with similar error messages but none of the fixes suggested helped or applied.
Any help would be appreciated.

'Insufficient Privileges' error while using 'addKey' action in Azure AD Graph API

I have an application registered in Azure AD which uses certificates. I am trying to write a script which would add a new certificate to the application. This can be used to add a new certificate when the existing certificate is going to expire.
I am trying to use the AddKey function of the Azure AD Graph API. The request body of this API has a parameter 'proof', which is a JWT assertion signed by the existing certificate of the application. The doc says the "aud" claim in the JWT should be set to "AAD Graph SPN". What is meant here by "AAD Graph SPN"?
I tried with a JWT where "aud" was set to "00000002-0000-0000-c000-000000000000". But I am getting the following error,
{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    }
  }
}
Any thoughts on this?
I am getting the access token to call the Azure AD Graph API via the "Resource Owner Credentials Grant" flow. To get the access token I am using the client_id "1950a258-227b-4e31-a9cf-717495945fc2" (the well-known client ID for Azure PowerShell).
My script (for deployment purposes) does something like the below:
i) Gets the access token as described above and registers a new application in Azure AD with an initial certificate.
ii) When the initial certificate is about to expire it should add a new certificate to the created application.
According to the documentation, you must use a self-signed JWT token to access that API:
As part of the request validation for this service action, a proof of
possession of an existing key is verified before the action can be
performed. The proof is represented by a self-signed JWT token. The
requesting application needs to generate a self-signed JWT token with
the following requirements...
The "Resource Owner Credentials Grant" won't work here in this situation. Instead, use the "Client Credentials Grant":
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service
The application you want to update should be the Client ID used to get this access token.
The other option is to update the application directly using a PATCH request on the Application Object:
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#application-entity
Using this method, you should be able to update using the method you described above (user credentials and an external Client ID)
Let me know if this helps.
