I am using a Logic App to automate creation of new users and update attributes in an Azure B2C tenant. It works perfectly for everything except for password reset. When I try to reset a user password, I get the following error message:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
I tried granting all permissions to the logic apps, yet I am unable to get the logic apps to work.
API Permissions in B2C
I don't know what I am missing. Can someone help?
Have you granted the user administrator role?
I have an ASP.NET Core web API which is talking to the MS Graph API. I have implemented ROPC using a service account to talk to OneDrive. I created the MS Graph API app in the MS portal 2 years back using the same service account. That portal is obsolete now and the app has moved to the Azure portal. But I can get the bearer token using ROPC and consume the Graph API and it is working well.
Now I tried to mimic the same: I created a new app in the Azure portal with the same credentials and similar metadata. The service account user type is member in the Azure portal. I am getting the following error for the new app:
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID
any ideas would be appreciated.
Thanks in advance
Subbiah K
First, you need to be an administrator of the tenant (if you are not a tenant administrator, you cannot grant administrator permission); you can set up user roles according to this process.
Then follow this process to grant administrator consent to the app:
1. Log in to https://portal.azure.com as a tenant administrator.
2. Open the registration of your application in the following location.
3. Go to Settings and then Required permissions.
4. Press the Grant permissions button.
In the Azure portal, I registered the application for testing and used User.Read permission to demonstrate:
Then use the ROPC flow in postman to get the access token:
We have to generate an online meeting request from our Dynamics CRM system. We tried using the Microsoft Graph API and were able to generate the token. However, while submitting the request, we get a 403 Forbidden error. We have registered our application in Azure and also given the required API permissions.
I have attached the screenshots of our testing. I am testing this on my personal Azure test account.
Screenshots
The user has to consent to the permission:
Consent experience
Azure AD will sign the user in and ensure their consent for the permissions your app requests.
At this point, the user will be asked to enter their credentials to authenticate with Microsoft. The Microsoft identity platform v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the scope query parameter. If the user has not consented to any of those permissions and if an administrator has not previously consented on behalf of all users in the organization, they will be asked to consent to the required permissions.
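The consent round trip the two answers above describe, as an added example that is not part of the original thread: build the tenant-wide admin-consent URL, check the redirect that comes back, and recognise the AADSTS65001 token error that means consent is still missing. It assumes the https://login.microsoftonline.com/{tenant}/adminconsent endpoint and that the redirect URI is one registered on the app; the tenant, client id and state values are constructed placeholders.

```python
# Added example (not from the thread): admin-consent round trip for an Azure AD app.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """URL an administrator opens to consent on behalf of the whole tenant."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # bound to this request so the callback can be checked
    })
    return f"{AUTHORITY}/{tenant}/adminconsent?{query}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Interpret the redirect back from the consent endpoint.

    Returns (True, tenant_id) on success and (False, reason) otherwise. The
    state is compared before anything else so that a forged or replayed
    callback is rejected before its contents are trusted.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if params.get("state") != expected_state:
        return False, "state mismatch"
    if "error" in params:
        return False, f'{params["error"]}: {params.get("error_description", "")}'
    if params.get("admin_consent", "").lower() != "true":
        return False, "no admin_consent=True in callback"
    return True, params.get("tenant", "")


def needs_admin_consent(token_error):
    """True when a token-endpoint error body is the AADSTS65001 consent error
    shown in the question above (error_codes contains 65001)."""
    return (token_error.get("error") == "invalid_grant"
            and 65001 in token_error.get("error_codes", []))


if __name__ == "__main__":
    # constructed values; a real app would persist `state` alongside the request
    state = secrets.token_urlsafe(16)
    print(admin_consent_url("contoso.onmicrosoft.com",
                            "00000000-0000-0000-0000-000000000001",
                            "https://localhost/consent-done", state))
```

Keep the generated state server-side and compare it on return; the consent endpoint echoes it back, and without that check any party that can reach the redirect URI can make the app believe consent was granted.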
I am working on Azure AD B2C for my Angular 6 front-end app and consuming the Microsoft Graph API in order to change the signed-in user's password. I am getting the access_token using the Authorization Code flow.
It works fine when the user has a username like xyz#myb2cname.onmicrosoft.com, I get an access_token and then call https://graph.microsoft.com/v1.0/users/{id}/changePassword.
But when I try to do the same for users with a username like xyz#gmail.com or abc#hotmail.com, I get an error when acquiring the access_token from Authorization Code flow (grant_type=password). Note: These users are "local" accounts in my AAD B2C tenant
Following is the error message I get:
{
"error": "invalid_grant",
"error_description": "AADSTS50034: To sign into this application the account must be
added to the myb2cname.onmicrosoft.com directory.
Trace ID: 8fcae061-5088-4393-9e5b-d0a83d1d0a00
Correlation ID: 0dc6c906-c54b-4cd8-ae8b-46f3f6118e40
Timestamp: 2018-08-01 06:16:55Z",
"error_codes": [
50034
],
"timestamp": "2018-08-01 06:16:55Z",
"trace_id": "8fcae061-5088-4393-9e5b-d0a83d1d0a00",
"correlation_id": "0dc6c906-c54b-4cd8-ae8b-46f3f6118e40"
}
How can I call changePassword for users who are signed in using the email identity provider (SignIn-SignUp Policy) when their username looks like xyz#gmail.com or abc#hotmail.com instead of xyz#myb2cname.onmicrosoft.com?
It is the expected behavior. You need to understand AD clearly before implementing it.
In Azure AD, to authenticate a user against a directory, the user should be a part of the Active Directory. Users who are not a part of the Active Directory will not be authenticated. The token gets generated only when the user is authenticated.
Trying to generate a token for a user who is not a part of the Active Directory is similar to logging into the Azure portal with an invalid user account.
When an external user signs into your AAD, it does not create a traditional user with a traditional password, it creates a "guest" user. The actual user remains in the originating AAD tenant, your AAD tenant only stores a placeholder for that user.
You cannot change a guest user's password since your AAD doesn't actually have a password assigned to that user. Your AAD holds the authorization (what the user has access to) but relies on the user's AAD for authentication (the user is who they claim to be).
You can't change passwords for local account users using the Microsoft Graph API because, currently, an Azure AD B2C application can't be registered with the Microsoft Application Registration Portal and, therefore, it can't be used with the Microsoft Graph API.
You should change passwords for local account users using a custom policy.
This means the Azure AD B2C application doesn't have to collect either the current or new passwords for users.
I ran into the same situation where I was able to create and update the user in Azure AD B2C but not able to delete or reset the password.
Because currently, the "Read and write directory data" permission does NOT include the ability to delete users or update user passwords.
Configure delete or update password permissions for your application
To achieve this I had to follow the above link and it worked like a charm.
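The procedure behind the linked article, as an added example that is neither the thread's nor Microsoft's code: it assumes the fix is to add the application's service principal to the User Administrator directory role (role template id fe930be7-5e62-47db-91af-98c3a49a38b1) and then reset the password by patching passwordProfile through Microsoft Graph v1.0 with a client-credentials token. FakeGraphSession is a constructed stand-in so the flow runs offline and reproduces the 403 Authorization_RequestDenied seen before the role is granted; pass a requests.Session() and a real bearer token to run it against a tenant.

```python
# Added example (not from the thread or the linked article): grant the app's
# service principal the User Administrator role, then reset a user's password.
import json

GRAPH = "https://graph.microsoft.com/v1.0"
USER_ADMINISTRATOR_TEMPLATE_ID = "fe930be7-5e62-47db-91af-98c3a49a38b1"  # assumed role template id


class GraphError(RuntimeError):
    pass


def _hdr(token):
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def _check(resp, *ok):
    if resp.status_code not in ok:
        raise GraphError(f"HTTP {resp.status_code}: {resp.text}")
    return resp


def activate_role(session, token, template_id):
    """Object id of the directory role; a role must be activated once per tenant."""
    url = f"{GRAPH}/directoryRoles?$filter=roleTemplateId eq '{template_id}'"
    found = _check(session.get(url, headers=_hdr(token)), 200).json().get("value", [])
    if found:
        return found[0]["id"]
    created = session.post(f"{GRAPH}/directoryRoles", headers=_hdr(token),
                           json={"roleTemplateId": template_id})
    return _check(created, 201).json()["id"]


def add_role_member(session, token, role_id, sp_object_id):
    """Add the SERVICE PRINCIPAL's object id (not the app registration's) to the role."""
    ref = {"@odata.id": f"{GRAPH}/directoryObjects/{sp_object_id}"}
    resp = session.post(f"{GRAPH}/directoryRoles/{role_id}/members/$ref",
                        headers=_hdr(token), json=ref)
    if resp.status_code == 400 and "already exist" in resp.text:
        return False  # idempotent: membership was already in place
    _check(resp, 204)
    return True


def reset_password(session, token, user_id, new_password, force_change=True):
    profile = {"passwordProfile": {"forceChangePasswordNextSignIn": force_change,
                                   "password": new_password}}
    _check(session.patch(f"{GRAPH}/users/{user_id}", headers=_hdr(token), json=profile), 204)


class _Resp:
    def __init__(self, status, body=None):
        self.status_code = status
        self.text = json.dumps(body) if body is not None else ""

    def json(self):
        return json.loads(self.text) if self.text else {}


class FakeGraphSession:
    """Constructed offline tenant: the caller's SP is not yet a User Administrator."""
    DENIED = {"error": {"code": "Authorization_RequestDenied",
                        "message": "Insufficient privileges to complete the operation."}}

    def __init__(self, caller_sp_id):
        self.caller_sp_id, self.role_active, self.members = caller_sp_id, False, set()

    def get(self, url, headers=None):
        return _Resp(200, {"value": [{"id": "role-obj-1"}] if self.role_active else []})

    def post(self, url, headers=None, json=None):
        if url.endswith("/directoryRoles"):
            self.role_active = True
            return _Resp(201, {"id": "role-obj-1"})
        if url.endswith("/members/$ref"):
            self.members.add(json["@odata.id"].rsplit("/", 1)[1])
            return _Resp(204)
        return _Resp(404, {"error": {"code": "ResourceNotFound"}})

    def patch(self, url, headers=None, json=None):
        if "passwordProfile" in json and self.caller_sp_id not in self.members:
            return _Resp(403, self.DENIED)  # same 403 the questions on this page show
        return _Resp(204)


def demo(session=None, token="constructed-token", sp_object_id="sp-123", user_id="user-456"):
    """Run the flow; returns what happened before and after the role grant."""
    session = session or FakeGraphSession(sp_object_id)
    out = {}
    try:
        reset_password(session, token, user_id, "Tmp!Pass-0192")
        out["before_role"] = "ok"
    except GraphError as err:
        out["before_role"] = str(err)
    role_id = activate_role(session, token, USER_ADMINISTRATOR_TEMPLATE_ID)
    out["added"] = add_role_member(session, token, role_id, sp_object_id)
    reset_password(session, token, user_id, "Tmp!Pass-0192")
    out["after_role"] = "ok"
    return out


if __name__ == "__main__":
    print(demo())
```

Two points worth checking when this is done for real: the member added to the role must be the service principal's object id (the "Enterprise applications" object), not the app registration's object id, and a role grant this broad lets the app reset any user's password, so the client secret or certificate for that app deserves the same protection as a User Administrator account.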
Trying to create a tool to handle password resets (user forgot their password). We’ve applied permissions to the AAD app used for password resets per the documentation.
Getting the error:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation."
Should this be possible using the Client Credentials Grant flow?
You cannot reset user passwords using Application permission scopes (i.e. scopes use for the client_credentials grant). Per the documentation:
When updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.
The Directory.AccessAsUser.All scope is only available as a Delegated permission scope.
Tool: postman
Created azure ad app, granted app-only permission Group.ReadWrite.All for Microsoft Graph app, the app has standard delegation permissions as "Sign-in and read user profile on" "Windows Azure Active Directory" app.
Requested token for AzureAD graph api at endpoint https://login.windows.net/ with resource parameter "https://graph.windows.net", using client credential grant flows;
Got token back
Used the token and did a GET on a User OK
Did a PATCH on a user ( modification went successfully with http code 204 back);
This looks very strange to me, why an app was able to do patch on a user in azure ad when app is only granted Group.ReadWrite.All on Microsoft Graph API?
We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console.
After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).
The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to be able to perform more than just group manipulation) - this will require some more investigation, as this should not be happening. Will report back.
Hope this helps,
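The two points made above, that a client-credentials token can only ever carry application permissions in its roles claim (the answer ending "Directory.AccessAsUser.All scope is only available as a Delegated permission scope") and that a consented app should show a roles claim in its access token, as an added diagnostic example that is not part of the thread. It assumes v1 Azure AD tokens place application permissions in roles and delegated permissions in the space-separated scp claim; the tokens it builds are constructed and carry a dummy signature. The payload is decoded without signature verification, which is acceptable for inspecting a token you obtained yourself but must never be used to make an authorization decision.

```python
# Added example (not from the thread): explain a 403 by reading the token's claims.
import base64
import json

# Permissions that exist only as delegated scopes; an app-only token can never
# carry them (the answer above names Directory.AccessAsUser.All).
DELEGATED_ONLY = {"Directory.AccessAsUser.All"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload):
    """Constructed test token: compact JWS layout with a placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.sig"


def decode_claims(token):
    """Payload claims only; the signature is deliberately NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def token_permissions(claims):
    """Return (kind, permissions): 'delegated' when scp is present, 'app' when
    only roles is present, 'none' when the token carries neither."""
    app = set(claims.get("roles", []))
    delegated = set(claims.get("scp", "").split())
    kind = "delegated" if delegated else ("app" if app else "none")
    return kind, app | delegated


def explain_denied(token, audience, required):
    """List the reasons a call needing `required` would be refused with this
    token, in the order a practitioner should check them."""
    claims = decode_claims(token)
    reasons = []
    if claims.get("aud") != audience:
        reasons.append(f"audience is {claims.get('aud')!r}, expected {audience!r}")
    kind, perms = token_permissions(claims)
    if kind == "none":
        reasons.append("token carries neither roles nor scp: the app has not been consented in the tenant")
    for perm in sorted(set(required) - perms):
        if kind == "app" and perm in DELEGATED_ONLY:
            reasons.append(f"{perm} is delegated-only; an app-only (client_credentials) token cannot carry it")
        else:
            reasons.append(f"missing permission {perm}")
    return reasons


if __name__ == "__main__":
    # constructed app-only token like the one described in the question above
    t = make_unsigned_token({"aud": "https://graph.windows.net", "roles": ["Group.ReadWrite.All"]})
    for line in explain_denied(t, "https://graph.windows.net", {"Directory.AccessAsUser.All"}):
        print(line)
```

The audience check is there because the question above requested a token for https://graph.windows.net (Azure AD Graph) while granting permissions on Microsoft Graph; a token minted for one API is rejected by the other, and that mismatch looks identical to a missing permission from the caller's side.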
There are two issues here:
Issue #1) Wrong documentation for Add Owner graph.microsoft.io/en-us/docs/api-reference/v1.0/api/… (One of the following scopes is required to execute this API: Group.ReadWrite.All or Directory.ReadWrite.All or Directory.AccessAsUser.All). It requires both Directory.ReadWrite.All AND Group.ReadWrite.All.
Issue #2) The Azure AD portal does not remove the application service principal from the Directory Writers role if you remove the "Read and write directory data" permission from the Windows Azure AD app.