I am setting up OIDC within an ASP.NET Core 3.1 web MVC application. I have set up "OpenIdConnect" for our employees specifying the authority via
"Authority": "https://login.microsoftonline.com/{0}/v2.0"
Where {0} is the companyname.onmicrosoft.com (or companyname is the tenantId) -> this works fine/well.
We have Azure GUEST accounts within our AD/ADFS and the above authority is not working for these accounts, i.e. my bob#gmail account is set up as a guest account in Azure AD. I have read that it should work against companyname.onmicrosoft.com, however the only way I could log in with guest access was to use the authority
"Authority": "https://login.microsoftonline.com/common/v2.0"
Using common within the authority URL I could log into my application. This also means I had to know the type of auth (employee or guest account) before the user could log in (i.e. different buttons making the user choose between the types of auth to perform)... this is less than ideal.
I would like to use the same Authority for both employees and guest users... is this possible?
If I use "Authority": "https://login.microsoftonline.com/{0}/v2.0" where {0} is tenant mycompany.onmicrosoft.com and try to log in with my bob#gmail AD GUEST account it fails and I get this error (interesting how the redirect_uri is using common even though bob#gmail is an AD guest account):
This login.live.com page can't be found. No webpage was found for the web address: https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-085c-4d86-bf88-cf50c7252078&scope=openid+profile+email+offline_access&response_mode=form_post&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2ffederation%2foauth2&state=rQIIAY2VOc_sZgGFv7lLkntJxAWlSHmlpCGS7_Vuv59EMbbHnvE6M17GdjN43_dlxhY_ACEK6jRIlClpQKmoU0Wiyy-IqCIqRAF8_AOaUz3FOdKRni-fo-_gxy9iAqeCKCIgDAAPwkmAQT7uYxAdUzgaEiEWR6D_-es3aPDJl78CH6vfvPnZy__87vUvvtq8upbZHL0LmurrzefpOLbD4_v3ZRN4ZdoM4yMBw8j7IUvqrIaSKRrGv2w23202P2w2Xz8bSIzCaEACEgcUQZI4TrxzqxOmCnymGqdRNQ6YusCwIqipbCSIkpujurqZxhV3xVALJT8RDrq7P_GFc1FGV9hhyhPvGg4sG2mpXszRMZy7mzuLmluFwiW375_9VNtOY4r-L5o-W6N_PHsVN311bZ_qfvX8x5-wMSfS6p5czlFoEqJW66unxfKdZabVC-FKaAKlnrdr4uTdyq4SPw8QAwKtS0uGuynwMRmBZanH3DQbUJwVp1nHpTRbEoN4W_BJNaFg1o6o07nP85vo7CqxuSHrrScjMriI3T7TTp1yHxTzhNeLXGDHHhZ9g_PCpNlNo7WU6D49W22BqhQ-3lRh5-b15E2mk-8H8n6jdWjB22xmU8DAl13P9nBzQlhRYqEAg7REQi2zqpNjQR4REZa1YsIJOZ74YMrmQCRsXo31sVcOR8t2q2pyd6bvWg3cna_MSNVzDkEmQKfxcCC392NnlTk_7QS0mGnMRKf9zXdEXBoV2- ....
It is interesting to see the reference to common here even though I was using "Authority": "https://login.microsoftonline.com/{0}/v2.0" where {0} is tenant mycompany.onmicrosoft.com
Guest users are related only to the particular tenant, so we need to give the tenant id instead of common. The current Azure AD B2B common endpoint can't be used for guest users; guest users are treated as personal accounts.
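The security point behind the tenant-versus-common choice is that with Authority set to the common endpoint the middleware can no longer tell which tenant it should trust, so the application has to pin the issuer itself. The following is an added example, not code from the question or the answer (in ASP.NET Core the same check lives in TokenValidationParameters.ValidIssuers or IssuerValidator); the tenant GUID and claim values are constructed placeholders:

```python
"""Tenant pinning for ID tokens accepted through the common authority.

Added example, not code from the question or the answer: the claim values and
the allowed tenant GUID used by callers are constructed placeholders."""
import re
from typing import Iterable, Mapping

# v2.0 issuer for work/school and guest sign-ins: the GUID is the tenant that
# issued the token, and the same GUID is carried in the tid claim.
V2_ISSUER = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/v2\.0$",
    re.IGNORECASE,
)


class IssuerRejected(Exception):
    """Raised when the token was not issued by a tenant this app trusts."""


def expected_issuer(tenant_id: str) -> str:
    """Issuer value a tenant-specific authority produces for tenant_id."""
    return f"https://login.microsoftonline.com/{tenant_id.lower()}/v2.0"


def validate_tenant(claims: Mapping[str, str], allowed_tenants: Iterable[str]) -> str:
    """Return the issuing tenant id, or raise IssuerRejected.

    With Authority set to .../common/v2.0 the middleware does not know which
    tenant to expect, so the application pins it: the iss claim must have the
    v2.0 tenant form, must agree with tid, and the tenant must be on the allow
    list. A literal 'common' issuer is never accepted.
    """
    allowed = {t.lower() for t in allowed_tenants}
    iss = str(claims.get("iss", ""))
    match = V2_ISSUER.match(iss)
    if match is None:
        raise IssuerRejected(f"issuer {iss!r} is not a v2.0 tenant issuer")
    tenant = match.group(1).lower()
    if tenant != str(claims.get("tid", "")).lower():
        raise IssuerRejected("iss and tid name different tenants")
    if tenant not in allowed:
        raise IssuerRejected(f"tenant {tenant} is not allowed to sign in")
    return tenant
```

Run validate_tenant on the claims of every ID token after signature validation; a token from any tenant not on the allow list, or one whose issuer does not carry a tenant GUID at all, is rejected before the user gets a session.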
Related
The use case is quite simple: I want to read and write to calendars on a daemon (backend workflow) from a personal Microsoft account or an Azure AD account.
Then I registered an Enterprise application in Azure Active Directory admin center with:
the account type « Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) ».
permissions on read write on calendars + read on user
a generated client secret
a redirect uri
For all accounts from the same Azure Active Directory, the authentication with the client secret and the impersonation of the targeted email works well.
But for personal Microsoft accounts it is not. If I understood correctly I need to use the client credentials flow to grant the user. Then the user needs to go to the admin consent url as explained: https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>&state=12345&redirect_uri=<redirect_uri>.
But when logging in with a personal account it results in a redirection to the specified redirect uri with the error:
AADSTS500200: User account '{EmailHidden}' is a personal Microsoft account.
Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization.
Try signing out and signing back in with an organizational account.
Research
I tried some solutions for the error AADSTS500200 from this article: https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/azure/active-directory/error-code-AADSTS50020-user-account-identity-provider-does-not-exist.md (note that the error number is missing a last zero). But I still receive the same error or another error, Needs admin approval, when the personal account is invited.
Needs admin approval (French only)
Question
Is it possible to read data on a personal Microsoft account? How to achieve this? Is there any other way?
It is not possible to use Microsoft personal accounts with the client credentials flow.
The solution is to use the authorization-code flow and use the scope offline_access during the authorization request and the token request, so that a refresh_token is returned that can be used to regenerate new refresh_tokens.
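To make the accepted answer concrete, here is an added example of the flow it describes (not the original poster's code and not Microsoft's library): the authorize URL carries offline_access, the code is redeemed only after the state check, and whenever the token endpoint returns a new refresh_token the stored one is replaced, since the previous one should be treated as spent. The HTTP transport is injected so the logic runs without network access; the endpoints are the real v2.0 ones, while the client id, secret, code and token values are constructed placeholders.

```python
"""Authorization-code flow with offline_access and refresh-token rotation.

Added example, not the original poster's code. The HTTP transport is injected
so the flow can be exercised without network access; the endpoints are the
real v2.0 ones, while the client id, secret, code and tokens supplied by the
caller are constructed placeholders."""
import secrets
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

TENANT = "common"  # personal Microsoft accounts sign in through common
AUTHORIZE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
# offline_access is the scope that makes the token endpoint return a refresh_token
SCOPES = "openid offline_access Calendars.ReadWrite User.Read"

# Transport(url, form_fields) -> parsed JSON body of the response
Transport = Callable[[str, Dict[str, str]], Dict[str, str]]


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """First leg: the user is sent here and comes back with ?code=...&state=..."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": SCOPES,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


class DelegatedTokens:
    """Holds the delegated tokens for one user and keeps the refresh token current."""

    def __init__(self, client_id: str, client_secret: str, redirect_uri: str, post: Transport):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.post = post
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None

    def redeem_code(self, code: str, returned_state: str, expected_state: str) -> None:
        """Second leg: exchange the code; the state check blocks injected codes."""
        if not secrets.compare_digest(returned_state, expected_state):
            raise ValueError("state mismatch: not the redirect we started")
        self._accept(self.post(TOKEN_URL, {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,
            "scope": SCOPES,
        }))

    def refresh(self) -> str:
        """Later, from the daemon: trade the stored refresh token for a new access token."""
        if self.refresh_token is None:
            raise RuntimeError("no refresh token: offline_access was not granted")
        self._accept(self.post(TOKEN_URL, {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "scope": SCOPES,
        }))
        return self.access_token

    def _accept(self, body: Dict[str, str]) -> None:
        if "error" in body:
            raise RuntimeError(body.get("error_description", body["error"]))
        self.access_token = body["access_token"]
        # The endpoint may rotate the refresh token; always keep the newest one
        # and treat the previous one as spent.
        if body.get("refresh_token"):
            self.refresh_token = body["refresh_token"]
```

In a real daemon the refresh_token is the long-lived secret: persist it encrypted, per user, and overwrite it on every successful refresh rather than keeping a history of old values.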
We are working on a web application that requires two different types of users:
Administrators (mapped to Azure AD, SSO);
Customers (mapped to Azure AD B2C);
Customers log into the web application using their Azure AD B2C account. Administrators log into an administration UI area of the website using their Azure AD account. This part is fine.
However, one of the requirements is that the Administrators are able to impersonate the Customer, so that they can carry out certain tasks on-behalf of the customer e.g. place an order.
We'll be using OAuth (.NET package) for the authorisation. My question is twofold really:
1) Does OAuth support impersonation of other accounts?
2) If yes, is it even possible for an account in Azure AD to impersonate a user in Azure AD B2C - currently they are different directories with no visibility of one another.
Perhaps my questions are a little vague, we're looking for some pointers in the right direction.
Many thanks in advance
dotdev
You can build a flow which authenticates the Admin via the federated IdP (AAD), then presents them a B2C page which allows them to impersonate a B2C user: https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation. The policy should do some checks to make sure the AAD user is in some group who can impersonate, then present them a screen in B2C to provide the end user's email. B2C will then finish the authentication by minting a token that is in the B2C user's context.
Azure AD (regular/B2C) does not allow you to impersonate other users.
You can't really login as the user.
You will most likely have to build this functionality into your application, where the admin is allowed to choose a customer on whose behalf they are making the order.
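The second answer's suggestion (keep the admin authenticated as themselves and let the application record whose behalf they act on) is the least-privilege design, because no customer credential or customer token is ever minted for the admin and the audit trail never loses the real actor. Here is an added example of that shape; it is not code from either answer or from the linked B2C sample. The group name, object ids and the in-memory customer table are constructed placeholders; in a real app the admin principal comes from the Azure AD token and the customer from the application's own customer store.

```python
"""Application-level 'on behalf of' for admins, instead of directory impersonation.

Added example, not code from any of the answers above. The group name, object
ids and the customer lookup are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ON_BEHALF_GROUP = "order-support"  # placeholder: AAD group allowed to act for customers


@dataclass(frozen=True)
class Principal:
    object_id: str            # AAD object id (admin) or B2C object id (customer)
    directory: str            # "aad" or "b2c": which directory authenticated them
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ActingContext:
    """Who is really at the keyboard (actor) and whose data is touched (subject)."""
    actor: Principal
    subject: Principal
    reason: str = ""

    @classmethod
    def for_self(cls, who: Principal) -> "ActingContext":
        return cls(actor=who, subject=who)


@dataclass
class AuditEntry:
    action: str
    actor: str
    subject: str
    on_behalf: bool
    reason: str


class OrderService:
    def __init__(self, customers: Dict[str, Principal]):
        self.customers = customers
        self.orders: List[dict] = []
        self.audit: List[AuditEntry] = []

    def begin_on_behalf(self, admin: Principal, customer_id: str, reason: str) -> ActingContext:
        """Only an AAD admin in the allowed group may act for a B2C customer,
        and only with a recorded reason; no customer credential is involved."""
        if admin.directory != "aad" or ON_BEHALF_GROUP not in admin.groups:
            raise PermissionError("actor may not act on behalf of customers")
        if not reason.strip():
            raise ValueError("a reason is required for on-behalf actions")
        customer = self.customers.get(customer_id)
        if customer is None or customer.directory != "b2c":
            raise LookupError(f"unknown customer {customer_id}")
        return ActingContext(actor=admin, subject=customer, reason=reason)

    def place_order(self, ctx: ActingContext, sku: str, qty: int) -> dict:
        """The order always belongs to the subject; the audit trail names both."""
        order = {"id": len(self.orders) + 1, "customer": ctx.subject.object_id,
                 "sku": sku, "qty": qty}
        self.orders.append(order)
        self.audit.append(AuditEntry(
            action="place_order",
            actor=ctx.actor.object_id,
            subject=ctx.subject.object_id,
            on_behalf=ctx.actor != ctx.subject,
            reason=ctx.reason,
        ))
        return order
```

Because ActingContext is the only way to reach place_order, every code path that touches customer data carries both identities, and the on_behalf flag in the audit log makes admin-initiated orders trivially searchable during an investigation.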
I am working on Azure AD B2C for my Angular 6 front-end App and consuming the Microsoft Graph API in order to change the signed-in user's password. I am getting the access_token using the Authorization Code flow.
It works fine when the user has a username like xyz#myb2cname.onmicrosoft.com, I get an access_token and then call https://graph.microsoft.com/v1.0/users/{id}/changePassword.
But when I try to do the same for users with a username like xyz#gmail.com or abc#hotmail.com, I get an error when acquiring the access_token from Authorization Code flow (grant_type=password). Note: These users are "local" accounts in my AAD B2C tenant
Following is the error message I get:
{
  "error": "invalid_grant",
  "error_description": "AADSTS50034: To sign into this application the account must be
    added to the myb2cname.onmicrosoft.com directory.
    Trace ID: 8fcae061-5088-4393-9e5b-d0a83d1d0a00
    Correlation ID: 0dc6c906-c54b-4cd8-ae8b-46f3f6118e40
    Timestamp: 2018-08-01 06:16:55Z",
  "error_codes": [
    50034
  ],
  "timestamp": "2018-08-01 06:16:55Z",
  "trace_id": "8fcae061-5088-4393-9e5b-d0a83d1d0a00",
  "correlation_id": "0dc6c906-c54b-4cd8-ae8b-46f3f6118e40"
}
How can I call changePassword for users who are signed in using the email identity provider (SignIn-SignUp Policy) when their username looks like xyz#gmail.com or abc#hotmail.com instead of xyz#myb2cname.onmicrosoft.com?
It is the expected behavior. You need to understand AD clearly before implementing it.
In Azure AD, to authenticate a user against a Directory, the user should be a part of the Active Directory. Users who are not a part of the Active Directory will not be authenticated. The token gets generated only when the user is authenticated.
Trying to generate a token for a user who is not a part of the Active Directory is similar to logging into the Azure Portal with an invalid user account.
When an external user signs into your AAD, it does not create a traditional user with a traditional password, it creates a "guest" user. The actual user remains in the originating AAD tenant, your AAD tenant only stores a placeholder for that user.
You cannot change a guest user's password since your AAD doesn't actually have a password assigned to that user. Your AAD holds the authorization (what the user has access to) but relies on the user's AAD for authentication (the user is who they claim to be).
You can't change passwords for local account users using the Microsoft Graph API because, currently, an Azure AD B2C application can't be registered with the Microsoft Application Registration Portal and, therefore, it can't be used with the Microsoft Graph API.
You should change passwords for local account users using a custom policy.
This means the Azure AD B2C application doesn't have to collect either the current or new passwords for users.
I ran into the same situation where I was able to create and update the user in Azure AD B2C
but not able to delete or reset the password.
Because currently, the Read and write directory data permission does NOT include the ability to delete users or update user passwords:
Configure delete or update password permissions for your application
To achieve this I had to follow the above link and it worked like a charm.
I have an ASP.NET MVC 4.6 application and I want to be able to use an application identity to provide access to the Azure Graph API behind the scenes, but I want to use Azure AD users for my application's authentication and authorization.
The end goal is to be able to have a user initially register using Google, Facebook, or enter their own username. During this registration, my application would leverage the Graph API to create an Azure AD user behind the scenes.
Once registered, if the user logs on using Google, Facebook, or their own username, it will look up against the Azure AD users to retrieve groups or roles.
Is this possible, or even a good idea? I'm open to other suggestions. Thanks!
This is possible. Azure AD recently released Azure AD B2C (business to consumer) to public preview. B2C will allow your users to sign up and sign in with consumer identity providers (e.g. Google, Facebook, etc.).
The sign up portion of this creates a special kind of user in Azure AD that has a reference to an identity in the consumer identity provider. The sign in portion of B2C allows users to authenticate with their corresponding identity provider, and that authentication is recognized in Azure AD.
The full documentation starts at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-overview/, and a ASP.NET MVC sample is at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/.
Alternatively, if you want to do your own, off the top of my head, the best you can do is to build a mechanism where you associate a "regular" Azure AD user with the corresponding social identity provider (e.g. maintain a lookup table). Your users would sign in to your app using each identity provider's protocol, and when they've done so, you "artificially" link them to the corresponding Azure AD users. From Azure AD's perspective, however, these users would not actually be authenticated, so at best, you'd be using Azure AD as a place to store users and groups.
Check out the new Azure B2C offering, in preview, which supports the exact scenario you are asking about out of the box.
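If you do go the lookup-table route from the first answer, the detail that matters for security is the key: link on the provider's stable (iss, sub) pair, never on e-mail, which can change, be reused, or go unverified by some providers, and refuse to re-link an identity that already points at a different user. The following is an added example of that table, not code from the answers; the directory side is a stub standing in for Graph calls, and every issuer, subject and object id is a constructed placeholder.

```python
"""Linking a social sign-in to an Azure AD user record (the lookup-table option).

Added example, not code from the answers. The directory lookup is a stub
standing in for Graph API calls; issuers, subjects and object ids supplied by
callers are constructed placeholders."""
from typing import Dict, FrozenSet, Mapping, Optional, Tuple

# Key on the provider's stable (iss, sub) pair. E-mail is not a safe key:
# it can change, be reused, and some providers do not verify it.
LinkKey = Tuple[str, str]


class DirectoryStub:
    """Stands in for the Azure AD side: object id -> group names."""

    def __init__(self, groups: Mapping[str, FrozenSet[str]]):
        self._groups = dict(groups)

    def exists(self, object_id: str) -> bool:
        return object_id in self._groups

    def groups_of(self, object_id: str) -> FrozenSet[str]:
        return self._groups.get(object_id, frozenset())


class IdentityLinks:
    def __init__(self, directory: DirectoryStub):
        self.directory = directory
        self._links: Dict[LinkKey, str] = {}

    @staticmethod
    def _key(claims: Mapping[str, str]) -> LinkKey:
        try:
            return (claims["iss"], claims["sub"])
        except KeyError as exc:
            raise ValueError(f"token lacks required claim {exc}") from None

    def link(self, claims: Mapping[str, str], object_id: str) -> None:
        """Link the identity that just authenticated (its validated claims) to an
        existing directory user. Re-linking to a different user is refused so an
        account cannot be taken over by re-registering the same social identity."""
        if not self.directory.exists(object_id):
            raise LookupError(f"no directory user {object_id}")
        key = self._key(claims)
        current = self._links.get(key)
        if current is not None and current != object_id:
            raise PermissionError("identity already linked to another user")
        self._links[key] = object_id

    def resolve(self, claims: Mapping[str, str]) -> Optional[str]:
        """Directory object id for a validated social token, or None if unlinked."""
        return self._links.get(self._key(claims))

    def groups_for(self, claims: Mapping[str, str]) -> FrozenSet[str]:
        """Authorization data comes from the directory; the social provider only
        did the authentication, exactly as the answer describes."""
        object_id = self.resolve(claims)
        return self.directory.groups_of(object_id) if object_id else frozenset()
```

Call link only in a handler that has just validated the social provider's token for the current session, so the (iss, sub) written to the table is one the user has actually proven control of.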
Short version: Can my application authenticate itself with OAuth 2.0 without using a service account?
Long version: The issue I'm having with service accounts is that they can't be granted the same permissions as the original account that created them. Specifically, my company doesn't grant external accounts write permissions for security reasons. A service account is technically an application specific account, outside of the domain of the account that created it, and has more restricted access than an end-user account.
Is it possible for an application to authenticate itself as a user account?
A service account is allowed to impersonate a user to get an access token.
See https://developers.google.com/accounts/docs/OAuth2ServiceAccount#formingclaimset Additional claims section.
https://code.google.com/p/google-apps-manager/wiki/GAM3OAuthServiceAccountSetup has description for how to configure it.
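The "additional claims" the answer points at amount to one extra field, sub, in the assertion's claim set; the rest is the standard JWT-bearer exchange. As an added example (not from the answer or the linked pages), the block below forms that claim set and the compact assertion using only the standard library, so the RS256 signer is passed in rather than implemented (a real one signs with the service account's private key). The service-account address and the impersonated user are constructed placeholders, and the default lifetime is kept short because the assertion is effectively a bearer credential for that user until it expires.

```python
"""Claim set for a Google service-account assertion that impersonates a user.

Added example, not from the answer or the linked pages. Only the standard
library is used, so the RS256 signer is passed in (in practice it signs with
the service account's private key); service-account and user addresses
supplied by callers are constructed placeholders."""
import base64
import json
import time
from typing import Callable, Dict, Optional, Sequence

TOKEN_URI = "https://oauth2.googleapis.com/token"
MAX_LIFETIME = 3600  # assertions valid for longer than an hour are rejected
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claim_set(sa_email: str, scopes: Sequence[str], impersonate: Optional[str] = None,
                    now: Optional[int] = None, lifetime: int = 600) -> Dict[str, object]:
    """iss/scope/aud/iat/exp are the standard claims; sub is the additional claim
    that makes the resulting token act as that user (needs domain-wide delegation
    to be granted to the service account by the domain admin)."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    if not scopes:
        raise ValueError("at least one scope is required")
    issued_at = int(time.time()) if now is None else now
    claims: Dict[str, object] = {
        "iss": sa_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": issued_at,
        "exp": issued_at + lifetime,
    }
    if impersonate:
        claims["sub"] = impersonate
    return claims


def build_assertion(claims: Dict[str, object], sign_rs256: Callable[[bytes], bytes]) -> str:
    """header.payload.signature in compact JWT form."""

    def compact(obj: Dict[str, object]) -> bytes:
        return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")

    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    return signing_input + "." + _b64url(sign_rs256(signing_input.encode("ascii")))


def token_request_form(assertion: str) -> Dict[str, str]:
    """Form body posted to TOKEN_URI to trade the assertion for an access token."""
    return {"grant_type": JWT_BEARER, "assertion": assertion}


def read_claims(assertion: str) -> Dict[str, object]:
    """Decode the payload without verifying it (for inspection and tests only)."""
    return json.loads(_b64url_decode(assertion.split(".")[1]))
```

Operationally, a service account with domain-wide delegation can request a token as any user in the domain for the delegated scopes, so keep the delegated scope list minimal and the key file as tightly controlled as the admin credential it effectively stands in for.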