My web application uses Azure Active Directory for authentication. In my Azure Portal I have an application reference which hooks into the AAD, I also have all the relative keys in place within the web application itself. Everyone in my organisation can log in without any problems but any new user accounts that are added get a message:
You can't access this application Company App Registration Name needs
permission to access resources in your organization that only an admin
can grant. Please ask an admin to grant permission to this app before
you can use it.
This is a message that only new accounts get, I can see these new accounts within the AAD and they accounts are identical to other employees, it's as if it's out of sync. Does anyone know what I have done wrong or why new accounts are not automatically picked up?
I believe you can solve your issue by having an Administrator of your tenant consent to the application on-behalf-of the entire tenant, which should include all new and existing users.
To do this, the Administrator can simply go to a login endpoint with the query string prompt=admin_consent.
https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&prompt=admin_consent
You can use this template URL, and simply fill out the variables with your application and tenant information. Then, hand it to the administrator and have them consent to the app.
Let me know if this helps!
Related
We have created a Microsoft Teams tab app with bot integration that we want to distribute to various organizations either manually or via an App Store. In summary,
We created Tabs App with Microsoft Bot using node.js botbuilder package.
We provided zip archive to another organization (another tenant Id).
Organization uploaded our app using Microsoft Teams Admin panel and approved permission in Permission tabs.
Question is how can we receive the tenant id from the organization we are deploying to without asking their admins to go to Azure Active Directory and look it up. Once provided, the graph api and the multi tenant bot does work fine. We are trying to avoid asking their admin to provide us the tenant id and want to retrieve it automatically upon the app being uploaded or on startup.
Thank you.
The best place to get the tenant id is from the access token you are provided by logging in to your app. Look for the 'tid' value.
I'm assuming you are talking about stream lining the company wide admin consent for your application.
What you can do is have a web site that a customer's admin can log into (using standard Microsoft OAuth interactive flow). You can then pull the Tenant ID from the access token and then run through the Microsoft consent process. Once consent process redirected back to your web site, you can do your own customer onboarding if required.
As of now, I have created an application that has certain permissions to access Mail Information of certain users in an organization. Till this point, admin from the organization would create the service and provide the credentials.
However, as a plan to scale the application to multiple organizations, I'd like to send a mail to admin to grant access for the permissions and automatically get the credentials.
I'm open to alternative ideas. Any ideas if the above is even feasible?
This is quite impossible to automate the complete process creating, and admin still need to approve the permission in Azure AD. What you can do here is ,just create the application and if user tries to access the app but they can't give consent ,they need to trigger a request for admin approval that can be sent by an email .
To allows admin consent request to be sent via email Configure the admin consent workflow , please follow the docs - Azure AD | Microsoft Docs
Hope that process will help you .
I have an ASP.NET MVC application that is used by different customers. Currently the app is set up to use individual user accounts. I have built some authorization logic around that and would like to keep the logic unchanged.
I got a request that some of the customers would like to perform authentication for their users with their Azure Active Directory. I have uncommented the app.UseMicrosoftAccountAuthentication part from Startup.Auth.cs. I registered the app as multi-tenant in my AAD. I managed to get the whole thing running and users now have the possibility to link their accounts with AAD and use it for authentication.
However, I encountered a few problems I am struggling with:
In order for the user to link his account with AAD he needs to set up an individual login/pass account in the first place. How can I avoid that? I want to have the users either authenticating with login/pass or with AAD, not both at the same time.
I have no control over which account the user uses to authenticate. Let's assume I expect the user to use an account in domainx.com, but if they link domainy.com account it will still work. I need to have some kind of way to compare the expected domain with the actual one that comes back from AAD. How can I do that?
One of the ideas to tackle the problem was to have a customer admin create the user accounts for them. The issue is that in AspNetUserLogins I need to store the user's AAD ID, not the email. How can I query AAD to check the UserID based on the email?
I have a MVC5 application which has authentication and authorization using ASP.net Identity. So all my roles, user profiles are stored in the application database. The application is managed by me. My company now wants to use Azure AD for authentication in the application. So the user will be able to login with their credentials. If the user is signing in for the first time then i want to create the user profile in my application database. I also want to use the the roles stored in my application database for authorization.
Can someone provide some guidelines on how I can achieve this?
Thanks for your help.
Here is the link where the step by step guide is available for using Azure AD to accept sign up and sign in.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-aspnet-webapp
Overall in summary below is the architecture diagram which you need to perform.
You could also use Azure AD B2C for allowing user to signup/sign through google, FB, Amazon and etc identity provider.
All the authentication login you could implement it in filter and later you can decorate your controller with the AUTH filter.
and then you can register your filter like below
GlobalFilters.Filters.Add(new AuthorizeAttribute());
I have not provided code samples here as it would be too long answer.
Coming back to your original question , i want to create the user profile in my application database , basically after successful login you can save the claims data which would act as a user profile in your DB.
However it is not recommened to save the entire profile in database if you are already maintaining it in Azure AD.
Azure AD B2C gives the flexibility to add custom attributes too.
Hope it helps.Let me know if you need any help.
I have created an app in https://apps.dev.microsoft.com portal with name GroupsApp and I have given couple of permissions as below:
I have created client id and secret to use in my application. I am using asp.net MVC (with 4.5.1 .net framework) web application.
I am getting some groups info and displaying on the screen. If I am logged with my account it is working fine. But if I logged in as another user then it is giving me issue as below:
I have formatted url as below: https://login.microsoftonline.com/948894dc-c0e2-43e5-a7e6-1d21dd183c9d/oauth2/authorize?client_id=75acb700-e675-4dc4-9deb-d3f68f6911a1&response_type=code&redirect_uri=http://localhost:34280&prompt=admin_consent and trying to granted the permission. Here I have logged in as admin and given permissions.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
I could encounter the same issue according to your settings. I assumed that you may hit the Admin-restricted scopes of AAD v2.0 as follows:
Some high-privilege permissions in the Microsoft ecosystem can be set to admin-restricted. Examples of these kinds of scopes include the following permissions:
Read an organization's directory data by using Directory.Read
Write data to an organization's directory by using Directory.ReadWrite
Read security groups in an organization's directory by using Groups.Read.All
Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they are not authorized to consent to your app's permissions.
You could Using the admin consent endpoint and follow this Build an app with admin restricted scopes using the v2.0 endpoint github code sample to ensure your app can gather permissions for all users in a tenant, including admin-restricted scopes.