Azure Active Directory B2C - Query Graph - Insufficient Privileges - asp.net-mvc

So I'm trying to connect an MVC app to AAD B2C, and retrieve the current user's groups, so I can add them to their roles. Unfortunately, I am unable to successfully query the graph.
Insufficient privileges error when trying to access Azure Graph APIs
The link above is essentially the situation I'm in, save that I'm connecting to a B2C directory. As near as I can tell, I don't have a way to specify privileges as that question's answer suggested. There is a section for 'Keys' but the keys it generates are really quite different than the keys that regular AD apps generate.
When I do try to use the key, I just get the insufficient privileges error.
I also tried locating my app in the main, regular AD, and adding keys and ALL permissions, but I also got the same error (and there doesn't appear to be any way that I can see to determine if I even got closer).
To add to the confusion, there are different ways to get to the registered "applications" in the Azure portal. I can go in through the B2C settings, or through the regular AD settings. In the B2C side of things, I can generate keys (but as I said, they're quite different from the keys generated on the AD side), but I cannot do anything with Privileges... no option exists. On the AD side, I actually see two apps for my 1 B2C app... it looks like there's one which has the same ID as the B2C app (but using that key and privileges does nothing), and there's another, which also doesn't appear to have any useful qualities that I've figured out.
I'm out of ideas. What else can I try?
Edit
I've done some more experimenting, and found that if I use an incorrect ID or Secret, I get appropriate error messages. So, by this I assume that I am "Authenticating" correctly. The problem seems to be that, as the error message indicates, my Key does not have sufficient permissions.
To that end, I've added every single available permission under both "Windows Azure Active Directory" and "Microsoft Graph" ... No improvement, I still fail to have the required privileges. I guess I'll add ALL the available permissions, and see if that seems to help any.
-- Nope, there are NO remaining privileges to add, but I still get the insufficient Privileges error message.
Additionally, making the login-user an AD administrator, doesn't make any difference.

You're likely missing a so-called admin consent in your flow. Basically, it's not enough to grant permissions (those which are marked "Requires admin") using the portal, but also a user with admin rights should consent to that grant. The tricky thing is that this consent isn't shown automatically when an admin user signs in (like it happens with regular user consent). You have to add a prompt=admin_consent parameter to the URL of the page where you enter credentials, press enter, and then log in. In this case you will see the admin consent, asking if you want to grant the permissions.
You can read more about admin consent here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent.
I also discuss this problem here: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console/issues/38#issuecomment-264664883

Related

What API permission is needed when enabling User assignment required? in Azure AD Enterprise application

If in Azure portal, I set Enterprise applications > Properties > User assignment required? to No, then authentication works as expected. However, if I turned it on, users get error Application needs permission to access resources in your organization that only an admin can grant. I understand that I need to add an API permission to my app, but what is it?
Interestingly, if a user has signed in to the app before, then they are not affected when turning the option on. Only users who have never used it are affected.
Edit: To clarify, I already have App roles created. Users without app roles can't sign in, as expected. Users WITH app roles who sign in for the first time after the option is turned to Yes get the above error.
Finally, I reproduce your issue with the request URL below, the scope also could be another one, e.g. https://storage.azure.com/.default, which has been added in the API permissions of the AD App.
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=xxxxxxx
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://management.azure.com/.default
&state=12345
If the User assignment required is set to Yes, I notice it will not prompt the user to consent to the permissions (e.g. user_impersonation in the Azure Service Management API).
To fix the issue, we need the admin consent to the App, just navigate to the API permissions, click the Grant the admin consent for xxx button, then it will work fine.

Authorize non admin account to access OneDrive for Business files

I want my application to access my users' OneDrive for Business files (both read and write access). It should work as an alternative browsing client, so the user just has to log in and then browse his files.
With personal OneDrive using the v2 Endpoint, it works flawlessly.
When I try to log in to my OneDrive for Business account I get an error stating that my application requires some privileges that only Admins can grant.
But... from the app panel (https://apps.dev.microsoft.com), my application requires only permissions that non-admin users can request (under delegate authorization). The Application authorization list is empty.
I also tried to remove ALL the required permissions, save, wait some minutes and retry... and even without any permission required I still get the same error.
I tried making a new application, checking all the permissions, refreshing the app's key... but I always get the same error. If I try to log in with the same account from another commercial application it works.
I also don't have access to any admin account to see a list of authorizations required by my app.
I'm really out of ideas. What can I try?

Granting users.read.all permission to all users in the domain

I was told by one of the engineers at Microsoft that in order to display the jobtitle field, using users method in REST, I need an admin permission. I would appreciate if someone can answer exactly what steps the domain administrator needs to take in order to give user.read.all permission to all users in the domain that will run the graph query. I would appreciate if anyone can provide detailed step by step instruction.
For user.read.all, you will need to get administrative consent from the organization before a regular user can sign-in to your application.
To do this, you'll first need to have them go through the “Admin Consent” workflow. This workflow requires an administrator but once complete any users of your application will have “admin consent” to the restricted scope.
For example, you would normally authenticate users by redirecting them to
https://login.microsoftonline.com/common/oauth2/authorize?<your params>.
Since this scope requires an Admin, however, you first need to obtain consent by having an Admin authenticate by redirecting them to
https://login.microsoftonline.com/common/adminconsent?<your params>.
Once an Admin grants consent, normal users will be able to use OAUTH to authenticate.
Dan's link took care of the problem.
In the link the below sample link was the answer. Instead of the word "common", I have replaced it with the tenant ID as shown below:
https://login.microsoftonline.com/{tenant id from azure ad}/adminconsent?
client_id={application client id}
&state={can be anything. I used the same as the redirect url}
&redirect_uri={URL that exactly appears in the app application portal}
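The tenant-specific admin consent request above, as an added example that is not part of the original answers: it builds the URL with an unguessable `state` instead of a fixed string and checks the redirect that comes back. The function names and sample values are hypothetical; the callback parameters (`admin_consent`, `tenant`, `state`, `error`) are assumed to follow the documented response of this endpoint.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(tenant_id, client_id, redirect_uri):
    """Return (url, state); keep state in the admin's server-side session."""
    # A random per-request state ties the callback to the session that
    # started the flow, so a forged redirect cannot be replayed into it.
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,  # must match the registered URL exactly
    })
    return f"{AUTHORITY}/{tenant_id}/adminconsent?{query}", state


def check_admin_consent_callback(callback_url, expected_state, expected_tenant):
    """Return (ok, reason) for the redirect received after the consent page."""
    params = parse_qs(urlsplit(callback_url).query)

    def first(key):
        return params.get(key, [""])[0]

    # Constant-time comparison; reject callbacks this session did not start.
    if not hmac.compare_digest(first("state").encode(), expected_state.encode()):
        return False, "state mismatch"
    if first("error"):
        return False, f"consent refused: {first('error')}"
    # Consent granted in another directory does not cover this tenant.
    if first("tenant").lower() != expected_tenant.lower():
        return False, "consent came from a different tenant"
    if first("admin_consent").lower() != "true":
        return False, "admin_consent flag missing"
    return True, "admin consent granted"


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    url, state = build_admin_consent_url(
        "example-tenant-id", "example-client-id", "https://app.example/consent")
    print(url)
    callback = ("https://app.example/consent?admin_consent=True"
                f"&tenant=example-tenant-id&state={state}")
    print(check_admin_consent_callback(callback, state, "example-tenant-id"))
```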

How to handle authorizing the same third-party application multiple times for a single user account?

I'm working on a cloud-storage API, authorized via OAuth. Users of third-party applications can permit said application to access their files/data via our RESTful API.
Currently, we are limiting a third-party app's access to a user's account to once. E.g., the Access Token table has a UNIQUE on the consumer column and the user column. This makes sense at first glance, as the user should never be sent to our service to authorize a third-party application twice, since the third-party would already know their user is already tied to our service and wouldn't need to be re-authorized.
However, what if this user has two accounts on the third-party app, and they want said app to connect to their single account on our service twice? This seems likely, given the prevalence of multiple accounts on services such as Reddit.
Here are the possible solutions I've come up with so far, none of them being perfect:
Display an error during the second auth request: This seems like a frustrating experience for the user, a "cop out" of sorts.
Delete the previous token: This would likely annoy the user, as their previous accounts stop working. Even if we display a warning, it would likely be hard to explain what exactly is happening.
Return the same access token as the first request: Each time the access is requested, a set of permissions are also passed along. The permissions for the second request could be different than the permissions for the first request. Also, not sure if this will violate the OAuth spec, as the secondly generated Request Token isn't tied to the Access Token properly.
Allow two to be generated: This would be confusing, as when the user visits their screen full of authorized applications to revoke one, they don't know which authorization is tied to which third-party account. We could ask for an optional third-party username parameter when the Request Token is generated to identify the different auth's (we currently ask for a non-OAuth-standard permission parameter already). But, this seems like it wouldn't be used by 99% of developers and could make application development more confusing.
What is the best way to handle this situation? Is there a standardized practice for handling this use-case?
I think your last case is the right way to go - Allow two to be generated.
When the user visits his screen full of authorized application, it's not necessary to show him one and the same Application twice - you just have to delete the tokens associated with the app if the user revokes application access. That is, all his authorizations to the app with all tokens will go away with the revoke, which is fine.
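A sketch of the approach in the answer above, as an added example that is not code from the question or the answer: the token table drops the UNIQUE constraint on consumer and user, the revoke screen lists each application once, and revoking removes every token that application holds. The table, column and function names are hypothetical, and an in-memory SQLite database stands in for the real store.

```python
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE access_token (
    token       TEXT PRIMARY KEY,
    consumer    TEXT NOT NULL,   -- third-party application
    user_id     TEXT NOT NULL,   -- account on our service
    permissions TEXT NOT NULL    -- permissions requested for this grant
);
-- Plain index, deliberately not UNIQUE: a user may authorize one app twice.
CREATE INDEX idx_consumer_user ON access_token (consumer, user_id);
"""


def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def issue_token(db, consumer, user_id, permissions):
    """Each authorization gets its own token and its own permission set."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO access_token VALUES (?, ?, ?, ?)",
               (token, consumer, user_id, permissions))
    return token


def authorized_apps(db, user_id):
    """One entry per application, however many tokens it holds."""
    rows = db.execute("SELECT DISTINCT consumer FROM access_token "
                      "WHERE user_id = ? ORDER BY consumer", (user_id,))
    return [row[0] for row in rows]


def revoke_app(db, consumer, user_id):
    """Revoking an application deletes all of its tokens for this user."""
    cur = db.execute("DELETE FROM access_token "
                     "WHERE consumer = ? AND user_id = ?", (consumer, user_id))
    return cur.rowcount


def token_is_valid(db, token):
    row = db.execute("SELECT 1 FROM access_token WHERE token = ?", (token,))
    return row.fetchone() is not None
```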

How do I better control how DotNetOpenAuth uses Microsoft Account (Live ID)?

I am using the new OAuthWebSecurity wrapper for DotNetOpenAuth to allow users to log in to an MVC4 application with their Microsoft Account (aka Windows Live ID).
I have registered the microsoft client:
OAuthWebSecurity.RegisterMicrosoftClient(clientId: "...", clientSecret: "...");
It is all working, and I love the simplicity of it. But how do I refine what it's doing?
After selecting to log in with their Microsoft Account, the user is taken to a screen asking them to log in:
When they log in, I want them to be able to check the "keep me signed in" box.
Microsoft then asks for them to OK my access:
But I don't actually want that much access. All I want is their name and email address. And maybe their picture. I certainly don't need or want access to their contacts and friends. This is going to scare off my users.
Where can I pass parameters to OAuthWebSecurity or DotNetOpenAuth to control this?
So the user clicks yes and all is ok. However, when they leave and come back to my site - the "keep me signed in" option should have been honored. It isn't. Instead, they see this:
I don't understand the message that says:
Because you're accessing sensitive info, you need to verify your password.
What sensitive info? The contacts/friends I didn't want to begin with? Or something else?
How can I get around these two issues to make my application more user-friendly?
You need to pass the scopes you want. You can just use wl.signin, which will sign users into your application if they are already signed in to Live without asking for the credentials again.
Check http://msdn.microsoft.com/en-us/library/live/hh243646.aspx
