One may receive the following 403 error when using the Microsoft Graph API to add a user to a group:

MS Graph Request:
POST https://graph.microsoft.com/v1.0/groups/<Group Object ID>/members/$ref

Request body:
{
  "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/<User Object ID>"
}

Response:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2024-05-07T15:39:39",
      "request-id": "aa324f0f-b4a3-4af6-9c4f-996e195xxxx",
      "client-request-id": "aa324f0f-b4a3-4af6-9c4f-996e1959074e"
    }
  }
}

Below are some guidelines for resolving the error. Check group type: There are different types of groups and not…
‘Update your browser’ message when using apps that leverage ADAL/MSAL
You might see the following message…

Update your browser
Your browser is not supported or up-to-date. Try updating it, or else download and install the latest version of Microsoft Edge.
You could also try to access https://aka.ms/mysecurityinfo from another device.

As a quick solution for the user, have the user register for MFA ahead of time before using the app. Simply open a supported browser like Edge or Chrome and have the…
How to find the underlying MS Graph URL from a Microsoft Graph PowerShell commandlet
There are times one needs to know the underlying Microsoft Graph URL for a given Microsoft Graph PowerShell commandlet. Knowing the underlying URL can be helpful for debugging Microsoft Graph related issues. There are multiple ways to find it out; below are a couple of techniques one can use. Use the Debug switch: This switch is documented here. This technique requires using Connect-MgGraph to authenticate and then executing the commandlet. The…
Tutorial: How to call a protected web API with an application permission token in Azure AD B2C
Introduction: This post covers an end-to-end scenario where a front-end console application authenticates to Azure AD B2C using the OAuth2 client credentials grant flow and calls a .Net back-end web API. The samples in this post are built on the .Net 6 framework. App Registrations: There are 2 App Registrations required in this tutorial: a front-end console app and a back-end web API. The samples also require either a…
Troubleshooting CORS to Azure AD/Entra ID
You are developing an app and see one of the following CORS related errors in the console logs… Notice it starts with “https://login.microsoftonline.com“; if you have an Azure B2C scenario, it might instead start with “https://youdomain.b2clogin.com/…“. It is outside the scope of this article if the error is not generated by Azure AD/Entra ID and looks something like this… Access to XMLHttpRequest at ‘https://app.contoso.com/…‘ We…
How to bundle consent
You have a custom client and a custom API. There is an application registration in Azure AD for each of these apps: one for the custom client and one for the custom API. You want your users to be able to bundle the consent for these apps. You might see one of the following errors… Step 1: Configure knownClientApplications for the API app registration. First, you will need to add…
Implementing SwaggerUI and API for Azure AD
Do not forget the basic principles of OpenID Connect and OAuth2. When you want to protect an API with OAuth2 and Azure AD, you must pass an access token that will be validated. So if you want to test with SwaggerUI, on accessing the API portion SwaggerUI must be configured to authenticate, acquire an access token, and pass it to the API. Before we get started, ensure you create…
Adding multiple issuer and audience validation in C#
You have a custom-developed Web app or Web API using Asp.Net or Asp.Net Core and you want to control which issuers have access to your app. There are a couple of ways to do this. Use multiple authentication schemes: One way to do this, and probably the most recommended way, is to follow what is documented here… https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes In this solution, you’ll want to have different Web App or…
Using MSAL for Python to perform interactive sign in from a local script
This blog shows how to use MSAL for Python to perform an interactive sign in to Azure AD from a locally run Python script. The sample also demonstrates how to enable MSAL logging and how to capture Python SSL web traffic using Fiddler Classic. App Registration: You will need an Azure AD App Registration with the “http://localhost” reply URL configured in the ‘Mobile and desktop applications’ platform. The…
Add Azure AD roles claim support in WebAssembly Authentication
You are developing a WebAssembly authentication app and trying to implement role-based access control. You get an error similar to… The WebAssembly Authentication stack appears to cast the roles claim into a single string. We need a User Factory to modify this behavior so that each role has its own unique value. Create the Custom User Factory: First, create a custom User Factory (CustomUserFactory.cs)… Add the roles mapping…