Our MSAL.js sample is an excellent example for using MSAL in a javascript page. However, it only demonstrates logging in by clicking on a button. If you’re launching your app from myapps portal or are otherwise already logged into the portal with the browser, it would make sense to just use that session to perform your sign-in for your MSAL app without requiring the button click. This is actually easily…
Read MoreInfinite sign in loop between MVC application and Azure AD
In a previous post I talked about an infinite redirect loop issue between an MVC application and Azure AD when performing sign in. In this post, we will look at another scenario which can lead to the same type of problem. Background Applications running an old version of OWIN middleware can run into this issue because of a known Katana bug. Due to a cookie mismanagement issue in the old…
Read MoreHow to acquire bearer token non-interactively with a federated user
You are looking for a way to acquire an access token from Azure Active Directory without user interaction. We highly recommended to always use an interactive user sign-in experience as this is the most secured method. Especially when your organization has conditional access policies which require Multi-Factor Authentication. If at all possible, please use the methods for interactive sign-in. Here are some general guidance on how to non-interactively acquire a…
Read MoreHow to customize SAML token claims to include custom attribute created as Directory Schema Extension in Azure AD
Background Recently I was engaged to assist a customer with an interesting issue. This customer follows the guideline at https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions to create a custom User attribute as a Directory schema extension and then assigns a value to the attribute. As an example, I have a few custom attributes created this way as can be seen by Microsoft Graph Explorer: The customer wants to have this custom attribute returned as a…
Read MoreTroubleshooting Asp.Net OWIN and Asp.Net Core Authentication sign-in failures with Azure Active Directory
Let get started! This article assumes you are using your own code to perform the authentication to Azure Active Directory. IMPORTANT: So if your using Azure App Services or Azure Function Apps Authentication/Authorization feature, this article is not for you. You are developing a Asp.Net OWIN or Asp.Net Core Authentication web application and integrating it with Azure Active Directory. You run into some issues during the sign-in process with no…
Read MoreWalkthrough: MSAL.Net client calling Azure API App with Easy Auth enabled in a B2C tenant
In a previous blog post, I talked about how to use MSAL.Net client application to call an Azure Function App with Easy Auth enabled in a regular tenant. In this post, I’ll describe the process to use an MSAL.Net client application to call a Web API application with Easy Auth enabled in a B2C tenant. I assume you already have an API App created on Azure App Service. If you…
Read MoreReceiving error AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’
Problem: An application receives the following error when authenticating to Azure Active Directory: { “error”: “invalid_client”, “error_description”: “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z”, “error_codes”: [7000218], …} What does this error mean? The error is what it said. When authenticating to Azure AD to get an access token, the client application is not providing…
Read MoreAADSTS5011 Error on Kubernetes container app running .Net Core code with an Ingress Controller
I recently worked with a customer who was receiving an AADSTS5011: The reply url specified in the request does not match the reply urls configured for the application on his .Net Core Kubernetes container application with an Ingress Controller. When running from the Docker environment, there was no issue however, the redirect URI was configured for http://localhost:someport . Once deployed, the redirect URI ( as seen in the address bar…
Read MoreWalkthrough: Using MSAL.Net to call an Azure Function App with Easy Auth enabled
In this post, I’ll walk through the steps for how to create an application using Microsoft Authentication Library for .Net (MSAL.Net) to call an Azure AD protected Azure Function App using Easy Auth (Azure App Service’ Authentication and Authorization feature). 1. Create an Azure Function with Easy Auth enabled: Assuming you already have an Azure Function App created (refer to https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal if you don’t know how to create one), go…
Read MoreUnderstanding Azure AD’s On-Behalf-Of flow (aka OBO flow)
Background Microsoft Azure Active Directory supports an OAuth2 protocol extension called On-Behalf-Of flow (OBO flow). This is documented at both the Microsoft Identity Platform V1 and V2 endpoint. The OBO flow is used in the following scenario. Both Web API 1 and Web API 2 are protected by Azure AD. A client application (could be a SPA app, a front-end Web Application, or a native application) signs a user into…
Read More