Azure Active Directory Developer Support Team

Why do I sometimes get a 404 when trying to update an Azure Directory object after I just created it?

August 11, 2021August 11, 2021 Ray Held [MSFT]

Azure AD is a distributed computing system which means, all of the data must be duplicated to the various data centers. You can read about the architecture of Azure here. We occasionally see a case where a customer is using Microsoft Graph to programmatically create a user, group, application, etc. and getting the object id back from that request and then using that id to do some kind of management…

Microsoft Graph: Why you cannot call the “me” endpoint with a token acquired via the client credentials grant flow

August 4, 2021August 4, 2021 Ray Held [MSFT]

Introduction Microsoft Graph has a couple of primary ways you can get information about a user in Azure AD. This not only includes things like the user attributes but also groups the user is a member of, access to mail, and etc. Each endpoint does require specific permissions but generally speaking, a user can get the basic information about him/herself via the “me” endpoint. The “me” endpoint From our docs…

Azure Active Directory: How to get the signed in users groups when there is a groups overage claim in an Access token.

July 28, 2021July 28, 2021 Ray Held [MSFT]

Azure AD has a maximum number of groups that can be returned in an access token when you have selected to include the groups claim for your access token. This post will show you how to reproduce the scenario and then how to get the users groups using Microsoft Graph when a groups overage claim is present in the token instead of actual groups. For a JWT token, Azure has…

How to perform logging for both MSAL.Net and Microsoft Graph SDK

July 28, 2021July 28, 2021 Bac Hoang [MSFT]

Microsoft Graph SDK has the ability to log out complete HTTP Requests and Reponses as documented here. The way this logging mechanism works is by implementing a custom HttpClient Message handler to intercept every HTTP Request and Response between the client application and the Microsoft Graph Service. Besides hooking into GraphServiceClient’s processing pipeline to do request and response tracing, one can also configure proxy info. See Customize the Microsoft Graph…

How to avoid the MS Graph error “Authorization_RequestDenied” while managing users

July 21, 2021July 21, 2021 Achuta Nukala [MSFT]

Problem: You may see the error “Authorizaion_RequestDenied” below ‘error’: { ‘code’: ‘Authorization_RequestDenied’, ‘message’: ‘Insufficient privileges to complete the operation.’, ‘innerError’: { ‘date’: ‘2020-11-09T20:28:42’, ‘request-id’: ‘604e410b-4af8-4b79-9f48-fe0cf905a759’, ‘client-request-id’: ‘d6350bb5-3660-1f44-01a8-8a3b86a4c12a’ } } when using Microsoft Graph to manage users. The error happens most likely because the user does not have sufficient permissions. In summary the call requires both of the following: 1) The user or application needs to be in an Administrative role2)…

Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory

June 29, 2021June 30, 2021 Bac Hoang [MSFT]

In this blog post, I will demonstrate a simple Azure AD-protected Web API sample using Spring Boot Starter for Azure Active Directory. If you are not familiar with Spring Boot Starter for Azure Active Directory, please take a look at azure-sdk-for-java/sdk/spring/azure-spring-boot-starter-active-directory at main · Azure/azure-sdk-for-java (github.com) and the Azure AD Spring Developer’s Guide. Requirement: You must have a Web API Application registered in Azure Active Directory and expose its permission…

Script errors running MSAL.Net in XBAP application

June 7, 2021June 9, 2021 Bac Hoang [MSFT]

You may encounter script errors with the background text saying cookies are disabled when running MSAL code snippet similar to the following in a XAML Browser Application (XBAP) from Internet Explorer when performing Azure AD login Root Cause XBAP Applications, although housed in Internet Explorer, runs in its own process space: PresentationHost.exe, which is a very tightly-controlled security container. XBAP Application uses the webBrowser control to host the Azure AD…

How to use an access token to connect to an Azure SQL Database

June 2, 2021June 2, 2021 Ray Held [MSFT]

In Azure SQL, an access token can be used to authenticate a user or service principal. In this blog post, I will show you what is required for both and give some methods for acquiring the access token based on the scenario to set the access token parameter in the connection object. Requirements: You have an Azure tenant and an Azure SQL database already configured and basic understanding of SSMS…

Update Asp.Net or Asp.Net Core app session to last longer than Azure AD tokens

April 8, 2021April 14, 2021 Bill Fiddes [MSFT]

Azure AD tokens (ID tokens, access tokens, and SAML tokens) by default last one hour. Asp.Net and Asp.Net Core Middleware sets their authentication ticket to the expiration of these tokens by default. If you do not want your web application to kick the user out redirecting them to Azure AD to sign-in again, you can customize the Middleware authentication ticket. For Asp.Net… In most cases within your Startup.Auth.cs under ConfigureAuth,…

Using MSAL in a VB.Net Winforms application

April 7, 2021April 8, 2021 Ray Held [MSFT]

All of our MSAL samples are for either Web, mobile client or console applications in c#. This blog post will show how you can also use MSAL in vb.net in a Winforms desktop application. When creating a winforms application, the thing to remember is that code in your form will run under the UI thread, which, for the most part is ok. However, when MSAL prompts for credentials, it will…