Introduction Upon successful authentication, Azure AD issues a signed JWT token (id token or access token). The resource application needs to know the public key of the certificate used sign the token in order to validate the token signature. Depending upon the type (OAuth2 or SAML Application) of the resource application, the steps to obtain the pubic key information are different. An OWIN asp.net application can throw the following error…
Read MoreHow to Update an Application Logo in Azure using AAD Graph
Introduction For branding purposes, you can customize the logo for your app registration. Normally, this is done manually through the portal: However, if you have a scenario where you have many tenants to update, this can be a very tedious process and so automation can come in handy. The purpose of this blog post is to show you how this can be updated via code. Since the endpoint requires a…
Read MoreAzure Active Directory reporting API with MS Graph
Introduction As documented here, the Microsoft Graph Reporting API can be used to get the audit logs (https://graph.microsoft.com/beta/auditLogs/directoryAudits) and the sign-ins reports (https://graph.microsoft.com/beta/auditLogs/signIns). The old reports endpoint using Azure AD Graph is now deprecated and attempting to use that legacy end point to get the auditEvents can result in the following error: GET https://graph.windows.net/<tenant>.onmicrosoft.com/reports/auditEvents?api-version=beta { “error”:{ “code”:”Deprecated_ActivityReports”,”message”:”This API is deprecated as part of old azure classic portal, please…
Read MoreAADSTS50011: The reply url specified in the request does not match the reply urls configured for the application
Let’s get started… When your developing or integrating an application with Azure AD, you might see the following similar error… AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: ‘XXX’. This is because the redirect_uri (when using OpenID Connect) or AssertionConsumerServiceUrl (when using SAML2) being passed to Azure AD to sign-in, does not exist in the application registration. For example, if…
Read MoreCertain User Attributes may not show up in Graph Query
The Problem Azure AD Connect Sync Tool is often used to sync on prem Active Directory users and their attributes to Azure Active Directory. To query for these user and other directory objects, the Graph REST endpoint (Azure AD Graph or Microsoft Graph) can be used. An example Microsoft Graph query to get a User is the following: https://graph.microsoft.com/beta/users/john@contoso.com In certain scenario, some attributes, whether they are synced as Directory…
Read MoreUsing “groups” claim in Azure Active Directory
Lets get Started! To enable the return of groups in a claim, there are two ways… Use the application registration manifest by enabling the groupMembershipClaims property… https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest or if it’s a SAML application, you can enable it though the SSO configuration. The steps on enabling groups claim is outlined in the following article… https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims Once enabled, groups will now be returned in the “groups” claim within a access token or…
Read MoreRetrieving Azure Key Vault Secret using System MSI in an Azure VM in Python
Introduction This is a walk-through showing how to use System Managed Service Identity (MSI) from an Azure VM to retrieve an Azure Key Vault secret in python. Pre-requisite To use the steps in this walk-through you need to have the following: Azure VM Azure Key Vault Python is already installed in the Azure VM (can be downloaded at https://www.python.org/downloads/) The steps Enable System MSI for the Azure VM in the…
Read MoreUsing jwt.io to verify the signature of a JWT token
Introduction In an asymmetric algorithm, a JWT token is signed with an Identity Provider’s private key. To verify the signature of the token, one will need to have a matching public key. This post will cover how to use the JWT tool at https://jwt.io/ to verify the signature of an signed Azure AD token (either access or id token). Note: You should only validate the token intended for your own…
Read MoreTroubleshooting network related issue when using ADAL authentication library
Problem: The problem described in this post is often seen in enterprise environment where the customer uses ADAL.Net library to run code like the following from their corpnet machine to authenticate to Azure Active Directory with a Federated account. The network topology in a corporate environment is often complex with multiple security measure put in place (proxy, firewall, router, etc…) to protect the LAN environment from the internet. Unfortunately, these…
Read MoreMicrosoft Graph Explorer – How come I only see one user in my directory?
Problem: Customer uses the Microsoft Graph Explorer tool and clicks the “Sign in with Microsoft” button to log in. After logging in, he tries the following query to get all the users in his directory. There is only one user returned. Expected result is that there should be a lot more than one user in this directory being returned by MS Graph. Resolution: This is because the customer logs in…
Read More