The AAD Directory Object classes in the Microsoft Graph SDK for .NET have a generic property called ‘AdditionalData’ that can be used to send and receive data in the JSON payload. In scenarios where the regular class members are not available in the SDK, we can still set their values via the AdditionalData property. An example of this is creating a group with the resourceBehaviorOptions attribute (an array of strings) populated…
Using Microsoft.Identity.Web to request multiple different Azure AD Access Tokens
There are times a web application may need to log in a user and call several different backend Azure AD protected web APIs. The web application would then need to obtain a different Access Token for each web API. In this post I will demonstrate how this can be done using the Microsoft.Identity.Web NuGet package. The sample shows how to get tokens for the Microsoft Graph resource and for a custom web API…
MSAL.JS SPA client performing Authorization Code Grant flow to ADFS 2019
This blog walks through how to set up MSAL.JS to authenticate directly to an ADFS 2019 server using the Authorization Code Grant flow to get an Access Token, and then call a Web API with that Access Token. We will go over the following steps to get the samples working: App Registrations for both the Single Page Application (SPA) client app and the web API app; enabling Cross-Origin Resource Sharing (CORS)…
Receiving error AADSTS7500514: A supported type of SAML response was not found when authenticating to Azure AD with a federated account
Customers can get the following error when authenticating to Azure Active Directory with a federated account using the MSAL (or the now deprecated ADAL) authentication library: { error: “invalid_request”, error_description: “AADSTS7500514: A supported type of SAML response was not found. The supported response types are ‘Response’ (in XML namespace ‘urn:oasis:names:tc:SAML:2.0:protocol’) or ‘Assertion’ (in XML namespace ‘urn:oasis:names:tc:SAML:2.0:assertion’). …. error_uri: “https://login.microsoftonline.com/error?code=7500514” } The error is typically seen in the following environment: a federated account…
How to perform logging for both MSAL.Net and Microsoft Graph SDK
The Microsoft Graph SDK has the ability to log complete HTTP Requests and Responses, as documented here. This logging mechanism works by implementing a custom HttpClient message handler that intercepts every HTTP Request and Response between the client application and the Microsoft Graph service. Besides hooking into GraphServiceClient’s processing pipeline to do request and response tracing, one can also configure proxy info. See Customize the Microsoft Graph…
Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory
In this blog post, I will demonstrate a simple Azure AD-protected Web API sample using Spring Boot Starter for Azure Active Directory. If you are not familiar with Spring Boot Starter for Azure Active Directory, please take a look at azure-sdk-for-java/sdk/spring/azure-spring-boot-starter-active-directory at main · Azure/azure-sdk-for-java (github.com) and the Azure AD Spring Developer’s Guide. Requirement: You must have a Web API application registered in Azure Active Directory and expose its permission…
Script errors running MSAL.Net in XBAP application
You may encounter script errors, with background text saying cookies are disabled, when running an MSAL code snippet similar to the following in a XAML Browser Application (XBAP) from Internet Explorer while performing Azure AD login. Root Cause: XBAP applications, although hosted in Internet Explorer, run in their own process, PresentationHost.exe, which is a very tightly controlled security container. The XBAP application uses the WebBrowser control to host the Azure AD…
Receiving error ‘Neither tenant is B2C or tenant doesn’t have premium license’ from Microsoft Graph
You may receive the following error: ‘error’: { ‘code’: ‘Authentication_RequestFromNonPremiumTenantOrB2CTenant’, ‘message’: ‘Neither tenant is B2C or tenant doesn’t have premium license’, ‘innerError’: { ‘date’: ‘2021-03-04T07:53:51’, ‘request-id’: ‘a0a074e6-xxx-c511669fa420’, ‘client-request-id’: ‘a0a074e6-xxx-c511669fa420′ } when making any Microsoft Graph call that queries users’ sign-in activities, for example the following GET requests: https://graph.microsoft.com/v1.0/auditLogs/signIns or https://graph.microsoft.com/beta/users?$select=displayName,userPrincipalName,signInActivity So what’s the resolution? The following criteria are required for the call to succeed: The queried tenant or directory will…
AADSTS50000: There was an error issuing a token or an issue with our sign-in service
This error can occur during the Azure AD authentication process or during any token acquisition flow that uses the token endpoint. There are multiple causes for this error. Below are a few scenarios that can lead to it. Root Cause 1: the user password is either expired, invalid, or out of sync. This happens more often in a hybrid environment. The authenticated federated account’s password may be…
Using MSAL.js v2 in a SPA App to call a web API protected by Azure App Service’s Easy Auth with Azure AD
There are a couple of ways to call an Easy Auth enabled web API. You can call the web API with either an Easy Auth session cookie (via a previously authenticated browser session to the web API) or an Azure AD Bearer JWT token. In this post I will show you how to use MSAL.JS v2 in a Single Page Application (SPA) to get an access token for the web…