How to unconsent / remove consented permissions in Graph Explorer tool

While using Microsoft Graph explorer, you accidentally consented to permission(s) that you did not mean to. This blog post will explain how to unconsent or remove that permission(s). Log in to graph explorer (Graph Explorer | Try Microsoft Graph APIs – Microsoft Graph) with your credentials. Note: In order to perform the following unconsent steps, make sure these permissions: Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All are already consented. Perform the following steps to…

Read More

How to Resolve IDX10501 Errors in a B2C Microsoft.Identity.Web Application

Consider the situation where you are developing an ASP.NET Core application that needs to support Azure B2C. Following the official Microsoft Document, you implement the Microsoft.Identity.Web library and three built-in User Flows. All is working well, but you also need to implement a Custom Policy. You find the following documentation which shows how to make a request with the B2C policy specified: https://learn.microsoft.com/en-us/azure/active-directory-b2c/enable-authentication-web-application-options#pass-the-azure-ad-b2c-policy-id You try to implement this guidance. Everything…

Read More

Use logging to troubleshoot Azure AD protected Web API Authentication or Authorization errors

The sample web API application in this blog uses .Net 6 Framework and Microsoft.Identity.Web nuget package to Azure AD protect the Web API. I use Serilog framework for logging the debug output both to the console window and to the local file. This sample assumes you already have a web API application registered in Azure AD. If you are not familiar with how to do that refer to my previous…

Read More

How to Solve Failed Authentication After Publishing App to Google Play Store

Issue Description You successfully implemented Azure AD Authentication in your Android app with the Microsoft Authentication Library. The application built and executed perfectly and passed all QA testing with flying colors. And then you published the application on Google Play. And authentication doesn’t work after installing the app. If you exposed authentication error messages to the user, or had them sent to your team, then you might see an error…

Read More

Using the Application.ReadWrite.OwnedBy API permission

You have an application, when authenticated, and you want to be able to update its own properties such as the Client Secret or Certificate. The Application.ReadWrite.OwnedBy allows the application to manage applications in which it is a owner of. Otherwise meaning if you want to update its own properties, it would be have to an owner of itself. You can do this using the Microsoft Graph API: For more information…

Read More

How to avoid the MS Graph error “Authorization_RequestDenied” while managing users

Problem: You may see the error “Authorizaion_RequestDenied” below ‘error’: { ‘code’: ‘Authorization_RequestDenied’, ‘message’: ‘Insufficient privileges to complete the operation.’, ‘innerError’: { ‘date’: ‘2020-11-09T20:28:42’, ‘request-id’: ‘604e410b-4af8-4b79-9f48-fe0cf905a759’, ‘client-request-id’: ‘d6350bb5-3660-1f44-01a8-8a3b86a4c12a’ } } when using Microsoft Graph to manage users. The error happens most likely because the user does not have sufficient permissions. In summary the call requires both of the following: 1) The user or application needs to be in an Administrative role2)…

Read More

Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory

In this blog post, I will demonstrate a simple Azure AD-protected Web API sample using Spring Boot Starter for Azure Active Directory. If you are not familiar with Spring Boot Starter for Azure Active Directory, please take a look at azure-sdk-for-java/sdk/spring/azure-spring-boot-starter-active-directory at main ยท Azure/azure-sdk-for-java (github.com) and the Azure AD Spring Developer’s Guide. Requirement: You must have a Web API Application registered in Azure Active Directory and expose its permission…

Read More

Using MSAL.js v2 in a SPA App to call a web API protected by Azure App Service’s Easy Auth with Azure AD

There are a couple of ways to call an Easy Auth enabled web API. You can either call the web API with: an Easy Auth session cookie (via a previously authenticated browser session to the web API) or An Azure AD Bearer JWT token In this post I will show you how to use MSAL.JS v2 in a Single Page Application (SPA) to get an access token for the web…

Read More

Using OpenID Connect OWIN middleware to validate an Azure AD JWT token signed with a symmetric key

Azure AD by default uses a certificate to sign an OAuth2 JWT token using an asymmetric algorithm (RS256). Alternatively a JWT token can be signed with a “shared” secret using a symmetric algorithm (HS256). Asymmetric signing algorithm is always more secure in preventing the token to be tampered with compared to a symmetric algorithm since the private key is always kept at the Identity Provider (IDP) and the token consumer…

Read More

How to use postman to perform a Client Credentials Grant flow with a certificate

This post will demonstrate a couple of things: How to create a signed jwt token (aka Client Assertion) using Powershell. How to use this generated Client Assertion in Postman to get an Access Token Using Client Credentials Grant Flow. To get an Access Token using Client-Credentials Flow, we can either use a Secret or a Certificate. This post will use a self-signed certificate to create the client assertion using both…

Read More