The Graph Client Authentication Providers allows for each authentication to the graph endpoint implementing a variety of OAUTH2 flows. I will demonstrate the use of this library in c# code based on this GitHub. Previously, you had to build your own Authentication Provider ( see my creation of the client credentials provider in a vb.net application here ) . This library will allow you to use the following flows: Confidential…
Read MoreSetup Postman to call Microsoft Graph using a Client Credentials Grant Access Token from the v2 endpoint
To use the V1 endpoint, please refer to this post. Our documentation for the client credentials grant type can be found here. You can setup postman to make a client_credentials grant flow to obtain an access token and make a graph call ( or any other call that supports application permissions ). This is very useful for testing code you plan to run as a script or in a Daemon…
Read MoreHow to acquire bearer token non-interactively with a federated user
You are looking for a way to acquire an access token from Azure Active Directory without user interaction. We highly recommended to always use an interactive user sign-in experience as this is the most secured method. Especially when your organization has conditional access policies which require Multi-Factor Authentication. If at all possible, please use the methods for interactive sign-in. Here are some general guidance on how to non-interactively acquire a…
Read MoreTroubleshooting Asp.Net OWIN and Asp.Net Core Authentication sign-in failures with Azure Active Directory
Let get started! This article assumes you are using your own code to perform the authentication to Azure Active Directory. IMPORTANT: So if your using Azure App Services or Azure Function Apps Authentication/Authorization feature, this article is not for you. You are developing a Asp.Net OWIN or Asp.Net Core Authentication web application and integrating it with Azure Active Directory. You run into some issues during the sign-in process with no…
Read MoreReceiving error AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’
Problem: An application receives the following error when authenticating to Azure Active Directory: { “error”: “invalid_client”, “error_description”: “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z”, “error_codes”: [7000218], …} What does this error mean? The error is what it said. When authenticating to Azure AD to get an access token, the client application is not providing…
Read MoreUnderstanding Azure AD’s On-Behalf-Of flow (aka OBO flow)
Background Microsoft Azure Active Directory supports an OAuth2 protocol extension called On-Behalf-Of flow (OBO flow). This is documented at both the Microsoft Identity Platform V1 and V2 endpoint. The OBO flow is used in the following scenario. Both Web API 1 and Web API 2 are protected by Azure AD. A client application (could be a SPA app, a front-end Web Application, or a native application) signs a user into…
Read MoreUnderstanding the difference between application and delegated permissions from OAuth2 Authentication Flows perspective
It’s well documented in the Permissions and consent docs and the Developer Glossary page that there are 2 types of permissions for an access token: delegated permission and application permission. In simpler terms, delegated permission is the permission granted to a signed in user while application permission is the permission granted to an application. The main difference between the two is that the former requires a user to sign in…
Read MoreSetup POSTMAN to get Azure access tokens automatically for you
Introduction Postman is an HTTP request tool that is very handy for developing and testing your Azure requests. This is the Postman website: https://learning.getpostman.com/ Postman does make it easy to setup authentication and acquire access tokens but it normally is a multi-step process. The purpose of this blog post is to show you how you can setup Postman to automatically handle authentication for you so you don’t have to go…
Read MoreReceiving Error AADSTS50058 in JavaScript Setting
Introduction This post is to review why a user may receive the error AADSTS50058 in a Javascript setting. The full error that is shown is : AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user’s session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the…
Read MoreUsing Postman to call the Microsoft Graph API using Authorization Code Flow
Introduction This article will help guide you through utilizing Postman to call a Microsoft Graph Call using the authorization code flow. This is part of a 5 part blog on accessing the Microsoft Graph API utilizing grant types : authorization code, implicit flow, client credentials, password, and refresh token flow. We will be utilizing the same Microsoft Graph call to reduce extraneous details on having to include setting up and…
Read More