You are looking for a way to acquire an access token from Azure Active Directory without user interaction. We highly recommended to always use an interactive user sign-in experience as this is the most secured method. Especially when your organization has conditional access policies which require Multi-Factor Authentication. If at all possible, please use the methods for interactive sign-in. Here are some general guidance on how to non-interactively acquire a…
Read MoreTroubleshooting Asp.Net OWIN and Asp.Net Core Authentication sign-in failures with Azure Active Directory
Let get started! This article assumes you are using your own code to perform the authentication to Azure Active Directory. IMPORTANT: So if your using Azure App Services or Azure Function Apps Authentication/Authorization feature, this article is not for you. You are developing a Asp.Net OWIN or Asp.Net Core Authentication web application and integrating it with Azure Active Directory. You run into some issues during the sign-in process with no…
Read MoreReceiving error AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’
Problem: An application receives the following error when authenticating to Azure Active Directory: { “error”: “invalid_client”, “error_description”: “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z”, “error_codes”: [7000218], …} What does this error mean? The error is what it said. When authenticating to Azure AD to get an access token, the client application is not providing…
Read MoreUnderstanding Azure AD’s On-Behalf-Of flow (aka OBO flow)
Background Microsoft Azure Active Directory supports an OAuth2 protocol extension called On-Behalf-Of flow (OBO flow). This is documented at both the Microsoft Identity Platform V1 and V2 endpoint. The OBO flow is used in the following scenario. Both Web API 1 and Web API 2 are protected by Azure AD. A client application (could be a SPA app, a front-end Web Application, or a native application) signs a user into…
Read MoreUnderstanding the difference between application and delegated permissions from OAuth2 Authentication Flows perspective
It’s well documented in the Permissions and consent docs and the Developer Glossary page that there are 2 types of permissions for an access token: delegated permission and application permission. In simpler terms, delegated permission is the permission granted to a signed in user while application permission is the permission granted to an application. The main difference between the two is that the former requires a user to sign in…
Read MoreSetup POSTMAN to get Azure access tokens automatically for you
Introduction Postman is an HTTP request tool that is very handy for developing and testing your Azure requests. This is the Postman website: https://learning.getpostman.com/ Postman does make it easy to setup authentication and acquire access tokens but it normally is a multi-step process. The purpose of this blog post is to show you how you can setup Postman to automatically handle authentication for you so you don’t have to go…
Read MoreReceiving Error AADSTS50058 in JavaScript Setting
Introduction This post is to review why a user may receive the error AADSTS50058 in a Javascript setting. The full error that is shown is : AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user’s session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the…
Read MoreUsing Postman to call the Microsoft Graph API using Authorization Code Flow
Introduction This article will help guide you through utilizing Postman to call a Microsoft Graph Call using the authorization code flow. This is part of a 5 part blog on accessing the Microsoft Graph API utilizing grant types : authorization code, implicit flow, client credentials, password, and refresh token flow. We will be utilizing the same Microsoft Graph call to reduce extraneous details on having to include setting up and…
Read MoreUsing Postman to Call the Microsoft Graph API Using Client Credentials
Introduction This blog post is to help users stand up an Azure Active Directory Application Registration, explain what permissions will be needed to added to the AAD Application Registration, how to make rest calls to get an access token, and then finally call the Microsoft Graph API to do whatever call you would like to do. Please note, that not all permissions are going to be within Azure. i.e.…
Read MoreReceiving CORS Redirection Error when Signing into App Service using Azure AD
Introduction This post is to help explain what is occurring when the CORS redirection error occurs when trying to navigate back to the login page after logging in. This doesn’t occur when the user is using a private browsing method/mode. The error that is typically received is error : “Failed to load https://login.windows.net/{GUID} (index):{GUID}/oauth2/autho…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D1518029528427: Redirect from ‘https://login.windows.net/…{GUID}&oauth2/autho…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D1518029528427′ to ‘https://login.microsoftonline.com/{GUID}/oaut…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D158029528427′ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present…
Read More