Problem: An application receives the following error when authenticating to Azure Active Directory: { “error”: “invalid_client”, “error_description”: “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.\r\nTrace ID: xxx\r\nCorrelation ID: xxx\r\nTimestamp: 2019-08-18 20:38:28Z”, “error_codes”: [7000218], …} What does this error mean? The error is what it said. When authenticating to Azure AD to get an access token, the client application is not providing…
Read MoreUnderstanding Azure AD’s On-Behalf-Of flow (aka OBO flow)
Background Microsoft Azure Active Directory supports an OAuth2 protocol extension called On-Behalf-Of flow (OBO flow). This is documented at both the Microsoft Identity Platform V1 and V2 endpoint. The OBO flow is used in the following scenario. Both Web API 1 and Web API 2 are protected by Azure AD. A client application (could be a SPA app, a front-end Web Application, or a native application) signs a user into…
Read MoreUnderstanding the difference between application and delegated permissions from OAuth2 Authentication Flows perspective
It’s well documented in the Permissions and consent docs and the Developer Glossary page that there are 2 types of permissions for an access token: delegated permission and application permission. In simpler terms, delegated permission is the permission granted to a signed in user while application permission is the permission granted to an application. The main difference between the two is that the former requires a user to sign in…
Read MoreSetup POSTMAN to get Azure access tokens automatically for you
Introduction Postman is an HTTP request tool that is very handy for developing and testing your Azure requests. This is the Postman website: https://learning.getpostman.com/ Postman does make it easy to setup authentication and acquire access tokens but it normally is a multi-step process. The purpose of this blog post is to show you how you can setup Postman to automatically handle authentication for you so you don’t have to go…
Read MoreReceiving Error AADSTS50058 in JavaScript Setting
Introduction This post is to review why a user may receive the error AADSTS50058 in a Javascript setting. The full error that is shown is : AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user’s session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the…
Read MoreUsing Postman to call the Microsoft Graph API using Authorization Code Flow
Introduction This article will help guide you through utilizing Postman to call a Microsoft Graph Call using the authorization code flow. This is part of a 5 part blog on accessing the Microsoft Graph API utilizing grant types : authorization code, implicit flow, client credentials, password, and refresh token flow. We will be utilizing the same Microsoft Graph call to reduce extraneous details on having to include setting up and…
Read MoreUsing Postman to Call the Microsoft Graph API Using Client Credentials
Introduction This blog post is to help users stand up an Azure Active Directory Application Registration, explain what permissions will be needed to added to the AAD Application Registration, how to make rest calls to get an access token, and then finally call the Microsoft Graph API to do whatever call you would like to do. Please note, that not all permissions are going to be within Azure. i.e.…
Read MoreReceiving CORS Redirection Error when Signing into App Service using Azure AD
Introduction This post is to help explain what is occurring when the CORS redirection error occurs when trying to navigate back to the login page after logging in. This doesn’t occur when the user is using a private browsing method/mode. The error that is typically received is error : “Failed to load https://login.windows.net/{GUID} (index):{GUID}/oauth2/autho…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D1518029528427: Redirect from ‘https://login.windows.net/…{GUID}&oauth2/autho…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D1518029528427′ to ‘https://login.microsoftonline.com/{GUID}/oaut…{GUID}&state=redir%3D%252F.auth%252Fme%253Fv%253D158029528427′ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present…
Read MoreReceiving AADSTS90094: The grant requires admin permission.
Introduction This post is to help provide guidance when receiving the error : AADSTS90094: The grant requires admin permission. Typically this error is received when trying to get access to an AAD application registration. Please note that there are two different Microsoft application portals: https://portal.azure.com (v1 application portal) and the https://myapps.microsoft.com (v2 application portal). For details on the different application models, please visit the following link: What’s different about the…
Read More