Configure .Net Application to call Microsoft Graph in a National Cloud Tenant

When authenticating with Azure and making a Microsoft Graph request, for commercial tenants, this is all done with the .com endpoints ( https://login.micorosoftonline.com/… and https://graph.microsoft.com ) and your token audience is for the .com endpoint as well. However, when performing the requests against a National Cloud tenant, you must use the appropriate endpoints. In this article, I will show you how to configure the Microsoft Graph .Net SDK in a…

Read More

Receiving error “Change enumeration is not supported for requested tenant.” from MS Graph Delta query

Problem Customer receives the following error when running an MS Graph delta query, for instance the following: GET https://graph.microsoft.com/beta/users/delta ‘error’: { ‘code’: ‘Request_UnsupportedQuery’, ‘message’: ‘Change enumeration is not supported for requested tenant.’, ‘innerError’: { ‘request-id’: ‘xxx’, ‘date’: ‘2020-05-22T13:17:45’ } } Root Cause This error can happen if the tenant is an Azure AD B2C tenant. More Information Differential or Delta query is currently not supported in an Azure AD B2C…

Read More

Using Azure Management Libraries for .NET to manage Azure AD users, groups, and RBAC Role Assignments

In this blog, we will use Azure SDK for .NET to perform the following tasks: Create an Azure Active Directory (Azure AD) user, query for the created user, and delete the user. Create an Azure AD group, query for the created group, and delete the group. Add a user to the group’s members. Create an Role-based Access Control (RBAC) Role Assignment: we will assign the group created above ‘Storage Blob…

Read More

Control access to your apps in Azure AD

We get this kind of question all the time. It comes in many variations and forms like… “I only want to consent for some users to access the app.” “I only want my service account to access this app” Before we get started… First and foremost, only consenting for allowed users is not the solution. This is not the purpose for consent. Consent is to inform a user or admin…

Read More

Troubleshooting consent in Azure AD

This is a general guide for troubleshooting consent in Azure AD. It will help resolve majority of the consent related scenarios (Not all of them). In general, the application is trying to sign-in or get an access token for a resource which has not been consented by the user or admin. In general, you want to make sure all of the permissions needed by the application have been consented to.…

Read More

Using PowerShell to get Azure AD audit logs

In my previous blog, I talked about how to use PowerShell with Microsoft Graph Reporting API. In that blog, I used the Client Credentials grant flow to acquire an access token for Microsoft Graph against the V1 endpoint. Also the code sample in that blog only works if all the reporting data result set is small. In this blog I’ll discuss how to get a Microsoft Graph access token using…

Read More

Receiving error WIF10201: No valid key mapping found for securityToken

Customer has an ASP.Net MVC application using both WS-Federation OWIN middleware and Windows Identity Foundation (WIF) to authenticate to Azure AD. The application works fine initially and then fails with the following error: Error Details:Server Error in ‘/’ Application.WIF10201: No valid key mapping found for securityToken: ‘System.IdentityModel.Tokens.X509SecurityToken’ and issuer: ‘https://sts.windows.net/<Directory ID>/’. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for…

Read More

receiving error AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application

Problem: A tenant admin may receive the error “AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application…” when clicking on the “Grant Admin Consent” button in Azure AD’s App Registration portal as shown in the screen shot below: Why is this happening? This error typically happens when the Enterprise Application portion (or Service Principal) of the registered application has the setting ‘User Assignment Required’…

Read More

Exploring AzureServiceTokenProvider class with Azure Key Vault and Azure SQL

The AzureServiceTokenProvider class from the Nuget package Microsoft.Azure.Services.AppAuthentication can be used to obtain an access token.  When running in Azure it can also utilize managed identities to request an access token.  In this post I’ll focus on using this class to get an access token for Azure Key Vault.  Keep in mind that you can also use this class to obtain an access token for any Azure resources integrated with…

Read More

Segment Users in Azure AD

If you have been using Microsoft Graph API to add or modify users in Azure Active Directory (Azure AD) you may have noticed that when you create a new user it lives with all the other users, some of which may have nothing to do with your application. Ideally, you may want a sub-directory or business unit of sorts. Fortunately, there are ways to segment these users in a more…

Read More