Package Inspector for MSAL Android Native Guide The Microsoft Authentication Library (MSAL) for Android Native contains a tool called Package Inspector. This tool presents a list of packages installed on an Android device and allows the user to view, copy, and paste the signature hash used to sign the application’s package. It can be very useful in troubleshooting and verifying the signature hash for applications installed on an Android device.…
Read MoreNetLog: Alternative to Fiddler and HAR captures
Have you run across where you can’t get a standard Fiddler capture, and furthermore, HAR captures from developer tools is truncating the information you need to see? I ran across the NetLog tool built into Chromium based browsers. So, this will work in the new Microsoft Edge, Chrome, and Electron. Here are couple known limitations before we get started… POST request bodies are not captured. Sites running in compatibility mode…
Read MoreSome tips and tricks with Fiddler capture
Recently, I came across a couple of scenarios where I could not get Fiddler to capture SSL traffic easily. Below are the some tips and tricks that may help in these situations. Scenario 1: Capture Node.js web traffic in Fiddler In the same command window where you run npm start to start the node server, run the below set commands first to set the proxy info before running npm start.…
Read MoreSetup Postman to call Microsoft Graph using a Client Credentials Grant Access Token from the v2 endpoint
To use the V1 endpoint, please refer to this post. Our documentation for the client credentials grant type can be found here. You can setup postman to make a client_credentials grant flow to obtain an access token and make a graph call ( or any other call that supports application permissions ). This is very useful for testing code you plan to run as a script or in a Daemon…
Read MoreSetup POSTMAN to get Azure access tokens automatically for you
Introduction Postman is an HTTP request tool that is very handy for developing and testing your Azure requests. This is the Postman website: https://learning.getpostman.com/ Postman does make it easy to setup authentication and acquire access tokens but it normally is a multi-step process. The purpose of this blog post is to show you how you can setup Postman to automatically handle authentication for you so you don’t have to go…
Read MoreUsing jwt.io to verify the signature of a JWT token
Introduction In an asymmetric algorithm, a JWT token is signed with an Identity Provider’s private key. To verify the signature of the token, one will need to have a matching public key. This post will cover how to use the JWT tool at https://jwt.io/ to verify the signature of an signed Azure AD token (either access or id token). Note: You should only validate the token intended for your own…
Read MoreCapturing Python web traffic with Fiddler
Update 4/15/2019 – added GraphRbacManagementClient section Introduction: Capturing encrypted HTTPS web traffic in Python with Fiddler can be tricky mainly because Python uses its own trusted certificate store instead of the OS’s certificate store and in certain scenario, python does not use proxy by default. This post will cover how to capture SSL traffic using Fiddler for a few different scenario: ADAL for Python: The problem with this case is…
Read MoreHow to filter Fiddler capture traffic using host name and process name
This post discusses a couple of ways to filter Fiddler traffic based on domain names (or host names) and client process(es): Note that before using filter you should make sure Fiddler is configured to capture all processes. This is indicated at the bottom left corner of Fiddler window. That area is clickable to change the selection. Filter traffic using Fiddler’s built-in filter feature: From Fiddler’s right pane –> Filters tab…
Read MoreCapture http(s) traffic with Http Fiddler
1 – Download the Fiddler 4 application and install it on the machine used to reproduce the problem (if you have not already). Go to http://www.telerik.com/download/fiddler 2 – Enable the option to decrypt HTTPS traffic: Tools -> Options -> Https -> select ‘decrypt HTTPS Traffic’ (you may be prompted to install the Fiddler certificate – make sure to select Yes) Ensure this option is checked when collecting the trace as…
Read MoreUsing Postman to call the Microsoft Graph API using Authorization Code Flow
Introduction This article will help guide you through utilizing Postman to call a Microsoft Graph Call using the authorization code flow. This is part of a 5 part blog on accessing the Microsoft Graph API utilizing grant types : authorization code, implicit flow, client credentials, password, and refresh token flow. We will be utilizing the same Microsoft Graph call to reduce extraneous details on having to include setting up and…
Read More