If you are using a Microsoft Graph API query to fetch a B2B (guest) user by UPN and get the error shown below:

Query: https://graph.microsoft.com/v1.0/users/example_gmail.com#EXT#@example.onmicrosoft.com

Response:
{ "error": { "code": "Request_ResourceNotFound", "message": "Resource '*******' does not exist or one of its queried reference-property objects are not present.", "innerError": { "request-id": "8f390389-b9c6-4f6b-93ba-c531b3d7d595", "date": "2019-12-05T23:55:40" } } }

Well, here is the fix: You will need to encode…
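The reason the request above fails is visible if you parse the URL the way an HTTP client does: '#' is the URL fragment delimiter, so everything from the first '#' onward ('EXT#@example.onmicrosoft.com') is treated as a client-side fragment and never sent, and Graph looks up a user named 'example_gmail.com' that does not exist. Percent-encoding the UPN (so '#' becomes '%23') keeps the whole identifier in the path. The following Python, added here as an illustration and not code from the original post, shows both the misparse and a helper that builds a correctly encoded Graph users URL; the UPNs are the example values from the post.

```python
from urllib.parse import quote, urlsplit

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def path_actually_sent(url: str) -> str:
    """Return the path an HTTP client would put on the wire for `url`.

    Anything after an unencoded '#' is a fragment and is stripped client-side,
    which is why the raw guest UPN produces Request_ResourceNotFound.
    """
    return urlsplit(url).path


def graph_user_url(upn: str, base: str = GRAPH_BASE) -> str:
    """Build {base}/users/{upn} with the UPN percent-encoded.

    quote() leaves the unreserved set (letters, digits, '-', '_', '.', '~')
    alone; '@' is added to the safe set for readability, and every other
    character, including '#', is encoded, so '#EXT#' becomes '%23EXT%23'.
    """
    return f"{base}/users/{quote(upn, safe='@')}"


if __name__ == "__main__":
    guest = "example_gmail.com#EXT#@example.onmicrosoft.com"
    raw_url = f"{GRAPH_BASE}/users/{guest}"
    print("unencoded path sent:", path_actually_sent(raw_url))
    print("encoded URL:        ", graph_user_url(guest))
```

The same helper is safe for ordinary member UPNs ('alice@contoso.com' is returned unchanged), so it can be used for every /users/{id} lookup rather than only for guests.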
Exploring AzureServiceTokenProvider class with Azure Key Vault and Azure SQL
The AzureServiceTokenProvider class from the NuGet package Microsoft.Azure.Services.AppAuthentication can be used to obtain an access token. When running in Azure it can also use managed identities to request an access token, so no credential has to be stored with the application. In this post I'll focus on using this class to get an access token for Azure Key Vault. Keep in mind that you can also use this class to obtain an access token for any Azure resource integrated with…
Receiving error WIF10201: No valid key mapping found for securityToken
A customer has an ASP.NET MVC application using both the WS-Federation OWIN middleware and Windows Identity Foundation (WIF) to authenticate to Azure AD. The application works initially and then fails with the following error:

Error Details: Server Error in '/' Application. WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://sts.windows.net/<Directory ID>/'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for…
Using PowerShell to get Azure AD audit logs
In my previous blog, I talked about how to use PowerShell with the Microsoft Graph Reporting API. In that blog, I used the client credentials grant flow to acquire an access token for Microsoft Graph against the v1 endpoint. Also, the code sample in that blog only works if the reporting result set is small, because it reads a single page of results. In this blog I'll discuss how to get a Microsoft Graph access token using…
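The "small result set" limitation comes from Graph paging: each response to a collection query such as /auditLogs/directoryAudits carries at most one server-chosen page of items, and when more remain the body includes an '@odata.nextLink' URL that must be requested as-is until it is absent. The following Python is an added example, not the PowerShell from the original post, showing a pager that follows the nextLink chain with a loop guard, and a minimal bearer-token fetcher for real use. The two sample pages and their $skiptoken URL are constructed for the offline demonstration and are not real Graph data.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, Iterator, List

Fetch = Callable[[str], Dict[str, Any]]

AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"


def iter_graph_collection(first_url: str, fetch: Fetch, max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every item of a paged Graph collection.

    The '@odata.nextLink' value is opaque: request it unchanged (do not append
    $filter/$top/$select to it). max_pages guards against a malformed or
    looping chain turning this into an unbounded loop.
    """
    url = first_url
    for _ in range(max_pages):
        body = fetch(url)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")
        if not url:
            return
    raise RuntimeError(f"nextLink chain exceeded {max_pages} pages; possible loop")


def fetch_all_audit_events(fetch: Fetch, first_url: str = AUDIT_URL) -> List[dict]:
    """Collect the whole directory-audit collection into a list."""
    return list(iter_graph_collection(first_url, fetch))


def make_bearer_fetch(access_token: str) -> Fetch:
    """Real fetcher for Graph: GET the URL with a bearer token and parse JSON.

    access_token is assumed to be a valid Graph token obtained elsewhere
    (e.g. via the client credentials flow); not exercised offline.
    """
    def fetch(url: str) -> Dict[str, Any]:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


# Constructed sample pages standing in for two HTTP responses (not real data).
SAMPLE_PAGES: Dict[str, Dict[str, Any]] = {
    AUDIT_URL: {
        "value": [
            {"id": "a1", "activityDisplayName": "Add user"},
            {"id": "a2", "activityDisplayName": "Update user"},
        ],
        "@odata.nextLink": AUDIT_URL + "?$skiptoken=page2",
    },
    AUDIT_URL + "?$skiptoken=page2": {
        "value": [{"id": "a3", "activityDisplayName": "Delete user"}],
    },
}


def sample_fetch(url: str) -> Dict[str, Any]:
    """Offline fetcher that serves the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for event in fetch_all_audit_events(sample_fetch):
        print(event["id"], event["activityDisplayName"])
```

Pass make_bearer_fetch(token) instead of sample_fetch to run against a tenant; the pager itself does not change, which is the point: paging logic should not depend on how large the tenant's audit log happens to be.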
Using Azure Management Libraries for .NET to manage Azure AD users, groups, and RBAC Role Assignments
In this blog, we will use the Azure SDK for .NET to perform the following tasks: Create an Azure Active Directory (Azure AD) user, query for the created user, and delete the user. Create an Azure AD group, query for the created group, and delete the group. Add a user to the group's members. Create a Role-based Access Control (RBAC) role assignment: we will assign the group created above 'Storage Blob…
Receiving error "Change enumeration is not supported for requested tenant." from MS Graph Delta query
Problem: A customer receives the following error when running an MS Graph delta query, for instance:

GET https://graph.microsoft.com/beta/users/delta

"error": { "code": "Request_UnsupportedQuery", "message": "Change enumeration is not supported for requested tenant.", "innerError": { "request-id": "xxx", "date": "2020-05-22T13:17:45" } }

Root Cause: This error can happen if the tenant is an Azure AD B2C tenant.

More Information: Differential (delta) query is currently not supported in an Azure AD B2C…
Configure .NET Application to call Microsoft Graph in a National Cloud Tenant
When authenticating with Azure AD and making a Microsoft Graph request for a commercial tenant, everything goes through the .com endpoints (https://login.microsoftonline.com/… and https://graph.microsoft.com), and your token audience is the .com Graph endpoint as well. However, when performing requests against a National Cloud tenant, you must use that cloud's authority and Graph endpoints, and the token must be issued for that cloud's Graph audience. In this article, I will show you how to configure the Microsoft Graph .NET SDK in a…
Receiving Error "AADSTS900439 - USGClientNotSupportedOnPublicEndpoint"
Problem: This blog provides more information about the error "AADSTS900439 - USGClientNotSupportedOnPublicEndpoint". This error typically occurs when a user signs in through a public cloud endpoint to an application registered in the Azure Government sovereign cloud. It is a known fact that the official Azure Active Directory (AAD) authority for Azure Government changed from `https://login-us.microsoftonline.com` to `https://login.microsoftonline.us`. This change also applies to Microsoft 365 GCC High and DoD, which Azure Government…
Where is all the Azure Active Directory for developers (v1.0) documentation?
Azure Active Directory (Azure AD) is a cloud identity service that allows developers to build apps that securely sign in users with a Microsoft work or school account. If you have been developing your apps using Azure Active Directory for developers (v1.0), typically with ADAL, you might have noticed that it is getting harder to find the related documentation. This is…
Using MSAL.Net to perform the client credentials flow with a certificate instead of a client secret in a .NET Core console application
The sample files for this post can be found in this GitHub repository: https://github.com/RayGHeld/NetCore_ClientCredentials_withCert. There is also a PowerShell script there to create a certificate for this sample. You can use the OAuth2 client_credentials grant flow to sign in as an application for unattended services. This flow does not require an interactive user to authenticate, so the credential (secret or certificate) is all that protects the application's access, and it should only be run in secure environments. There are 2 methods…