It’s well documented in the Permissions and consent docs and the Developer Glossary page that there are 2 types of permissions for an access token: delegated permission and application permission. In simpler terms, delegated permission is the permission granted to a signed in user while application permission is the permission granted to an application. The main difference between the two is that the former requires a user to sign in…
Read MoreReceiving error IDX21323 or DX10311 RequireNonce…
Depending on what version of OWIN is used, you may see the following error in an MVC application using OpenID Connect middleware IDX21323: RequireNonce is ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is…
Read MoreSetup POSTMAN to get Azure access tokens automatically for you
Introduction Postman is an HTTP request tool that is very handy for developing and testing your Azure requests. This is the Postman website: https://learning.getpostman.com/ Postman does make it easy to setup authentication and acquire access tokens but it normally is a multi-step process. The purpose of this blog post is to show you how you can setup Postman to automatically handle authentication for you so you don’t have to go…
Read MoreUnderstanding Azure AD token signing certificate (kid)
Introduction Upon successful authentication, Azure AD issues a signed JWT token (id token or access token). The resource application needs to know the public key of the certificate used sign the token in order to validate the token signature. Depending upon the type (OAuth2 or SAML Application) of the resource application, the steps to obtain the pubic key information are different. An OWIN asp.net application can throw the following error…
Read MoreHow to Update an Application Logo in Azure using AAD Graph
Introduction For branding purposes, you can customize the logo for your app registration. Normally, this is done manually through the portal: However, if you have a scenario where you have many tenants to update, this can be a very tedious process and so automation can come in handy. The purpose of this blog post is to show you how this can be updated via code. Since the endpoint requires a…
Read MoreAzure Active Directory reporting API with MS Graph
Introduction As documented here, the Microsoft Graph Reporting API can be used to get the audit logs (https://graph.microsoft.com/beta/auditLogs/directoryAudits) and the sign-ins reports (https://graph.microsoft.com/beta/auditLogs/signIns). The old reports endpoint using Azure AD Graph is now deprecated and attempting to use that legacy end point to get the auditEvents can result in the following error: GET https://graph.windows.net/<tenant>.onmicrosoft.com/reports/auditEvents?api-version=beta { “error”:{ “code”:”Deprecated_ActivityReports”,”message”:”This API is deprecated as part of old azure classic portal, please…
Read MoreAADSTS50011: The reply url specified in the request does not match the reply urls configured for the application
Last Updated: August 23 2019 Let’s get started… When your developing or integrating an application with Azure AD, you might see the following similar error… AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: ‘XXX’. This is because the redirect_uri (when using OpenID Connect) or AssertionConsumerServiceUrl (when using SAML2) being passed to Azure Active Directory to sign-in, does not exist in…
Read MoreCertain User Attributes may not show up in Graph Query
The Problem Azure AD Connect Sync Tool is often used to sync on prem Active Directory users and their attributes to Azure Active Directory. To query for these user and other directory objects, the Graph REST endpoint (Azure AD Graph or Microsoft Graph) can be used. An example Microsoft Graph query to get a User is the following: https://graph.microsoft.com/beta/users/john@contoso.com In certain scenario, some attributes, whether they are synced as Directory…
Read MoreUsing “groups” claim in Azure Active Directory
Lets get Started! To enable the return of groups in a claim, there are two ways… Use the application registration manifest by enabling the groupMembershipClaims property… https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest or if it’s a SAML application, you can enable it though the SSO configuration. The steps on enabling groups claim is outlined in the following article… https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims Once enabled, groups will now be returned in the “groups” claim within a access token or…
Read MoreRetrieving Azure Key Vault Secret using System MSI in an Azure VM in Python
Introduction This is a walk-through showing how to use System Managed Service Identity (MSI) from an Azure VM to retrieve an Azure Key Vault secret in python. Pre-requisite To use the steps in this walk-through you need to have the following: Azure VM Azure Key Vault Python is already installed in the Azure VM (can be downloaded at https://www.python.org/downloads/) The steps Enable System MSI for the Azure VM in the…
Read More