Let get started! This article assumes you are using your own code to perform the authentication to Azure Active Directory. IMPORTANT: So if your using Azure App Services or Azure Function Apps Authentication/Authorization feature, this article is not for you. You are developing a Asp.Net OWIN or Asp.Net Core Authentication web application and integrating it with Azure Active Directory. You run into some issues during the sign-in process with no…
Read MoreHow to use postman to perform a Client Credentials Grant flow with a certificate
This post will demonstrate a couple of things: How to create a signed jwt token (aka Client Assertion) using Powershell. How to use this generated Client Assertion in Postman to get an Access Token Using Client Credentials Grant Flow. To get an Access Token using Client-Credentials Flow, we can either use a Secret or a Certificate. This post will use a self-signed certificate to create the client assertion using both…
Read MoreWalkthrough: Using MSAL.Net to call an Azure Function App with Easy Auth enabled
In this post, I’ll walk through the steps for how to create an application using Microsoft Authentication Library for .Net (MSAL.Net) to call an Azure AD protected Azure Function App using Easy Auth (Azure App Service’ Authentication and Authorization feature). 1. Create an Azure Function with Easy Auth enabled: Assuming you already have an Azure Function App created (refer to https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal if you don’t know how to create one), go…
Read MoreHow to use Microsoft Graph SDK for PowerShell to update a registered Device’s Extension Attribute
Below is a sample PowerShell script showing how to update a registered device’s extension attribute. The sample uses extensionAttriubte3. You can easily swap this out to a different one. Refer to the Update Device documentation for more info. Note: The above device update operation requires the signed in user to be in either the Intune Administrator role or Global Administrator role.
Read MoreHello world!
Welcome to Developer Network. This is your first post. Edit or delete it, then start blogging!
Read MoreTroubleshooting ASP.NET Core Azure AD-protected Web API Authorization issues
There is plenty of content on the internet that shows you how to use ASP.NET Core Authentication pipeline to protect a Web API with Azure Active Directory. This is all working great except when your Web API returns a 401 Unauthorized error without providing much information. You can end up spending a lot of time, pulling your hair out trying to figure out what can go wrong even though you…
Read MoreUnderstanding the difference between application and delegated permissions from OAuth2 Authentication Flows perspective
It’s well documented in the Permissions and consent docs and the Developer Glossary page that there are 2 types of permissions for an access token: delegated permission and application permission. In simpler terms, delegated permission is the permission granted to a signed in user while application permission is the permission granted to an application. The main difference between the two is that the former requires a user to sign in…
Read MoreHow to use an access token to connect to an Azure SQL Database
In Azure SQL, an access token can be used to authenticate a user or service principal. In this blog post, I will show you what is required for both and give some methods for acquiring the access token based on the scenario to set the access token parameter in the connection object. Requirements: You have an Azure tenant and an Azure SQL database already configured and basic understanding of SSMS…
Read MoreHow to customize SAML token claims to include custom attribute created as Directory Schema Extension in Azure AD
Background Recently I was engaged to assist a customer with an interesting issue. This customer follows the guideline at https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions to create a custom User attribute as a Directory schema extension and then assigns a value to the attribute. As an example, I have a few custom attributes created this way as can be seen by Microsoft Graph Explorer: The customer wants to have this custom attribute returned as a…
Read Morereceiving error AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application
Problem: A tenant admin may receive the error “AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application…” when clicking on the “Grant Admin Consent” button in Azure AD’s App Registration portal as shown in the screen shot below: Why is this happening? This error typically happens when the Enterprise Application portion (or Service Principal) of the registered application has the setting ‘User Assignment Required’…
Read More