Proof Key for Code Exchange (PKCE) is a mechanism, typically used together with an OAuth2 Authorization Code Grant flow to provide an enhanced level of security when authenticating to an Identity Provider (IDP) to get an access token. In fact for Single Page Applications (SPA), Authorization Code Grant flow with PKCE is now the recommended OAuth2 authentication protocol over its predecessor, the Implicit Grant flow, for acquiring an access token.…
Read MoreMSAL.Net in PowerShell – Use .pfx file for Client Credentials Flow
This post will show you how to authenticate for the client credentials flow in PowerShell with MSAL.Net using the .pfx file for the certificate authentication instead of loading the certificate from the certificate store. This post is in part based on this: Using PowerShell to Configure a signing certificate for a SAML-based SSO enterprise application Also, special thanks to my team members Bac Hoang and Will Fiddes for assisting with…
Read MoreHow to use postman to perform a Client Credentials Grant flow with a certificate
This post will demonstrate a couple of things: How to create a signed jwt token (aka Client Assertion) using Powershell. How to use this generated Client Assertion in Postman to get an Access Token Using Client Credentials Grant Flow. To get an Access Token using Client-Credentials Flow, we can either use a Secret or a Certificate. This post will use a self-signed certificate to create the client assertion using both…
Read MoreHow to use Microsoft Graph SDK for PowerShell to update a registered Device’s Extension Attribute
Below is a sample PowerShell script showing how to update a registered device’s extension attribute. The sample uses extensionAttriubte3. You can easily swap this out to a different one. Refer to the Update Device documentation for more info. Note: The above device update operation requires the signed in user to be in either the Intune Administrator role or Global Administrator role.
Read MoreHello world!
Welcome to Developer Network. This is your first post. Edit or delete it, then start blogging!
Read MoreAzure Active Directory reporting API with MS Graph
Introduction As documented here, the Microsoft Graph Reporting API can be used to get the audit logs (https://graph.microsoft.com/beta/auditLogs/directoryAudits) and the sign-ins reports (https://graph.microsoft.com/beta/auditLogs/signIns). The old reports endpoint using Azure AD Graph is now deprecated and attempting to use that legacy end point to get the auditEvents can result in the following error: GET https://graph.windows.net/<tenant>.onmicrosoft.com/reports/auditEvents?api-version=beta { “error”:{ “code”:”Deprecated_ActivityReports”,”message”:”This API is deprecated as part of old azure classic portal, please…
Read MoreUnderstanding the difference between application and delegated permissions from OAuth2 Authentication Flows perspective
It’s well documented in the Permissions and consent docs and the Developer Glossary page that there are 2 types of permissions for an access token: delegated permission and application permission. In simpler terms, delegated permission is the permission granted to a signed in user while application permission is the permission granted to an application. The main difference between the two is that the former requires a user to sign in…
Read MoreHow to customize SAML token claims to include custom attribute created as Directory Schema Extension in Azure AD
Background Recently I was engaged to assist a customer with an interesting issue. This customer follows the guideline at https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions to create a custom User attribute as a Directory schema extension and then assigns a value to the attribute. As an example, I have a few custom attributes created this way as can be seen by Microsoft Graph Explorer: The customer wants to have this custom attribute returned as a…
Read MoreTroubleshooting ASP.NET Core Azure AD-protected Web API Authorization issues
There is plenty of content on the internet that shows you how to use ASP.NET Core Authentication pipeline to protect a Web API with Azure Active Directory. This is all working great except when your Web API returns a 401 Unauthorized error without providing much information. You can end up spending a lot of time, pulling your hair out trying to figure out what can go wrong even though you…
Read Morereceiving error AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application
Problem: A tenant admin may receive the error “AADSTS50105: The signed in user ‘{EmailHidden}’ is not assigned to a role for the application…” when clicking on the “Grant Admin Consent” button in Azure AD’s App Registration portal as shown in the screen shot below: Why is this happening? This error typically happens when the Enterprise Application portion (or Service Principal) of the registered application has the setting ‘User Assignment Required’…
Read More