In Azure SQL, an access token can be used to authenticate a user or service principal. In this blog post, I will show you what is required for both and give some methods for acquiring the access token based on the scenario to set the access token parameter in the connection object. Requirements: You have an Azure tenant and an Azure SQL database already configured and basic understanding of SSMS…
Read MoreMSAL.JS SPA client performing Authorization Code Grant flow to ADFS 2019
This blog walks through how to set up MSAL.JS to authenticate directly to ADFS 2019 Server using Authorization Code Grant flow to get an Access Token and then call a Web API with that Access Token. We will go over the following steps to get this the samples working: App Registrations for both the Single Page Application (SPA) client app and the web API app Enable Cross-origin Request Sharing (CORS)…
Read MoreHow to logout of an OAuth2 application without getting prompted to select a user
By default, when you sign out of Azure Active Directory when using a Open ID Connect/OAuth2 application, you will be prompted to select a user account to sign out of, even if there is only one user account to select. To work around this behavior, there are 3 requirements: Step (1): Add the optional claim for the login_hint Add the login_hint optional claim to the id token in the App…
Read MoreHow to Add an Azure AD Role to a Enterprise Application (Service Principal)
Introduction This post is to help users be able to assign administrative roles to Enterprise Applications/Service Principals so that they can perform duties that would otherwise require a user with elevated permissions to accomplish. This is convenient when a user wishes to use a service principal in order to reset a password, or to perform some activity that requires admin privileges programmatically without an interactive sign in (using client credentials…
Read MoreRetrieving Azure Key Vault Secret using System MSI in an Azure VM in Python
Introduction This is a walk-through showing how to use System Managed Service Identity (MSI) from an Azure VM to retrieve an Azure Key Vault secret in python. Pre-requisite To use the steps in this walk-through you need to have the following: Azure VM Azure Key Vault Python is already installed in the Azure VM (can be downloaded at https://www.python.org/downloads/) The steps Enable System MSI for the Azure VM in the…
Read MoreCommon Microsoft First Party Apps resource table
The information below is taken from the manifest file in the App Registration portal Azure Resource Resource URL Resource App ID Azure AD Graph https://graph.windows.net/ 00000002-0000-0000-c000-000000000000 Microsoft Graph https://graph.microsoft.com/ 00000003-0000-0000-c000-000000000000 Azure Key Vault https://vault.azure.net cfa8b339-82a2-471a-a3c9-0fc0be7a4093 Azure Service Management https://management.azure.com/ 797f4846-ba00-4fd7-ba43-dac1f8f63013 Power BI Service https://analysis.windows.net/powerbi/api/ 00000009-0000-0000-c000-000000000000 Azure Storage https://storage.azure.com/ e406a681-f3d4-42a8-90b6-c2b029497af1 Azure DevOps https://app.vssps.visualstudio.com/ 499b84ac-1321-427f-aa17-267ca6975798 Office 365 Management API https://manage.office.com/ c5393580-f805-4401-95e8-94b7a6ef2fc2 Intune https://api.manage.microsoft.com/ c161e42e-d4df-4a3d-9b42-e7a3c31f59d4 SharePoint https://microsoft.sharepoint-df.com/ 00000003-0000-0ff1-ce00-000000000000 Exchange https://outlook.office365.com/ 00000002-0000-0ff1-ce00-000000000000 Azure SQL…
Read MoreInfinite sign in loop between MVC application and Azure AD
In a previous post I talked about an infinite redirect loop issue between an MVC application and Azure AD when performing sign in. In this post, we will look at another scenario which can lead to the same type of problem. Background Applications running an old version of OWIN middleware can run into this issue because of a known Katana bug. Due to a cookie mismanagement issue in the old…
Read MoreConfiguring Options and MaxRetries for Graph Java Client
We have a great Java Graph SDK sample in our tutorial document located here. Pay special attention to the versions as not having the correct version of the prerequisites will give you difficulty! The sample will run a console application and uses the Oauth2 Device Code flow for authentication. Once it compiles and runs, you will get a message like this for the device code flow sign in: “To sign…
Read MoreDownload the user signInActivity from the beta endpoint using Microsoft Graph Powershell module.
You can use the Microsoft Graph Powershell module to download last sign in date / time for users from the Beta endpoint ( the signInActivity is currently not available in v1.0 ) and save the list to a .csv file. You must have the Microsoft Graph powershell module installed. This document will help you get started. My powershell script:
Read MoreUsing MS Graph to get both Interactive and non Interactive sign in events log
Microsoft Graph API can be used to get different types of Sign-In event similar to what’s available in the Azure AD portal As of this writing, this functionality is only available in the beta endpoint. By default the following MS Graph request only gets a list of interactive user sign-ins GET https://graph.microsoft.com/beta/auditLogs/signIns To pull the other types of Sign-In logw you will have to use signInEventTypes filter query as followed:…
Read More