By default, when you sign out of Azure Active Directory when using a Open ID Connect/OAuth2 application, you will be prompted to select a user account to sign out of, even if there is only one user account to select. To work around this behavior, there are 3 requirements: Step (1): Add the optional claim for the login_hint Add the login_hint optional claim to the id token in the App…
Read MoreHow to Add an Azure AD Role to a Enterprise Application (Service Principal)
Introduction This post is to help users be able to assign administrative roles to Enterprise Applications/Service Principals so that they can perform duties that would otherwise require a user with elevated permissions to accomplish. This is convenient when a user wishes to use a service principal in order to reset a password, or to perform some activity that requires admin privileges programmatically without an interactive sign in (using client credentials…
Read MoreRetrieving Azure Key Vault Secret using System MSI in an Azure VM in Python
Introduction This is a walk-through showing how to use System Managed Service Identity (MSI) from an Azure VM to retrieve an Azure Key Vault secret in python. Pre-requisite To use the steps in this walk-through you need to have the following: Azure VM Azure Key Vault Python is already installed in the Azure VM (can be downloaded at https://www.python.org/downloads/) The steps Enable System MSI for the Azure VM in the…
Read MoreCommon Microsoft First Party Apps resource table
The information below is taken from the manifest file in the App Registration portal Azure Resource Resource URL Resource App ID Azure AD Graph https://graph.windows.net/ 00000002-0000-0000-c000-000000000000 Microsoft Graph https://graph.microsoft.com/ 00000003-0000-0000-c000-000000000000 Azure Key Vault https://vault.azure.net cfa8b339-82a2-471a-a3c9-0fc0be7a4093 Azure Service Management https://management.azure.com/ 797f4846-ba00-4fd7-ba43-dac1f8f63013 Power BI Service https://analysis.windows.net/powerbi/api/ 00000009-0000-0000-c000-000000000000 Azure Storage https://storage.azure.com/ e406a681-f3d4-42a8-90b6-c2b029497af1 Azure DevOps https://app.vssps.visualstudio.com/ 499b84ac-1321-427f-aa17-267ca6975798 Office 365 Management API https://manage.office.com/ c5393580-f805-4401-95e8-94b7a6ef2fc2 Intune https://api.manage.microsoft.com/ c161e42e-d4df-4a3d-9b42-e7a3c31f59d4 SharePoint https://microsoft.sharepoint-df.com/ 00000003-0000-0ff1-ce00-000000000000 Exchange https://outlook.office365.com/ 00000002-0000-0ff1-ce00-000000000000 Azure SQL…
Read MoreConfiguring Options and MaxRetries for Graph Java Client
We have a great Java Graph SDK sample in our tutorial document located here. Pay special attention to the versions as not having the correct version of the prerequisites will give you difficulty! The sample will run a console application and uses the Oauth2 Device Code flow for authentication. Once it compiles and runs, you will get a message like this for the device code flow sign in: “To sign…
Read MoreDownload the user signInActivity from the beta endpoint using Microsoft Graph Powershell module.
You can use the Microsoft Graph Powershell module to download last sign in date / time for users from the Beta endpoint ( the signInActivity is currently not available in v1.0 ) and save the list to a .csv file. You must have the Microsoft Graph powershell module installed. This document will help you get started. My powershell script:
Read MoreUsing MS Graph to get both Interactive and non Interactive sign in events log
Microsoft Graph API can be used to get different types of Sign-In event similar to what’s available in the Azure AD portal As of this writing, this functionality is only available in the beta endpoint. By default the following MS Graph request only gets a list of interactive user sign-ins GET https://graph.microsoft.com/beta/auditLogs/signIns To pull the other types of Sign-In logw you will have to use signInEventTypes filter query as followed:…
Read MoreChanging an existing Native Application to a Web App/API to get existing keys
Introduction This article is meant to help get the keys from your native application. We used to show the keys in native applications however we took out that feature because the native application is not meant to have keys/secrets. As a result some people have had keys/secrets with their native applications however they currently still use those keys/secrets. This article is to help those people in order to get…
Read MoreHow to Update an Application Logo in Azure using AAD Graph
Introduction For branding purposes, you can customize the logo for your app registration. Normally, this is done manually through the portal: However, if you have a scenario where you have many tenants to update, this can be a very tedious process and so automation can come in handy. The purpose of this blog post is to show you how this can be updated via code. Since the endpoint requires a…
Read MoreUnderstanding Azure AD token signing certificate (kid)
Introduction Upon successful authentication, Azure AD issues a signed JWT token (id token or access token). The resource application needs to know the public key of the certificate used sign the token in order to validate the token signature. Depending upon the type (OAuth2 or SAML Application) of the resource application, the steps to obtain the pubic key information are different. An OWIN asp.net application can throw the following error…
Read More