Infinite redirect between OpenID Connect Application and Azure AD

Recently I came across an interesting infinite redirection problem between an OpenID Connect (OIDC) application and Azure AD, as demonstrated in the Fiddler screenshot below. After authenticating to Azure AD, we are stuck in an infinite loop between the web site and Azure AD. Eventually the browser gives up and throws an error. This problem only occurs if I start browsing to the site over plain HTTP (frame 3).…


Graph Client Authentication Provider

The Graph Client Authentication Providers library handles authentication to the Microsoft Graph endpoint, implementing a variety of OAuth2 flows. I will demonstrate the use of this library in C# code based on this GitHub repository. Previously, you had to build your own authentication provider (see my creation of the client credentials provider in a VB.NET application here). This library will allow you to use the following flows: Confidential…


Some notes regarding the Microsoft Graph Subscription and webhook

For certain Azure AD resources or directory objects you can use Microsoft Graph to create subscriptions to receive change notification events. Below are some notes to be aware of. Subscription object lifetime: each subscription object (except for security alerts) is valid for a maximum of 3 days, so make sure you renew the subscription before it expires to keep receiving change notifications. See https://docs.microsoft.com/en-us/graph/api/resources/subscription?view=graph-rest-1.0 for more detail on maximum subscription length…


Control access to your apps in Azure AD

We get this kind of question all the time. It comes in many variations and forms, like: “I only want to consent for some users to access the app.” “I only want my service account to access this app.” Before we get started… First and foremost, consenting only for allowed users is not the solution. That is not the purpose of consent. Consent is to inform a user or admin…


Why does the /memberOf Microsoft Graph API return null fields for some attributes?

What do the API calls below do?

GET https://graph.microsoft.com/v1.0/me/memberOf
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf

These API calls give us the list of groups and directory roles of which the user is a direct member.

API call: GET

JSON response:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
    "value": [
        {
            "@odata.type": "#microsoft.graph.group",
            "id": "b0a133d4-3f3d-4990-be22-879151155f19",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": null,
            "creationOptions": [],
            "description": null,
            "displayName": null,
            "expirationDateTime": null,
            "groupTypes": [],
            "isAssignableToRole": null,
            "mail": null,
            "mailEnabled": null,
            "mailNickname": null,
            "membershipRule": null,
            "membershipRuleProcessingState": null
        }
    ]
}

What is the reason behind seeing null values? When we make a call…


AADSTS50000: There was an error issuing a token or an issue with our sign-in service

This error can occur during the Azure AD authentication process or during any token acquisition flow using the token endpoint. There are multiple causes for this error. Below are a few scenarios that can lead to it. Root cause 1: the user's password is expired, invalid, or out of sync. This happens predominantly in a hybrid environment. The authenticated federated account's password may be…


Using MSAL in a VB.Net Winforms application

All of our MSAL samples are for web, mobile client or console applications in C#. This blog post will show how you can also use MSAL from VB.NET in a WinForms desktop application. When creating a WinForms application, the thing to remember is that code in your form runs on the UI thread, which, for the most part, is fine. However, when MSAL prompts for credentials, it will…


Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory

In this blog post, I will demonstrate a simple Azure AD-protected Web API sample using the Spring Boot Starter for Azure Active Directory. If you are not familiar with the Spring Boot Starter for Azure Active Directory, take a look at azure-sdk-for-java/sdk/spring/azure-spring-boot-starter-active-directory in the Azure/azure-sdk-for-java repository on GitHub and the Azure AD Spring Developer’s Guide. Requirement: you must have a Web API application registered in Azure Active Directory and expose its permission…


How to avoid the MS Graph error “Authorization_RequestDenied” while managing users

Problem: you may see the error “Authorization_RequestDenied” below when using Microsoft Graph to manage users.

'error': {
    'code': 'Authorization_RequestDenied',
    'message': 'Insufficient privileges to complete the operation.',
    'innerError': {
        'date': '2020-11-09T20:28:42',
        'request-id': '604e410b-4af8-4b79-9f48-fe0cf905a759',
        'client-request-id': 'd6350bb5-3660-1f44-01a8-8a3b86a4c12a'
    }
}

The error most likely happens because the caller does not have sufficient permissions. In summary, the call requires both of the following: 1) the user or application needs to be in an administrative role, and 2)…


Use the Microsoft.Graph PowerShell SDK to get a list of Devices that do not have BitLocker Recovery Keys

As you may be aware, the AzureAD PowerShell module is being deprecated at the end of the year, along with the Azure AD Graph endpoint. As a result, all customers need to migrate their code to the Microsoft Graph endpoint. This blog post will show you how to use the Microsoft.Graph PowerShell module to get a list of devices that do not have a BitLocker recovery key escrowed in Azure AD. This would…
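The following is an added example written for this listing, not the script from the post itself. It shows the shape of the Microsoft.Graph approach the excerpt describes: list the tenant's Windows devices, list the BitLocker recovery key metadata, and report the devices whose deviceId has no key. It assumes the Microsoft.Graph SDK is installed and uses the Get-MgDevice and Get-MgInformationProtectionBitlockerRecoveryKey cmdlets with the Device.Read.All and BitLockerKey.ReadBasic.All permissions; the output path and the Windows-only filter are choices made here, not requirements from the post.

```powershell
# Added example, not the post's own script. Assumes the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Identity.SignIns).
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns

# BitLockerKey.ReadBasic.All returns key metadata (deviceId, createdDateTime, volumeType)
# without the key value itself, so it is the least-privilege scope for this report.
# Device.Read.All is needed to enumerate the device objects.
Connect-MgGraph -Scopes 'Device.Read.All', 'BitLockerKey.ReadBasic.All'

# Windows devices joined or registered to the tenant. The filter is an assumption here;
# drop it if you also want to flag non-Windows devices.
$devices = Get-MgDevice -All `
    -Filter "operatingSystem eq 'Windows'" `
    -Property 'id,deviceId,displayName,operatingSystem,trustType'

# Build a set of deviceIds that have at least one escrowed recovery key.
# A device with several volumes will appear several times; the hashtable dedupes it.
$keyedDeviceIds = @{}
Get-MgInformationProtectionBitlockerRecoveryKey -All | ForEach-Object {
    if ($_.DeviceId) { $keyedDeviceIds[$_.DeviceId] = $true }
}

# Devices whose deviceId never showed up in the key list.
$missing = $devices | Where-Object { -not $keyedDeviceIds.ContainsKey($_.DeviceId) } |
    Select-Object DisplayName, DeviceId, OperatingSystem, TrustType |
    Sort-Object DisplayName

$missing | Format-Table -AutoSize
# Hypothetical output path; adjust to taste.
$missing | Export-Csv -Path '.\DevicesWithoutBitLockerKey.csv' -NoTypeInformation
```

Note that the match is on the device's deviceId (the device identity GUID), not on the directory object's id, because the BitLocker recovery key resource references the former.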
