Introduction This article is meant to help get the keys from your native application. We used to show the keys in native applications however we took out that feature because the native application is not meant to have keys/secrets. As a result some people have had keys/secrets with their native applications however they currently still use those keys/secrets. This article is to help those people in order to get…
Read MoreHow to Update an Application Logo in Azure using AAD Graph
Introduction For branding purposes, you can customize the logo for your app registration. Normally, this is done manually through the portal: However, if you have a scenario where you have many tenants to update, this can be a very tedious process and so automation can come in handy. The purpose of this blog post is to show you how this can be updated via code. Since the endpoint requires a…
Read MoreUnderstanding Azure AD token signing certificate (kid)
Introduction Upon successful authentication, Azure AD issues a signed JWT token (id token or access token). The resource application needs to know the public key of the certificate used sign the token in order to validate the token signature. Depending upon the type (OAuth2 or SAML Application) of the resource application, the steps to obtain the pubic key information are different. An OWIN asp.net application can throw the following error…
Read MoreInfinite redirect between OpenID Connect Application and Azure AD
Recently I came across an interesting infinite redirection problem between an OpenID Connect (OIDC) Application and Azure AD as demonstrated in the Fiddler screen shot below. After authentication to Azure AD, we are stuck in an infinite loop between the web site and Azure AD. Eventually the browser gives up and throws an error. This problem only occurs if I start browsing to the site by http protocol (frame 3).…
Read MoreGraph Client Authentication Provider
The Graph Client Authentication Providers allows for each authentication to the graph endpoint implementing a variety of OAUTH2 flows. I will demonstrate the use of this library in c# code based on this GitHub. Previously, you had to build your own Authentication Provider ( see my creation of the client credentials provider in a vb.net application here ) . This library will allow you to use the following flows: Confidential…
Read MoreSome notes regarding the Microsoft Graph Subscription and webhook
For certain Azure AD resources or Directory Objects you can use Microsoft Graph to create Subscriptions to receive change notifications event. Below are some notes to be aware of: Subscription object Lifetime Each subscription object (except for Security alerts) is only valid for 3 days maximum, so make sure you renew the subscription before it expires to keep receiving change notifications. See https://docs.microsoft.com/en-us/graph/api/resources/subscription?view=graph-rest-1.0 for more detail on maximum subscription length…
Read MoreControl access to your apps in Azure AD
We get this kind of question all the time. It comes in many variations and forms like… “I only want to consent for some users to access the app.” “I only want my service account to access this app” Before we get started… First and foremost, only consenting for allowed users is not the solution. This is not the purpose for consent. Consent is to inform a user or admin…
Read MoreWhy /memberOf Microsoft Graph API returning null fields for some attributes.
What do below API calls do? https://graph.microsoft.com/v1.0/me/memberOf https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf These API calls gives us the list of groups and directory roles that the user is a direct member of. API Call: GET JSON response: { “@odata.context”: “https://graph.microsoft.com/v1.0/$metadata#directoryObjects”, “value”: [ { “@odata.type”: “#microsoft.graph.group”, “id”: “b0a133d4-3f3d-4990-be22-879151155f19”, “deletedDateTime”: null, “classification”: null, “createdDateTime”: null, “creationOptions”: [], “description”: null, “displayName”: null, “expirationDateTime”: null, “groupTypes”: [], “isAssignableToRole”: null, “mail”: null, “mailEnabled”: null, “mailNickname”: null, “membershipRule”: null, “membershipRuleProcessingState”: null, } } What is the reason behind seeing null values? When we make a call…
Read MoreAADSTS50000: There was an error issuing a token or an issue with our sign-in service
This error can occur during Azure AD authentication process or during any token acquisition flow using the token endpoint. There are multiple causes for this error to happen. Below are a few scenarios that can lead to the error . Root Cause 1: the user password is either expired, invalid, or out of sync This can happen more predominantly in a hybrid environment. The authenticated federated account’s password may be…
Read MoreUsing MSAL in a VB.Net Winforms application
All of our MSAL samples are for either Web, mobile client or console applications in c#. This blog post will show how you can also use MSAL in vb.net in a Winforms desktop application. When creating a winforms application, the thing to remember is that code in your form will run under the UI thread, which, for the most part is ok. However, when MSAL prompts for credentials, it will…
Read More