Problem: This blog provides more information about the error “AADSTS900439 – USGClientNotSupportedOnPublicEndpoint”. This error typically occurs when a user uses a public cloud endpoint to sign in to an application registered in Azure Government sovereign cloud. It is known fact that the official Azure Active Directory (AAD) Authority for Azure Government changed from `https://login-us.microsoftonline.com` to `https://login.microsoftonline.us`. This change also applied to Microsoft 365 GCC High and DoD, which Azure Government…
Read MoreUsing PostMan to request an Azure AD token via SAML Assertion Grant flow
Azure Active Directory (Azure AD) supports an OAuth2 Extension Grant called “SAML Bearer Assertion flow” which allows an application to request an JWT OAuth2 token from Azure AD by providing a SAML Assertion (Token) acquired during an authentication process to a different Authorization Server. As you can imagine in order for this token exchange mechanism to happen, a trust relation between Azure AD and that Authorization Server must have already…
Read MoreConfigure .Net Application to call Microsoft Graph in a National Cloud Tenant
When authenticating with Azure and making a Microsoft Graph request, for commercial tenants, this is all done with the .com endpoints ( https://login.micorosoftonline.com/… and https://graph.microsoft.com ) and your token audience is for the .com endpoint as well. However, when performing the requests against a National Cloud tenant, you must use the appropriate endpoints. In this article, I will show you how to configure the Microsoft Graph .Net SDK in a…
Read MoreReceiving error “Change enumeration is not supported for requested tenant.” from MS Graph Delta query
Problem Customer receives the following error when running an MS Graph delta query, for instance the following: GET https://graph.microsoft.com/beta/users/delta ‘error’: { ‘code’: ‘Request_UnsupportedQuery’, ‘message’: ‘Change enumeration is not supported for requested tenant.’, ‘innerError’: { ‘request-id’: ‘xxx’, ‘date’: ‘2020-05-22T13:17:45’ } } Root Cause This error can happen if the tenant is an Azure AD B2C tenant. More Information Differential or Delta query is currently not supported in an Azure AD B2C…
Read MoreHow to get and display the user photo with Graph SDK for .Net in a WPF application
Occasionally, we get requests asking how to get the user photo using the Graph SDK. This blog post will show you how to do that in a WPF application but I will also show you a method for getting the photo and saving it to disk with a .Net console application. You can download the sample project here: https://github.com/RayGHeld/GraphClient_GetUserPhoto This project also utilizes the Authentication Provider code in this blog…
Read MoreUsing Azure Management Libraries for .NET to manage Azure AD users, groups, and RBAC Role Assignments
In this blog, we will use Azure SDK for .NET to perform the following tasks: Create an Azure Active Directory (Azure AD) user, query for the created user, and delete the user. Create an Azure AD group, query for the created group, and delete the group. Add a user to the group’s members. Create an Role-based Access Control (RBAC) Role Assignment: we will assign the group created above ‘Storage Blob…
Read MoreControl access to your apps in Azure AD
We get this kind of question all the time. It comes in many variations and forms like… “I only want to consent for some users to access the app.” “I only want my service account to access this app” Before we get started… First and foremost, only consenting for allowed users is not the solution. This is not the purpose for consent. Consent is to inform a user or admin…
Read MoreTroubleshooting consent in Azure AD
This is a general guide for troubleshooting consent in Azure AD. It will help resolve majority of the consent related scenarios (Not all of them). In general, the application is trying to sign-in or get an access token for a resource which has not been consented by the user or admin. In general, you want to make sure all of the permissions needed by the application have been consented to.…
Read MoreImplement Client Credentials flow for Graph Java Client
In my previous article , I showed you how to modify our great Graph Client for Java sample to add some additional options for things like filtering, setting the max retries for 429 errors, etc. That sample uses the Oauth2 Device Code flow. In this article, I will show you how to convert that and use the Client Credentials Flow. Although, you will not be able to retrieve the same…
Read MoreUsing PowerShell to get Azure AD audit logs
In my previous blog, I talked about how to use PowerShell with Microsoft Graph Reporting API. In that blog, I used the Client Credentials grant flow to acquire an access token for Microsoft Graph against the V1 endpoint. Also the code sample in that blog only works if all the reporting data result set is small. In this blog I’ll discuss how to get a Microsoft Graph access token using…
Read More