Azure Active Directory: How to get the signed in users groups when there is a groups overage claim in an Access token.

Azure AD has a maximum number of groups that can be returned in an access token when you have selected to include the groups claim for your access token. This post will show you how to reproduce the scenario and then how to get the users groups using Microsoft Graph when a groups overage claim is present in the token instead of actual groups. For a JWT token, Azure has…

Read More

Understanding the difference between application and delegated permissions from OAuth2 Authentication Flows perspective

It’s well documented in the Permissions and consent docs and the Developer Glossary page that there are 2 types of permissions for an access token: delegated permission and application permission. In simpler terms, delegated permission is the permission granted to a signed in user while application permission is the permission granted to an application. The main difference between the two is that the former requires a user to sign in…

Read More

Setup POSTMAN to get Azure access tokens automatically for you

Introduction Postman is an HTTP request tool that is very handy for developing and testing your Azure requests. This is the Postman website: https://learning.getpostman.com/ Postman does make it easy to setup authentication and acquire access tokens but it normally is a multi-step process. The purpose of this blog post is to show you how you can setup Postman to automatically handle authentication for you so you don’t have to go…

Read More

Understanding Azure AD token signing certificate (kid)

Introduction Upon successful authentication, Azure AD issues a signed JWT token (id token or access token). The resource application needs to know the public key of the certificate used sign the token in order to validate the token signature. Depending upon the type (OAuth2 or SAML Application) of the resource application, the steps to obtain the pubic key information are different. An OWIN asp.net application can throw the following error…

Read More

How to Use the ADAL .NET library to Call the Microsoft Graph API in a Console Application (Using Authorization Code Flow)

Introduction This post is to show how to use the ADAL .NET library to acquire a token interactively in a console application. It will go through setting up an Azure Active Directory Application, setting up the .net console application, acquiring an access token, and then make a HTTP request using the token acquired from the ADAL .net library to get 5 users using the Microsoft Graph API.   Setting up your…

Read More

Implementing Service to Service Authorization and Getting the Access Token with Postman Utilizing Client Credential Grant Type

Introduction This article is meant to show how one can set up a client application to obtain a service to service access token, to get access to a web API from a web App. This document will be following the grant type client credential flow to do this, and will utilize Postman to get the access token via client credentials. This tutorial will not set up the backend web API,…

Read More

Configuring an App Service to get an Access Token for AAD Graph API

Introduction This post should show how to create an app service, configure authentication for the service, and then configure the authentication to get permissions to the AAD Graph API on behalf of the logged-in user. This post is an extension of the Azure App Service Token Store, the link to that can be found here. This is the entire setup scenario from scratch, starting with creating the web app, and…

Read More