How to logout of an OAuth2 application without getting prompted to select a user

By default, when you sign out of Azure Active Directory when using a Open ID Connect/OAuth2 application, you will be prompted to select a user account to sign out of, even if there is only one user account to select. To work around this behavior, there are 3 requirements: Step (1): Add the optional claim for the login_hint Add the login_hint optional claim to the id token in the App…

Read More

Troubleshooting Signature validation errors

These signature validation errors are caused when the resource provider (not Azure AD) is unable to validate the signature of the token, either because the signing key could not be found or the signing key used was not able to validate the signature. This article will describe the most common scenarios and solutions. The concept and root cause is still the same and will continue to apply. Unfortunately, many developers…

Read More

Using the Application.ReadWrite.OwnedBy API permission

You have an application, when authenticated, and you want to be able to update its own properties such as the Client Secret or Certificate. The Application.ReadWrite.OwnedBy allows the application to manage applications in which it is a owner of. Otherwise meaning if you want to update its own properties, it would be have to an owner of itself. You can do this using the Microsoft Graph API: For more information…

Read More

Update Asp.Net or Asp.Net Core app session to last longer than Azure AD tokens

Azure AD tokens (ID tokens, access tokens, and SAML tokens) by default last one hour. Asp.Net and Asp.Net Core Middleware sets their authentication ticket to the expiration of these tokens by default. If you do not want your web application to kick the user out redirecting them to Azure AD to sign-in again, you can customize the Middleware authentication ticket. For Asp.Net… In most cases within your Startup.Auth.cs under ConfigureAuth,…

Read More

NetLog: Alternative to Fiddler and HAR captures

Have you run across where you can’t get a standard Fiddler capture, and furthermore, HAR captures from developer tools is truncating the information you need to see? I ran across the NetLog tool built into Chromium based browsers. So, this will work in the new Microsoft Edge, Chrome, and Electron. Here are couple known limitations before we get started… POST request bodies are not captured. Sites running in compatibility mode…

Read More

Control access to your apps in Azure AD

We get this kind of question all the time. It comes in many variations and forms like… “I only want to consent for some users to access the app.” “I only want my service account to access this app” Before we get started… First and foremost, only consenting for allowed users is not the solution. This is not the purpose for consent. Consent is to inform a user or admin…

Read More

Troubleshooting consent in Azure AD

This is a general guide for troubleshooting consent in Azure AD. It will help resolve majority of the consent related scenarios (Not all of them). In general, the application is trying to sign-in or get an access token for a resource which has not been consented by the user or admin. In general, you want to make sure all of the permissions needed by the application have been consented to.…

Read More

AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for ‘AAD Graph’ in the requested permissions in the client’s application registration.

Let’s get started… You are getting the following similar message… AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for ‘AAD Graph’ in the requested permissions in the client’s application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your…

Read More

How to acquire bearer token non-interactively with a federated user

You are looking for a way to acquire an access token from Azure Active Directory without user interaction. We highly recommended to always use an interactive user sign-in experience as this is the most secured method. Especially when your organization has conditional access policies which require Multi-Factor Authentication. If at all possible, please use the methods for interactive sign-in. Here are some general guidance on how to non-interactively acquire a…

Read More

Troubleshooting Asp.Net OWIN and Asp.Net Core Authentication sign-in failures with Azure Active Directory

Let get started! This article assumes you are using your own code to perform the authentication to Azure Active Directory. IMPORTANT: So if your using Azure App Services or Azure Function Apps Authentication/Authorization feature, this article is not for you. You are developing a Asp.Net OWIN or Asp.Net Core Authentication web application and integrating it with Azure Active Directory. You run into some issues during the sign-in process with no…

Read More