Add Azure AD roles claim support in WebAssembly Authentication

You are developing a WebAssembly authentication app and trying to implement Roles based access control. You are getting a similar error like… The WebAssembly Authentication stack appears to cast the roles claim into a single string. We need this User Factory to modify its behavior so that each role has its own unique value. Create the Custom User Factory First, create a custom User Factory (CustomUserFactory.cs)… Add the roles mapping…

Read More

Microsoft.Identity.Client.MsalClientException: Failed to get user name

You might be using the following method to attempt Integrated Windows Auth while using Microsoft Authentication Library (MSAL)… and you are getting one of the following errors… Make sure you at least meet these minimum requirements: What is actually failing? MSAL makes a call to GetUserNameEx function from secur32.dll… https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/01ecd12464007fc1988b6a127aa0b1b980bca1ed/src/client/Microsoft.Identity.Client/Platforms/Features/DesktopOS/WindowsNativeMethods.cs#L66 For more information about GetUserNameEx… https://learn.microsoft.com/en-us/windows/win32/api/secext/nf-secext-getusernameexa Windows is returning this error message. There is a number of reasons this can…

Read More

How to resolve “No account or login hint was passed to the AcquireTokenSilent” with a Web App and no persistent token cache

You have implemented Microsoft Authentication Library or Microsoft Identity Web and now you are seeing the following error message: No account or login hint was passed to the AcquireTokenSilent The root cause is because the Token Cache is empty when you are trying to acquire a token silently when account was attempted to be pulled from MSAL. So on Web Applications like Asp.Net or Asp.Net Core, this is generally when…

Read More

The identity of the calling application could not be established

You are getting the following error from Microsoft Graph or downstream services that uses Microsoft Graph… The identity of the calling application could not be established This error is thrown because the “oid” and “sub” claim is missing from the access token. This is because the servicePrincipal does not exist in the tenant or the tenant is not aware of the application. Partner Scenario If this is a Partner application,…

Read More

Managing Microsoft Graph requests in Microsoft Graph PowerShell

Basics of using Microsoft (MS) Graph PowerShell to update objects using Hashtables and JSON. These are just some examples that could be used. By no means would I consider these the “best” way to handle each scenario, however, this should get you started in the right direction. In general, a good thing to keep in mind, a Microsoft Graph type could be resembled as a PowerShell Hashtable or Array. To…

Read More

How to logout of an OAuth2 application without getting prompted to select a user

By default, when you sign out of Azure Active Directory when using a Open ID Connect/OAuth2 application, you will be prompted to select a user account to sign out of, even if there is only one user account to select. To work around this behavior, there are 3 requirements: Step (1): Add the optional claim for the login_hint Add the login_hint optional claim to the id token in the App…

Read More

Troubleshooting Signature validation errors

These signature validation errors are caused when the resource provider (not Azure AD) is unable to validate the signature of the token, either because the signing key could not be found or the signing key used was not able to validate the signature. This article will describe the most common scenarios and solutions. The concept and root cause is still the same and will continue to apply. Unfortunately, many developers…

Read More

Using the Application.ReadWrite.OwnedBy API permission

You have an application, when authenticated, and you want to be able to update its own properties such as the Client Secret or Certificate. The Application.ReadWrite.OwnedBy allows the application to manage applications in which it is a owner of. Otherwise meaning if you want to update its own properties, it would be have to an owner of itself. You can do this using the Microsoft Graph API: For more information…

Read More

Update Asp.Net or Asp.Net Core app session to last longer than Azure AD tokens

Azure AD tokens (ID tokens, access tokens, and SAML tokens) by default last one hour. Asp.Net and Asp.Net Core Middleware sets their authentication ticket to the expiration of these tokens by default. If you do not want your web application to kick the user out redirecting them to Azure AD to sign-in again, you can customize the Middleware authentication ticket. For Asp.Net… In most cases within your Startup.Auth.cs under ConfigureAuth,…

Read More

NetLog: Alternative to Fiddler and HAR captures

Have you run across where you can’t get a standard Fiddler capture, and furthermore, HAR captures from developer tools is truncating the information you need to see? I ran across the NetLog tool built into Chromium based browsers. So, this will work in the new Microsoft Edge, Chrome, and Electron. Here are couple known limitations before we get started… POST request bodies are not captured. Sites running in compatibility mode…

Read More