Troubleshooting CORS to Azure AD/Entra ID

You are developing an app and see one of the following CORS related errors in the console logs… Notice it starts with “https://login.microsoftonline.com“, you might have a Azure B2C scenario, so in that case it might start with “https://youdomain.b2clogin.com/…“ It is outside of scope for this article If the error is not generated by Azure AD/Entra ID, and the error looks something like this… Access to XMLHttpRequest at ‘https://app.contoso.com/…‘ We…

Read More

How to bundle consent

You have a custom client and a custom API. There is an application registration in Azure AD for each of these apps, one for the custom client, and one for the custom API. You want your users to be able to bundle the consent for these apps. You might see one of the following errors… Step 1: Configure knownClientApplications for the API app registration First, you will need to add…

Read More

Implementing SwaggerUI and API for Azure AD

Do not forget the basic principles of Open ID Connect and OAuth2. When you want to protect an API with OAuth2 and Azure AD, you must pass an access token that will be validated. So if you want to test with SwaggerUI, on accessing the API portion, SwaggerUI must be configured to authenticate, acquire an access token, and pass it to the API. Before we get started, ensure you create…

Read More

Adding multiple issuer and audience validation in C#

You have an custom developed Web app or Web API using Asp.Net or Asp.Net Core and you want to control which issuers have access to your app. There are a couple ways to do this. Use Multiple Authentication schemes One way to do this and is probably the most recommended way is to perform what is documented here… https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes In this solution, you’ll want to have different Web App or…

Read More

Add Azure AD roles claim support in WebAssembly Authentication

You are developing a WebAssembly authentication app and trying to implement Roles based access control. You are getting a similar error like… The WebAssembly Authentication stack appears to cast the roles claim into a single string. We need this User Factory to modify its behavior so that each role has its own unique value. Create the Custom User Factory First, create a custom User Factory (CustomUserFactory.cs)… Add the roles mapping…

Read More

Microsoft.Identity.Client.MsalClientException: Failed to get user name

You might be using the following method to attempt Integrated Windows Auth while using Microsoft Authentication Library (MSAL)… and you are getting one of the following errors… Make sure you at least meet these minimum requirements: What is actually failing? MSAL makes a call to GetUserNameEx function from secur32.dll… https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/01ecd12464007fc1988b6a127aa0b1b980bca1ed/src/client/Microsoft.Identity.Client/Platforms/Features/DesktopOS/WindowsNativeMethods.cs#L66 For more information about GetUserNameEx… https://learn.microsoft.com/en-us/windows/win32/api/secext/nf-secext-getusernameexa Windows is returning this error message. There is a number of reasons this can…

Read More

How to resolve “No account or login hint was passed to the AcquireTokenSilent” with a Web App and no persistent token cache

You have implemented Microsoft Authentication Library or Microsoft Identity Web and now you are seeing the following error message: No account or login hint was passed to the AcquireTokenSilent The root cause is because the Token Cache is empty when you are trying to acquire a token silently when account was attempted to be pulled from MSAL. So on Web Applications like Asp.Net or Asp.Net Core, this is generally when…

Read More

The identity of the calling application could not be established

You are getting the following error from Microsoft Graph or downstream services that uses Microsoft Graph… The identity of the calling application could not be established This error is thrown because the “oid” and “sub” claim is missing from the access token. This is because the servicePrincipal does not exist in the tenant or the tenant is not aware of the application. Partner Scenario If this is a Partner application,…

Read More

Managing Microsoft Graph requests in Microsoft Graph PowerShell

Basics of using Microsoft (MS) Graph PowerShell to update objects using Hashtables and JSON. These are just some examples that could be used. By no means would I consider these the “best” way to handle each scenario, however, this should get you started in the right direction. In general, a good thing to keep in mind, a Microsoft Graph type could be resembled as a PowerShell Hashtable or Array. To…

Read More

How to logout of an OAuth2 application without getting prompted to select a user

By default, when you sign out of Azure Active Directory when using a Open ID Connect/OAuth2 application, you will be prompted to select a user account to sign out of, even if there is only one user account to select. To work around this behavior, there are 3 requirements: Step (1): Add the optional claim for the login_hint Add the login_hint optional claim to the id token in the App…

Read More