You are developing an app and see one of the following CORS related errors in the console logs… Notice it starts with “https://login.microsoftonline.com“, you might have a Azure B2C scenario, so in that case it might start with “https://youdomain.b2clogin.com/…“ It is outside of scope for this article If the error is not generated by Azure AD/Entra ID, and the error looks something like this… Access to XMLHttpRequest at ‘https://app.contoso.com/…‘ We…
Read MoreAdding multiple issuer and audience validation in C#
You have an custom developed Web app or Web API using Asp.Net or Asp.Net Core and you want to control which issuers have access to your app. There are a couple ways to do this. Use Multiple Authentication schemes One way to do this and is probably the most recommended way is to perform what is documented here… https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes In this solution, you’ll want to have different Web App or…
Read MoreUsing MSAL for Python to perform interactive sign in from a local script
This blog shows how to use MSAL for Python to perform an interactive sign in to Azure AD from running a local python script. The sample also demonstrates how to enable MSAL logging along with how to capture Python SSL web traffic using Fiddler Classic App Registration: You will need to have an Azure AD App Registration with “http://localhost” reply URL configured in the ‘Mobile and desktop applications’ platform The…
Read MoreMicrosoft Graph PowerShell SDK – Use Client Secret instead of Certificate for Service Principal login
The AAD Graph PowerShell SDK allowed you to use a client secret for the Application only ( Service Principal ) login flow – also known as the client_credentials grant flow. The documentation for the new Microsoft Graph PowerShell SDK does not tell you how to use a client secret but instead, uses the more secure certificate method for the flow: Use app-only authentication with the Microsoft Graph PowerShell SDK |…
Read MoreHow to enable MSAL for Java (MSAL4J) logging in a Spring Boot application
In this blog, I’ll show how to enable MSAL4J logging using the logback framework in a spring boot web application. I’ll use our Azure AD B2C web sample here. The complete code for this blog is on github. Refer to the MSAL for Java logging documentation for more info. There are 3 main things you need to do for logging to work 1) Include the logback package in the pom.xml…
Read MoreUsing Microsoft.Identity.Web to request multiple different Azure AD Access Tokens
There are times a web application may need to log in a user and call different backend Azure AD protected web APIs. The web application would need to obtain different Access Tokens, one for each web API. In this post I will attempt to demonstrate how this can be done using MIcrosoft.Identity.Web nuget package. This sample shows how to get tokens for Microsoft Graph resource and a custom web API…
Read MoreTroubleshooting Signature validation errors
These signature validation errors are caused when the resource provider (not Azure AD) is unable to validate the signature of the token, either because the signing key could not be found or the signing key used was not able to validate the signature. This article will describe the most common scenarios and solutions. The concept and root cause is still the same and will continue to apply. Unfortunately, many developers…
Read MoreMSAL.JS SPA client performing Authorization Code Grant flow to ADFS 2019
This blog walks through how to set up MSAL.JS to authenticate directly to ADFS 2019 Server using Authorization Code Grant flow to get an Access Token and then call a Web API with that Access Token. We will go over the following steps to get this the samples working: App Registrations for both the Single Page Application (SPA) client app and the web API app Enable Cross-origin Request Sharing (CORS)…
Read MoreReceiving error AADSTS7500514: A supported type of SAML response was not found when authenticating to Azure AD with a federated account
Customers can get the following error when authenticating to Azure Active Directory with a federated account using MSAL (or now deprecated ADAL) Authentication library. { error: “invalid_request”, error_description: “AADSTS7500514: A supported type of SAML response was not found. The supported response types are ‘Response’ (in XML namespace ‘urn:oasis:names:tc:SAML:2.0:protocol’) or ‘Assertion’ (in XML namespace ‘urn:oasis:names:tc:SAML:2.0:assertion’). …. error_uri: “https://login.microsoftonline.com/error?code=7500514” } The error is typically seen in the following environment: A federated account…
Read MoreMicrosoft Graph: Why you cannot call the “me” endpoint with a token acquired via the client credentials grant flow
Introduction Microsoft Graph has a couple of primary ways you can get information about a user in Azure AD. This not only includes things like the user attributes but also groups the user is a member of, access to mail, and etc. Each endpoint does require specific permissions but generally speaking, a user can get the basic information about him/herself via the “me” endpoint. The “me” endpoint From our docs…
Read More