There are a couple of ways to call an Easy Auth enabled web API. You can either call the web API with: an Easy Auth session cookie (via a previously authenticated browser session to the web API) or An Azure AD Bearer JWT token In this post I will show you how to use MSAL.JS v2 in a Single Page Application (SPA) to get an access token for the web…
Read MoreUsing OpenID Connect OWIN middleware to validate an Azure AD JWT token signed with a symmetric key
Azure AD by default uses a certificate to sign an OAuth2 JWT token using an asymmetric algorithm (RS256). Alternatively a JWT token can be signed with a “shared” secret using a symmetric algorithm (HS256). Asymmetric signing algorithm is always more secure in preventing the token to be tampered with compared to a symmetric algorithm since the private key is always kept at the Identity Provider (IDP) and the token consumer…
Read MoreWhat’s the security implication of changing the default client type from confidential to public in Azure AD?
From time to time, I get asked this question by a few different customers especially when they encounter the error “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’” when authenticating to Azure AD. The error is related to the following Default client type setting in the Authentication blade of a registered application: By default the setting is set to No (confidential client). Changing to ‘Yes’ converts…
Read MoreUsing PowerShell to configure a signing certificate for a SAML-based SSO Enterprise Application
In my last blog post I talked about how to use PowerShell to instantiate an MSAL Confidential Client Application to acquire an access token using Client Credentials Grant flow. In this post we will use PowerShell to instantiate an MSAL Public Client Application to perform an Authorization Code Grant flow to obtain a delegated permission Access Token for Microsoft Graph. We will then use that access token to call Microsoft…
Read MorePerforming Azure AD OAuth2 Authorization Code Grant flow with PKCE in PostMan
Proof Key for Code Exchange (PKCE) is a mechanism, typically used together with an OAuth2 Authorization Code Grant flow to provide an enhanced level of security when authenticating to an Identity Provider (IDP) to get an access token. In fact for Single Page Applications (SPA), Authorization Code Grant flow with PKCE is now the recommended OAuth2 authentication protocol over its predecessor, the Implicit Grant flow, for acquiring an access token.…
Read MoreUsing PostMan to request an Azure AD token via SAML Assertion Grant flow
Azure Active Directory (Azure AD) supports an OAuth2 Extension Grant called “SAML Bearer Assertion flow” which allows an application to request an JWT OAuth2 token from Azure AD by providing a SAML Assertion (Token) acquired during an authentication process to a different Authorization Server. As you can imagine in order for this token exchange mechanism to happen, a trust relation between Azure AD and that Authorization Server must have already…
Read MoreConfigure .Net Application to call Microsoft Graph in a National Cloud Tenant
When authenticating with Azure and making a Microsoft Graph request, for commercial tenants, this is all done with the .com endpoints ( https://login.micorosoftonline.com/… and https://graph.microsoft.com ) and your token audience is for the .com endpoint as well. However, when performing the requests against a National Cloud tenant, you must use the appropriate endpoints. In this article, I will show you how to configure the Microsoft Graph .Net SDK in a…
Read MoreReceiving error “Change enumeration is not supported for requested tenant.” from MS Graph Delta query
Problem Customer receives the following error when running an MS Graph delta query, for instance the following: GET https://graph.microsoft.com/beta/users/delta ‘error’: { ‘code’: ‘Request_UnsupportedQuery’, ‘message’: ‘Change enumeration is not supported for requested tenant.’, ‘innerError’: { ‘request-id’: ‘xxx’, ‘date’: ‘2020-05-22T13:17:45’ } } Root Cause This error can happen if the tenant is an Azure AD B2C tenant. More Information Differential or Delta query is currently not supported in an Azure AD B2C…
Read MoreUsing Azure Management Libraries for .NET to manage Azure AD users, groups, and RBAC Role Assignments
In this blog, we will use Azure SDK for .NET to perform the following tasks: Create an Azure Active Directory (Azure AD) user, query for the created user, and delete the user. Create an Azure AD group, query for the created group, and delete the group. Add a user to the group’s members. Create an Role-based Access Control (RBAC) Role Assignment: we will assign the group created above ‘Storage Blob…
Read MoreControl access to your apps in Azure AD
We get this kind of question all the time. It comes in many variations and forms like… “I only want to consent for some users to access the app.” “I only want my service account to access this app” Before we get started… First and foremost, only consenting for allowed users is not the solution. This is not the purpose for consent. Consent is to inform a user or admin…
Read More