In this blog, I’ll show how to enable MSAL4J logging using the logback framework in a spring boot web application. I’ll use our Azure AD B2C web sample here. The complete code for this blog is on github. Refer to the MSAL for Java logging documentation for more info. There are 3 main things you need to do for logging to work 1) Include the logback package in the pom.xml…
Read MoreUse the Microsoft.Graph PowerShell SDK to get a list of Devices that do not have BitLocker Recovery Keys
As you may be aware, the AzureAD powershell module is being deprecated at the end of the year along with the AD Graph endpoint. As a result, all customers need to migrate their code to the Microsoft Graph endpoint. This blog post will show you how to use the Microsoft.Graph PowerShell module to get a list of devices that do not have a BitLocker Recovery key in Azure. This would…
Read MoreUsing AdditionalData property in Microsoft Graph SDK for .Net
The AAD Directory Object classes in Microsoft Graph SDK for .Net have a generic property called ‘AdditionalData’ that can be used to send and receive data in the json payload. In certain scenarios where the regular class members are not available in the SDK we can still set their values via AdditionalData property. An example of this is to create a group that has resourceBehaviorOptions attribute (array of strings) populated…
Read MorePython Scripts may be detected as web-crawler when making Microsoft Graph requests.
Sometimes, a python script that is making Microsoft Graph requests may be detected by the gateway as a web-crawler if you are using a pool manager and block the request. The error will look similar to this: {‘error’: {‘code’: ‘UnknownError’, ‘message’: ‘\r\n403 Forbidden\r\n\r\n 403 Forbidden \r\n Microsoft-Azure-Application-Gateway/v2 \r\n\r\n\r\n’, ‘innerError’: {‘date’: ‘{UTC Date/Time}’, ‘request-id’: ‘{guid}’, ‘client-request-id’: ‘{guid}’}}} To overcome this issue the easiest way is to use the MS Graph SDK…
Read MoreDownload the user signInActivity from the beta endpoint using Microsoft Graph Powershell module.
You can use the Microsoft Graph Powershell module to download last sign in date / time for users from the Beta endpoint ( the signInActivity is currently not available in v1.0 ) and save the list to a .csv file. You must have the Microsoft Graph powershell module installed. This document will help you get started. My powershell script:
Read MoreUsing Microsoft.Identity.Web to request multiple different Azure AD Access Tokens
There are times a web application may need to log in a user and call different backend Azure AD protected web APIs. The web application would need to obtain different Access Tokens, one for each web API. In this post I will attempt to demonstrate how this can be done using MIcrosoft.Identity.Web nuget package. This sample shows how to get tokens for Microsoft Graph resource and a custom web API…
Read MorePackage Inspector for MSAL Android Native Guide
Package Inspector for MSAL Android Native Guide The Microsoft Authentication Library (MSAL) for Android Native contains a tool called Package Inspector. This tool presents a list of packages installed on an Android device and allows the user to view, copy, and paste the signature hash used to sign the application’s package. It can be very useful in troubleshooting and verifying the signature hash for applications installed on an Android device.…
Read MoreUsers unable to lookup other users in the MS Graph Users endpoint
The Microsoft Graph endpoint is how you can interact programmatically with your tenant data. One of the most common scenarios is a MS Graph request to look up a user or users in the tenant. If you’re using delegated permissions in your access token, for a user to look up another user, the access token will need the delegated permission of User.Read.All However, there are ways to prevent users from…
Read MoreHow to logout of an OAuth2 application without getting prompted to select a user
By default, when you sign out of Azure Active Directory when using a Open ID Connect/OAuth2 application, you will be prompted to select a user account to sign out of, even if there is only one user account to select. To work around this behavior, there are 3 requirements: Step (1): Add the optional claim for the login_hint Add the login_hint optional claim to the id token in the App…
Read MoreTroubleshooting Signature validation errors
These signature validation errors are caused when the resource provider (not Azure AD) is unable to validate the signature of the token, either because the signing key could not be found or the signing key used was not able to validate the signature. This article will describe the most common scenarios and solutions. The concept and root cause is still the same and will continue to apply. Unfortunately, many developers…
Read More