active-directory-dotnet-daemon | Windows console application that calls a web API | Web Framework library
kandi X-RAY | active-directory-dotnet-daemon Summary
A Windows console application that calls a web API using its app identity (instead of a user's identity) to get access tokens in an unattended job or process.
Community Discussions
Trending Discussions on active-directory-dotnet-daemon
QUESTION
I am creating a console application that connects to Microsoft Graph using the Microsoft Graph API (as shown in https://github.com/microsoftgraph/console-csharp-connect-sample). Everything is working fine, but I wonder if there is a way where I can authenticate a user (when I already know their user/password) without them needing to manually enter their credentials on the "Sign in to your account" window rendered on the desktop. The idea is basically to run the application unattended, so there is no need for the user to be entering their credentials when the application starts. I can't find any relevant information on the subject. Is that even possible?
EDIT
After following the link @DanSilver posted about getting access without a user, I tried the sample suggested in that link (https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2). Although that is an MVC application that forces users to authenticate (precisely what I wanted to avoid), I have managed to use part of the authentication code in that sample with my console application. After giving authorization to the application manually through a request to https://login.microsoftonline.com/myTenantId/adminconsent I can create a GraphServiceClient in my console app that connects to Graph without user interaction. So I mark the answer as valid. Just in case someone is in the same situation, the GraphServiceClient is created as:
...ANSWER
Answered 2018-Jan-16 at 05:43
One idea is using the "app only" authorization flow. The idea is that you can have long running apps access the Microsoft Graph without user authentication. The main difference is instead of the access token granting access to a particular user, it grants your app access to resources that you've consented to in advance. There will be no user login dialog and you can programmatically fetch access tokens to call the Graph API.
To reiterate that these tokens aren't for a particular user, consider making a GET request to 'https://graph.microsoft.com/v1.0/me'. This will return an error since the access token isn't for a particular user and "me" doesn't mean anything. Requests should be sent with full user ids like "graph.microsoft.com/users/someuser@contosos.com".
More information on this can be found at the Get access without a user documentation page.
Another idea is to let the user authenticate the first time they use your app and then store a refresh token. These tokens live longer (a few months IIRC) and then you won't need to prompt for user consent each time the app runs. Refresh tokens can be exchanged for access tokens that live 60 minutes and those can be used to call Graph API on behalf of users.
More info on refresh tokens: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user#5-use-the-refresh-token-to-get-a-new-access-token
QUESTION
I have .net daemon that is calling ASP.NET Web API using AzureAD authentication. My authentication flow follows this sample: https://github.com/Azure-Samples/active-directory-dotnet-daemon
I would like to create a separate AD App registration for each daemon instance and identify instances in the Web API app by the Display name property of the App registration. Is there any way to achieve this?
...ANSWER
Answered 2019-Sep-04 at 07:54
There is a REST API available for getting the application object data:
QUESTION
I am setting a background process which will communicate with API secured by Azure AD. Without giving delegate access to API, Client App is able to generate access token.
Using client credential flow, is it possible to generate access token for web api without giving delegate permission? I am able to generate it but according to it should not happen. Any app created in my tenant is able to generate the token for web api without delegate permission.
I have followed below sample on github. https://github.com/Azure-Samples/active-directory-dotnet-daemon
It should not be able to generate access token, if no delegate access is provided.
...ANSWER
Answered 2019-Apr-17 at 09:54
This is normal. If you are using client credential flow, even if your client app does not have the application permission and delegated permission, it will be able to generate the access token. But you could not use this token to call the api, because the token does not have the permissions in its claim. You could decode the token in https://jwt.io/, then you can see the permissions as below.
Update:
If you want to check the delegated permissions, you need to use ROPC flow. Check the scope in the response, they are the delegated permissions.
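Added example (not part of the original answer or of the sample repository): a Python sketch of the claim inspection described above, and of the check a web API has to make itself so that a token issued to an app with no granted permission is refused. It assumes signature, issuer and expiry validation has already been done by the API's JWT middleware; the role name `Todo.Read.All`, the audience value and the app ids are constructed placeholders.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed sample token; the signature segment is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "constructed-signature"])


def decode_claims(token: str) -> dict:
    """Decode the payload segment only (the part a JWT viewer displays)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> dict:
    """Application permissions are in 'roles', delegated ones in 'scp'."""
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    return {"application": set(roles), "delegated": set(scopes)}


def authorize_app_call(claims: dict, audience: str, required_role: str) -> bool:
    """API-side check for a daemon caller: right audience and an explicit role."""
    if claims.get("aud") != audience:
        return False
    return required_role in granted_permissions(claims)["application"]


# Constructed claims: both tokens target the same API, only one was granted a role.
API = "api://todo-api-placeholder"
NO_PERMISSION = make_sample_token({"aud": API, "appid": "daemon-a"})
WITH_ROLE = make_sample_token({"aud": API, "appid": "daemon-b",
                               "roles": ["Todo.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("no permission", NO_PERMISSION), ("with role", WITH_ROLE)):
        c = decode_claims(tok)
        print(name, granted_permissions(c), authorize_app_call(c, API, "Todo.Read.All"))
```

Both sample tokens carry a valid audience; only the `roles` check separates the daemon that was granted access from any other app in the tenant.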
QUESTION
I'm new to OAuth and its app identity method. I use app identity to access an API using OAuth. I found a tutorial here.
In the source code, since both web application and API will be using AAD, why does it not have AADAuthenticationExtensions.cs and AADOptions.cs classes?
ANSWER
Answered 2019-Mar-13 at 03:05
QUESTION
Hi, I have a daemon application which will access Azure AD graph API. I am trying to have certificate based authentication, hence first creating a self signed certificate. I have followed this article https://azure.microsoft.com/en-in/resources/samples/active-directory-dotnet-daemon-certificate-credential/
I am using Windows 10 machine.
When I try to modify the manifest file of registered application of Azure AD I get below error
Failed to update application graphapi2. Error details: KeyValue cannot be null or empty Request ID: fea0789a-b8fd-4001-83c4-f74d67fb9812, Timestamp: 12/13/2018 11:56:08
Has anyone faced this issue? How will I be able to create self signed certificate to Azure AD registered applications?
...ANSWER
Answered 2018-Dec-17 at 17:10
This seems to be happening in the Azure Portal when using the "App registrations (preview)" rather than the normal "App registrations". If you try "App registrations" and edit the manifest there and add your KeyCredentials it seems to work fine.
QUESTION
All I am trying to do is to fetch emails for a userID which is accessible to other users without having them logging into their Microsoft accounts. I have looked at numerous SO posts (this), code samples (this, this) and looked into the specs of OpenID and other docs (this), but still not able to figure it out.
I have registered app in azure portal and granted required permissions. Using the sample app I am able to fetch user list, but not the email list. I compared the request headers for both user query and email query. Both look the same. Can someone please tell me what I am doing wrong?
Code is given below:
Startup.Auth.cs
...ANSWER
Answered 2018-Nov-02 at 21:25
You're using Client_Credentials to authenticate the app and using the /me path in your REST call. These two do not work together.
Behind the scenes /me is translated into the currently authenticated user (i.e. /users/user@domain). Since you don't have a user authenticated, it simply isn't possible for the Graph to translate your request into an actionable call.
You need to explicitly reference the user using either their id or their userPrincipalName:
QUESTION
I am following this example: https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential
I am able to successfully run the sample, get the access token (JWT) and access the Web API.
However, I would like to have a claim containing the value of the certificate subject (in this case, it is CN=TodoListDaemonWithCert) in the returned token from the Azure AD. This is because I will have some more certificates with different subjects (CN=TodoListDaemonWithCert-1, CN=TodoListDaemonWithCert-2...) and they will be also registered with the TodoListDaemonwithCert app.
The Web API will use the subject (CN=TodoListDaemonWithCert) read from the token as an identity to proceed next.
Any idea would be appreciated.
...ANSWER
Answered 2018-Mar-20 at 19:42
A feature like this is not currently supported in Azure Active Directory. Multiple certificates added to a single application are all interchangeable, and using a specific one does not affect any part of the authentication experience, including claims in the token.
Remember that an Application Object represents a single application identity. If you are trying to represent multiple applications, you should adopt a different design pattern:
For example, if you are trying to support a multi-tenant application where each tenant has their own secret, then you should be using the tenant specific Service Principal to register the custom certificate.
If you are trying to represent multiple different application identities, then you should register multiple applications, each with their own certificate.
Let me know if this helps.
QUESTION
OK, so I am creating a new project in VS2017 for an ASP.Net Core 2.0 API. I have an Azure AD set up and on the wizard to set up a new project, I select Change Authentication and choose "Work or School account" then enter the name of my Azure AD (i.e. mycompany.onmicrosoft.com). The project gets created and I can see the addition of this code in the Startup.cs
...ANSWER
Answered 2017-Dec-19 at 06:43
Put simply, you need an access token.
How do you get an access token? Through an authentication flow like OAuth Client Credentials: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service.
Or you might need to use OpenID Connect: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code.
Client credentials will make the call as an app, while OIDC (and some other flows) allows you to call the API as a user.
You will have to call as a user unless you add some permissions: https://joonasw.net/view/defining-permissions-and-roles-in-aad
Anyway, you will have to register the app that will call the API, and give it access to the API.
QUESTION
I want to lookup people Name and email address using their ADID/SAMAccountName/UPN from a console app running with its own credentials and not under my account.
How would I do this with Microsoft Graph?
I was following up on https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2 but that seems to require admin access. (BTW is there an easy way to figure out the admin on my company's graph?)
I did look up LDAP querying but domain limitations limit the search scope, and would rather do this via Microsoft Graph.
...ANSWER
Answered 2017-Jul-21 at 14:41
Accessing Microsoft Graph without user credentials (i.e. using the OAUTH client credentials flow) requires Admin Consent for your application. Typically this consent would be handled by your IT department.
QUESTION
In my scenario, I'm attempting to automate creation of one of my AAD applications in order for it to make calls to another WebAPI service (different AAD app) using the instructions laid out for Daemon processes here:
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-daemon/
I've been able to automate creation of the AAD application and the required access key via PowerShell.
Here's how I create the application with the key added:
...ANSWER
Answered 2017-Jun-17 at 05:19
To assign permissions you would need to use New-AzureRmRoleAssignment. That will allow you to assign permissions to an object (user\group\application) at a certain scope. If you need built-in role you are good to go. If you need to create a role use New-AzureRmRoleDefinition.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported