Microsoft Identity Platform

From MgmtWiki
Jump to: navigation, search

Full Title

Microsoft Identity Platform allows sign in with a Microsoft personal or work account.

AKA Microsoft Graph in early 2021 as a replacement for Azure AD Graph.

Context

Microsoft has their own terminology, the following applies to Azure Active Directory (AAD) application management

Term Description
Active Directory Microsoft's Identity and Access Management (IAM) system
On Premise not in Azure
Portal A GUI to control an Azure Tenant(s).
Tenant A named administrative entity on Azure
Enterprise App Named software application that needs to know the identifier for users
MyApps A Microsoft site that list all of the apps you have access to
SSO Single Sign-On is the use of Azure AD for user access to more than one app or API.
Principal An Identifier that owns a running process on Windows.
User A Principal on a computing device, typically a smartphone or laptop. It MIGHT identify a human.
Conditional Access Additional annoyance placed in the path of user access to an app.
User Agent a software application that interfaces between a human user and the internet. Typically a browser.
Application Proxy Any code between your app and AAD.
OIDC OpenID Connect (as well as SAML) is a protocol to access AAD.
OAuth client Used synonymously with Relying Party (see RP)
IdP Identifier Provideer (may also include attributes or claim of the subject)
OP OpenID Provider (one form of IdP) as per [OIDC.Core]
SIOP Self-Issued OpenID Provider as per [OIDC.Core] section 7.
RP Relying Party, as used in [OIDC.Core] for any website the relies on claims produced by a CP for example an OP.
CP Claims provider, Certificate Provider, Credential Provider, Credential Service Provider, etc.
Identifier Wallet An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc.
Trust Authority A URL endpoint that contains the references that define, inter alia, the operation of the picker and of the wallets
Trusted Wallet code trusted by one or more Trust Authorities to protect user secrets and perhaps to validate user presence.

Problems

  • The package Microsoft.Identity.Web requires that a new trusted signer key is added to nuget.config (2020-10-06). The following command fixed this.
nuget.exe trusted-signers Add -Name Microsoft2021 -CertificateFingerprint AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27 -FingerprintAlgorithm SHA256

Install and Run

Run the following command in PowerShell to open port 5000 of board:

 netsh advfirewall firewall add rule name=”ASP.NET Core Web Server port” dir=in action=allow protocol=TCP localport=5000

Troubleshooting

  • We're unable to complete your request - unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
  • Trouble with Application Management certificates.
  • Using powershell with Application Management
  • AADSTS700016: Application with identifier '4ab79763-17de-4d91-a797-69ea667c6cb7' was not found in the directory 'aaaaaaaaa'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant (where the tenant had been set to "common") The error means that there is a mismatch between the tenant where your app is registered and where you have stated in either the application code or the portal that your application is registered. In your code for the application you need to set the tenant ID. This is generally located in either the web.config or the app settings. Then you need to register the application in the portal under the same tenant ID that you have set in your code. Also ensure that your application ID/client ID are matching on both sides and all of the values set in your app settings/web.config match what you have in the portal.
  • AADSTS50020: User account 'tom@tomcjones.onmicrosoft.com' from identity provider 'https://sts.windows.net/8b3032c7-772d-4996-9cdf-542bd3c057fb/' does not exist in tenant 'Default Directory' and cannot access the application '647796f4-c852-424d-bc3e-8ff7377b01d5'(TomCJones) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. << problem tomcjones.on~ had to use the domain name that was provided already in Azure.

User Application Development

  • Since this platform is based on OpenID Connect (OIDC) user applications are considered to be clients ins the sense described in OAuth 2.0.
  • Apps first call PublicClientApp = PublicClientApplicationsBUilder.Create(ClientID).{other options}.Build().
  • call PublicClientApp,GetAccountsAsync() and pick one of the proffered accounts.

Registration

  • The Microsoft Graph API offers a single endpoint, https://graph.microsoft.com, to provide access to rich, people-centric data and insights in the Microsoft cloud, including Microsoft 365, Windows 10, and Enterprise Mobility + Security.
  • Configure how end-users consent to applications The guidance "reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, by allowing user consent only for applications that have been published by a verified publisher." was not followed during development and needs to be enabled.
  • Admin consent workflow allows the user to ask an admin to approve an app.

References