Is there a possible framework or connection to make to make it possible to receive the AD Groups an user is part of using Azure AD from a Xamarin iOS app.
I have the authentication part down using ADAL but in the iOS app I want to display certain parts or hide certain parts based on what roles the user has within the domain.
To get group information you should use the Microsoft Graph. You'll need to add some delegated permissions to your app in the Azure Portal, then sign in the user, and finally can make an http request to get the group info providing the access token from the authentication.
The endpoints that will be useful for doing group operations are listed out here.
Related
We want to build a Sass application. We separated individual servers/instances and DB for every customer.
Our sass model:
As part of our app, we want to use Azure Ad (Multitenant) for Identity management. We have a few cases:
Our few customers don't have organizational email then how can we manage them in Azure ad (they have maybe Gmail)
We decided to set application-level roles/permission for every API endpoint, for this scenario how to manage those roles/permission in the azure ad, Who is responsible for assigning those roles to every client's users after onboarding?
For every company, we have a users limit then how can we restrict a company's users (like only 5 users from a company able to use our application)
We have a special case like module-based permission for our customers. How can we manage this?
When an organization/company starts to use our application, If we want to give them an admin panel where they are able to manage their permission-related stuff, like adding or removing roles to their users, is it possible? (all roles/permissions are fixed from our side, they only assigned those roles to their users)
++Our few customers don't have organizational email then how can we manage them in Azure ad
->You can invite them into the tenant, then they can use their gmail account to sign in the tenant.
++set application-level roles/permission for every API endpoint ... how to manage... responsible for assigning ..
->I can't understand it but I think it's based on your requirement, user who has admin role may take the responsibility.
++have a users limit then how can we restrict a company's users...
->follow this document to set who can use the azure ad application you registered for the authentication to sign in the application.
++module-based permission for our customers
-> role management?
++adding or removing roles to their users, is it possible
-> if there's no admin panel for each company, then you may follow this answer to set role for users and validate if the access token contained correct role so that this user can access the page.
Let's assume you had an application which has a frontend app as the client and an web api project as the server. Then in the front app, you need to integrate msal lib to let users sign in with their user#xx.onmicrosoft.com account or gmail account. Then the frontend app need to generate access token and call api via it. The token should contain enough information so that the api can validate if the token had enough priority to get the data. And in the frontend app, you also need to control the page direct via the access token or id token.
Then here's the official sample document.
In the end, azure ad provides user management and sign in feature. It also provides api management feature. If you have any other questions, I recommend you creating a new question with more specific requirement.
I'm doing a POC of a an application for use on a touch screen device running windows 10.
The currently UWP (although open to nearly any app that can run full screen for a kiosk) app already has a webview control and I can control the url where I want to navigate to. In some situations, I'd like to navigate to a 3rd party webapp that is using Azure AD authentication.
Interactively, we can login but I'd like to have the login happen automatically using a known azure ad username and password or ideally a certificate we can install on the device. We don't own the web app (so we can't change any properties on it) but its connected to our Azure AD tenant so we own the azure ad app configuration. The web application does not have API's yet to consume the information. The device uses local accounts, per the guidance on https://learn.microsoft.com/en-us/windows/configuration/kiosk-prepare.
I've used the (Public/Confidential)ClientApplicationBuilder which works for getting tokens to talk to web apis but I'd like to do a form post to something (https://login.microsoftonline.com/{tenantid}) ? and then redirect to the web app when done. I've looked into OAuth 2.0 Resource Owner Password Credentials (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) and it seems the closest but I'm not sure how to take the access token I receive and somehow save it (in a cookie?) so the web app will log the user in when navigated to. I'm sure I could watch the various URLS and fill in the credentials programatically but that seems wrong. I've reviewed the various Azure AD samples but I've not seen one that fits my scenario (which might indicate a flaw in the plan...).
Problem Statement:
I'm trying to create a module in C# console application that I intend to plug and use in Azure Bot once it is operational. I want to connect my bot with Azure DevOps. I am able to do that with PAT token but I need the bot to only display the resources from DevOps on which the logged in user has access.
Attempts:
I am able to get the necessary details using PAT token. It gives me all projects irrespective of the logged in user details.
I have tried to use the Azure AD token for the logged in user but it gives me unauthorized error on trying to use it to invoke Azure DevOps REST APIs
Referred this article but I am unable to get the auth code or token silently.
To summarize, I'm basically looking to:
Obtain a user token for Azure DevOps silently (without user confirming with a click)
Use REST APIs to fetch details like projects, work items etc.
A Personal Access Token inherits the permissions from the user that created it. So if you, as a project collection administrator, create a token, that token has the samwe permissions as you do.
Unfortunately there is no public REST API that you can use to create a token at runtime. They have to be created by a logged in user through the portal.
Another option is using OAuth. OAuth asks the user to login and then gives you a token that you can use in the REST APIs. Unfortunately that doesn't meet your criteria where a user doesn't have to do anything,
The only other way I see is adding the users to the resources they have permissions for. Then from your REST API you can use the admin PAT to check their permissions and then retrieve only what they are allowed to see. Which also isn't really pretty :-(
I am trying to enable cross app SSO into our Xamarin apps so that if a user has installed and signed in to one of the apps, he is automatically logged in to other apps of my organization. The following document claims to achieve the requirement
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-sso-android. We are following the non broker assisted login flow.
I have carefully fulfilled the three conditions stated below-
The apps are using the same android:sharedUserId in the manifest file.
The native client used for them is the same. Only the redirect url is different for the apps.
All of them are signed using the same keystore.
But still the functionality is not yet achieved. When i installed and logged in to one app, the second app is still prompting for credentials when i try to acquire the access token using the below line
authResult = await authContext.AcquireTokenAsync(resource, clientId, new Uri(returnUri), new PlatformParameters((Activity)Forms.Context));
Kindly help me know if there is something that i can do to achieve that.
Due to restrictions in Xamarin.Forms, SSO without a broker (Microsoft Authenticator or Company portal) does not work with current version of ADAL.
We have a work item to update the documentation.
This is a Xamarin.Forms issue. In order for SSO to work across apps without broker, you need to enable the "Ignore Security" flag, which is not recommended. This requires the app name to be hardcoded and "ignore security".
For example: Application.Context.CreatePackageContext(“com.companyname.ReproApp1”, PackageContextFlags.IgnoreSecurity).GetSharedPreferences(..)…
For the time being, it's recommended to use broker for SSO. You can use Authenticator for both iOS and Android.
I have been working in Facebook ad API. I am able to create abs in sandbox mode as well live mode. Our application is approved. I am getting a strange issue when I try to create ad for my facebook pages its created but when any other user tries to create ad its giving error message like
"{"error":{"message":"Unsupported post request. Object with ID 'act_facebookadaccountid' does not exist, cannot be loaded due to missing permissions, or does not support this operation. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api","type":"GraphMethodException","code":100,"error_subcode":33,"fbtrace_id":"B27E15+gMhB"}}"
We have taken following permission
business_management
manage_pages
Ads Management
Basic Access
My main aim is my customer can connect with our app they can select page for whom they want to run ad and create ad using our app.
Please help me to sort out this
This may have to do with your access level? You need Standard access so any ad account may be used. Otherwise you are limited to the max. 25 ad accounts you specify in the Ads API account configuration tool.
https://developers.facebook.com/docs/marketing-api/access/#limits