I have an Azure REST API which can be reached by entering a username/password.
How can I get access to this API from C#?
After a little searching, I found something about using AuthenticationContext, but it didn't work for me: AuthenticationContext.AcquireToken(resource, clientId, credential);
Where can I get the 'resource' parameter and the ClientID?
Thanks a lot
I based most of my work on this post that laid some groundwork.
You need to create a Native Application in your Azure AD first and add the Windows Azure Service Management API permission.
The ClientID is obtained from this App.
This is the code I'm currently using to obtain a Token that can be used with the Management SDK:
string userName = "yourUserName";
string password = "yourPassword";
string directoryName = "yourDirectory.onmicrosoft.com";
string clientId = "{ClientId obtained by creating an App in the Active Directory}";
// The user name is passed in UPN form: user@directory
var credentials = new UserPasswordCredential(string.Format("{0}@{1}", userName, directoryName), password);
var authenticationContext = new AuthenticationContext("https://login.windows.net/" + directoryName);
var result = await authenticationContext.AcquireTokenAsync("https://management.core.windows.net/", clientId, credentials);
var jwtToken = result.AccessToken;
// Example accessing the Azure CDN Management API
string subscriptionId = "xxxx-xxxxxx-xxxx-xxxxxxx";
using (var cdn = new CdnManagementClient(new TokenCredentials(jwtToken)) { SubscriptionId = subscriptionId })
{
    // do something...
}
Your directory name can be obtained in the Azure Portal > Azure AD section, on Domain names.
I have an ASP.NET application that uses Azure AD authentication; however, I want to connect to the Azure database using the logged-in user's identity. "Active Directory Integrated" is not working for this scenario.
When a user logs into my application using the Microsoft login page, the same user (not the application identity) should be able to log in to the database and perform some execution.
You can refer to the code below:
public async Task<string> GetTokenForApplicationAsync()
{
    string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
    string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
    string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
    // get a token for the Graph without triggering any user interaction (from the cache, via multi-resource refresh token, etc)
    ClientCredential clientcred = new ClientCredential(Startup.ClientId, Startup.AppKey);
    // initialize AuthenticationContext with the token cache of the currently signed in user, as kept in the token cache
    AuthenticationContext authenticationContext = new AuthenticationContext(Startup.AadInstance + tenantID, new ADALTokenCache(signedInUserID));
    AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenSilentAsync("https://database.windows.net/", clientcred, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
    return authenticationResult.AccessToken;
}
Here is a web app sample which integrates with Azure AD and gets an access token for calling the Microsoft Graph API. Just replace the GraphResourceId with https://database.windows.net/.
I want to access one API by its Client Credential directly, not via any web application.
private async Task<string> GetAutheticationToken(string APITypeSelected, string APIKeySelected=null)
{
    string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    string tenant = ConfigurationManager.AppSettings["ida:AADTenant"];
    string appKey = ConfigurationManager.AppSettings[APIKeySelected];
    string apiID = ConfigurationManager.AppSettings[APITypeSelected];
    //appKey = HttpUtility.UrlEncode(appKey);
    string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
    using (HttpClient client = new HttpClient())
    {
        Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authContext = null;
        ClientCredential clientCredential = null;
        authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority);
        //encodeURIComponent(client_secret);
        clientCredential = new ClientCredential(apiID, appKey);
        AuthenticationResult authResult = null;
        authResult = await authContext.AcquireTokenAsync(apiID, clientCredential);
        return authResult.AccessToken;
    }
}
While executing, I am getting the below error (AADSTS501051) on this line:
authResult = await authContext.AcquireTokenAsync(apiID, clientCredential);
AADSTS501051: Application '{API GUID}'(DEV-API) is not assigned to a
role for the application '{API GUID}'(DEV-API).
Do I have to give API permission to itself?
What do I need to do?
Thanks,
First you need to make a user role for the application if app assignment is required. If not, there is no problem. If app assignment is required, go back to API permissions and in my API give permission for the created role; see the Microsoft documentation URL:
https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-registration
Ahh so you want an access token to the API itself? Not sure if that's possible..
If this is in another app, it should be registered as another app in Azure AD.
It can then require application permissions on the API and call it via client credentials.
You can see how to define permissions here: https://joonasw.net/view/defining-permissions-and-roles-in-aad
If this is within the same app, it sounds odd that it would acquire a token for itself.
This error message indicates that you need to add an "App role" to your app registration. You can do so by first adding a new App role on {API GUID}
and then assigning the app {API GUID} this role (don't forget to give admin consent).
Essentially what is happening here is that your app registration {API GUID} got a role on {API GUID} to create access tokens for the audience {API GUID}, so: itself.
When you use "authContext.AcquireTokenAsync(apiID, clientCredential);" to get the access token, you need to use the identifierUri of your AD application as the resource.
For example:
string tenantId = "your tenant id or name, for example: hanxia.onmicrosoft.com";
string clientId = "your client id";
string resource = "the identifierUri of your ad application ";
string clientSecret = "";
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
var context = new AuthenticationContext("https://login.microsoftonline.com/" + tenantId);
// AcquireTokenAsync returns a Task, so it has to be awaited
AuthenticationResult result = await context.AcquireTokenAsync(resource, clientCredential);
For more details, please refer to the document.
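The answers above turn on two claims in the issued token: `aud` (set from the resource that was requested) and `roles` (the app roles assigned to the calling application). The following is an added example, not code from the original posts, that decodes a token payload and checks both; it assumes a .NET runtime with System.Text.Json, and the audience `api://dev-api` and role `Api.Access` are constructed placeholders.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenClaimCheck
{
    // Base64url-decode one JWT segment ('-'/'_' alphabet, padding stripped).
    static byte[] DecodeSegment(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    static string EncodeSegment(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Diagnostic only: decodes the payload, does NOT verify the signature.
    // Returns "ok" or the reason the token would not fit the API.
    public static string Check(string jwt, string expectedAudience, string requiredRole)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return "not a three-part JWT";
        using (var doc = JsonDocument.Parse(DecodeSegment(parts[1])))
        {
            var root = doc.RootElement;
            if (!root.TryGetProperty("aud", out var aud)
                || aud.ValueKind != JsonValueKind.String
                || aud.GetString() != expectedAudience)
                return "aud does not match the resource requested";
            if (!root.TryGetProperty("roles", out var roles)
                || roles.ValueKind != JsonValueKind.Array
                || !roles.EnumerateArray().Any(r =>
                       r.ValueKind == JsonValueKind.String && r.GetString() == requiredRole))
                return "roles claim is missing " + requiredRole;
            return "ok";
        }
    }

    static void Main()
    {
        // Constructed sample tokens (unsigned, placeholder values), not real ones.
        string header = EncodeSegment("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        string withRole = header + "." + EncodeSegment(
            "{\"aud\":\"api://dev-api\",\"roles\":[\"Api.Access\"]}") + ".";
        string noRole = header + "." + EncodeSegment("{\"aud\":\"api://dev-api\"}") + ".";
        Console.WriteLine(Check(withRole, "api://dev-api", "Api.Access"));
        Console.WriteLine(Check(noRole, "api://dev-api", "Api.Access"));
    }
}
```

The receiving API still has to validate the token's signature, issuer and lifetime before trusting either claim.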
I have a c sharp class library that connects to Azure Analysis Services using the AMO library.
I'd like to use this as part of my data factory pipeline to refresh cube partitions. This is done through Azure batch as a custom .net activity.
var server = new Server();
server.Connect("Provider=MSOLAP;Data Source=asazure://uksouth.asazure.windows.net/abcd;Initial Catalog=xyz");
Running this locally works fine, however this will not run in the cloud. It currently errors out as it is not being run under my user account. I know that I can add a username and password to the connection string, but I would much rather give it some form of authorisation if that is possible.
Are there any other methods for authenticating with Azure Analysis services?
It's possible to connect to AAS using a service account now.
See a working example of a custom activity here.
The connection part of it can be simplified as:
var authority = "https://login.windows.net/<tenant-id>";
var resource = "https://southcentralus.asazure.windows.net";
var appId = "***";
var appSecret = "***";
AuthenticationContext authContext = new AuthenticationContext(authority);
ClientCredential credentials = new ClientCredential(appId, appSecret);
var task = authContext.AcquireTokenAsync(resource, credentials);
task.Wait();
string token = task.Result.AccessToken;
var connectionStringTemplate = "Provider=MSOLAP;Data Source=asazure://southcentralus.asazure.windows.net/xxxxxx;Initial Catalog= xxx;User ID=;Password={0};Persist Security Info=True;Impersonation Level=Impersonate";
var connectionString = string.Format(CultureInfo.InvariantCulture, connectionStringTemplate, token);
var server = new Server();
server.Connect(connectionString);
You need to give your service account access to the AAS model in the format app:<appId>@<tenantId>.
I'm assuming that you can register a service principal within the context of your Azure Active Directory that can be used by the custom activity code to authenticate against SSAS. This is certainly the case for other services like Azure Data Lake.
For example, create your credential using a method like this:
private static ServiceClientCredentials AuthenticateAzure(string domainName, string clientID, string clientSecret)
{
    SynchronizationContext.SetSynchronizationContext(new SynchronizationContext());
    var clientCredential = new ClientCredential(clientID, clientSecret);
    return ApplicationTokenProvider.LoginSilentAsync(domainName, clientCredential).Result;
}
Check out this MS docs page on service to service authentication:
https://learn.microsoft.com/en-us/azure/data-lake-store/data-lake-store-authenticate-using-active-directory
If not, you might have to do this using Azure Functions instead...
https://azure.microsoft.com/en-gb/blog/automating-azure-analysis-services-processing-with-azure-functions/
Hope this helps.
I need a server-side task on my .NET 4.6.1/MVC 5 app that will periodically check a specific O365 email address for new emails and retrieve them if found. This seems like a stupidly simple task, but I cannot find documentation anywhere for creating a server-side process to accomplish this. The only documentation Microsoft seems to have is for OAuth2 and passing through credentials when users sign in. I don't want that. I want to check one specific account, that's it. How would I accomplish this?
These are the pages I've found. There are others, but all are along these lines.
Intro to the Outlook API - I don't see a way to use a service account with the v2 endpoint.
Get Started with the Outlook REST APIs - This is specific to logging users in with OAuth2, unhelpful for my purposes.
Intro to the Outlook API - I don't see a way to use a service account with the v2 endpoint.
The v2 endpoint doesn't support client credentials at present (refer to the limitation). You need to register/configure the app using the Azure portal and use the original endpoint to authenticate the app. For more detail about registering the app, please refer to here. And we need 'read mail in all mailboxes' to use the client credential to read the messages, like the figure below.
And here is the code that uses the client credential to read messages using Microsoft Graph:
string clientId = "";
string clientsecret = "";
string tenant = "";
string resourceURL = "https://graph.microsoft.com";
string authority = "https://login.microsoftonline.com/" + tenant + "/oauth2/token";
string userMail = "";
// App-only token acquired with the client credential
var accessToken = new TokenHelper(authority).AcquireTokenAsync(clientId, clientsecret, resourceURL);
var graphserviceClient = new GraphServiceClient(
    new DelegateAuthenticationProvider(
        (requestMessage) =>
        {
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
            return Task.FromResult(0);
        }));
// Read the mailbox identified by userMail, newest messages first
var items = await graphserviceClient.Users[userMail].Messages.Request().OrderBy("receivedDateTime desc").GetAsync();
foreach (var item in items)
{
    Console.WriteLine(item.Subject);
}

class TokenHelper
{
    AuthenticationContext authContext;

    public TokenHelper(string authUri)
    {
        authContext = new AuthenticationContext(authUri);
    }

    public string AcquireTokenAsync(string clientId, string secret, string resourceURL)
    {
        var credential = new ClientCredential(clientId: clientId, clientSecret: secret);
        var result = authContext.AcquireTokenAsync(resourceURL, credential).Result;
        return result.AccessToken;
    }
}
In addition, if we authenticate the app with the code grant flow, we can also create a subscription which notifies the app when the mailbox receives new messages (refer to webhooks/subscription).
I created a native client application. I got the access token result from Azure AD by following the article given below:
https://msdn.microsoft.com/en-us/library/dn531009.aspx
The code is given below:
Uri serviceUrl = new System.Uri(CrmServiceUrl + "/XRMServices/2011/Organization.svc/web");
string _oauthUrl = "https://login.windows.net/00000000-0000-0000-0000-000000000000/oauth2/authorize"; // DiscoveryAuthority
String resource = "https://****.crm.dynamics.com/";
authenticationContext = new AuthenticationContext(_oauthUrl, false);
//custom test code
AuthenticationResult result = authenticationContext.AcquireToken(resource, _clientID, serviceUrl, PromptBehavior.Auto);
return result.AccessToken;
Now my question is this: how can I create a service proxy from that "Access token" to make CRUD operations?
Is it possible to create a record in Dynamics CRM using the access token or not?
Your response would be appreciated.
Thanks.