0
votes

Background information.
I have an application (MS Teams Bot) that I have hosted in Microsoft Azure as an "App Service". This application has its own application Id. In its "Settings" I have amended the "Authentication/Authorization" to be enabled as such,
auth for app service

Azure ad info

So I have created a new Azure Active Directory Application within my existing app service in Azure. Now this application has its own application ID and key. The Multi-tenant feature has been enabled on this.
azure app id
This application has the following permissions,
azure app permissions
Application permissions.
app permissions
Delegated permissions.
Problem.
I have 2 unrelated environments in Azure. One (we can call this Azure A), which is for hosting test applications, and the other (Azure B) is for hosting live applications and is host to our live active directory. My bot application is in Azure A, but when a user from Azure B uses the bot, the bot tries to authenticate the user against the active directory it came from and is unable to do so. My bot application gains an access token to run against the API "https://graph.microsoft.com", which it successfully acquires. Here I have a class which acquires an access token for my bot application to run against,

using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

class AzureAuthenticationProvider : IAuthenticationProvider
{
    public async Task AuthenticateRequestAsync(HttpRequestMessage request)
    {
        string clientId = "client-id";         // azure ad app id
        string clientSecret = "client-secret"; // azure ad app secret

        // Authentication URI. tenant-id taken from Azure B
        string authority = "https://login.microsoftonline.com/tenant-id";

        AuthenticationContext authContext = new AuthenticationContext(authority);
        ClientCredential creds = new ClientCredential(clientId, clientSecret);

        // App-only (client credentials) token for Microsoft Graph
        AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", creds);

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
    }
}

I then run the following to try and access user information from Azure B,

GraphServiceClient client = new GraphServiceClient(new AzureAuthenticationProvider());
string userId = "<user object id from Azure B>"; // placeholder: the target user's object id
User user = await client.Users[userId].Request().GetAsync();

I then receive the following error,

Microsoft.Graph.ServiceException: Code: Authorization_IdentityNotFound Message: The identity of the calling application could not be established.    

So my questions are,
i) Should the client id and secret used in AuthenticateRequestAsync() be of the Azure Active Directory application or should this be taken from my bot application? These 2 are run in the same app service in Azure A.
ii) If the Azure Active Directory application has multi-tenant enabled for it, will it be able to authenticate against users from an active directory from outside of my domain?
iii) I suspect the authentication URI has to contain the tenant id of where the user is from (Azure B) and not the tenant id of where the application is hosted (Azure A), is this correct?


1 Answers

0
votes
  1. From the AAD registration:

    • clientId = Application ID of the AAD Application.
    • clientSecret = the generated key of the AAD Application.

  2. Yes, this is one of the use cases of the multi-tenanted solution.

  3. In this instance, you want to use the /common endpoint (https://login.microsoftonline.com/common). This will authenticate the user against the tenant they live in.

    If it were a single-tenant application, you would use /{tenant-id} in place of /common. Also, note the /common endpoint isn't supported with the client_credential OAuth flow.
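A quick way to confirm which tenant actually issued the app-only token the bot acquired (the point behind question iii and the /common caveat above) is to read the token's claims before sending it to Graph. This is an added diagnostic, not code from the question or the answer; it assumes the standard AAD v1 access-token claim names `aud`, `tid`, `appid` and `roles`, and the sample token is constructed and unsigned.

```python
import base64
import json
import time

GRAPH_AUDIENCES = {"https://graph.microsoft.com", "https://graph.microsoft.com/"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    # Inspection only: the payload is read WITHOUT verifying the signature,
    # so use this to see what AAD issued, never to decide whether to trust it.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(token: str, expected_tenant: str, expected_client_id: str, now=None) -> list:
    # Returns a list of mismatches; an empty list means the token is for the
    # tenant (Azure B), the app registration and the API the bot intended.
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"aud={claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("tid") != expected_tenant:
        problems.append(f"tid={claims.get('tid')!r}: issued by a different tenant than {expected_tenant}")
    if claims.get("appid") != expected_client_id:
        problems.append(f"appid={claims.get('appid')!r}: not the expected AAD application")
    if not claims.get("roles"):
        problems.append("no 'roles' claim: no application permissions are consented in this tenant")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed sample for offline demonstration; the signature segment is a placeholder.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"
```

Run `check_app_token` on the `AccessToken` the bot obtains; a `tid` that is not Azure B's tenant id, or a missing `roles` claim, explains an Authorization-type failure from Graph before any request is made.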