0
votes

Hi, we have created a native application in AAD and we are trying to get the access token from Azure using ADAL4J in our Java application. The following is the snippet:

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

    AuthenticationContext authContext;
    AuthenticationResult authResult;
    // Username/password (ROPC) flow for a native app against the tenant endpoint
    String loginUrl = "https://login.microsoftonline.com/" + TENANTID + "/oauth2/authorize";
    ExecutorService service = Executors.newFixedThreadPool(1);
    authContext = new AuthenticationContext(loginUrl, false, service);
    // Ask for a token for Azure Resource Manager on behalf of the signed-in user
    Future<AuthenticationResult> future = authContext.acquireToken("https://management.azure.com/", clientId, username, password, null);
    authResult = future.get();
    System.out.println("Token :" + authResult.getAccessToken());

But recently our organisation has enabled multi-factor authentication, and since then we are getting the error below.

java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '797f4846-ba00-4fd7-ba43-dac1f8f63013'.\r\nTrace ID: c0ac222e-5a9b-417e-8360-d42712f43c00\r\nCorrelation ID: 96cc11c4-3196-448d-a416-a9373b8059a6\r\nTimestamp: 2018-08-13 12:57:59Z","error":"interaction_required"}

Please help me on how I can fix this error. The ADAL4J version is 1.1.3.

I have created app registrations using the steps below:

[three screenshots of the app registration steps]

Please let me know what I'm missing, as I see it is displaying for your account but not for my account. MFA is enabled for my tenant.

1 Answer

0
votes

Please help me on how I can fix this error. The ADAL4J version is 1.1.3.

If the user is enabled for multi-factor authentication, we can't use that flow to get an access token to access the resource directly.

The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

We are trying to get the access token from Azure using ADAL4J in our Java application.

You could register an Azure AD web application and use the following way instead of the username and password to get the access token. For how to register an Azure AD web app and get the secret key from it, please refer to this tutorial.

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;

String authority = "https://login.microsoftonline.com/{tenantId}";
String resourceUrl = "https://management.azure.com";
ExecutorService service = Executors.newFixedThreadPool(1);
AuthenticationContext context = new AuthenticationContext(authority, true, service);
// Acquire Token with the web app's id and secret (client credentials flow, no user sign-in)
Future<AuthenticationResult> result = context.acquireToken(
        resourceUrl,
        new ClientCredential(APP_ID, APP_SECRET),
        null);
String token = result.get().getAccessToken();

Update:

Added the demo code for getting subscriptions. If you get an empty list, it means that there is no subscription in your tenant.

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;

String authority = "https://login.microsoftonline.com/{tenantId}";
String resourceUrl = "https://management.azure.com";
ExecutorService service = Executors.newFixedThreadPool(1);
AuthenticationContext context = new AuthenticationContext(authority, true, service);
// Acquire Token with the web app's id and secret (client credentials flow, no user sign-in)
Future<AuthenticationResult> result = context.acquireToken(
        resourceUrl,
        new ClientCredential(APP_ID, APP_SECRET),
        null);
AuthenticationResult authResult = result.get();
String token = authResult.getAccessToken();
// Call Azure Resource Manager: list the subscriptions visible to this service principal
HttpClient client = HttpClientBuilder.create().build();
HttpGet request = new HttpGet("https://management.azure.com/subscriptions?api-version=2016-06-01");
request.addHeader("Authorization", authResult.getAccessTokenType() + " " + token);
HttpResponse response = client.execute(request);
HttpEntity entity = response.getEntity();
// Read the contents of the entity and return it as a String.
String content = EntityUtils.toString(entity);
System.out.println(content);
service.shutdown();

Test Result:

[screenshot of the test result]

Update2:

How to switch the directory with Azure portal.

[screenshot: switching directory in the Azure portal]

Try it with the List Subscriptions REST API directly.

[screenshot: List Subscriptions REST API response]
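The answer replaces the user with a service principal (client credentials), which is the right fix when no user identity is needed. When the token must stay tied to the signed-in user and the asker's native (public client) registration is to be kept, the alternative is to stop using the password flow once AAD reports that interaction is required and switch to an interactive flow that can complete MFA. The following is an added example, not code from the question or the answer: it detects the `"error":"interaction_required"` / AADSTS50076 body that ADAL4J wraps in the `AuthenticationException` (exactly the error shown in the question) and falls back to the device code flow. Assumptions: the tenant id, client id and environment variable names are placeholders, and the device code methods `acquireDeviceCode` / `acquireTokenByDeviceCode` come from an ADAL4J release that includes them, which the 1.1.3 named in the question may not; check the release you build against.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.DeviceCode;

/**
 * Added example (not from the question or the answer): detect the MFA-triggered
 * "interaction_required" error from the username/password flow and fall back to an
 * interactive flow that can satisfy MFA, instead of retrying the password.
 */
public class MfaAwareTokenAcquirer {

    // Constructed placeholders: substitute your tenant id and the native app's client id.
    static final String TENANT_ID = "<tenant-id>";
    static final String CLIENT_ID = "<native-app-client-id>";
    static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT_ID;
    static final String RESOURCE = "https://management.azure.com/";

    /**
     * True when any exception in the chain carries the AAD error body that says the
     * user must sign in interactively (the "error":"interaction_required" / AADSTS50076
     * body shown in the question). future.get() wraps the AuthenticationException in an
     * ExecutionException, so the whole cause chain is walked.
     */
    static boolean isInteractionRequired(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String msg = c.getMessage();
            if (msg != null && (msg.contains("\"error\":\"interaction_required\"")
                    || msg.contains("AADSTS50076"))) {
                return true;
            }
        }
        return false;
    }

    /** Username/password (ROPC) flow: fails with interaction_required once MFA applies. */
    static AuthenticationResult acquireWithPassword(AuthenticationContext ctx,
            String username, String password) throws Exception {
        Future<AuthenticationResult> f = ctx.acquireToken(RESOURCE, CLIENT_ID, username, password, null);
        return f.get();
    }

    /**
     * Device code flow: the user opens the verification URL in a browser, enters the code
     * and completes MFA there. This process never handles the password or the second factor.
     * Assumption: an ADAL4J release that includes acquireDeviceCode/acquireTokenByDeviceCode.
     */
    static AuthenticationResult acquireWithDeviceCode(AuthenticationContext ctx) throws Exception {
        DeviceCode code = ctx.acquireDeviceCode(CLIENT_ID, RESOURCE, null).get();
        System.out.println("Open " + code.getVerificationUrl() + " and enter code " + code.getUserCode());
        // Polls the token endpoint until the user finishes sign-in or the code expires.
        return ctx.acquireTokenByDeviceCode(code, null).get();
    }

    public static void main(String[] args) throws Exception {
        // Credentials come from the environment (placeholder variable names), never from source code.
        String username = System.getenv("AAD_USERNAME");
        String password = System.getenv("AAD_PASSWORD");

        ExecutorService service = Executors.newFixedThreadPool(1);
        try {
            AuthenticationContext ctx = new AuthenticationContext(AUTHORITY, true, service);
            AuthenticationResult result;
            try {
                result = acquireWithPassword(ctx, username, password);
            } catch (ExecutionException e) {
                if (!isInteractionRequired(e)) {
                    throw e; // any other failure is surfaced; the password is not retried
                }
                System.out.println("MFA required for this account; switching to device code sign-in");
                result = acquireWithDeviceCode(ctx);
            }
            System.out.println("Token acquired for " + result.getUserInfo().getDisplayableId()
                    + ", expires " + result.getExpiresOnDate());
        } finally {
            service.shutdown();
        }
    }
}
```

The fallback is only taken on `interaction_required`; a wrong password, a disabled account or a network error is rethrown rather than masked by a second prompt. The token returned by the device code flow carries the user's identity and the MFA claim, so it satisfies the same conditional access policy that rejects the password flow.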