通过用户名和密码从Azure广告获取AccessToken

Question

I have a Native Client registered in our Azure AD.

When i'm using

var ar = _context.AcquireToken(resource, clientId, returnUri);

It opens the Prompt for Username and Password. If I enter them correctly I get a valid AccessToken and everything is fine.

When I'm now trying to enter the credentials in code, via UserCrendtial:

var credential = new UserCredential("username", "password");

var ar = _context.AcquireToken(resource, clientId, credential);

But both resulting in an Error when I'm trying it with the directly entered Credentials.

AADSTS65001: No permission to access user information is configured for '4915f024-blah-blah-blah-f580ab5b0487' application, or it is expired or revoked.

I have tried the normal (string, string) and the (string, SecureString) overload of the UserCredential. I have tried it with the exact same combination of username & password, which I have entered in the Prompt, of the first overload from AcquireToken.

I have also tried to give the Application in Azure all the Delegated Permissions:

• Read directory data
• Read and write directory data
• Access your organization's directory

And added Windows Azure Service Management API Application with Permission:

• Access Azure Service Management

Nothing helped.

As a sidenote, the Application in the Azure has permissions to a SharePoint O365 Tenant. To Read and Write ListItems I don't know if this is relevant. The Resource i'm passing through is the SharePoint Adress.

I don't need any user access over the Graph Api to the Azure. I only need that AccessToken to access our SharePoint Online.

Edit:

Architecture:

Description:

We have a Web Api Project which handles the User Authorization, Load Balancing etc. This Web Api Project, will be queried by either Native Dekstop Clients or Hybrid HTML5 & Javascript Mobile Device Apps.

The Web Api Project needs to Read, Create, Update & Delete Data from our SharePoint O365 Tenant. So this where I need the AccessToken to init a ClientContext or send i via a rest response.

Since the Web Api handles the User authorization, there is an endpoint for users to login already and in this endpoint I want to acquire the Token. That's why I want it to be silent, because the "flexbile browser popup" is already there.

Maybe I don't need in this scenario the Token acquiring with Username / Password, but then I don't know how to configure the Azure App right to work with all the different native client's.

Answer 1

not sure if it's your case but you can use :

• built in auth (setting 'on' in webapp options; then create express app or/and then chose advanced mode with same apps ids);
• then add AD native client app;
• login to old classic portal there select native app and in config add access to you express/advacsed web app;
• after that you will able login in browser; and with adal lib will able login to access you api from mobile devices;

for more see ms docs and samples;

Answer 2

The direct use of username and password has important limitations, please make sure you are not stumbling on any of the ones listed in http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/ . Also note, nothing that requires displaying a user consent screen (as all the permissions you described will) or specific disambiguation steps (like trying to use a guest user from X to access a resource protected by tenant Y) will work. What is your scenario? Any specific reason for which you want to use username/password instead of the more flexible browser popup?