
Authenticate in Azure AD silently from a domain joined machine

In our environment Windows machines are domain joined, and Azure AD Connect Sync is used to connect the domain to Azure AD. My goal is to authenticate in Azure using the context of the currently logged in user.

As I understand, I need to use Integrated Windows authentication (IWA) among the available methods.

Allows applications on domain or Azure Active Directory (Azure AD) joined computers to acquire a token silently (without any UI interaction from the user).

The description looks great. I am trying to use this example. I created an app registration as per the instructions; the only thing that I failed to do is Step 2: (Optional) / Register the client app / item 6:

At this stage permissions are assigned correctly but the client app does not allow interaction. Therefore no consent can be presented via a UI and accepted to use the service app. Click the Grant/revoke admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all accounts in the tenant.

First of all, I do not understand what it is saying. How is it that it does not allow interaction? What interaction?

Secondly, the value of "Admin consent required" is "No":


I am not a tenant admin, but I assume "Grant admin consent for ..." button is greyed because there is nothing to grant (it turns active once I add something).

Nevertheless I copied TenantId and app ClientId into the example and tried to run it. It is failing with the following error:

AADSTS65001: The user or administrator has not consented to use the application with ID 'b5e9bd68-5326-44ff-9fc6-c933227708ff' named 'foo-bar'. Send an interactive authorization request for this user and resource. Trace ID: 77c69007-80cb-4eb2-b60b-f029928c5f00 Correlation ID: 63be7460-11e6-49b2-88b9-a3b56025ee43 Timestamp: 2022-06-27 23:08:08Z

Again, what an interactive request? Isn't the purpose of this example to illustrate how I can authenticate silently and transparently for the user, without any interaction?

Please help me to find missing pieces.

IWA is a silent flow that doesn't need user interaction; you must grant consent to all users in the tenant to use the application.

To perform the above action, you must have the tenant admin role as mentioned in the MsDoc.

When that role is enabled, make sure to Grant Admin Consent like below after adding the required API permissions.


You can also make use of the admin consent endpoint below, which will give a consent form like the one shown:

https://login.microsoftonline.com/{your_tenant_id}/v2.0/adminconsent?
&client_id=Your_client_id
&state=12345
&redirect_uri=Your_redirect_uri
&scope= https://graph.microsoft.com/.default


After accepting the above consent, you can get rid of "The user or administrator has not consented to use the application" error.
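The following is an added example (not code from the question, the answer, or Microsoft's IWA sample) showing how a MSAL.NET client performs the silent IWA flow and how the AADSTS65001 condition surfaces to the client as a consent-required exception, in which case the admin consent URL from the answer is the remedy. It assumes the Microsoft.Identity.Client NuGet package; the tenant id, client id and redirect URI are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class IwaDemo
{
    // Placeholders: replace with the values from your app registration.
    const string TenantId = "<your-tenant-id>";
    const string ClientId = "<your-client-id>";
    const string RedirectUri = "<your-redirect-uri>";
    static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    static async Task Main()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        try
        {
            // IWA uses the logged-on domain user's Kerberos ticket; no UI is shown.
            AuthenticationResult result = await app
                .AcquireTokenByIntegratedWindowsAuth(Scopes)
                .ExecuteAsync();
            Console.WriteLine($"Token for {result.Account.Username}, expires {result.ExpiresOn:u}");
        }
        catch (MsalUiRequiredException ex)
            when (ex.Classification == UiRequiredExceptionClassification.ConsentRequired)
        {
            // This is AADSTS65001 as seen by the client: a silent flow cannot show a
            // consent prompt, so a tenant admin must grant consent once for everyone.
            Console.Error.WriteLine("Consent missing; a tenant admin must open:");
            Console.Error.WriteLine(
                $"https://login.microsoftonline.com/{TenantId}/v2.0/adminconsent" +
                $"?client_id={ClientId}&state=12345&redirect_uri={RedirectUri}" +
                "&scope=https://graph.microsoft.com/.default");
        }
        catch (MsalServiceException ex)
        {
            // Any other Azure AD error (wrong tenant, disabled app, network, ...).
            Console.Error.WriteLine($"AAD error {ex.ErrorCode}: {ex.Message}");
        }
    }
}
```

Run it on a domain joined machine as the signed-in domain user; once admin consent has been granted the first branch succeeds without any prompt.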
