How do I get a user_impersonation token from an app-only token?
So there are some APIs in Azure that work fine when I use my logged in access token. But they just won't work with the app-only token issued to my app.
During onboarding of our multi-tenant Azure app the administrator consents/approves access into their tenant, which requests a set of permissions including:
- Read directory data
- Access the directory as the signed-in user
For everything up to now, this was good enough. When our Azure Function needs to act on behalf of the admin we can call AcquireTokenAsync() to get the app-only token and use it to query the resources we need.
However, we have come across some resources that give us a 400 error saying "AADSTS50058: A silent sign-in request was sent but no user is signed in."
In these situations where it needs a signed-in user token (and we can't get one, as it's a backend function doing automated processing after hours), what are we supposed to do? I don't want to have to store the user's credentials in Key Vault to do a password auth to get such a token. The whole point of using app-only tokens was to avoid this.
What are we supposed to do in this situation?
azure azure-active-directory azure-sdk-.net
edited Nov 14 '18 at 0:53
Dana Epp
asked Nov 13 '18 at 4:01
Dana Epp
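The failure described in the question comes down to which kind of token is in hand. A token from the client-credentials flow (what ADAL's AcquireTokenAsync with a ClientCredential returns) carries the application's identity and its application permissions in a `roles` claim; it has no user, so an API that only accepts delegated permissions (a `scp` claim such as `user_impersonation`) rejects it, and no silent or on-behalf-of request can conjure a user that was never signed in. The inspector below, an added example and not code from the question or from Microsoft's SDK, decodes a token's claims and reports whether it is app-only or delegated, and what an API that wants the other kind would need instead. The two sample tokens are constructed by hand with dummy tenant, app and object IDs and an empty signature so the script runs offline; it never verifies signatures, so it is a diagnostic aid, not something to base an authorization decision on.

```python
"""Tell an app-only Azure AD access token from a delegated one by its claims.

Added example (not from the original post). Sample tokens are constructed
unsigned JWTs with dummy IDs; signatures are NOT checked here.
"""
import base64
import json

# ---- constructed sample data (dummy values, not real tenants/apps) ----
_TENANT = "00000000-0000-0000-0000-000000000001"
_APP_ID = "11111111-1111-1111-1111-111111111111"

APP_ONLY_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": f"https://sts.windows.net/{_TENANT}/",
    "tid": _TENANT,
    "appid": _APP_ID,
    "oid": "22222222-2222-2222-2222-222222222222",  # the service principal
    "sub": "22222222-2222-2222-2222-222222222222",
    "idtyp": "app",                                  # v2 endpoint marks app tokens
    "roles": ["Directory.Read.All"],                 # application permissions
}

DELEGATED_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": f"https://sts.windows.net/{_TENANT}/",
    "tid": _TENANT,
    "appid": _APP_ID,
    "oid": "33333333-3333-3333-3333-333333333333",  # the signed-in user
    "upn": "admin@contoso.example",
    "scp": "user_impersonation",                     # delegated permissions
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload. with an empty signature (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> str:
    """Return "delegated" (a user is behind it) or "app-only"."""
    claims = decode_claims(token)
    if "scp" in claims or "upn" in claims or "preferred_username" in claims:
        return "delegated"
    if claims.get("idtyp") == "app" or "roles" in claims:
        return "app-only"
    raise ValueError("cannot tell token type from claims")


def has_scope(token: str, scope: str) -> bool:
    """True if a delegated token's space-separated scp claim contains scope."""
    return scope in decode_claims(token).get("scp", "").split()


def required_flow(api_needs: str, token: str) -> str:
    """Say whether the token fits an API that needs application or delegated
    permissions, and if not, which flow can actually produce the right one."""
    kind = classify_token(token)
    if api_needs == "application":
        return "ok" if kind == "app-only" else "acquire with client credentials"
    if api_needs == "delegated":
        if kind == "delegated":
            return "ok"
        return ("needs a signed-in user: client credentials cannot produce it; "
                "keep the refresh token from the user's interactive sign-in "
                "(v2 endpoint: request offline_access) or use on-behalf-of "
                "with the user's own incoming assertion")
    raise ValueError(f"unknown permission kind: {api_needs}")


APP_ONLY_TOKEN = make_unsigned_jwt(APP_ONLY_CLAIMS)
DELEGATED_TOKEN = make_unsigned_jwt(DELEGATED_CLAIMS)

if __name__ == "__main__":
    for name, tok in (("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, "->", classify_token(tok),
              "| user_impersonation:", has_scope(tok, "user_impersonation"),
              "| delegated-only API:", required_flow("delegated", tok))
```

Run it against a real token by replacing APP_ONLY_TOKEN with the string ADAL hands back: if `classify_token` says app-only and the target resource only exposes delegated permissions, no overload of AcquireTokenAsync will fix it, because the token endpoint has no user to impersonate; the user has to be in the picture at least once, and what you keep from that sign-in is a refresh token, not a password.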
I'm confused: do I understand that the Web API requires a refresh token?
– Jean-Marc Prieur
Nov 13 '18 at 9:51
Please go through all the guides regarding multi-tenant applications here and the guide about application permissions here. At the end make sure you have read and understood Azure AD Authentication. Then please come back here and rephrase your question.
– astaykov
Nov 13 '18 at 15:27
Updated question to more clearly explain what it is that we are coming across.
– Dana Epp
Nov 14 '18 at 0:54
If you've never authenticated as an end user to acquire the first token for a backend API to call the further APIs (because you say it's a backend Azure Function, so no user interaction), then AFAIK you will not be able to use the On-Behalf-Of flow to get a user_impersonation token. Please include the full code that you're using to acquire the app-only token and make further calls. Looking at the error, you're probably not using the correct ADAL overload to acquire a token using the application's identity, and trying to get the token in the user's context... that's just a guess.
– Rohit Saigal
Nov 14 '18 at 1:45
We authenticate the user in a web app the first time they log in. It redirects to Microsoft's IdP to do OAuth consent, which in turn registers our app in their tenant, gives us perms to their subscription, creates the service principal and then redirects back. At this point, we can use our app to access their tenant. This follows Microsoft guidance on using multitenant apps with app-only tokens.
– Dana Epp
Nov 14 '18 at 1:51