I'm setting up authentication with Azure AD for an ASP.NET Web API 2 REST API. I'd like all clients to be able to use a username & password to authenticate with the REST API. I've set up Azure AD (full steps below, but essentially: created a directory, added a user, added an application, added roles to the application in the manifest, assigned the user to the application). However, when I try to test via a Console Application (full code at bottom), I get the exception:
An unhandled exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' occurred in Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Additional information: AADSTS50105: The signed in user '[email protected]' is not assigned to a role for the application '8ed6bbe9-dce7-4bed-83af-aa5472ac4eef'.
I'm guessing something needs to be tweaked in the Manifest, but I don't know.
Here is the code:
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;

namespace WebApiClientTest
{
    class Program
    {
        static void Main(string[] args)
        {
            // Tenant authority, the Web API's App ID URI (resource) and the client application ID
            const string authorityUri = "https://login.microsoftonline.com/azureadwebapitest.onmicrosoft.com/";
            const string resource = "https://azureadwebapitest.onmicrosoft.com/test";
            const string clientId = "8ed6bbe9-dce7-4bed-83af-aa5472ac4eef";
            const string userId = "[email protected]";
            const string password = "[REMOVED for StackOverflow post]";

            // Username/password (resource owner password) flow via ADAL
            UserCredential credentials = new UserCredential(userId, password);
            AuthenticationContext context = new AuthenticationContext(authorityUri);
            var authresult = context.AcquireToken(resource, clientId, credentials);

            Console.WriteLine("Access token: {0}", authresult.AccessToken);
            Console.ReadLine();
        }
    }
}
Full repro steps below:
1. Create new Azure AD Directory:
2. Add new Application:
3. Set "User assignment required to access app" to "YES". Set "Read directory data" application permissions. Copy client ID. Save:
4. Download manifest. Edit manifest and add two roles. Upload manifest:
5. Go back to directory from step 1 and Add User
6. Open new browser to https://account.activedirectory.windowsazure.com/ and sign in as user. Change password. Notice no applications available:
7. Go back to Classic Portal. Assign the user to the generalclient role in Application. Notice the user is now assigned to the application
8. Go back to user account portal and refresh. You might have to refresh a few times or click around. Notice the application is now shown
It seems that at this point setup should be complete.
Create a new console application.
Install the NuGet package "Microsoft.IdentityModel.Clients.ActiveDirectory"
Copy the code into the console application (top of post), insert your password into the "password" string, and Start Debugging:
Result:
An unhandled exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' occurred in Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Additional information: AADSTS50105: The signed in user '[email protected]' is not assigned to a role for the application '8ed6bbe9-dce7-4bed-83af-aa5472ac4eef'.
Expected Result:
The access token is written to the console output.
Application Administrator: Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings.
Worked for me:
Changing the property "User assignment required?" to No worked for me. This can be found under Enterprise application --> Name of your registered application --> Properties.
I had a similar issue in a different scenario. The reason was that the logged-in user was not part of the application's user list. This error got resolved as soon as I added that user to the Azure AD target application (the application you are referring to through the C# code). Also make sure the user is part of a group. (If not, create a group and just add the application users as members of it.)
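An added example (not code from the question or either answer) that reports the AADSTS50105 failure above in a recognisable way and, once a token is issued, checks that the app role assigned in step 7 actually appears in the token's "roles" claim. It reuses the question's authority, resource and client ID; the user ID and password come from the command line, the "generalclient" role value is taken from step 7, and the System.IdentityModel.Tokens.Jwt NuGet package is assumed for decoding the token.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL 2.x, as in the question
using System.IdentityModel.Tokens.Jwt;                  // NuGet: System.IdentityModel.Tokens.Jwt

namespace WebApiClientTest
{
    class RoleCheck
    {
        // Values from the question; the role value is the one assigned in step 7
        const string authorityUri = "https://login.microsoftonline.com/azureadwebapitest.onmicrosoft.com/";
        const string resource = "https://azureadwebapitest.onmicrosoft.com/test";
        const string clientId = "8ed6bbe9-dce7-4bed-83af-aa5472ac4eef";
        const string expectedRole = "generalclient";

        // Usage: RoleCheck.exe <userId> <password>   (exit 0 only if the expected role is in the token)
        static int Main(string[] args)
        {
            if (args.Length != 2)
            {
                Console.Error.WriteLine("usage: RoleCheck <userId> <password>");
                return 2;
            }
            var context = new AuthenticationContext(authorityUri);
            var credentials = new UserCredential(args[0], args[1]);
            AuthenticationResult result;
            try
            {
                result = context.AcquireToken(resource, clientId, credentials);
            }
            catch (AdalServiceException ex)
            {
                if (!ex.Message.Contains("AADSTS50105")) throw;
                // Same failure as in the question: "User assignment required?" is Yes, but this
                // user (or a group containing it) has no app-role assignment on the enterprise app.
                Console.Error.WriteLine("AADSTS50105: assign the user to an app role on the application, " +
                                        "or set 'User assignment required?' to No.");
                return 1;
            }

            // Decode only; the Web API's JWT middleware is what validates signature, issuer,
            // audience and expiry. Azure AD emits one "roles" claim per assigned app role.
            var token = new JwtSecurityToken(result.AccessToken);
            var roles = token.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToList();
            Console.WriteLine("roles claim: {0}", roles.Count == 0 ? "(none)" : string.Join(", ", roles));

            // An empty roles claim means the API sees an authenticated caller with no role to authorize on
            return roles.Contains(expectedRole) ? 0 : 1;
        }
    }
}
```

If the token is issued but "roles" is empty, the user is assigned to the application but not to a role defined in the manifest's appRoles, which is worth checking before the API's authorization is blamed.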