Reputation: 21
I have an application that uses the following scopes to access data in Microsoft Graph:
[
'openid',
'offline_access',
'email',
'profile',
'https://graph.microsoft.com/Mail.ReadWrite',
'https://graph.microsoft.com/Mail.Send',
'https://graph.microsoft.com/User.Read',
'https://graph.microsoft.com/Contacts.ReadWrite',
'https://graph.microsoft.com/Calendars.ReadWrite'
]
I am using passport-oauth in my node application for authentication.
It works perfectly fine for Office 365 emails of different companies, but it doesn't work for German domains (e.g. [email protected]).
I already tried the solutions specified in Registering an application for the Microsoft Graph API in the German National Cloud, with graph.microsoft.de as the Microsoft Graph URI and login.microsoft.de as the authorization endpoint.
Currently, the app I am using is registered on apps.dev.microsoft.com.
I get this error when I try to log in with my German O365 account:
TokenError: AADSTS90043: Confidential Client is not supported in Cross Cloud request.
My question is: where do I register an app that works for all German O365 instances, since the app needs to support accounts from multiple domains? The authorize URL I tried, which results in an invalid client secret error, is as follows:
https://login.microsoftonline.de/common/oauth2/authorize?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A1345%2Fauthorize&scope=openid%20offline_access%20email%20profile%20https%3A%2F%2Fgraph.microsoft.de%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.de%2FMail.Send%20https%3A%2F%2Fgraph.microsoft.de%2FUser.Read%20https%3A%2F%2Fgraph.microsoft.de%2FContacts.ReadWrite%20https%3A%2F%2Fgraph.microsoft.de%2FCalendars.ReadWrite&state=key%3Dlocal-dt&client_id=7beb27dd-805c-47e5-bbb4-639a3e41a9dd
Upvotes: 2
Views: 1467
Reputation: 33114
The apps.dev.microsoft.com portal is a Global registration for "Converged" app authentication (i.e. the v2 Endpoint that supports both AAD and personal MSA accounts). This v2 Endpoint isn't supported by National Cloud deployments at the moment.
From the documentation:
Note: The Azure AD v2.0 authorization and token endpoints are available on the global service only; they are not yet supported for use with national cloud deployments.
In order to have an application that works with both the Global and the National Cloud Endpoint, you need to use the v1 Endpoint. This is done via the Azure AD portal rather than apps.dev.microsoft.com.
The Authorization URI you're navigating to has the correct v1 Endpoint URL (https://login.microsoftonline.de/common/oauth2/authorize), but you're providing v2 Endpoint query parameters:
https://login.microsoftonline.de/common/oauth2/authorize
?response_type=code
&redirect_uri=http://localhost:1345/authorize
&scope=openid offline_access email profile https://graph.microsoft.de/Mail.ReadWrite https://graph.microsoft.de/Mail.Send https://graph.microsoft.de/User.Read https://graph.microsoft.de/Contacts.ReadWrite https://graph.microsoft.de/Calendars.ReadWrite
&state=key=local-dt
&client_id=7beb27dd-805c-47e5-bbb4-639a3e41a9dd
The v1 Endpoint doesn't support dynamic scopes. Instead, scopes are defined by your Application Registration via the Azure Portal.
Your URL prototype should look like this:
https://login.microsoftonline.de/common/oauth2/authorize?
client_id=7beb27dd-805c-47e5-bbb4-639a3e41a9dd
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A1345%2Fauthorize
&response_mode=query
&state=key=key%3Dlocal-dt
Upvotes: 2