MIMUSH-MSFTE

Reputation: 137

Is it possible to Validate an Azure Active Directory User's Password

We are leveraging the Azure Graph API and are able to get attributes to return, but unable to validate the User's Password using the Standard .Net library that hashes the password in the same manner used for On-Prem Active Directory. Is it possible to validate a User's Azure Active Directory Password?

Upvotes: 2

Views: 3079

Answers (1)

Rohit Saigal

Reputation: 9674

Short answer is No.

Ideally your application code should never have the user's password available to it in the first place, as that violates security best practices and is discouraged/not recommended. User credentials should only be provided directly to Azure AD endpoints through the different supported OAuth 2.0 grant flows, and the application should work with the tokens/auth code returned by Azure AD.

With ADAL libraries (as well as Azure AD endpoints), you will not find anything specific to just validate user credentials, only methods to acquire tokens.

Workaround - ROPC - Resource Owner Password Credentials Grant (Not recommended, multiple issues)

When using ROPC your application code has a user's password available to it. It violates security best practices and also does not work with MFA and federated authentication users. Using this grant is highly discouraged as it brings potential attack risks, so not recommended.

The workaround would be to use ROPC to acquire a token for the user. If either the username or the password is incorrect, you will get an exception; otherwise you get back a valid token, which means the credentials are good.

Here are a couple of links that cover details on ROPC (and recommend not using it at the same time..):

For example, code would look like this for a native application.

```csharp
// ADAL: acquire a token with the Resource Owner Password Credentials grant.
// Throws an AdalException if the username or password is wrong.
var result = await context.AcquireTokenAsync(resource, clientId, new UserPasswordCredential("[email protected]", johnsPassword));
```

Upvotes: 2
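Putting the answer's workaround into a complete method, as an added example that is not part of the original answer: the credentials are handed straight to Azure AD via ADAL's ROPC call, a successful token acquisition is treated as "password valid", and an `AdalServiceException` is treated as "invalid". The tenant, client id and resource values are placeholders (the Azure AD Graph resource URI is assumed from the question); the MFA and federated-user limitations the answer mentions still apply, so this cannot distinguish "wrong password" from "user cannot sign in this way".

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL .NET 3.x (assumed)

public static class PasswordCheck
{
    // Placeholders: replace with your own tenant and the app registration's client id.
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    private const string ClientId  = "<native-app-client-id>";
    // Resource assumed from the question (Azure AD Graph API).
    private const string Resource  = "https://graph.windows.net";

    // Returns true only when Azure AD issued a token for these credentials.
    // Never log the password or the returned token.
    public static async Task<bool> IsPasswordValidAsync(string upn, string password)
    {
        var context = new AuthenticationContext(Authority);
        try
        {
            AuthenticationResult result = await context.AcquireTokenAsync(
                Resource, ClientId, new UserPasswordCredential(upn, password));
            // Token issued: the credentials were accepted by Azure AD.
            return !string.IsNullOrEmpty(result.AccessToken);
        }
        catch (AdalServiceException ex)
        {
            // ROPC failed: wrong credentials, or a user that cannot use ROPC at all
            // (MFA, federated sign-in, conditional access). Inspect ex.ErrorCode to
            // tell these apart before deciding the password itself was wrong.
            Console.Error.WriteLine($"ROPC failed for {upn}: {ex.ErrorCode}");
            return false;
        }
    }
}
```

Each call counts as a sign-in attempt against the user's account, so repeated failures feed Azure AD's lockout and smart-lockout logic; treat `false` as "could not sign in", not as proof the password is wrong.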
