topic RE: MS Graph API - Authentication connector via MSAL in Digital Exchange

MS Graph API - Authentication connector via MSAL

Willy__Vanroy — Wed, 07 Sep 2022 13:31:00 GMT

The MS Graph API - Authentication connector calls the https:// login.microsoftonline.com/* endpoint directly passing the username / password provided which is hitting Azure AD and attempting to authenticate directly against the cloud.

Because our company does not have password hash sync enabled this will not work as the account password is not stored in Azure AD.

Is there a solution possible using one of the available MSAL library's https://aka.ms/msal which will then allow for the authentication request to be redirected back to our on-premises hybrid identity infrastructure?

-----------------
Willy Vanroy
AXA Bank
-----------------

------------------------------
Willy Vanroy
Developer
AXA Bank
Europe/Brussels
------------------------------

RE: MS Graph API - Authentication connector via MSAL

ewilson — Wed, 07 Sep 2022 21:07:00 GMT

Hello @Willy__Vanroy,

Have you checked the MSAL.NET connector?

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

RE: MS Graph API - Authentication connector via MSAL

Willy__Vanroy — Thu, 08 Sep 2022 09:36:00 GMT

It seems there is only support for Application Permissions, thus signing in with a Client Secret,

But with this type of deployment AXA cannot control from where the traffic is coming, also the document doesn't share the API permissions for which need to be assign so they cannot until they know guarantee that the permissions will fall within the range that is 'scopeable' (not sure that's a word) …

Is there a version which uses the MSAL.NET library but provides support for Delegated Permissions please? Possibly using the ROPC credential flow …

------------------------------
Willy Vanroy
Developer
AXA Bank
Europe/Brussels
------------------------------

RE: MS Graph API - Authentication connector via MSAL

ewilson — Thu, 08 Sep 2022 11:41:00 GMT

@Willy__Vanroy,

The permissions/scope are up to you. They are set on the application registration within Azure AD. For example, if I want to register an application that can work with email, I would add some subset of the various Mail permissions.

According to this link, Microsoft specifically recommends not using the ROPC flow:

Perhaps you can provide some more detail about how authentication works in your environment?

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------