Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

MS Graph API - Authentication connector via MSAL

Willy__Vanroy
Level 2

‎07-09-22 02:31 PM

The MS Graph API - Authentication connector calls the https:// login.microsoftonline.com/* endpoint directly passing the username / password provided which is hitting Azure AD and attempting to authenticate directly against the cloud.

 Because our company does not have password hash sync enabled this will not work as the account password is not stored in Azure AD.

 Is there a solution possible using one of the available MSAL library's https://aka.ms/msal which will then allow for the authentication request to be redirected back to our on-premises hybrid identity infrastructure?

-----------------
Willy Vanroy
AXA Bank
-----------------



------------------------------
Willy Vanroy
Developer
AXA Bank
Europe/Brussels
------------------------------
0 Likes
3 REPLIES 3

ewilson
Staff
Staff

‎07-09-22 10:07 PM

Hello @Willy__Vanroy,

Have you checked the MSAL.NET connector?

Cheers,


------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------
0 Likes

Willy__Vanroy
Level 2
In response to ewilson

‎08-09-22 10:36 AM

It seems there is only support for Application Permissions, thus signing in with a Client Secret,

But with this type of deployment AXA cannot control from where the traffic is coming, also the document doesn't share the API permissions for which need to be assign so they cannot until they know guarantee that the permissions will fall within the range that is 'scopeable' (not sure that's a word) …

Is there a version which uses the MSAL.NET library but provides support for Delegated Permissions please? Possibly using the ROPC credential flow …



------------------------------
Willy Vanroy
Developer
AXA Bank
Europe/Brussels
------------------------------
0 Likes

ewilson
Staff
Staff
In response to Willy__Vanroy

‎08-09-22 12:41 PM

@Willy__Vanroy,

The permissions/scope are up to you. They are set on the application registration within Azure AD​. For example, if I want to register an application that can work with email, I would add some subset of the various Mail permissions.

7592.png

According to this link, Microsoft specifically recommends not using the ROPC flow:
7593.png 
Perhaps you can provide some more detail about how authentication works in your environment?

Cheers,

------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------
0 Likes
li.common.scroll-to.top