How do I get a user_impersonation token from an app-only token?
So there are some APIs in Azure that work fine when I use my logged-in access token. But they just won't work with the app-only token issued to my app.

During onboarding of our multi-tenant Azure app the administrator consents/approves access into their tenant, which requests a set of permissions including:

  • Read directory data

  • Access the directory as the signed-in user

For everything up to now, this was good enough. When our Azure Function needs to act on behalf of the admin we can call AcquireTokenAsync() to get the app-only token and use it to query the resources we need.

However, we have come across some resources that give us a 400 error saying "AADSTS50058: A silent sign-in request was sent but no user is signed in.".

In these situations where it needs a signed-in user token (and we can't get one as it's a backend function doing automated processing after hours), what are we supposed to do? I don't want to have to store the user's credentials in KeyVault to do a password auth to get such a token. The whole point of using app-only tokens was to avoid this.

What are we supposed to do in this situation?
Comments:

  • I'm confused: do I understand that the Web API requires a refresh token?
    – Jean-Marc Prieur, Nov 13 '18 at 9:51

  • Please go through all the guides regarding multi-tenant applications here and the guide about application permissions here. At the end make sure you have read and understood Azure AD Authentication. Then please come back here and rephrase your question.
    – astaykov, Nov 13 '18 at 15:27

  • Updated question to more clearly explain what it is that we are coming across.
    – Dana Epp, Nov 14 '18 at 0:54

  • If you've never authenticated as an end user to acquire a first token for a backend API to call the further APIs (because you say it's a backend Azure function, so no user interaction) then AFAIK you will not be able to use the On-Behalf-Of flow to get a user_impersonation token. Please include the full code that you're using to acquire the app-only token and make further calls. Looking at the error, you're probably not using the correct ADAL overload to acquire a token using the application's identity, and are trying to get the token in the user's context... that's just a guess.
    – Rohit Saigal, Nov 14 '18 at 1:45

  • We authenticate the user in a web app the first time they log in. It redirects to Microsoft's IdP to do OAuth consent, which in turn registers our app in their tenant, gives us perms to their subscription, creates the service principal and then redirects back. At this point we can use our app to access their tenant. This follows Microsoft guidance on using multi-tenant apps with app-only tokens.
    – Dana Epp, Nov 14 '18 at 1:51
Tags: azure azure-active-directory azure-sdk-.net

asked Nov 13 '18 at 4:01 by Dana Epp; edited Nov 14 '18 at 0:53 by Dana Epp
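As an added illustration (written in Python for this page; it is not the question's .NET/ADAL code and not the author's): the distinction the question turns on is visible in the access token's own claims. A delegated token, issued for a signed-in user, carries `scp` (the delegated permissions) and a user identifier such as `upn`; a client-credentials token carries `roles` (the application permissions) and no user claim, and if only delegated permissions were ever consented it typically carries no `roles` either. The helper below decodes a token's payload without verifying its signature (a diagnostic only; never make an authorization decision on unverified claims), classifies it, and refuses to build an On-Behalf-Of request from an app-only token, which is the point raised in the comments: OBO exchanges a token a user already obtained, so a backend that never received one has nothing to exchange. The sample tokens are unsigned, constructed for this example, and the tenant id, client id, object ids and resource URI are placeholders.

```python
import base64
import json

# ---- minimal JWT helpers (no signature verification; diagnosis only) ----

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with alg=none. Constructed test data only:
    Azure AD never issues unsigned tokens, and nothing here verifies one."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))

# ---- classification ----

USER_CLAIMS = ("upn", "unique_name", "preferred_username")

def token_kind(token: str) -> str:
    """Classify an Azure AD access token by the claims it carries.

    delegated         : issued for a signed-in user; has 'scp' (delegated
                        permissions) and a user identifier such as 'upn'.
    app-only          : client-credentials token; no 'scp', no user claim,
                        'roles' lists the granted application permissions.
    app-only-no-roles : client-credentials token with no 'roles' at all, which
                        is typically what you get when only delegated permissions
                        were consented. A resource that needs a signed-in user
                        cannot be called with either app-only kind.
    """
    claims = decode_claims(token)
    if claims.get("scp") or any(k in claims for k in USER_CLAIMS):
        return "delegated"
    if claims.get("roles"):
        return "app-only"
    return "app-only-no-roles"

def is_obo_assertion(token: str) -> bool:
    """Only a delegated token can be exchanged with the On-Behalf-Of grant."""
    return token_kind(token) == "delegated"

def obo_request_body(client_id: str, client_secret: str,
                     user_assertion: str, resource: str) -> dict:
    """Form body for the v1 On-Behalf-Of grant. Refuse an app-only assertion
    here rather than letting the token endpoint reject it."""
    if not is_obo_assertion(user_assertion):
        raise ValueError(
            f"OBO needs a delegated user token as the assertion, got {token_kind(user_assertion)}")
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "resource": resource,
        "requested_token_use": "on_behalf_of",
    }

# ---- constructed sample tokens (fake claims; ids are placeholders) ----

_COMMON = {"aud": "https://graph.windows.net",
           "iss": "https://sts.windows.net/<tenant-id>/",
           "tid": "<tenant-id>", "appid": "<client-id>"}

DELEGATED_TOKEN = make_unsigned_jwt({**_COMMON, "scp": "Directory.Read.All User.Read",
                                     "upn": "admin@contoso.example", "oid": "<user-oid>"})
APP_ONLY_TOKEN = make_unsigned_jwt({**_COMMON, "roles": ["Directory.Read.All"],
                                    "oid": "<service-principal-oid>"})
APP_ONLY_NO_ROLES_TOKEN = make_unsigned_jwt({**_COMMON, "oid": "<service-principal-oid>"})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN),
                      ("app-only, no roles", APP_ONLY_NO_ROLES_TOKEN)]:
        print(f"{name:20s} -> {token_kind(tok)}")
```

Run it directly to print the classification of the three constructed tokens. The diagnostic to apply to the question's setup is to decode the token that AcquireTokenAsync() actually returns and check which kind it is: an app-only token of either kind will not satisfy a resource that requires a signed-in user, and it cannot be turned into one through On-Behalf-Of because that grant needs a delegated token as its input.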