Setting up an AAD SSO solution with notification subscriptions


I've been looking into MS Graph for the last week or so, as we have clients who are interested in having their users on our web application also be controlled through their AAD.


The requirements are quite simple:
- Users from specific tenants should be able to log in/create an account using their Microsoft account. Not all of our clients have access to this integration, so we use the tenant ID to verify that the users come from an acceptable source.

- Their account should get soft-deleted and deleted in our application when their deletion status is changed in AAD.

- Their role should change in our application when their role for our application is changed in their AAD.


For this I will need the following user data from AAD:
- Name

- Email

- Tenant id

- Role for our application

 

As of now I've created an application under "App Registration" with a working redirect URL. Now I'm a bit uncertain which solution to set up:


All user-handled (use Graph API as user):
1. User logs in to our application using a "Microsoft Login" button

2. They're redirected to my redirect URL and created/logged in if we have accepted their tenant ID

3. We create a subscription on the user, so we get notified when they change

4. When notified, we fetch information on the user and update accordingly

The problem I'm facing with this method is getting user information when a webhook triggers. I tried using https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, but it seems to want a code that I can't locate in the flow so far.


Admin approval (use Graph API as admin):

1. An admin from the client receives a consent URL, which gives the application access to User.Read.All, so we can fetch info on their users at any time.

2. The login flow will be the same for the user, except that we can call the Graph API as an application when a webhook triggers.

The trouble I'm having with this solution is the admin consent flow; I keep running into errors such as this:
AADSTS650053: The application 'XXX' asked for scope '"User.Read.All"' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

Having all these options, I decided to make a post here to get some direction in case I'm completely off track and missing something obvious. I believe the second approach will result in an overall simpler implementation, but the first approach is stricter and only gives my application access to the users actually affiliated with my application.

Do any Graph gurus have suggestions on how to solve this kind of setup?


0 Replies
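The following is an added example, not code from the original post or from Microsoft. It sketches the three pieces the post describes in Python: gating sign-in on the ID token's `tid` claim against a tenant allow-list, building the v2.0 admin-consent URL and the client-credentials token request so a webhook handler can call Graph as the application (the client-credentials grant takes no `code`), and handling the change-notification webhook (the validationToken handshake and the clientState check). The client ID, tenant IDs, redirect URI, secrets and the sample notification payload are made-up placeholders; the login/Graph endpoints and parameter names are the documented ones. Note that the error message quoted in the post shows the scope as '"User.Read.All"', with double quotes inside the single quotes; the example below passes the scope through urlencode() so that no quote characters end up in the request.

```python
"""Added example (not from the original post): the moving parts of the flow
described above, kept offline. It builds requests rather than sending them,
and every ID, URL and secret below is a placeholder."""
import hmac
import json
from typing import Optional
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"
LOGIN = "https://login.microsoftonline.com"

# Placeholders (assumptions for this example, not values from the post).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/auth/callback"
ALLOWED_TENANTS = {"11111111-2222-3333-4444-555555555555"}


def tenant_allowed(id_token_claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """Admit the sign-in only if the `tid` claim names an accepted tenant.
    The claims must come from an ID token whose signature, issuer, audience
    and expiry the OIDC library already verified; this allow-list sits on top
    of that validation and does not replace it."""
    tid = id_token_claims.get("tid")
    return isinstance(tid, str) and tid in allowed


def admin_consent_url(tenant: str, state: str) -> str:
    """v2.0 admin-consent URL. With application permissions configured on the
    app registration, the scope is '<resource>/.default'. The scope value must
    not contain quote characters; urlencode() handles the URL encoding."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": f"{GRAPH}/.default",
        "state": state,  # bind the callback to this request; check it on return
    }
    return f"{LOGIN}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def client_credentials_request(tenant: str, client_secret: str):
    """Token request a webhook handler can use to call Graph as the
    application. The client-credentials grant has no `code` parameter:
    nothing from the user's browser session is involved."""
    url = f"{LOGIN}/{tenant}/oauth2/v2.0/token"
    body = {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
        "grant_type": "client_credentials",
    }
    return url, body


def subscription_request(user_id: str, notification_url: str,
                         client_state: str, expiration_iso: str) -> dict:
    """Body for POST {GRAPH}/v1.0/subscriptions watching one user (resource
    path assumed here). clientState is a secret Graph echoes back in every
    notification; store it so the webhook can reject anything else POSTed
    to the URL."""
    return {
        "changeType": "updated,deleted",
        "notificationUrl": notification_url,
        "resource": f"users/{user_id}",
        "expirationDateTime": expiration_iso,  # subscriptions expire; renew them
        "clientState": client_state,
    }


def handle_webhook(query: dict, body: Optional[bytes], expected_client_state: str):
    """Return (status, content_type, response) for a POST to notificationUrl.
    On subscription creation Graph POSTs ?validationToken=... and expects the
    token echoed back as text/plain; later POSTs carry JSON notifications."""
    if "validationToken" in query:
        return 200, "text/plain", query["validationToken"]
    accepted = []
    for n in json.loads(body or b"{}").get("value", []):
        # Constant-time compare; drop notifications whose clientState differs.
        if not hmac.compare_digest(str(n.get("clientState", "")), expected_client_state):
            continue
        accepted.append((n.get("changeType"), n.get("resource")))
    # Acknowledge with 202 so Graph stops retrying; look the user up afterwards
    # with GET {GRAPH}/v1.0/users/{id} using a client-credentials token.
    return 202, "application/json", accepted


# Constructed sample payload: one genuine notification and one carrying a
# bogus clientState, in the shape of Graph's change-notification format.
SAMPLE_NOTIFICATION = json.dumps({"value": [
    {"subscriptionId": "sub-1", "changeType": "updated", "clientState": "cs-secret",
     "resource": "Users/aaaa-bbbb", "resourceData": {"id": "aaaa-bbbb"}},
    {"subscriptionId": "sub-1", "changeType": "deleted", "clientState": "wrong",
     "resource": "Users/cccc-dddd", "resourceData": {"id": "cccc-dddd"}},
]}).encode()
```

The webhook never trusts the notification body for user data: it only learns which resource changed, then fetches the user with an application token, which is why the admin-consent piece is needed for the notification path even when the user signed in interactively.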