Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,258 questions
Acces MsGraph by Hybrid Azure AD Joined
Vernou
61
Reputation points
Hi,
I have a WPF application (target the old .NET Framework runtime) that request to MsGraph with the NuGet package Micrsoft.Graph. That work perfectly.
We try to adapt the WPF application to run out of our enterprise domain.
We have configured Azure Conditionnal Access and all computers are configured to be Hybrid Azure AD Joined. We have checked with dsregcmd /status.
But out of our domain, the application fail to request to MsGraph. I reproduce with this minimal example that retrieve the followed SharePoint site (work in domain/not work out of domain) :
static void Main(string[] args)
{
Console.WriteLine("Try get token");
var auth = new AuthenticationContext($"https://login.windows.net/common");
var token = auth.AcquireTokenAsync(
"https://MyCompany.onmicrosoft.com/MyApplication",
"ClientGuid",
new UserCredential()
).Result.AccessToken;
Console.WriteLine("ToKen : " + token);
var graphService = new BetaGraphServiceClientO365(
new AzureOnBehalfAccessToken(
new AuthenticationAzureOptions {
AadInstance = "https://login.microsoftonline.com/",
AppIdUri = "https://MyCompany.onmicrosoft.com/MyApp",
ClientId = "ClientGuid",
Tenant = "TenandGuid",
ClientSecret = "ClientSecret"
},
new Microsoft.Extensions.Caching.Distributed.MemoryDistributedCache(new OptionCaching()),
4269, //User id
token
),
"https://graph.microsoft.com/"
);
var sites = graphService.Me.FollowedSites.Request().GetAsync().Result;
Console.WriteLine();
Console.WriteLine("Followed sites : " + sites.Count);
foreach(var site in sites)
{
Console.WriteLine(site.DisplayName);
}
}
This fail on AcquireTokenAsync with the error :
Exception non gérée : System.AggregateException: Une ou plusieurs erreurs se sont produites. --->
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalClaimChallengeException: AADSTS53001: Device is not in required device state: domain_joined.
Conditional Access policy requires a domain joined device, and the device is not domain joined.
Trace ID: 08692b13-4a26-4668-9ab0-c361cfa02a00
Correlation ID: bc0ebc0b-22cf-435e-b9c5-b3ab34b3905a
Timestamp: 2021-04-02 07:16:47Z --->
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Response status code does not indicate success: 400 (BadRequest).
à Microsoft.Identity.Core.OAuth2.OAuthClient.<GetResponseAsync>d__18`1.MoveNext()
--- Fin de la trace de la pile d'exception interne ---
à Microsoft.Identity.Core.OAuth2.OAuthClient.<GetResponseAsync>d__18`1.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.Identity.Core.OAuth2.OAuthClient.<HandleDeviceAuthChallengeAsync>d__21`1.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.Identity.Core.OAuth2.OAuthClient.<GetResponseAsync>d__18`1.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.Identity.Core.OAuth2.OAuthClient.<GetResponseAsync>d__17`1.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendHttpMessageAsync>d__75.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__72.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<CheckAndAcquireTokenUsingBrokerAsync>d__62.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__60.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__40.MoveNext()
--- Fin de la trace de la pile à partir de l'emplacement précédent au niveau duquel l'exception a été levée ---
à System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
à System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
à Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.<AcquireTokenAsync>d__0.MoveNext()
--- Fin de la trace de la pile d'exception interne ---
à System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
à MsGraphDemo.Program.Main(String[] args) dans D:\users\cevernou\Projects\Vrac\MsGraphDemo\Program.cs:ligne 14
How request to MsGraph from a Hybrid Azure AD Joined computer?
Microsoft Graph
.NET Runtime
.NET Runtime
.NET: Microsoft Technologies based on the .NET software framework.Runtime: An environment required to run apps that aren't compiled to machine language.
1,136 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,361 questions
{count} votes
-
Deva-MSFT 2,256 Reputation points Microsoft Employee2021-04-14T08:27:04+00:00 Adding right tags/teams to assist
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 70%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Nandeesh Swami-MSFT 1 Reputation point Microsoft Employee2021-04-14T16:13:00.967+00:00 Hey,
It looks like CA(Conditional Access) policy is blocking it. Please check sign in logs for an affected user in Azure AD. Look for a successful and a failed one. When you click on it, a window will open from the bottom up, there's a tab there that reads 'Conditional Access'. This should ideally give you some hints on CA policies. https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
-
Vernou 61 Reputation points
2021-04-19T07:39:50.823+00:00 Good point, I replaced MSDAL by ADAL tag (the example use the old library).
-
Vernou 61 Reputation points
2021-04-19T07:44:34.02+00:00 From Migrating applications to MSAL.NET, this post explain ADAL.NET is the old library and MSAL.NET is the new library.
I use the old ADAL.NET library.
Can ADL.NET library get access token by conditional access? -
Nandeesh Swami-MSFT 1 Reputation point Microsoft Employee
2021-04-25T17:37:51.957+00:00 If your question is that if conditional access applies to ADAL.NET, yes indeed. How ever the look out was for checking out sign in logs.
Sign in to comment