AADSTS76020: Azure Enterprise Application cannot sign in to Graph client while having a verification certificate configured for SSO

Antoine Gorin 0 Reputation points
2023-02-27T11:12:37.84+00:00

Hello,

I believe I have an issue with the Verification certificates preview feature in Azure Enterprise app SSO.

For context, I have an Azure enterprise application configured so Azure can act as an IdP for an authentication server of mine (acting like a Service Provider). But that authentication server must gather the group names of the users it signs in, so I must use the Graph API to recover the names from the IDs I received from Azure in the claims.

In order to do this, I configured SAML single sign-on on my Azure enterprise application and gave it User.Read.All and Groups.Read.All Graph API access.

In my authentication app, I authenticate my app to Graph using a certificate or a client secret.

To that point, everything works well.

The issue arises when I configure the Verification certificates in the SSO configuration of my Azure Enterprise application so that my SAML requests can be signed and verified. Then I can authenticate my user and the SAML exchanges run fine, but when my app tries to authenticate to Graph, I receive the following error:

AADSTS76020: Application configured to use only protocols with signed requests

I can't find any information about this error, not even here: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes.

What I don't understand here is why my SSO configuration impacts the Graph authentication process.

Am I missing some information? Should I configure two different apps (one for SSO, the other for Graph access)?

Thanks


1 answer

  1. Shivam Dhiman 5,946 Reputation points
    2023-03-23T08:21:30.2033333+00:00

    Hi @Antoine Gorin

    To resolve this issue, create an Azure AD application and grant it the API permissions Group.Read.All, User.Read and User.Read.All as delegated permissions.

    Get a delegated access token. Refer to this document for more details: https://learn.microsoft.com/en-us/graph/auth-v2-user#3-get-a-token
    Sample:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    grant_type:authorization_code
    code:code
    redirect_uri:https://jwt.ms
    client_secret:ClientSecret
    scope:https://graph.microsoft.com/.default
    

    Now use the access token you got from the above in the Graph API endpoint below:

    GET https://graph.microsoft.com/v1.0/users/UserID/memberOf
    

    Reference documentation: https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.

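As an added example (not code from the question, the answer or Microsoft), here is the flow the answer describes in Python: the authorization_code exchange with the parameters listed above, the error shape a failed exchange returns (an AADSTS message in error_description), and a memberOf call that follows paging and keeps only groups. Tenant, client, user IDs and group names are constructed placeholders, and the Graph transport is injectable so the sample runs offline.

```python
# Added example, not code from the question, the answer or Microsoft: the delegated
# authorization_code exchange and the /users/{id}/memberOf call the answer describes.
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MEMBER_OF_URL = "https://graph.microsoft.com/v1.0/users/{user_id}/memberOf"

def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri):
    """Return (url, form body) for the authorization_code exchange shown in the answer."""
    form = {"client_id": client_id, "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default"}
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form)

def access_token_from_response(token_response):
    """A failed exchange returns {"error": ..., "error_description": "AADSTS...: ..."}."""
    if "error" in token_response:
        raise RuntimeError(token_response.get("error_description", token_response["error"]))
    return token_response["access_token"]

def http_get_json(url, access_token):
    """Real transport: GET a Graph URL with the bearer token and decode the JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def list_group_names(user_id, access_token, get_json=http_get_json):
    """Follow @odata.nextLink pages and keep groups only (memberOf also lists directory roles)."""
    names, url = [], MEMBER_OF_URL.format(user_id=user_id)
    while url:
        page = get_json(url, access_token)
        names += [o["displayName"] for o in page.get("value", [])
                  if o.get("@odata.type") == "#microsoft.graph.group"]
        url = page.get("@odata.nextLink")
    return names

# Constructed sample pages (hypothetical user id and group names) so the paging logic runs offline.
_U = MEMBER_OF_URL.format(user_id="user-1")
SAMPLE_PAGES = {
    _U: {"value": [{"@odata.type": "#microsoft.graph.group", "displayName": "Admins"},
                   {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"}],
         "@odata.nextLink": _U + "?$skiptoken=page2"},
    _U + "?$skiptoken=page2": {"value": [{"@odata.type": "#microsoft.graph.group", "displayName": "Devs"}]},
}

def sample_get_json(url, access_token):  # offline stand-in for http_get_json
    return SAMPLE_PAGES[url]
```

Calling `list_group_names("user-1", "tok", get_json=sample_get_json)` returns `["Admins", "Devs"]`; with a real token and the default transport it performs the memberOf call from the answer.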