Azure AD AcquireToken does not work with app password


Problem description

I'm trying to verify a user's password in Azure AD using the .NET ADAL library. This works fine for a regular user account without MFA, but I ran into problems doing this for a user who has MFA activated.

When using the user's actual password, I got AADSTS50076: Application password is required., which is fair enough, but when I then created a new app password, I received the error AADSTS70002: Error validating credentials. AADSTS50020: Invalid username or password. I've created multiple app passwords, but none of them work.

The code used to attempt authentication is as follows:

using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Resource-owner password flow against the tenant's authority: username and password go straight to Azure AD
var ac = new AuthenticationContext("https://login.windows.net/my-tenant.com");
var authResult = ac.AcquireToken("https://graph.windows.net", "my-client-id", new UserCredential("my.account@my-tenant.com", "my-password"));

The user that is trying to authenticate is a Global Admin in this AD.

Is it even possible to do authentication like this for a user with MFA?

Recommended answer

So, to answer my own question somewhat, I resorted to doing the following (cleaned up for brevity):

using System;
using System.Linq;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class AzureAdAuthenticationProvider
{
    // AADSTS50076: the password was accepted, but an app password / MFA is still required
    private const string AppPasswordRequiredErrorCode = "50076";
    private const string AuthorityFormatString = "https://login.windows.net/{0}";
    private const string GraphResource = "https://graph.windows.net";

    private readonly AuthenticationContext _authContext;
    private readonly string _clientId;

    public AzureAdAuthenticationProvider()
    {
        var tenantId = "..."; // Get from configuration
        _clientId = "...";    // Get from configuration

        _authContext = new AuthenticationContext(string.Format(AuthorityFormatString, tenantId));
    }

    public bool Authenticate(string user, string pass)
    {
        try
        {
            // Resource-owner password flow: a token is only issued if the password is correct
            _authContext.AcquireToken(GraphResource, _clientId, new UserCredential(user, pass));

            return true;
        }
        catch (AdalServiceException ase)
        {
            // Guard against a missing error-code array; All() on null would throw from inside the catch
            if (ase.ServiceErrorCodes == null || ase.ServiceErrorCodes.Length == 0)
            {
                return false;
            }

            // Treat "app password required" as proof that the password itself was correct,
            // but only when it is the sole error code reported
            return ase.ServiceErrorCodes.All(sec => sec == AppPasswordRequiredErrorCode);
        }
        catch (Exception)
        {
            return false; // Probably needs proper handling
        }
    }
}

It's not pretty, but it does the job.

By using ServiceErrorCodes.All(), I ensure that authentication only counts as succeeded when a single AppPasswordRequired error occurs.

The only disadvantage to this method is that a user with MFA enabled has to use their actual account password to log in. Using an app password does not seem to be supported.
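The decision rule in the answer above, worked through on the raw OAuth2 token-endpoint response instead of through ADAL. This is an added example, not code from the original post: ADAL's ServiceErrorCodes is populated from the token endpoint's error_codes array, so the same "only 50076, and nothing else" rule can be applied to the JSON body directly. The three sample responses are constructed for the example and follow the field names Azure AD uses for token errors (error, error_description, error_codes); they are not captured from a real tenant.

```python
"""Classify Azure AD token-endpoint responses the way the answer's
Authenticate() does, but on the raw JSON body rather than via ADAL."""
import json
import re

# AADSTS code meaning "password accepted, but an app password / MFA is
# still required". This is the code the answer keys on.
APP_PASSWORD_REQUIRED = 50076

# Constructed sample responses (not captured from a real tenant).
SAMPLE_OK = '{"token_type":"Bearer","access_token":"eyJ0eXAi...","expires_in":"3599"}'
SAMPLE_MFA = ('{"error":"interaction_required",'
              '"error_description":"AADSTS50076: ... you must use multi-factor authentication ...",'
              '"error_codes":[50076]}')
SAMPLE_BAD = ('{"error":"invalid_grant",'
              '"error_description":"AADSTS70002: Error validating credentials. '
              'AADSTS50020: Invalid username or password.",'
              '"error_codes":[70002,50020]}')


def extract_codes(data: dict) -> list:
    """Prefer the structured error_codes array; fall back to parsing the
    AADSTSnnnnn prefixes out of error_description when the array is absent."""
    codes = data.get("error_codes")
    if codes:
        return [int(c) for c in codes]
    return [int(c) for c in re.findall(r"AADSTS(\d+)", data.get("error_description", ""))]


def classify_codes(codes: list) -> str:
    """The answer's ServiceErrorCodes.All() rule made explicit: the password
    only counts as verified when 50076 is the *sole* code reported.
    Enumerable.All() and Python's all() both return true for an empty
    sequence, so an empty list is explicitly treated as a rejection."""
    if codes and all(c == APP_PASSWORD_REQUIRED for c in codes):
        return "password_ok_mfa_required"
    return "rejected"


def classify_response(body: str) -> str:
    """Map a token-endpoint body to one of three verdicts:
    authenticated / password_ok_mfa_required / rejected."""
    data = json.loads(body)
    if "access_token" in data:
        return "authenticated"
    return classify_codes(extract_codes(data))


if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("mfa", SAMPLE_MFA), ("bad", SAMPLE_BAD)]:
        print(name, classify_response(body))
```

Two points about the design. First, the example returns a distinct verdict, password_ok_mfa_required, rather than collapsing it into true: the response proves only that the first factor was correct, and a caller that needs the user's second factor must not treat that verdict as a completed sign-in. Second, the non-empty check matters because an AdalServiceException (or an error body) with no error codes would otherwise satisfy All() and be reported as success.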
