
AllanFernandes-2221 asked · 0 Votes

Correct Authentication method for Windows Service Application connecting to O365 accounts linked with AD

Hi,

I have an application consisting of both UI and Service EXEs that saves critical data files from the user's machine to his OneDrive cloud space. My application handles the authentication using Microsoft Graph and gets the required access token / refresh token by allowing the user to enter his credentials.

Now I have this prospective customer who may have over 500 users. He says the O365 logins are integrated with his domain's Active Directory and the passwords change every 15 days. It is not possible for users to enter all these passwords every 15 days.

Please advise what I should use; there is a lot of documentation on the Microsoft website and I am unable to pin down anything specific.

I have a free Microsoft developer account. Will I need to convert it to a paid one?


Regards
Allan

Tags: azure-ad-microsoft-account, azure-ad-passwordless-authentication

alfredorevilla-msft answered · 0 Votes

You might try authenticating as an application using the client credentials grant from your service exe. Users will still need to input their new password, but the application itself will be capable of authenticating without interruption to AAD/MS Graph.


Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.



>> Users will still need to input their new password
It is OK to ask the user to enter credentials the first time, but I cannot ask every 15 days.

The customer says all his other products are integrated with Active Directory and do not need user intervention.




0 Votes
AllanFernandes-2221 answered · 0 Votes

anonymous user-msft, the refresh tokens are discarded the moment the password is changed. Microsoft does it for security reasons.

Please tell me how to integrate with AD.


alfredorevilla-msft answered · 0 Votes

As initially suggested, you can use the client credentials flow to keep getting access tokens silently using a certificate, a secret or a refresh token, without any user intervention. Your problem might be the session lifetime for your UI application, which does not rely on access or refresh tokens but on session tokens. The lifetime of the latter can be managed using Conditional Access sign-in frequency. Please expand more on your application architecture and authentication flow to get a better idea of what issues you are facing.


Thank you for the support. Truly appreciated.
Application architecture: both my Server Module and Client Modules are native Windows applications (with a Service Module and a UI Module running on all the machines of my customer). On the server machine, my customer's user authenticates the OneDrive account via the UI module using Microsoft Graph, and I get the access token and refresh token. I save only the refresh token in my database. The next day I use the refresh token to get the access token and connect. At the same time I save the refresh token again so that it is renewed once a day.

To test, I changed my OneDrive account password and immediately the saved refresh token was rendered useless.
Regarding the client credentials flow, if I have understood it correctly the onus of data and compliance comes upon my tenant and my Microsoft account; I would rather each customer hold his own responsibilities.

0 Votes
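The comment above describes saving the raw refresh token in a database and re-using it daily. A refresh token is a long-lived credential, so the safer pattern for a native Windows app is to let MSAL.NET own it inside its token cache and persist that cache encrypted with Windows DPAPI, so the database never holds a usable token. The following is an example added here, not code from the thread or from Microsoft; it assumes the Microsoft.Identity.Client and System.Security.Cryptography.ProtectedData packages on .NET Core 3.0 or later, and the client ID, tenant ID and cache path are placeholders.

```csharp
// Added example: persist MSAL.NET's token cache under DPAPI instead of storing a
// raw refresh token. Assumes Microsoft.Identity.Client and
// System.Security.Cryptography.ProtectedData (placeholder IDs and path below).
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.Identity.Client;

public static class ProtectedTokenCache
{
    // Wire MSAL's cache callbacks to an encrypted file. MSAL keeps the refresh
    // token inside the serialized cache; application code never touches it.
    public static void Attach(ITokenCache cache, string cachePath, DataProtectionScope scope)
    {
        cache.SetBeforeAccess(args =>
        {
            if (!File.Exists(cachePath)) return;             // first run: empty cache
            byte[] protectedBytes = File.ReadAllBytes(cachePath);
            byte[] plain = ProtectedData.Unprotect(protectedBytes, optionalEntropy: null, scope);
            args.TokenCache.DeserializeMsalV3(plain);
        });

        cache.SetAfterAccess(args =>
        {
            if (!args.HasStateChanged) return;                 // nothing new to persist
            byte[] plain = args.TokenCache.SerializeMsalV3();
            byte[] protectedBytes = ProtectedData.Protect(plain, optionalEntropy: null, scope);
            // Write to a temp file and move it into place so a crash never leaves
            // a truncated cache behind.
            string tmp = cachePath + ".tmp";
            File.WriteAllBytes(tmp, protectedBytes);
            File.Move(tmp, cachePath, overwrite: true);
        });
    }

    // Build a public client whose cache lives in the encrypted file.
    // For a Windows service running under a dedicated account, CurrentUser scope
    // binds the file to that service account; LocalMachine binds it to the host.
    public static IPublicClientApplication CreateClient(string clientId, string tenantId, string cachePath)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();
        Attach(app.UserTokenCache, cachePath, DataProtectionScope.CurrentUser);
        return app;
    }
}

// Usage (placeholders):
// var app = ProtectedTokenCache.CreateClient("<client-id>", "<tenant-id>",
//     Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
//                  "MyApp", "msal.cache"));
```

Note that this does not change the behaviour the comment observed: when the user's password changes, Azure AD still rejects the cached refresh token, and MSAL surfaces that as an MsalUiRequiredException from AcquireTokenSilent. The cache only removes the need to handle and store the token yourself.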

Hello @AllanFernandes-2221, it's correct that application (client) credentials permissions are considered highly privileged; however, you can control the degree of access from your service business logic. Since the passwords are going to change, and thus refresh tokens obtained using standard flows such as authorization code or ROPC will get invalidated, you might try using Integrated Windows Authentication with MSAL.


0 Votes

Thanks Alfred this should be my solution. Wishing you a safe and blessed 2021

0 Votes
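The two flows recommended in this thread, written out as an example added here (not code from the thread or from Microsoft): the service exe authenticates as the application with a certificate using the client credentials grant, and the UI module on a domain-joined machine tries the cache silently first and falls back to Integrated Windows Authentication when the cached refresh token has been invalidated by a password change. It assumes MSAL.NET (Microsoft.Identity.Client); the client ID, tenant ID, certificate thumbprint, Graph paths and scope names are placeholders. MSAL's IWA flow is for federated (AD-backed) users, which matches the customer setup described in the question, and the app registration must allow public client flows for the UI part.

```csharp
// Added example: client credentials (service) and Integrated Windows Auth (UI)
// with MSAL.NET. All IDs, thumbprints and Graph paths are placeholders.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphAuth
{
    static readonly string[] AppScopes  = { "https://graph.microsoft.com/.default" };
    static readonly string[] UserScopes = { "Files.ReadWrite" };   // assumed delegated scope

    // Service side: client credentials with a certificate from the machine store.
    // No user password is involved, so a user's password change cannot invalidate
    // this credential; the only thing to rotate is the certificate itself.
    public static async Task<string> AcquireAppTokenAsync(string clientId, string tenantId, string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2 cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true)
            .OfType<X509Certificate2>()
            .FirstOrDefault()
            ?? throw new InvalidOperationException("service certificate not found");

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(cert)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        AuthenticationResult result = await app.AcquireTokenForClient(AppScopes).ExecuteAsync();
        return result.AccessToken;
    }

    // UI side on a domain-joined machine: silent first (cached refresh token),
    // then IWA. After a password change the cached refresh token is rejected;
    // IWA re-authenticates with the signed-in user's Kerberos ticket, so the user
    // is not prompted every 15 days.
    public static async Task<AuthenticationResult> AcquireUserTokenAsync(string clientId, string tenantId)
    {
        IPublicClientApplication pca = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        IAccount account = (await pca.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await pca.AcquireTokenSilent(UserScopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Refresh token no longer valid (for example, password changed):
                // fall through to IWA rather than prompting the user.
            }
        }
        return await pca.AcquireTokenByIntegratedWindowsAuth(UserScopes).ExecuteAsync();
    }

    // Call Graph with whichever token was obtained. With an app token use a
    // user-addressed path such as /users/{id}/drive; with a user token /me/drive.
    public static async Task<string> GetJsonAsync(string accessToken, string relativePath)
    {
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return await http.GetStringAsync("https://graph.microsoft.com/v1.0/" + relativePath);
    }
}
```

Two practical points follow from the thread. The client credentials path keeps working through password changes precisely because it is not tied to any user, which is also why the answer calls its permissions highly privileged: grant the application only the Graph application permissions it needs, and scope its business logic to the users it should serve. The IWA path needs consent to be granted in advance (typically by the customer's admin for the whole tenant), because the flow has no UI in which a user could consent.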