question

0 Votes
Sora-8410 asked, Deva-MSFT edited

ImmutableID of the user missing when trying to acquire a token for MS Graph API (Windows auth)

Hi,

I'm developing an API that uses the Microsoft Graph Client SDK to make multiple calls to a SharePoint site.

To authenticate the users making the calls to the API, I'm using the Integrated Windows Provider method, with this very simple code:

 using Microsoft.Identity.Client;   // MSAL.NET

 // Public client for a single tenant; client ID and tenant ID come from the app settings
 var clientApp = PublicClientApplicationBuilder
     .Create(_apiSettings.Value.AzureClientId)
     .WithTenantId(_apiSettings.Value.AzureTenantId)
     .Build();

 // Integrated Windows Authentication for the requested Graph scope;
 // .Result blocks the calling thread until the token endpoint replies
 var token = clientApp.AcquireTokenByIntegratedWindowsAuth(new string[] { _apiSettings.Value.MicrosoftGraphApiScopeUrl })
     .ExecuteAsync().Result;


When calling the method containing this code locally, it works flawlessly. But when I deploy the app to our test server and use NTLM authentication with the same user as locally, I get this error:

Microsoft.Identity.Client.MsalUiRequiredException: AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user.

When printing the content of the HttpContext.User, I see that the same user, connected to the same group, is used on both the "online" and the local version.

I already tried adding this header, but it's not doing anything:

 using System.Collections.Generic;
 using Microsoft.Identity.Client;

 // Extra HTTP header sent with the token request
 var immId = new Dictionary<string, string>();
 immId.Add("Prefer", "IdType=\"ImmutableId\"");

 var token = clientApp.AcquireTokenByIntegratedWindowsAuth(new string[] { _apiSettings.Value.MicrosoftGraphApiScopeUrl })
     .WithExtraHttpHeaders(immId)
     .ExecuteAsync().Result;

What can I do?

Thanks!


Tags: dotnet-csharp, azure-active-directory, azure-ad-authentication, azure-ad-saml-sso, azure-ad-msal
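Added example (editor's code, not the asker's and not from the MSAL.NET project): a wrapper around the same Integrated Windows Authentication call that is written for troubleshooting a failure like the AADSTS90020 above. It awaits the call instead of blocking on `.Result`, records the Windows identity the process is actually running under (MSAL's IWA flow authenticates the process's logged-on Windows user, or the UPN given via `WithUsername`, not `HttpContext.User`, which is why a server deployment can differ from a local run even when the web request carries the same user), and captures the MSAL error code and correlation ID for the tenant administrator without ever logging the access token. Note that `Prefer: IdType="ImmutableId"` is a Microsoft Graph request header, so sending it to the token endpoint has no effect on the assertion Azure AD receives from the federation server. The class name `GraphTokenProvider`, the `TokenResult` record and the constructor parameters are assumptions for this example; `PublicClientApplicationBuilder`, `AcquireTokenByIntegratedWindowsAuth`, `MsalUiRequiredException`, `MsalServiceException`, `ErrorCode` and `CorrelationId` are real MSAL.NET APIs.

```csharp
using System;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Outcome of one token acquisition. The access token is kept in memory only;
// it is never written to a log by this example.
public sealed record TokenResult(
    bool Succeeded,
    string AccessToken,       // null on failure
    string Account,           // UPN reported by the token endpoint, null on failure
    string ProcessIdentity,   // Windows identity the IWA flow actually used
    string ErrorCode,         // e.g. "invalid_grant"; null on success
    string ErrorMessage,      // contains the AADSTS code; null on success
    Guid CorrelationId)       // quote this when opening a ticket with the tenant admins
{
    public static TokenResult Ok(string token, string account, string processIdentity) =>
        new(true, token, account, processIdentity, null, null, Guid.Empty);

    public static TokenResult Fail(MsalException ex, string processIdentity) =>
        new(false, null, null, processIdentity, ex.ErrorCode, ex.Message,
            Guid.TryParse(ex.CorrelationId, out var id) ? id : Guid.Empty);

    // Safe to log: no token material, only identifiers useful for diagnosis.
    public override string ToString() => Succeeded
        ? $"ok account={Account} processIdentity={ProcessIdentity}"
        : $"failed code={ErrorCode} correlationId={CorrelationId} " +
          $"processIdentity={ProcessIdentity} message={ErrorMessage}";
}

// Hypothetical wrapper (editor's example, not part of the asker's API).
public sealed class GraphTokenProvider
{
    private readonly IPublicClientApplication _app;
    private readonly string[] _scopes;

    public GraphTokenProvider(string clientId, string tenantId, string graphScope)
    {
        // Same public-client configuration as the question: single tenant, no client secret.
        _app = PublicClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)
            .Build();
        _scopes = new[] { graphScope };
    }

    public async Task<TokenResult> AcquireAsync()
    {
        // IWA signs in the Windows account this process runs as. On a web server that is
        // usually the application-pool or service account unless impersonation is in effect,
        // so record it explicitly instead of assuming it matches HttpContext.User.
        var processIdentity = WindowsIdentity.GetCurrent().Name;

        try
        {
            // await rather than .Result: blocking on a Task inside an ASP.NET request
            // can deadlock on the synchronization context.
            AuthenticationResult result = await _app
                .AcquireTokenByIntegratedWindowsAuth(_scopes)
                .ExecuteAsync()
                .ConfigureAwait(false);

            return TokenResult.Ok(result.AccessToken, result.Account?.Username, processIdentity);
        }
        catch (MsalUiRequiredException ex)
        {
            // Thrown when the silent/IWA flow cannot complete (the AADSTS90020 case in the
            // question lands here). Interactive sign-in is not an option for an API, so
            // surface the diagnostics to the caller instead of retrying.
            return TokenResult.Fail(ex, processIdentity);
        }
        catch (MsalServiceException ex)
        {
            // Token endpoint answered with an error other than "UI required".
            return TokenResult.Fail(ex, processIdentity);
        }
    }
}

// Usage sketch (values are placeholders):
//   var provider = new GraphTokenProvider("<client-id>", "<tenant-id>",
//                                         "https://graph.microsoft.com/.default");
//   var outcome = await provider.AcquireAsync();
//   logger.LogInformation("Graph token acquisition: {Outcome}", outcome.ToString());
```

Comparing the `ProcessIdentity` value logged locally with the one logged on the test server is the first thing to check: if they differ, the federation server is being asked about a different account than the one seen in `HttpContext.User`. The correlation ID and error code are what the identity team needs to look up the request on their side; the access token itself should stay out of every log.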

0 Answers