ImmutableID of the user missing when trying to acquire a token for MS Graph API (Windows auth)

Sora
2021-09-28T08:25:09.867+00:00

Hi,

I'm developing an API that uses the Microsoft Graph Client SDK to make multiple calls to a SharePoint site.

To authenticate the users making the calls to the API, I'm using the Integrated Windows Provider method, with this very simple code:

using Microsoft.Identity.Client;

// Public client for the tenant; both values come from the injected options object.
var clientApp = PublicClientApplicationBuilder
    .Create(_apiSettings.Value.AzureClientId)
    .WithTenantId(_apiSettings.Value.AzureTenantId)
    .Build();

// Integrated Windows Authentication for the configured Graph scope. Awaited instead of
// blocking on .Result, which can deadlock in ASP.NET and wraps MSAL errors in an AggregateException.
var token = await clientApp
    .AcquireTokenByIntegratedWindowsAuth(new[] { _apiSettings.Value.MicrosoftGraphApiScopeUrl })
    .ExecuteAsync();

When I call the method containing this code locally, it works flawlessly. But when I deploy the app to our test server and use NTLM authentication with the same user as locally, I get this error:

Microsoft.Identity.Client.MsalUiRequiredException: AADSTS90020: The SAML 1.1 Assertion is missing ImmutableID of the user.

When printing the content of the HttpContext.User, I see that the same user, connected to the same group, is used on both the "online" and the local version.

I already tried adding this header, but it does nothing:

using System.Collections.Generic;

// Attempted workaround: send a Prefer header requesting the ImmutableId identifier type
// along with the token request.
var immId = new Dictionary<string, string>
{
    ["Prefer"] = "IdType=\"ImmutableId\""
};

var token = await clientApp
    .AcquireTokenByIntegratedWindowsAuth(new[] { _apiSettings.Value.MicrosoftGraphApiScopeUrl })
    .WithExtraHttpHeaders(immId)
    .ExecuteAsync();

What can I do?

Thanks!

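Added example, not code from the original post, showing how a service would drive MSAL's Integrated Windows Authentication flow defensively for the scenario above: it awaits the acquisition instead of blocking on .Result, logs the Windows account the process runs as (IWA authenticates that account, not the HttpContext.User of the incoming web request, so a developer machine and an IIS app pool can behave differently), and catches MsalUiRequiredException and MsalServiceException to record the error code, classification and correlation ID that are needed when chasing an AADSTS error. The client ID, tenant, scope and the IwaTokenAcquirer class name are placeholders.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not the original poster's code. Client ID, tenant ID and scope
// are placeholders; substitute the values from your own configuration.
public static class IwaTokenAcquirer
{
    private const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder
    private const string TenantId = "contoso.onmicrosoft.com";              // placeholder
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static async Task<AuthenticationResult> AcquireAsync(CancellationToken ct = default)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithTenantId(TenantId)
            // MSAL's own log lines (realm discovery, WS-Trust, token endpoint) without PII.
            .WithLogging(
                (level, message, containsPii) => Console.Error.WriteLine($"[MSAL {level}] {message}"),
                LogLevel.Warning,
                enablePiiLogging: false)
            .Build();

        // IWA uses the Windows credentials of the account this process runs as (or
        // impersonates), not the identity of the HTTP caller. Log it so the developer
        // machine and the server can be compared when results differ.
        Console.Error.WriteLine($"Process identity: {WindowsIdentity.GetCurrent().Name}");

        try
        {
            // Awaited: no .Result, so MSAL exceptions arrive un-wrapped and the
            // request thread is not blocked.
            AuthenticationResult result = await app
                .AcquireTokenByIntegratedWindowsAuth(Scopes)
                .ExecuteAsync(ct)
                .ConfigureAwait(false);

            // The account the STS actually issued the token for.
            Console.Error.WriteLine($"Token issued to: {result.Account.Username}");
            return result;
        }
        catch (MsalUiRequiredException ex)
        {
            // AADSTS90020 surfaces as MsalUiRequiredException. ErrorCode, Classification
            // and CorrelationId are the fields to keep for troubleshooting.
            Console.Error.WriteLine(
                $"IWA failed: {ex.ErrorCode} ({ex.Classification}), correlation {ex.CorrelationId}");
            Console.Error.WriteLine(ex.Message);
            throw;
        }
        catch (MsalServiceException ex)
        {
            // Other STS-side failures: keep the HTTP status and correlation ID as well.
            Console.Error.WriteLine(
                $"STS error {ex.ErrorCode} (HTTP {ex.StatusCode}), correlation {ex.CorrelationId}");
            throw;
        }
    }
}
```

For a federated account, MSAL's IWA flow first performs realm discovery for the user's UPN, then obtains a SAML assertion from the federation provider over WS-Trust and exchanges it at the Microsoft Entra ID token endpoint; the assertion named in an AADSTS90020 message is that federation-provider assertion, so the logged process identity and the MSAL log lines above are what show which account and which federation path the server actually used.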