Azure AD and Azure Functions authentication 401 problems with access tokens

This is a very annoying problem, because most documentation describing Azure AD user authentication is not clear about using access tokens to authenticate a user.

If you follow the examples on the Microsoft pages below you will be doing all the right things, but if you intend to authenticate with an access token you will likely get a 401 even when you pass a valid access token, especially if you are using Postman.

https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

This happens because you are using the wrong version of the Azure AD OAuth 2.0 endpoint URLs: a token issued by the v1.0 endpoints is not accepted by the Function App's authentication, so you get a 401 even though the token itself is valid.

The fix is to use the v2.0 login URLs and the v2.0 scope format:

Auth URL:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

Access Token URL:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

Scope:

{clientId}/.default

I finally found the fix on Stack Overflow after a lot of searching. It's hard to find the exact documentation that you need: https://stackoverflow.com/questions/57496143/azure-functions-returns-401-unauthorized-only-with-postman
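To tell quickly whether a token you are about to send was issued by the v1.0 or the v2.0 endpoint, the following diagnostic decodes the token's claims (without verifying the signature) and reports the version, issuer and audience mismatches that lead to the 401 above. This is an added example, not code from the original post; it assumes the tenant id and client id you pass in are the ones the Function App's authentication settings expect, and the audience rule (client id for `{clientId}/.default`, App ID URI for `api://{clientId}/.default`) is an assumption.

```python
# Added diagnostic, not part of the original post. Decodes an Azure AD access token
# WITHOUT verifying its signature and reports v1.0/v2.0 mismatches. The Function App
# itself must still verify signature, issuer, audience and expiry on every request.
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, tenant: str, client_id: str, now: Optional[int] = None) -> dict:
    """Explain why Azure AD / App Service authentication would reject this token."""
    claims = decode_jwt_claims(token)
    now = int(time.time()) if now is None else now
    ver, iss, aud = claims.get("ver"), claims.get("iss"), claims.get("aud")
    problems = []
    # v1.0 tokens carry ver "1.0" and an sts.windows.net issuer; v2.0 tokens carry
    # ver "2.0" and a login.microsoftonline.com/{tenant}/v2.0 issuer
    if ver != "2.0":
        problems.append(f"ver={ver!r}: request the token from /oauth2/v2.0/token "
                        f"with scope {client_id}/.default")
    if iss != f"https://login.microsoftonline.com/{tenant}/v2.0":
        problems.append(f"iss={iss!r} is not the v2.0 issuer for tenant {tenant}")
    # Assumption: with scope {clientId}/.default the audience is the client id itself,
    # with api://{clientId}/.default it is the App ID URI; both are accepted here
    if aud not in (client_id, f"api://{client_id}"):
        problems.append(f"aud={aud!r} does not match client id {client_id}")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token is expired")
    return {"ver": ver, "iss": iss, "aud": aud, "problems": problems}


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned sample token for offline testing only."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # constructed placeholder ids, not real tenant or application values
    tenant, client_id = "contoso-tenant-id", "11111111-2222-3333-4444-555555555555"
    v1 = make_sample_token({"ver": "1.0", "iss": f"https://sts.windows.net/{tenant}/",
                            "aud": f"api://{client_id}", "exp": 4102444800})
    v2 = make_sample_token({"ver": "2.0", "iss": f"https://login.microsoftonline.com/{tenant}/v2.0",
                            "aud": client_id, "exp": 4102444800})
    for name, tok in (("v1.0 token", v1), ("v2.0 token", v2)):
        print(name, json.dumps(diagnose_token(tok, tenant, client_id), indent=2))
```

Paste a real token in place of the constructed samples to see which of the three checks fails; a v1.0 token will fail the `ver` and `iss` checks even though it is otherwise valid.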

In Postman, on the Authorization tab of your request, you can ask Azure AD to generate a new access token for you:

Mac OS X and Active Directory login problems

I've recently had problems with my AD login on my MacBook Pro 2017 after I had to change my password and rebooted my MacBook.

I encountered the following problems:

  1. I had to enter my credentials twice
  2. My password had not changed to the one in AD
  3. Mac OS kept telling me that the network account was not accessible

Fix:

  1. This problem is likely caused by FileVault having the old password; after running the following command I had to enter only one password: sudo diskutil apfs updatePreboot /
  2. With this problem I had to unbind and bind my Mac OS to AD using the Directory Utility and the Active Directory option in the Services tab. You will probably need your system admin's help.
  3. This is related to the previous problem. The fix for this was to go back to my office, use an Ethernet dongle and do the actions in Step 2.

Hope this helps someone. Good luck with this one, it's annoying.

Fix deleted AD users from SharePoint

This is a small PowerShell script that fixes issues with removed SharePoint users. You may encounter problems if you remove an AD user and later re-create it with the same AD login name, because SharePoint still holds the old user entry. In such cases this script might help with the resulting SharePoint issues. If it does not help, try removing the user profile, running a full user profile synchronization and then running the script again.


# Load the SharePoint snap-in when run from a plain PowerShell console
if ((Get-PSSnapin 'Microsoft.SharePoint.PowerShell' -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin 'Microsoft.SharePoint.PowerShell'
}

# Placeholders: replace with your site collection URL, AD domain name and a part of the affected login name
$siteUrl         = "http://portal.spdev.com"
$adDomainName    = "AD domain name"
$loginNameFilter = "part of your login name"

$sites = Get-SPSite $siteUrl

foreach ($site in $sites) {
    $groups = $site.RootWeb.SiteGroups
    foreach ($group in $groups) {
        # Iterate over a copy of the collection, because RemoveUser modifies it
        foreach ($user in @($group.Users)) {
            # Skip the All Authenticated Users and Windows claims pseudo-accounts
            if ($user.UserLogin -eq "c:0(.s|true" -or $user.UserLogin -eq "c:0!.s|windows") {
                continue
            }
            if ($user.IsDomainGroup) {
                # Skip security groups; only individual accounts are affected
                continue
            }
            if ($user.UserLogin.Contains($adDomainName)) {
                if ($user.UserLogin.Contains($loginNameFilter)) {
                    Write-Host "User found:" $user.UserLogin
                    # Remove the stale user from the group and from the site collection's user list
                    $group.RemoveUser($user)
                    $site.RootWeb.SiteUsers.Remove($user.UserLogin)
                }
                else {
                    Write-Host $user.UserLogin
                }
            }
        }
    }
    $site.Dispose()
}

How to change SharePoint AD group names after the group name has changed in Active Directory

This is simple really. The code goes through each site collection, identifies groups coming from AD, retrieves the same group from Active Directory using its SID and updates the SharePoint group name based on the value in Active Directory.

param (
    [string]$SPSiteFilter = "Your application URL",
    [string]$SPADLoginNamePrefix = "c:0+.w|",
    [bool]$UseSAMAccountName = $true
)

if ((Get-PSSnapin 'Microsoft.SharePoint.PowerShell' -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin 'Microsoft.SharePoint.PowerShell'
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Write-Host "ActiveDirectory Module exists"
} else {
    Write-Host "ActiveDirectory Module does not exist. This script requires this module. Please check that the module is installed."
    Write-Host "To install the module through PowerShell you can use the following command:"
    Write-Host "Add-WindowsFeature RSAT-AD-PowerShell"
    return
}

Import-Module ActiveDirectory

$spWebApp = Get-SPWebApplication $SPSiteFilter
foreach ($site in $spWebApp.Sites) {
    Write-Host "Site: $($site.Url)"
    # The SPADLoginNamePrefix (claims prefix of a Windows security group) identifies an AD group;
    # stripping it from the login name leaves the group's SID
    $site.RootWeb.SiteUsers |
        Where-Object { $_.IsDomainGroup -and $_.UserLogin.ToString().Contains($SPADLoginNamePrefix) } |
        ForEach-Object {
            $groupSid = $_.UserLogin.ToString().Replace($SPADLoginNamePrefix, "")

            # Look the group up in AD by SID to get its current name; skip it if it no longer exists
            try {
                $adAccount = Get-ADGroup -Identity $groupSid -ErrorAction Stop
            } catch {
                Write-Warning "No AD group found for SID $groupSid (SharePoint name: $($_.DisplayName))"
                return   # inside ForEach-Object, return moves on to the next item
            }

            # Use either the SamAccountName or the Name from AD as the new SharePoint name
            if ($UseSAMAccountName) {
                $newSPAccountDisplayName = $adAccount.SamAccountName
            } else {
                $newSPAccountDisplayName = $adAccount.Name
            }

            if ($_.DisplayName -ne $newSPAccountDisplayName -or $_.Name -ne $newSPAccountDisplayName) {
                Write-Host "Changed SharePoint AD Group: $($_.DisplayName) to: $($newSPAccountDisplayName)"
                $_.DisplayName = $newSPAccountDisplayName
                $_.Name = $newSPAccountDisplayName
                $_.Update()
            } else {
                Write-Host "SharePoint AD Group name: $($_.DisplayName) is the same as in AD: $($newSPAccountDisplayName)"
            }
            $adAccount = $null
        }
    $site.Dispose()
}

C# .NET Getting Windows Directory File Permissions programmatically

Hi,

 

A while back I needed to security-trim files in a Windows file system based on search results returned by SharePoint search. Since SharePoint 2010 search indexing does not take file system rights into account, the results had to be trimmed based on the privileges the user has in Active Directory and the rights granted on the file itself.

There were a lot of moving parts and it was hard to find out which classes and functions were needed for this specific task, so I was glad to finally find a source with a great sample of how to do this:

http://www.conarc.com/blog/2010/03/25/programmatically-getting-effective-directoryfile-permissions/

Unfortunately the source above no longer exists. So for those who need similar functionality in code, here is the sample code from the link above and the classes you need.

In the code below, call the following static function to get the rights a user effectively has on a file or directory:

FileSystemRights rights = FileSystemEffectiveRights.GetRights(username, filelocation);

Then call the following extension method to test the effective rights against the rights you want the user to have on the file system:

bool canReadExecute = rights.HasRights(FileSystemRights.ReadAndExecute);

 

Classes and enumerations needed for this functionality (there are many moving parts here and you may have to work with both Active Directory and the file system to test this code):

FileSystemRights Enumeration

FileSystemAccessRule Class

AccessControlType Enumeration

AuthorizationRuleCollection Class

SecurityIdentifier Class

FileInfo Class

PrincipalContext Class

UserPrincipal Class

PrincipalSearcher Class

WindowsIdentity Class

 

Sample code – http://www.conarc.com/blog/2010/03/25/programmatically-getting-effective-directoryfile-permissions/ :

using System;
using System.DirectoryServices.AccountManagement;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

public static class FileSystemRightsEx
{
    // True only when every bit of testRights is present in rights
    public static bool HasRights(this FileSystemRights rights, FileSystemRights testRights)
    {
        return (rights & testRights) == testRights;
    }
}

public static class FileSystemEffectiveRights
{
    public static FileSystemRights GetRights(string userName, string path)
    {
        if (string.IsNullOrEmpty(userName))
        {
            throw new ArgumentException("UserName not defined!");
        }

        //if (!Directory.Exists(path) && !File.Exists(path))
        //{
        //    throw new ArgumentException(string.Format("path: {0}", path));
        //}

        return GetEffectiveRights(userName, path);
    }

    private static FileSystemRights GetEffectiveRights(string userName, string path)
    {
        FileSystemAccessRule[] accessRules = GetAccessRulesArray(userName, path);
        FileSystemRights denyRights = 0;
        FileSystemRights allowRights = 0;

        // merge the allow and deny ACEs that apply to the user or to any of its groups
        for (int index = 0, total = accessRules.Length; index < total; index++)
        {
            FileSystemAccessRule rule = accessRules[index];

            if (rule.AccessControlType == AccessControlType.Deny)
            {
                denyRights |= rule.FileSystemRights;
            }
            else
            {
                allowRights |= rule.FileSystemRights;
            }
        }

        // a deny ACE wins over an allow ACE: clear every denied bit from the allowed set
        return (allowRights | denyRights) ^ denyRights;
    }

    private static FileSystemAccessRule[] GetAccessRulesArray(string userName, string path)
    {
        // get all access rules for the path - this works for a directory path as well as a file path;
        // identities are requested as SIDs so they can be compared with the user's SID list
        AuthorizationRuleCollection authorizationRules =
            (new FileInfo(path)).GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier));

        // get the user's sids
        string[] sids = GetSecurityIdentifierArray(userName);

        // get the access rules filtered by the user's sids
        return (from rule in authorizationRules.Cast<FileSystemAccessRule>()
                where sids.Contains(rule.IdentityReference.Value)
                select rule).ToArray();
    }

    private static string[] GetSecurityIdentifierArray(string userName)
    {
        // connect to the domain
        PrincipalContext pc = new PrincipalContext(ContextType.Domain);

        // search for the domain user
        UserPrincipal user = new UserPrincipal(pc) { SamAccountName = userName };
        PrincipalSearcher searcher = new PrincipalSearcher { QueryFilter = user };
        user = searcher.FindOne() as UserPrincipal;

        if (user == null)
        {
            throw new ApplicationException(string.Format("Invalid User Name: {0}", userName));
        }

        // use WindowsIdentity (S4U logon by UPN, no password needed) to get the user's groups
        WindowsIdentity windowsIdentity = new WindowsIdentity(user.UserPrincipalName);
        string[] sids = new string[windowsIdentity.Groups.Count + 1];

        // slot 0 holds the user's own SID, slots 1..Count hold every group SID
        sids[0] = windowsIdentity.User.Value;

        for (int index = 0, total = windowsIdentity.Groups.Count; index < total; index++)
        {
            sids[index + 1] = windowsIdentity.Groups[index].Value;
        }

        return sids;
    }
}

Good to Know: Windows Server 2012 – Part 4

Hi, this is part four of my resource list for Windows Server 2012 (and older versions too):

Add-DnsServerDirectoryPartition http://technet.microsoft.com/en-us/library/jj649942(v=wps.620).aspx
Add-DnsServerPrimaryZone http://technet.microsoft.com/en-us/library/jj649876(v=wps.620).aspx
Adding a Reverse Lookup Zone http://technet.microsoft.com/en-us/library/cc961414.aspx
Add-PswaAuthorizationRule http://technet.microsoft.com/en-us/library/jj592890(v=wps.620).aspx
Add-VMRemoteFx3dVideoAdapter http://technet.microsoft.com/en-us/library/hh848520(v=wps.620).aspx
Authorize a DHCP server in Active Directory http://technet.microsoft.com/en-us/library/cc759688(v=ws.10).aspx
Block Inheritance http://technet.microsoft.com/en-us/library/cc731076.aspx
Configure a Server Core Server with Sconfig.cmd http://technet.microsoft.com/en-us/library/jj647766.aspx
Configure Memory and Processors http://technet.microsoft.com/en-us/library/cc742470.aspx
Delegate Control of an Organizational Unit http://technet.microsoft.com/en-us/library/cc732524.aspx
Deploy Clustered Storage Spaces http://technet.microsoft.com/en-us/library/jj822937.aspx 
Deploying a GlobalNames Zone http://technet.microsoft.com/en-us/library/cc731744.aspx
Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide http://technet.microsoft.com/en-us/library/ff817586(v=ws.10).aspx
Deploying Network Load Balancing (NLB) and Virtual Machines on Windows Server 2008 R2 http://blogs.msdn.com/b/clustering/archive/2010/07/01/10033544.aspx
Deployment Image Servicing and Management Command-Line Options http://technet.microsoft.com/en-us/library/dd744382(v=ws.10).aspx
Dsadd http://technet.microsoft.com/en-us/library/cc753708(v=ws.10).aspx
Enable-VMRemoteFXPhysicalVideoAdapter http://technet.microsoft.com/en-us/library/hh848506(v=wps.620).aspx
Enforce a Group Policy Object Link http://technet.microsoft.com/en-us/library/cc753909.aspx
Evaluation Versions and Upgrade Options for Windows Server 2012 http://technet.microsoft.com/en-us/library/jj574204.aspx
Get-DnsServerDiagnostics http://technet.microsoft.com/en-us/library/jj649883(v=wps.620).aspx
Grant a Member the Right to Logon Locally http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
How to remove data in Active Directory after an unsuccessful domain controller demotion http://support.microsoft.com/kb/216498
How User Account Control Works http://technet.microsoft.com/en-us/library/jj574202.aspx
Hyper-V Dynamic Memory Configuration Guide http://technet.microsoft.com/en-us/library/ff817651(v=ws.10).aspx
Hyper-V Virtual Switch Explained, Part 2 http://www.altaro.com/hyper-v/hyper-v-virtual-switch-explained-part-2/ 
Hyper-V Virtual Switch Overview http://technet.microsoft.com/en-us/library/hh831823.aspx
ImageX Command-Line Options http://technet.microsoft.com/en-us/library/cc749447(v=ws.10).aspx
Install-PswaWebApplication http://technet.microsoft.com/en-us/library/jj592894(v=wps.620).aspx
Install-RemoteAccess http://technet.microsoft.com/en-us/library/hh918408(v=wps.620).aspx
Internet Protocol Version 6 Address Space http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
Link a Group Policy Object http://technet.microsoft.com/en-us/library/cc732979.aspx
Loopback processing with merge or replace http://technet.microsoft.com/en-us/library/cc782810(v=ws.10).aspx
Manage Multiple, Remote Servers with Server Manager http://technet.microsoft.com/en-us/library/hh831456.aspx
Managing a Server Core installation: Overview http://technet.microsoft.com/en-us/library/ee441255(v=ws.10).aspx
Migrate Print and Document Services to Windows Server 2012 http://technet.microsoft.com/en-us/library/jj134150.aspx
Operations master roles http://technet.microsoft.com/en-us/library/cc773108(v=ws.10).aspx
Print and Document Services Overview http://technet.microsoft.com/en-us/library/hh831468.aspx
Remote Desktop Gateway Manager http://technet.microsoft.com/en-us/library/cc725706.aspx
Remove-ADComputer http://technet.microsoft.com/en-us/library/ee617250.aspx
Remove-WindowsFeature http://technet.microsoft.com/en-us/library/ee662310.aspx
Sc config http://technet.microsoft.com/en-us/library/cc990290(v=ws.10).aspx
Security Tools to Administer Windows Server 2012 http://technet.microsoft.com/en-us/library/jj730960.aspx
Set up recovery actions to take place when a service fails http://technet.microsoft.com/en-us/library/cc738230(v=ws.10).aspx
Set-BCAuthentication http://technet.microsoft.com/en-us/library/hh848404(v=wps.620).aspx
Set-DnsServer http://technet.microsoft.com/en-us/library/jj649845(v=wps.620).aspx
Set-DnsServerDsSetting http://technet.microsoft.com/en-us/library/jj649874.aspx
Set-DnsServerForwarder http://technet.microsoft.com/en-us/library/jj649887(v=wps.620).aspx
Set-DnsServerSetting http://technet.microsoft.com/en-us/library/jj649909.aspx
Set-GPPermissions http://technet.microsoft.com/en-us/library/ee461038.aspx
Set-WSManInstance http://technet.microsoft.com/en-us/library/hh849875.aspx
Set-WSManQuickConfig http://technet.microsoft.com/en-us/library/hh849867.aspx
Storage Pools… Dive right in! http://blogs.technet.com/b/canitpro/archive/2012/12/13/storage-pools-dive-right-in.aspx
Switching Between the GUI and Server Core in Windows Server 2012 http://www.petri.co.il/switching-gui-server-core-windows-server-2012.htm
Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012 http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx
Updating root hints http://technet.microsoft.com/en-us/library/cc758353(v=ws.10).aspx
Using System Configuration (msconfig) http://windows.microsoft.com/en-us/windows-vista/using-system-configuration
Using the Set-Service Cmdlet http://technet.microsoft.com/en-us/library/ee176963.aspx
Verifying Your Basic DNS Configuration http://technet.microsoft.com/en-us/library/cc959303.aspx
What’s New in Hyper-V for Windows Server 2012 http://technet.microsoft.com/en-us/library/hh831410.aspx
Windows and GPT FAQ http://msdn.microsoft.com/en-us/library/windows/hardware/gg463525.aspx

Good to Know: Windows Server 2012 – Part 3

Here are my newest sources of knowledge for Windows Server 2012 administration:

Access-based Enumeration http://technet.microsoft.com/en-us/library/cc784710(v=ws.10).aspx
Active Directory Service Interfaces http://msdn.microsoft.com/en-us/library/windows/desktop/aa772170%28v=vs.85%29.aspx
Active Directory-Integrated DNS Zones http://technet.microsoft.com/en-us/library/cc731204(v=ws.10).aspx
AD DS Installation and Removal Wizard Page Descriptions http://technet.microsoft.com/en-us/library/hh831457.aspx
Add-Computer http://technet.microsoft.com/en-us/library/hh849798.aspx
Adding Disks to the Storage Pool http://technet.microsoft.com/en-us/library/ff399688.aspx
Add-NetLbfoTeamNic http://technet.microsoft.com/en-us/library/jj130850(v=wps.620).aspx
Add-NetSwitchTeamMember http://technet.microsoft.com/en-us/library/jj553811(v=wps.620).aspx 
Add-WindowsFeature http://technet.microsoft.com/en-us/library/ee662309.aspx 
Add-WindowsPackage http://technet.microsoft.com/en-us/library/hh852164.aspx
Add-VMNetworkAdapter http://technet.microsoft.com/en-us/library/hh848564(v=wps.620).aspx
Configure Memory and Processors http://technet.microsoft.com/en-us/library/cc742470.aspx
Configuring Pass-through Disks in Hyper-V http://blogs.technet.com/b/askcore/archive/2008/10/24/configuring-pass-through-disks-in-hyper-v.aspx
Configuring the Minimal Server Interface http://blogs.technet.com/b/server_core/archive/2012/05/09/configuring-the-minimal-server-interface.aspx
Create a Rule for Packaged Apps http://technet.microsoft.com/en-us/library/hh994588.aspx
Create a Spanned Volume http://technet.microsoft.com/en-us/library/cc772180.aspx
Dcdiag http://technet.microsoft.com/en-us/library/cc731968(v=ws.10).aspx
Delegate Control of an Organizational Unit http://technet.microsoft.com/en-us/library/cc732524.aspx
Desktop Experience Overview http://technet.microsoft.com/en-us/library/cc772567.aspx
DHCP Scopes http://technet.microsoft.com/en-us/library/cc726954(v=ws.10).aspx
DHCP Tools and Options http://technet.microsoft.com/en-us/library/dd145324(v=ws.10).aspx
DHCP: The server should be configured to send its default gateway to all clients http://technet.microsoft.com/en-us/library/ee941211(v=ws.10).aspx
Djoin http://technet.microsoft.com/en-us/library/ff793312(v=ws.10).aspx
Dsadd http://technet.microsoft.com/en-us/library/cc753708(v=ws.10).aspx
Dsquery http://technet.microsoft.com/en-us/library/cc732952(v=ws.10).aspx 
Enable and Configure MAC Address Filtering http://technet.microsoft.com/en-us/magazine/ff521761.aspx
Features Removed or Deprecated in Windows Server 2012 http://technet.microsoft.com/en-us/library/hh831568.aspx
FSMO placement and optimization on Active Directory domain controllers http://support.microsoft.com/kb/223346
Group scope http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
Group types http://technet.microsoft.com/en-us/library/cc781446(v=ws.10).aspx
How manage Published (a.k.a Metro) Apps in Windows 8 using Group Policy http://www.grouppolicy.biz/2012/08/how-manage-published-a-k-a-metro-apps-in-windows-8-using-group-policy/
How to configure a connection to a virtual private network (VPN) in Windows XP http://support.microsoft.com/kb/314076/en-us
How to create and delete hidden or administrative shares on client computers http://support.microsoft.com/kb/314984
How to create the Central Store for Group Policy Administrative Template files in Windows Vista http://support.microsoft.com/kb/929841
How To Remove the Root Zone (Dot Zone) http://support.microsoft.com/kb/298148
How to View Printer Objects in Active Directory http://support.microsoft.com/kb/235925
Hyper-V Virtual Fibre Channel Overview http://technet.microsoft.com/en-us/library/hh831413.aspx
Install a New Windows Server 2012 Active Directory Forest http://technet.microsoft.com/en-us/library/jj574166.aspx
Installing AD DS by using Server Manager http://technet.microsoft.com/en-us/library/hh472162.aspx#BKMK_GUI
Installing Windows Server 2012 http://technet.microsoft.com/en-us/library/jj134246.aspx
Local Users and Groups Extension http://technet.microsoft.com/en-us/library/cc731972.aspx
Managed-By attribute http://msdn.microsoft.com/en-us/library/windows/desktop/ms676857(v=vs.85).aspx
Net services commands http://technet.microsoft.com/en-us/library/bb490949.aspx
Netsh Technical Reference http://technet.microsoft.com/en-us/library/cc725935(v=ws.10).aspx
New-ADComputer http://technet.microsoft.com/en-us/library/ee617245.aspx
New-NetSwitchTeam http://technet.microsoft.com/en-us/library/jj553814.aspx
NIC Teaming Overview http://technet.microsoft.com/en-us/library/hh831648.aspx
Redircmp http://technet.microsoft.com/en-us/library/cc770619(v=ws.10).aspx
Remote Management with Server Manager http://technet.microsoft.com/en-us/library/dd759202.aspx
Remove-NetLbfoTeam http://technet.microsoft.com/en-us/library/jj130848(v=wps.620).aspx
Restricted Groups http://technet.microsoft.com/en-us/library/cc957640.aspx
Securing DNS zones http://technet.microsoft.com/en-us/library/cc755193.aspx
Set-NetAdapter http://technet.microsoft.com/en-us/library/jj130875(v=wps.620).aspx
Storage Spaces Overview http://social.technet.microsoft.com/wiki/contents/articles/15198.storage-spaces-overview.aspx
To rename the Administrator account using the Group Policy Management Console http://technet.microsoft.com/en-us/library/cc747484(v=ws.10).aspx
Understanding AppLocker Rules http://technet.microsoft.com/en-us/library/dd759068.aspx
Using WinRS http://technet.microsoft.com/en-us/library/dd163506.aspx
Verifying Your Basic DNS Configuration http://technet.microsoft.com/en-us/library/cc959303.aspx
What’s New in Hyper-V for Windows Server 2012 http://technet.microsoft.com/en-us/library/hh831410.aspx
Which ports do you need to open on a firewall to allow PPTP and L2TP over IPSec VPN tunnels? http://www.windowsitpro.com/article/pptp/which-ports-do-you-need-to-open-on-a-firewall-to-allow-pptp-and-l2tp-over-ipsec-vpn-tunnels–46811
Viewing advanced settings in Active Directory Users and Computers http://searchwindowsserver.techtarget.com/tip/Viewing-advanced-settings-in-Active-Directory-Users-and-Computers
Windows PowerShell 3.0 and Server Manager Quick Reference Guides http://www.microsoft.com/en-us/download/details.aspx?id=30002
Windows Server 2008 R2 and Windows Server 2008 http://technet.microsoft.com/en-us/library/dd349801(v=ws.10).aspx
Windows Server Installation Options http://technet.microsoft.com/en-us/library/hh831786(v=ws.11).aspx
Work with Software Restriction Policies Rules http://technet.microsoft.com/en-us/library/hh994597.aspx#BKMK_Cert_Rules