Azure AD apps from subdomain in iframe

All replies

  • Yes, there is a non-interactive mode which doesn't require displaying the UI; it will attempt to auto-login based on your cookies. However, it means it will not be able to show the "do you accept xyz application has access to your profile" - so you have to make the xyz app a pre-requisite permission of the abc application in AAD, so when a user signs in to ABC for the first time they also give permission to the xyz application.
    Friday, November 9, 2018 12:50 PM
  • Thanks, it helped.
    • Marked as answer by som nath Friday, November 23, 2018 3:17 PM
    Monday, November 19, 2018 11:58 AM
  • Hi Bryan Trach - MSFT

    I had one question regarding this. When a user signs in to ABC, it is giving consent for xyz and everything is working.

    Now I have one more scenario: let's say I have added one more application, xyz2, and configured the same.

    I am expecting ABC to ask for consent again, but it is not asking, so the user is not able to give consent for xyz2 and will face the same issue. My expectation was that Azure AD forces consent if there is any permission change, but somehow it is not asking.

    Friday, November 23, 2018 11:29 AM
  • Hmm, I also thought it would re-ask for consent if you changed the permissions of ABC application.

    However, I also believe that you can force consent for existing users so maybe you will need to do that.

    Friday, November 23, 2018 1:36 PM
  • Is there a way to force consent from Azure AD without doing any code change?
    Friday, November 23, 2018 2:52 PM
  • Yes, that's what I meant - force consent from the permissions screen of the app registration in AAD.
    Friday, November 23, 2018 4:26 PM
  • Hi craigwardman, I could not find it. Please let me know where I can see it.
    Tuesday, November 27, 2018 7:33 AM
  • Azure AAD Directory > App Registrations > [your app] > Settings > Required Permissions

    In that screen there is a button "Grant permissions"

    Tuesday, November 27, 2018 4:05 PM
  • Hi craigwardman,

    These steps are for granting permission in your organization.

    My requirement is: I have a multitenant app, and if I change any permission, users who are in a different tenant and are already using the app should again be asked for consent.

    Thursday, November 29, 2018 5:15 AM
  • Hi, I'm not sure that the button wouldn't work for any already signed up user.

    If it doesn't work, then the only real solution is to have a process of users approving new sub-sites outside of an iframe scenario first (maybe email the users or display a message when they log in, or try to detect when the iframe fails to load and display a link to open in a new window).

    Friday, November 30, 2018 9:16 AM
  • I have the same issue as above. We have 2 web applications; both are set up for Azure AD and they work fine separately. However, I cannot call one app from the other in an iframe. I configured Azure AD authentication for both apps through Visual Studio, by selecting "This web service accepts programmatic calls from clients that supply an authentication token". I tried the other option as well, "This web site should offer an interactive login for browsers", and that did not work either.

    Both web apps have their app registrations in the Azure portal. In each of the app registrations/API Permissions, I added the other with user_impersonation permission (Allow the application to access on behalf of the signed-in user). In each of the app registrations/Expose an API, I added the other as an authorized client application.

    Am I missing something?

    How exactly do I configure the non-interactive mode that attempts auto-login based on cookies? And how do I make one application a pre-requisite permission of the other in AAD?

    Your help is much appreciated. Thank you.

    Monday, August 12, 2019 11:10 PM
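
The non-interactive iframe sign-in and the "open in a new window" fallback discussed in this thread, as an added example that is not code from any poster. It assumes the Azure AD v2.0 authorize endpoint and the standard OpenID Connect `prompt` parameter and error codes; the function names, client ID, redirect URI, state and nonce are constructed placeholders.

```javascript
// Added example. Endpoint is the Azure AD v2.0 authorize URL; all IDs are placeholders.
const AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";

// URL for the hidden iframe: prompt=none means "use the session cookie, never show UI".
function buildSilentAuthUrl({ clientId, redirectUri, scope, state, nonce }) {
  const q = new URLSearchParams({
    client_id: clientId,
    response_type: "id_token",
    response_mode: "fragment",
    redirect_uri: redirectUri,
    scope,
    state,
    nonce,
    prompt: "none",
  });
  return `${AUTHORIZE}?${q}`;
}

// OpenID Connect error codes that mean the user has to see a sign-in or consent page.
const NEEDS_UI = new Set(["login_required", "consent_required", "interaction_required"]);

// Decide what to do with the fragment the iframe's redirect page received.
function classifySilentResult(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  // Ignore responses that do not belong to the request we sent.
  if (p.get("state") !== expectedState) return { action: "reject", reason: "state_mismatch" };
  const error = p.get("error");
  if (error) {
    return { action: NEEDS_UI.has(error) ? "open_top_level" : "reject", reason: error };
  }
  // The token must still be validated (signature, audience, nonce) before it is trusted.
  if (p.get("id_token")) return { action: "signed_in", reason: null };
  return { action: "reject", reason: "empty_response" };
}

// Link target for the fallback: same request, but in a top-level window, where the
// consent page can render. forceConsent adds prompt=consent to re-ask the user.
function buildInteractiveUrl(silentUrl, forceConsent) {
  const u = new URL(silentUrl);
  if (forceConsent) u.searchParams.set("prompt", "consent");
  else u.searchParams.delete("prompt");
  return u.toString();
}
```

When `classifySilentResult` returns `open_top_level`, the embedding page shows a link built with `buildInteractiveUrl` instead of retrying inside the iframe.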