问题描述

我正在尝试使用 .NET ADAL 库验证 Azure AD 中的用户密码.这适用于没有 MFA 的普通用户帐户，但我遇到了为已激活 MFA 的用户执行此操作的问题.

I'm trying to verify a user's password in Azure AD using the .NET ADAL library. This works fine for a regular user account without MFA, but I ran into problems doing this for a user who has MFA activated.

当使用用户的实际密码时，我得到了 AADSTS50076: Application password is required.，这很公平，但是当我创建一个新的应用程序密码时，我收到了错误 AADSTS70002: 验证凭据时出错.AADSTS50020:用户名或密码无效.我已经创建了多个应用密码，但它们都不起作用.

When using the user's actual password, I got AADSTS50076: Application password is required., which is fair enough, but when I then created a new app password, I received the error AADSTS70002: Error validating credentials. AADSTS50020: Invalid username or password. I've created multiple app passwords but they all do not work.

用于尝试验证的代码如下:

The code used to attempt authentication is as follows:

var ac = new AuthenticationContext("https://login.windows.net/my-tenant.com");
var authResult = ac.AcquireToken("https://graph.windows.net", "my-client-id", new UserCredential("my.account@my-tenant.com", "my-password"));

尝试进行身份验证的用户是此 AD 中的全局管理员.

The user that is trying to authenticate is a Global Admin in this AD.

是否甚至可以为具有 MFA 的用户进行这样的身份验证?

Is it even possible to do authentication like this for a user with MFA?

推荐答案

所以，为了回答我自己的问题，我采取了以下措施(为简洁起见):

So, to answer my own question somewhat, I resorted to doing the following (cleaned up for brevity):

public class AzureAdAuthenticationProvider
{
    private const string AppPasswordRequiredErrorCode = "50076";
    private const string AuthorityFormatString = "https://login.windows.net/{0}";
    private const string GraphResource = "https://graph.windows.net";

    private AuthenticationContext _authContext;
    private string _clientId;

    public AzureAdAuthenticationProvider()
    {
        var tenantId = "..."; // Get from configuration

        _authContext = new AuthenticationContext(string.Format(AuthorityFormatString, tenantId));
    }

    public bool Authenticate(string user, string pass)
    {
        try
        {
            _authContext.AcquireToken(GraphResource, _clientId, new UserCredential(user, pass));

            return true;
        }
        catch (AdalServiceException ase)
        {
            return ase.ServiceErrorCodes.All(sec => sec == AppPasswordRequiredErrorCode);
        }
        catch (Exception)
        {
            return false; // Probably needs proper handling
        }
    }
}

它不漂亮，但它可以完成工作.

It's not pretty, but it does the job.

通过使用ServiceErrorCodes.All()，我保证只有当一个AppPasswordRequired错误发生时，认证成功.

By using ServiceErrorCodes.All(), I ensure that only when a single AppPasswordRequired error occurs, authentication has succeeded.

此方法的唯一缺点是启用 MFA 的用户必须使用其实际帐户密码才能登录.似乎不支持使用应用密码.

The only disadvantage to this method, is that a user with MFA enabled has to use their actual account password to login. Using an app password does not seem to be supported.

这篇关于Azure AD AcquireToken 不适用于应用密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！