I have a web app that uses the Azure Active Directory (AD) login (Microsoft login), where I have a development environment, staging, and production environment.
The AD login works for my development environment, but I am getting an error when I try to use the same login for my staging environment.
The error I am getting is
Your sign-in was successful but did not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location your admin restricts
I am attaching the screenshot for more details. Any help is highly appreciable.
Best Regards,
Janak Darji
I have tried to enter my public IP under the network tab as an allowed IP but that didn't work.
You can follow steps below to find which policy cause the issue.
Sign-in your azure portal, and click Azure Active Directory.
Find the user, and click it.
Find the sign-in logs.
Then you can find the login record. And Click it to check the Conditional Access. You can find which policy block it.
You can disable all the policy for test.
You are being blocked by a conditional access policy
In your Azure AD you can use the What If tool to troubleshoot Conditional Access policies
The Conditional Access What If policy tool allows you to understand the impact of Conditional Access policies in your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
You can find the What If tool in the Azure portal under Azure Active Directory > Security > Conditional Access > What If.
Before you can run the What If tool, you must provide the conditions you want to evaluate.
The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions
Hope this helps!
Related
I am implementing Azure AD and need to utilize SSO. After logging in to the website, the user can open another tab within the same instance and it automatically authorizes this user. If another instance (as opposed to a new tab on the original instance) of the same browser is opened then the user must log in again. I'm sure this is because the instances don't share sessions even though they are the same browser. Is there a way to configure Azure AD to allow sharing of sessions across browser instances? Or is this something that can be set in the browser?
The issue usually occurs if the browser cookie session memory is getting expired. Make sure to enable cache or cookie access in the browser.
To keep the session cookies active across the browser instances, you can try click Yes when it asks if should be kept signed in. Make sure you have not included prompt=login while configuring the SSO application.
You can also create conditional access policy for the persistent browser to keep the session active for the user like below:
Go to Azure Portal -> Security -> Conditional access -> Policy -> New Policy
Select the Users or workload identities like below:
Please note that, Persistent browser works only for cloud apps option, select All cloud apps like below:
For session, select persistent browser and Always persistent:
And hit create and the conditional access Policy will be created successfully:
Select all the options based on your requirement and configure the conditional policy.
The session cookie lifetime depends on the conditional access policy created in Azure Active Directory tenant for which user wants to sign in to and authenticate.
Please note that, to create a conditional Policy Azure AD Premium license is required.
Reference:
Configure authentication session management - Azure Active Directory - Microsoft Entra
I am trying to setup MaaS360 device compliance through Azure AD Conditional Access and having an issue with Azure Integration menu in MaaS360.
Basically one of the steps requires to setup "Device compliance status sync for Android and iOS" which requires the Azure tenant ID and Client ID established.
I am not able to see this checkbox when I go to the Setup->Azure Integration menu in MaaS360.
I only have 2 checkboxes that I allowed to configure:
User Authentication
User Visibility
I have been provided full admin roles on my account and I am not sure why else I cannot see this menu.
Here is the IBM article that I am following and if you see step 7 it shows the menu option.
https://www.ibm.com/docs/en/maas360?topic=iaam-integrating-maas360-microsoft-enforce-device-compliance-through-azure-ad-conditional-access
Any help is appreciated.
Thanks
I was able to solve this, needed to enable this by opening a case with IBM to enable Azure conditional access.
The problem: I'm getting errors from Google while attempting SSO through Azure AD and can't even begin to guess why or how to go about debugging the issue.
The story:
My org is looking at leveraging Microsoft's nonprofit benefits by setting up Azure for web hosting and Sharepoint to start with, which also entails using Active Directory. As it stands right now, we've successfully gotten our website running and accessible to the world on our custom domain, and our AD is populated with a copy of what's in our Google Workspace directory so we can use Active Directory as our authoritative directory.
We've been trying to implement SSO with the Azure/Gsuite connector, to have them auth with their Azure credentials to get into GMail, Docs, Drive, etc, but Google Workspace seems to choke. I have gone over the setup instructions repeatedly, ensured we're using all of the proper URLs in the Connector's SAML settings and in Workspace's "SSO with third party IDPs" settings, the proper certificate is in place... Provisioning is set up but not active, and I have successfully provision-on-demanded my account and an unprivileged test account.
Here are my settings in Azure:
Here are my settings in Google:
And to test this here's what I've done:
I open up a fresh InPrivate/Incognito window.
I go to https://myapplications.microsoft.com/ and am prompted to login. I use my unprivileged test account credentials.
Upon auth I click on the Connector app to attempt to go to my Gmail inbox.
After a wait on a white screen, I get a Google error screen with "Invalid Email - We are unable to process your request at this time, please try again later."
If I disable the SSO settings for my org in Google Admin, I'm able to log into the account just fine with Google, get to the gmail inbox, etc.
Conversely, if I attempt the same steps with my admin account, I get a similar page with a slightly different message, "Server Error - We are unable to process your request at this time, please try again later."
I have been bashing my head against this for two whole nights and can't make any headway. What gives? I can't even figure out how to debug these errors.
Somebody (me) failed their perception check repeatedly because the problem was that the Unique User Identifier SAML claim in Azure was set to user.mail instead of user.userprincipalname as it should have been as per the tutorial.
I'll see myself out now.
I have recently Registered a Keycloak Application on my Azure AD B2C tenant, one of my colleagues accidentally deleted the registration, so i have restored the application on the Azure portal, Later i tried changing the Redirection URI, but the Azure portal doesn't allow me to do so and shows the below error
"Failed to update KeyCloak application. Error detail: Encountered an internal server error."
I have tried to change the same in the Manifest and tried to upload file, even it shows the same error.
Did my application restore made any difference here, if it was so please suggest me some check points to solve this.
Note : The other applications in this tenant allow me to do same changes, I have issue only with this application registration.
A bug has been filed and the product team is working on it. In the mean time for the work around Please re-create another app if possible.
You could also try to change "SignInAudience" to "AzureADMultipleOrgs" (if it works) - than you'll be able to modify reply urls and switch "SignInAudience" back.
I'm building a service where each user has a calendar, I want to sync users 365 calendar events into their calendar, the tricky part seems to be, that this should be done repeatable by background job on the server, to keep them in sync.
I feel like I've read a bible of documentation from Microsoft, but still gotten nowhere. I eventually stumbled upon this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds which allows a server to query the graph api, on behalf of users. This is exactly what I want.
Having created a Azure account, and Active Directory service, I found that only users within the tenant can use this, which makes it rather useless, requiring to add users manually from azure panel.
AADSTS50020: User account 'm#****.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'c0193dea-5145-430a-9c90-325f1229a1fc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
So I'm back at square one, how can I achieve what I described?
I'm not looking for a code implementation, merely a description of how to navigate the monstrosity of Microsoft.
Thank you
Update: Accordingly to Marc link. I tried to flick the multi tenant option, and change the endpoint to use common instead of tenant id. Sadly i'm still getting the same error.
You cannot sign-in to AAD with a non-AAD account using the v1 Endpoint. If you want to use a consumer Microsoft Account (#outlook.com, #hotmail.com, #live.com) then you need to use the Converged Auth model provided by the v2 Endpoint.
I have a walkthrough for the v2 Endpoint that you might find helpful: Microsoft v2 Endpoint Primer. It is similar to the v1 Endpoint but you'll need to register via https://apps.dev.microsoft.com rather than the Azure Portal. Also, v2 apps use Scopes instead of Resources and are multi-tenant out of the box.
This is a broad a question for Stack Overflow. That said, you're incorrect about Azure AD. It is absolutely not limited to a single-tenant. You do however need to register it as a multi-tenant application:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern