Microsoft Graph API ERROR: unauthorized_client while integrating with WSO2 EI - azure-active-directory

I have registered an app in the Azure Portal and successfully generated credentials in Microsoft Graph API. After the outlookmail.init operation in WSO2 EI, I am getting the error below.
ERROR:
{"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'a4935017-80e8-4413-a762-780b32d8f968' was not found in the directory 'e5e67d60-adf4-40b4-883c-351dc2feef4e'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 4ecb19d5-e66b-40c1-9a15-7237a0d4c801\r\nCorrelation ID: 818ba54d-f5e5-43df-9201-96d71f598b1f\r\nTimestamp: 2021-07-08 10:14:35Z","error_codes":[700016],"timestamp":"2021-07-08 10:14:35Z","trace_id":"4ecb19d5-e66b-40c1-9a15-7237a0d4c801","correlation_id":"818ba54d-f5e5-43df-9201-96d71f598b1f","error_uri":"https://login.microsoftonline.com/error?code=700016"}
CODE:
<outlookmail.init>
    <accessToken>{$ctx:accessToken}</accessToken>
    <apiUrl>{$ctx:apiUrl}</apiUrl>
    <apiVersion>{$ctx:apiVersion}</apiVersion>
    <refreshToken>{$ctx:refreshToken}</refreshToken>
    <clientSecret>{$ctx:clientSecret}</clientSecret>
    <clientId>{$ctx:clientId}</clientId>
    <redirectUri>{$ctx:redirectUri}</redirectUri>
    <resource>{$ctx:resource}</resource>
    <registryPath>{$ctx:registryPath}</registryPath>
    <intervalTime>{$ctx:intervalTime}</intervalTime>
</outlookmail.init>
<log level="full"/>
Application in Azure Portal:
I have seen the error code on this site, which says the following:
This usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD
Can anyone please help me to resolve this?

Not sure if it helps, but I had a lot of similar problems with Graph / WSO2. Here are a few things to check.
1.) Check that the access/API is created by an administrator
2.) Check that the API has "admin consent"
3.) I had to add an "access key" and use that one
4.) Check that you use the ConfidentialClientApplication builder if you use the Java SDK
Besides that, there were a few pages that helped me to get it working.
https://blogs.aaddevsup.xyz/2020/04/implement-client-credentials-flow-for-graph-java-client/
https://learn.microsoft.com/en-us/graph/tutorials/java
Regards
Martin

Related

Azure B2C - Can't get a B2C user flow to work with another Azure AD instance as a custom identity provider

I have set up a B2C instance OK and managed to get a basic Blazor (server) app working with it using the Microsoft Identity Platform (using AD groups for permissions - it was a hassle but works).
However, I'm trying to use an external Azure AD as a custom identity provider in the user flow, so that I am not restricted to just email/id/social accounts, but can have guest accounts from other directories use the app without having to manage their sign-ins. To do that I performed a web app registration in the AD tenant that I wanted to use to authenticate those accounts against (as suggested in a couple of tutorials).
The application I registered in the external AD has a Redirect URI in the format "https://{My B2C Directory Name}.b2clogin.com/{My B2C Directory Name}.onmicrosoft.com/oauth2/authresp", which matches the name of my B2C instance, and I have added the client id and secret generated from that app registration and put the details into the custom identity provider I have created for the sign-in flow, as per the instructions here (including the mappings etc.):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
I also found a slightly older tutorial here, which is pretty similar (different mappings) that I've tried to follow (and adapt the bits that are out-of-date).
https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-azure-ad-via-the-b2c-custom-identity-provider-42fbc2832e32
However when I run the user flow I get "AADSTS900971: No reply address provided." - this happens even when I run the flow directly from the User Flows tab in B2C with a 'Reply URL' explicitly set to "http://jwt.ms" (just to capture the token contents).
I'm confused about the reply URL being missing because they exist in both registered apps. Also, it's not saying they're mismatched, just that one isn't set at all (but appears to be).
It feels like I'm missing something simple - does anyone have any idea what that might be?

Ok so I did a couple of things to resolve this:
Re-registered the application in the AD I want to authenticate with (following this tutorial again: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow)
I was careful to ensure that the redirect URI in the format:
https://{B2C Instance Name}.b2clogin.com/{B2C Instance Name}.onmicrosoft.com/oauth2/authresp
was all lower case.
I also had to change from just a 'sign-in' user flow to the 'sign-up, sign-in' one, and then applied the custom identity provider to that flow. Apparently you need that even for users from another AD to be able to complete their invite process (otherwise you just end up with a user doesn't exist error - even if you've invited/added them to the B2C users list).
I also elected to 'Grant admin consent for Default directory' under the API Permissions tab for the application being registered in the external AD (to be used for the custom identity provider).
The flow seems to work now. The only thing that would be useful would be to have an invite only sign-up, sign-in flow so that you could invite specific people without breaking the invite process.
If anyone knows how to do that please do post something.

Microsoft Azure AD - error_description:Due to a configuration change made by your administrator, or because you moved to a new location etc

I am facing the error below when connecting to Microsoft Azure AD after enabling MFA. Before that, it connected. Today while logging in, it required me to enable this security feature on my phone (Microsoft Authenticator app). Unless this feature is added, I am not able to access MS Outlook in Microsoft 365.
I am using the WSO2 Outlook Connector to make the connection with Microsoft Graph API.
ERROR:
"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0ff1-ce00-000000000000
Possible solutions:
1. Use an interactive flow instead.
2. If you are using an interactive flow and still getting this error, ensure openid is one of the scopes during the interactive sign-in. You might be getting the error after the interactive sign-in and trying to exchange the authorization code for an access token...
https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize
?client_id=########-####-####-####-############
&response_type=code
&scope=openid groups.read.all
&nonce=1234
&redirect_uri=https://app.contoso.com
Notice "scope=openid groups.read.all" in the request above.
3. Add the client application to the exception list of the Conditional Access Policy
4. Add the user to the exception list of the Conditional Access Policy
5. If not using conditional access policies and the user is directly enabled for MFA, then as a last resort, disable MFA for the user if solutions above (specifically solution #1 and #2) do not work for you.

Running into 'serviceUnavailable' SharePoint graph query forever when combining Azure AD App permissions

This situation made me create a real monstrous work-around, but sometimes, you don't have an option right?
The problem is basically bumping into 503: 'serviceUnavailable' messages when several (specific?) Azure AD Application permissions are set in your Azure AD Application, which should not happen.
Context and technical queries
The context is specifically for Application permissions (app-only auth) and NOT delegated permissions. Token is retrieved by:
HTTP POST https://login.microsoftonline.com/e6fcb01a-f706-4b1b-872b-1e7645d78491/oauth2/v2.0/token
headers:
Content-Type=application/x-www-form-urlencoded
-------------
client_id=<App GUID>
client_secret=<App SECRET>
scope=https://graph.microsoft.com/.default
grant_type=client_credentials
/sites/root query retrieved by:
HTTP GET https://graph.microsoft.com/v1.0/sites/root
headers: Authorization=Bearer <AccessToken>
-------------
Reproduce this situation:
Create an Azure AD Application
Add Application Permission > Sites.ReadWrite.All
Grant Admin Consent for
Create Secret
Generate Access Token (using)
Run Query with token (works)
Forcing it to break (either add all at once or 1-by-1)
Add Application Permission > Group.Create
Grant Admin Consent for
Generate Access Token
Run Query with token (fails?)
Does it work?
Add Application Permission > Group.ReadWrite.All
Grant Admin Consent for
Generate Access Token
Run Query with token (fails?)
Repeat for another permission until it breaks.
Does it break?
Fails forever
Workaround:
Split up App Permission across multiple AD applications.

I tested this and the issue is there but a workaround is you don't need Group.Create permission if you have Group.ReadWrite.All.
So in summary a single AD app can have Group.ReadWrite.All and Sites.ReadWrite.All permission and it will work but a single AD app will fail if it has all three permissions of Group.Create, Group.ReadWrite.All and Sites.ReadWrite.All.

Based on my test (Did not test all permissions), the issue does exist.
There are two main permissions that affect the calling of this API endpoint.
They are Group.Create and Group.Selected.
I'm not sure why they cause the failure of the calling of /sites/root. But it's strongly recommended to remove these two permissions (maybe there are some more other permissions) from the Azure AD app which is used to access /sites/root.
At the same time, opening a support ticket on Azure portal for your Graph request is a good choice.

Unfortunately this was a previously known issue in SharePoint. A fix is on its way but I don't have an ETA for rollout to share.

OneDrive Business Service Account Authentication

I am working on a OneDrive co-authoring application, in which users can co-author a document and sync their changes. The application flow is: the first user initiates the co-authoring, and the document is moved from the source to OneDrive. For the subsequent users, permission is added for those users and they open the document directly from OneDrive, so everybody can work on the same document, and the final user syncs it back from OneDrive to the source.
I have implemented a PoC by creating Office 365 trial accounts. I have hard-coded the admin account user credentials, and the admin account talks to OneDrive on behalf of the user using Microsoft Graph, and co-authoring works perfectly.
Now I want to implement the real version on top of OneDrive Business for my organization. My organization uses hybrid Azure, so the same on-premises user ID is used in Azure too. I have created the application in Azure, created a key (client secret) and gave the necessary permissions to the app. I am facing the following issues.
First I tried to pass my on-premises credentials, but I am getting invalid password.
Next I tried the code flow, in which I passed the client ID and client secret and got the access token. But when I pass the access token to the Graph API I am getting Code: AccessDenied Message: Either scp or roles claim need to be present in the token.
Next I created an X509 cert and am getting the same error while calling the Graph API: Code: AccessDenied Message: Either scp or roles claim need to be present in the token.
Need your help/suggestion: I want to talk to OneDrive using an admin account/app, so that I can move the doc to OneDrive and add permission for the subsequent users, and this has to be implemented without user interaction even for the first time. Please help me to overcome the issue.
Thanks,
Subbiah K
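
Added example (not part of the original post): the "Either scp or roles claim need to be present in the token" error above can be checked locally by decoding the access token's payload and seeing which permission claims it carries. The sample tokens and placeholder GUID are constructed and the function names are hypothetical; the signature is deliberately not verified, so this is for diagnosis only.

```python
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    """Decode the claims of a compact JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def classify_graph_token(token: str) -> dict:
    """Report whether a token carries delegated (scp) or application (roles) permissions."""
    claims = decode_jwt_payload(token)
    scp = str(claims.get("scp", "")).split()  # scp is a space-separated string
    roles = list(claims.get("roles", []))     # roles is a JSON array
    kind = "delegated" if scp else "app-only" if roles else "no-permissions"
    return {"kind": kind, "aud": claims.get("aud"), "tid": claims.get("tid"),
            "permissions": scp or roles}

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Azure AD token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])

# Constructed claims; the tenant GUID is a placeholder.
BASE = {"aud": "https://graph.microsoft.com",
        "tid": "00000000-0000-0000-0000-000000000000"}
SAMPLE_NO_PERMS = make_sample_token(BASE)
SAMPLE_APP_ONLY = make_sample_token({**BASE, "roles": ["Files.ReadWrite.All"]})
SAMPLE_DELEGATED = make_sample_token({**BASE, "scp": "Files.ReadWrite User.Read"})

if __name__ == "__main__":
    for name, tok in [("no permissions", SAMPLE_NO_PERMS),
                      ("app-only", SAMPLE_APP_ONLY),
                      ("delegated", SAMPLE_DELEGATED)]:
        print(name, classify_graph_token(tok))
```

A "no-permissions" result is the case Graph rejects with that message: the token was issued, but it contains neither claim. Decode real tokens locally like this rather than pasting them into a third-party site, since an access token is a bearer credential.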

Access Denied in Azure Portal after creating an AD B2C Tenant

I created an AD B2C Tenant in the legacy Azure portal. When I click the link that takes me to the new Azure portal to continue managing my new Tenant I get an "Access Denied" error on the blade, followed by the message:
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner.
Does this have anything to do with the fact that my Microsoft account (that I used to manage Azure) is also tied to Office 360?

elabs - a few questions for you:
When you say your MSA used to manage Azure is tied to your O365 subscription, do you simply mean that you have both an MSA and an AAD account with the same name? What do you mean that your accounts are tied?
What OS are you seeing this issue on?
Are you sure you're signed in with an MSA or Work Account?
How to find out - from the old portal use CTRL+ALT+A and look at the email address; you'll see either (Org) or (MSA) at the end.
What is the exact error message and the URL where the error is received? Do you see a correlation ID or Request ID along with the message?
I've tried every avenue possible to reproduce this issue that I know and simply can't get the result you encountered.
Chris
