I'm trying to implement the on behalf flow with Azure AD following this Microsoft sample documentation, all is good on the client-side but in the
the service app side (the azure function that obtains another Access Token using the on user's behalf and calls the MS Graph API on user's behalf again), it fails to obtain the access a new access token (getNewAccessToken) and shows:
{
"error": "invalid_request",
"error_description": "AADSTS90002: Tenant 'xyz' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\r\nTrace ID: xxx \r\nCorrelation ID: yyy \r\nTimestamp: 2021-01-04 07:17:15Z",
"error_codes": [
90002
],
"timestamp": "2021-01-04 07:17:15Z",
"trace_id": "xxx",
"correlation_id": "yyy",
"error_uri": "https://login.microsoftonline.com/error?code=90002"
}
any clue how to solve this issue?
Based off your error message, you can navigate to your Azure Active Directory and make sure your TenantID matches what's in your application.
Error Message:
AADSTS90002: Tenant 'xyz' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID.
TenantID
Related
B2C uses an alternative security ID to uniquely identify users from social accounts. We have a problem where a user enters credentials for a user, but somehow B2C authenticates the user as someone else. I suspect the IDP is returning bad claims data or the alternative security IDs are the same. How do I view the alternative security ID of a user in Active Directory?
I tried the following MS Graph query trying all the attributes I can think of (including the ones listed in this article), but graph doesn't return data for these attributes.
https://graph.microsoft.com/v1.0/users/<userId>?$select=id,alternativeSecurityId,alternativeSecurityIds,extension_<b2cExtensionAppId>_alternativeSecurityId,extension_<b2cExtensionAppId>_alternativeSecurityIds
Thanks in advance!
AlternativeSecurityId for a B2C user is found in the Identities collection via MS Graph API.
The AlternativeSecurityId claim used in the B2C policy maps to the Identities: issuerAssignedId value for the corresponding issuer.
Eg, for issuerAssignedId: 123 (id from google token) from issuer: google.com
"identities": [
{
"signInType": "federated",
"issuer": "google.com",
"issuerAssignedId": "123"
}
],
You can return the identities collection by calling the /users endpoint of MS Graph API. https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http
In Azure Active Directory I've registered a new app and given it the Read and create online meetings permissions. I've granted admin consent for the permission and now I'm trying to create a meeting through the command line.
I generated a client secret for the app.
Then I'm requesting a access token using my tenant GUID, client ID of the app and client secret I generated. This gives me back a jwt. When I decode the JWT amongst the roles I can see "OnlineMeetings.ReadWrite.All" which gives me hope that I can actually create meetings using this bearer token.
I then send a POST request to https://graph.microsoft.com/v1.0/users/<my-user-guid>/onlineMeetings
with the following body:
{
"startDateTime":"2021-03-16T14:33:30.8546353-07:00",
"endDateTime":"2021-03-16T15:03:30.8566356-07:00",
"subject":"Application Token Meeting",
"participants": {
"organizer": {
"identity": {
"user": {
"id": "<my-user-guid>"
}
}
}
}
}
and the response comes back with
"code": "Forbidden",
"message": "Application does not have permission to Create online meeting on behalf of this user.",
Am I missing something?
Edit:
As some of the comments have suggested I should create an application access policy. So I'm following the documentation which asks me to Connect using admin credentials
When i run Connect-MicrosoftTeams -Credential $userCredential with my account it fails with the following error:
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed
Connect-MicrosoftTeams: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: : Unknown error
But this is what is confusing me. I don't really know if I'm trying to login with the correct account. I'm using my personal account on azure which is (afaik) not a business account with skype for business.
I'm running the commands to log in on the azure portal's PowerShell interface. Am I supposed to run this on my local machine instead?
I think I'm not fully understanding what all of the moving parts are that need configuration.
Can I add those application Access Policies in the azure portal interface somewhere?
According to the api documentation, make sure you grant the OnlineMeetings.ReadWrite.All application permission to the application. Then you need to use the client credential flow to obtain an access token.
Please note that when you create an online meeting with an application token, administrators must create an application access policy and grant it to a user, authorizing the app configured in the policy to create an online meeting on behalf of that user (user ID specified in the request path).
I am trying to create a "service principal" for application and to grant admin consent for the permissions using Microsoft graph API.
I followed the following steps:
Created application in a tenant using graph API. My request body is:
{
"displayName": "AppWithPermissions",
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
}
]
}
]
}
Created a service principal for the above-created application. The creation was successful.
Now, I want to grant admin consent to each assigned permission programmatically using graph API.
To grant application permissions, I created an app role assignment in the appRoleAssignedTo collection of the API's service principal:
The request was as follows:
Post request:
https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Request body:
{
"principalId": "principal_id",
"resourceId": "resource_id",
"appRoleId": "approle_id"
}
Here,
"principal_id" is the "id" of service principal created in step 2 above.
"approle_id" is the id of the appRole you want to grant. (taken "id" value from "resourceAccess" array present in "requiredResourceAccess")
"id" in http request url and "resource_id" are the same. (taken "resourceAppId" value from "requiredResourceAccess" which is corresponds to "approle_id" given above)
After running the query, I am getting error 404.
"code": "Request_ResourceNotFound"
for the "resource_id"/"id" field.
Adding screenshots for better understandings:
App Creation:
service principal creation:
Grant an appRoleAssignment for a service principal:
I am confused about which IDs to use where and didn't get a clear idea from the documentations. Can any one please resolve my query? Thanks in advance.
It looks like you're using the appId instead of the id value.
In an app role assignment, resourceId is the id of the servicePrincipal for the resource app (in your case, the API). In an application object's requiredResourceAccess, you use appId, which is a different value.
To find the id of a service principal for which you know the appId:
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '{app-id}'
The response will contain the id property of the servicePrincipal object, and you can use that when creating the app role assignment.
The document description is not very clear.
In simple terms:
principalId: Usually your service principal id.
resourceId: Usually your service principal id.
appRoleId: For appRoleId you can find it by requesting GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}.
Grant an appRoleAssignment for a service principal:
I'm trying to get an embed token for power bi embedded.
I'm using 'App owns data' embed scenario.
I first get the access token of Azure AD and use it as Bearer token when calling embed token
Here is my Postman request details:
https://api.powerbi.com/v1.0/myorg/groups/{groyupid}/dashboards/{dashboardid}/GenerateToken
Request body
{accessLevel:"View"}
In authorization section I added the access token.
I received a 403 Forbidden response.
Here how I get the access token
I noticed that there is also another url to get token : https://login.microsoftonline.com/common/oauth2/token
What is the difference between the one with tenant id in the url
Then permissions for the AAD PowerBI application
Update
Thanks for the help I get another 404 not found error now
{
"error": {
"code": "PowerBIEntityNotFound",
"pbi.error": {
"code": "PowerBIEntityNotFound",
"parameters": {},
"details": [],
"exceptionCulprit": 1
}
}
}
For information I have added permission in PBI admin portal to pbireportingGroup an Azure security group that I created. ( as mentionned in docs )
Then I added to this group the AAD as member
Is that what should I do ?
403 means that your access token doesn't have the required permissions.
And you need to add the master account and service principal as the owner of the group / workspace (it may take 15 minutes to take effect).
UPDATE:
Now that you are using client credential flow, you should set application permissions:
And the resource in the request body should be https://analysis.windows.net/powerbi/api/.
Besides, you need to add the service principal as the admin of this workspace in Azure AD. (enter the name of your Azure AD app, and it will recognize its client id)
Context: I've a console app which wants to use Graph API to talk to AAD to check if a particular userId exists in the tenant or not.
I've been following the guidelines here: https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0
I'm able to generate a token using this:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=x
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=x
&grant_type=client_credentials
But when I call the graph API I get this ERROR:
https://graph.microsoft.com/v1.0/users/12345678-73a6-4952-a53a-e9916737ff7f
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "x",
"date": "x"
}
}
}
My AAD App has all the permissions from:
1. Microsoft Graph
2. Windows Azure Active Directory
I tried changing the scope to
scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
But this is the error I get while generating token:
The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/user.read is not valid.
I've tried combinations of "User.Read", "User.Basic.Read", etc. but nothing works.
The most likely reason why this is not working is because the permission which you have configured your app registration to require have not actually been granted by an administrator of your organization.
In your code, your app is authenticating as an application only. There is no signed-in user involved, and it requires your app to use and keep confidential a key used to authenticate (the client_secret parameter).
In this scenario, requesting the scope https://graph.microsoft.com/.default is the correct approach. What you're saying to Azure AD is: "please provide an access token for all the application permissions this app has been granted". Requesting the scope https://graph.microsoft.com/User.Read is not the correct approach because there is no application permission with that name.
Does the app you created have delegated permissions or application permissions to that scope?
Most likely the former. Delegated permissions don’t apply to client credentials flow.