AADSTS700054: response_type 'id_token' is not enabled for the application - azure-active-directory

Using adal.js v1.0.17 and Web API via JavaScript.
Running a custom tab within Microsoft Teams and getting this error when trying to authenticate.
Looked at the app registration within the Azure portal and have not seen anything there that could help. Tried to edit the manifest file and change the value of oauth2AllowImplicitFlow to true, but still getting the error.

Found the solution.
Need to access the Azure portal using Chrome.
Go to Azure Active Directory and choose App Registrations (Preview).
Open up the app registration and choose Authentication on the left.
Under Advanced Settings, Implicit grant check the box "ID tokens".
That will add the property oauth2AllowIdTokenImplicitFlow to the manifest file with the value set to "true".

You can try enabling the 'ID Token' option.

Related

Update existing Teams App to Multi-tenant failing during provisioning using Teams Toolkit

We have a Teams App which is created using Teams Toolkit - SSO Enabled Tab option.
This App is single tenant by default and we want to convert it to Multi Tenant.
We are following the steps mentioned in "https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app" to do the same.
Here when I update the aad.template.json file and change the value of signInAudience to AzureADMultipleOrgs, and then run provisioning using teams toolkit. I get an error - "Failed to update application in Azure Active Directory. Please make sure 'templates/appPackage/aad.template.json' is valid: Request failed with status code 400 Detailed error: Request failed with status code 400. Reason: Values of identifierUris property must use a verified domain of the organization "
On changing the value back to AzureADMyOrg, provisioning is successful.
Has anyone faced a similar issue?
It sounds like it's failing because you don't have a verified domain registered with Azure. It's only required for multi-tenant apps, but that's exactly what you're building. Essentially, you need to have a regular external domain registered with Azure, something like a .com, .io, .net, .whatever public domain.
On the page you linked, it actually says as much:
Since Azure AD app requires a "tenant verified domain" for Application ID URI, you can use your own Custom Domain or Create a new Custom Domain on Azure.
But this looks useful too: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts#why-changing-to-multi-tenant-can-fail
This error is because you are not using a verified domain in the Application Id Uri of your multi-tenant Azure AD app. Teams Toolkit will by default use Storage to host your Tab app; however, the Storage endpoint is not a tenant verified domain, and thus you will fail with this error if you only update your AAD manifest.
You can follow steps 2-4 in Update your Tab applications to create your CDN or use your own tenant verified domain and set up the endpoint in your project.

Azure AD B2C Application Change in Manifest shows Internal Server Error

I have recently registered a Keycloak application on my Azure AD B2C tenant. One of my colleagues accidentally deleted the registration, so I restored the application in the Azure portal. Later I tried changing the Redirection URI, but the Azure portal doesn't allow me to do so and shows the error below:
"Failed to update KeyCloak application. Error detail: Encountered an internal server error."
I have tried to change the same in the Manifest and tried to upload the file; even that shows the same error.
Did restoring my application make any difference here? If so, please suggest some checkpoints to solve this.
Note : The other applications in this tenant allow me to do same changes, I have issue only with this application registration.
A bug has been filed and the product team is working on it. In the meantime, as a workaround, please re-create another app if possible.
You could also try to change "SignInAudience" to "AzureADMultipleOrgs" (if it works) - then you'll be able to modify reply URLs and switch "SignInAudience" back.

Azure AD redirects to wrong location (localhost) after authentication

I have code working in development that authorizes against Azure AD in a multi-tenant setup using the MSAL library (with the Microsoft Angular wrapper for MSAL).
This code all works as expected when I am running it against localhost:5001.
My configuration contains a redirectUri for https://localhost:5001 and my application in Azure AD has its "Redirect URI" value set to the same.
However, when I move this to production, it is continuing to try to redirect me to localhost:5001 on a successful AD authentication, even though I have changed my redirectUri in my configuration, as well as the Azure B2C application "Redirect URI", to now be the production site at:
https://[mysite].azurewebsites.net
Where is it still getting localhost:5001 from? I searched my code/configuration and this value does not exist. It is not currently in Azure AD for the Application. I have stopped and restarted my App Service to no avail.
The redirection it is trying to make is to:
https://localhost:5001/#id_token=eyJ0eXAiOiJKV1Qi ...
I was able to work around this issue by deleting the Azure AD App Registration and creating a new one from scratch with the proper endpoints.
For some reason, it was not "holding" the change when the endpoint URLs were edited and saved. It showed the correct endpoints in the Azure AD control panel for the App Registration, but it was still redirecting to localhost.
When I deleted and re-created, it properly forwarded the replies to the production site.
I am unsure at this time if this is an issue on Microsoft's side or not, but this conclusively resolved the issue.
Registering a new application solved this issue.
No need to delete and register a new application. Simply update the replyUrlsWithType attribute on the Azure Active Directory app manifest file to point to the new domain, URL or location:

    "replyUrlsWithType": [
        {
            "url": "https://localhost:4400/services/office365/redirectTarget.html",
            "type": "InstalledClient"
        }
    ],
See this link for more information: https://learn.microsoft.com/en-gb/azure/active-directory/develop/reference-app-manifest?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps
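The first answer on this page (enabling ID tokens), the multi-tenant provisioning failure and the stale reply URL all come down to a handful of manifest properties. The following is an added example, not code from any of the posts, that lints an exported app manifest for those three conditions; the manifest, the verified-domain list and the lintManifest/hostOf names are all constructed for illustration.

```javascript
// Added example (not from the thread): lint an exported Azure AD app manifest
// for the settings the answers above enable or fix. The manifest and the
// verified-domain list are constructed for illustration, not real app data.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

function lintManifest(manifest, opts = {}) {
  const { verifiedDomains = [], production = false, expectIdToken = false } = opts;
  const findings = [];
  // AADSTS700054: response_type=id_token needs the "ID tokens" implicit grant.
  if (expectIdToken && manifest.oauth2AllowIdTokenImplicitFlow !== true) {
    findings.push("oauth2AllowIdTokenImplicitFlow must be true for response_type=id_token");
  }
  // Multi-tenant provisioning rejects identifierUris on unverified domains (400).
  if (manifest.signInAudience === "AzureADMultipleOrgs") {
    for (const uri of manifest.identifierUris || []) {
      if (!uri.startsWith("https://")) continue; // only https URIs are checked here
      const host = hostOf(uri);
      const ok = host !== null &&
        verifiedDomains.some((d) => host === d || host.endsWith("." + d));
      if (!ok) findings.push(`identifierUri ${uri} is not on a verified domain`);
    }
  }
  // A stale localhost reply URL sends production sign-ins back to the dev box.
  for (const entry of manifest.replyUrlsWithType || []) {
    const host = hostOf(entry.url);
    if (production && (host === "localhost" || host === "127.0.0.1")) {
      findings.push(`replyUrl ${entry.url} points at localhost in a production manifest`);
    }
  }
  return findings;
}

// Constructed sample manifest reproducing the three problems from the thread.
const sampleManifest = {
  oauth2AllowImplicitFlow: true,
  oauth2AllowIdTokenImplicitFlow: false,
  signInAudience: "AzureADMultipleOrgs",
  identifierUris: ["https://contoso-dev.blob.core.windows.net/tab"],
  replyUrlsWithType: [
    { url: "https://localhost:5001", type: "Web" },
    { url: "https://contoso.azurewebsites.net", type: "Web" },
  ],
};

lintManifest(sampleManifest, { verifiedDomains: ["contoso.com"], production: true, expectIdToken: true })
  .forEach((f) => console.log("FINDING:", f));
```

Run it against the JSON downloaded from the Manifest blade before uploading an edited copy, so a missing ID-token grant or a leftover localhost reply URL is caught before users see AADSTS700054 or a redirect to the wrong host.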

ADAL and angularjs WITHOUT .NET generates HTTP 404

I have been trying to integrate ADAL into my AngularJS SPA app by leveraging the AAD application configuration info from the .NET sample app and cannot get it to authenticate. I get a 404 every time.
The sample app instructions are as follows:
Step 2: Register the sample with your Azure Active Directory tenant
Sign in to the Azure management portal.
Click on Active Directory in the left hand nav.
Click the directory tenant where you wish to register the sample application.
Click the Applications tab.
In the drawer, click Add.
Click "Add an application my organization is developing".
Enter a friendly name for the application, for example "SinglePageApp-DotNet", select "Web Application and/or Web API", and click next.
For the sign-on URL, enter the base URL for the sample, which is by default https://localhost:44326/.
For the App ID URI, enter https://<your_tenant_name>/SinglePageApp-DotNet, replacing <your_tenant_name> with the name of your Azure AD tenant.
All done! Before moving on to the next step, you need to find the Client ID of your application.
While still in the Azure portal, click the Configure tab of your application.
Find the Client ID value and copy it to the clipboard.
Step 3: Enable the OAuth2 implicit grant for your application
By default, applications provisioned in Azure AD are not enabled to use the OAuth2 implicit grant. In order to run this sample, you need to explicitly opt in.
From the former steps, your browser should still be on the Azure management portal - and specifically, displaying the Configure tab of your application's entry.
Using the Manage Manifest button in the drawer, download the manifest file for the application and save it to disk.
Open the manifest file with a text editor. Search for the oauth2AllowImplicitFlow property. You will find that it is set to false; change it to true and save the file.
Using the Manage Manifest button, upload the updated manifest file. Save the configuration of the app.
Step 4: Configure the sample to use your Azure Active Directory tenant
Open the solution in Visual Studio 2013.
Open the web.config file.
Find the app key ida:Tenant and replace the value with your AAD tenant name.
Find the app key ida:Audience and replace the value with the Client ID from the Azure portal.
Open the file App/Scripts/App.js and locate the line adalAuthenticationServiceProvider.init(.
Replace the value of tenant with your AAD tenant name.
Replace the value of clientId with the Client ID from the Azure portal.
When I configure my app it looks like this:
    adalProvider.init(
        {
            instance: 'https://login.microsoftonline.com/',
            tenant: 'http://mytenantname.onmicrosoft.com',
            clientId: '000000000-583f-4218-b410-28c2acf00000',
            extraQueryParameter: '12345',
        },
        $httpProvider
    );
However, when I try to authenticate I always get a 404 response that my app is not recognized. Any idea what is wrong here?
The problems are in the tenant value:
The tenant property needs to be a URN, not a URL, so it should not include the 'http://'.
You have to include the application name at the end of the URN to uniquely identify the application within the directory.
Try that and see if it works.

Azure active directory - When adding a new application from the gallery, it doesn't show 'Manage Manifest' option

We are using Azure AD as the identity provider for our SAML SSO enabled application. If we add a new application to the Azure directory using the gallery option, it doesn't show me the 'Manage manifest' option. When we add a new app by selecting 'Add an application my organization is developing', it shows that option at the bottom.
As a result, we are unable to set the logout URL for the application, and when we perform a logout for that application, it doesn't redirect back to our service provider application.
Thanks,
Mitesh J.
At this point in time, applications added by selecting 'Add an application my organization is developing' and applications added by selecting 'Add an application from the gallery' have several differences including the ability to edit the manifest, which is only present in the former.
However, you can still set up redirect URIs for both. As you noted, in 'application my organization is developing', you can do that by editing the manifest or via the Configure page.
For 'application from the gallery', you can set up a redirect URI by:
Select the application in the Azure AD page of the classic Azure Management portal.
Click on Configure single sign-on
Select Microsoft Azure AD Single Sign-On
In the Configure App Settings, check the Show advanced settings (optional) checkbox.
Set the Reply URL (optional)