Custom error messages or error page in Azure AD - azure-active-directory

Is there a way to configure custom error messages or maybe even a custom error page in Azure Active Directory to display when something goes wrong during sign in instead of the "Sorry, but we’re having trouble signing you in." text and error details?
I was not able to find any documentation on this, but after further digging I found that there is an errorUrl parameter in the application manifest (the app registered in AAD and used for sign-in). My initial thought was that in case of an error MS/AAD would redirect to this URL with the error codes, but as far as I have tested, this errorUrl does not seem to be used at all.
What is the errorUrl parameter meant for, and is there really no way to specify/configure custom error messages?

No, there is no way to specify custom error messages or error pages.
In certain flows, in certain cases, the error message is passed back to your application (instead of being displayed in the Azure AD sign-in page) where you can deal with it as you see fit. (I don't believe there is any standard guidance on which error cases result in an error returned back to the app.)
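Where the error does come back to the application (on the redirect URI, as the standard OAuth 2.0 error, error_description and state query parameters), the app is the only place a custom message can be produced. The following is an added example, not code from the question or the answer above: it checks the state value against the one the app issued, maps the standard error values to wording of our own, keeps the raw description for the server log only, and HTML-escapes whatever is shown. The redirect URL and the friendly texts are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs
import html

# Standard OAuth 2.0 error values that can appear in the redirect; the texts are ours
# (assumed wording for this example), not anything Azure AD sends.
FRIENDLY_MESSAGES = {
    "access_denied": "Sign-in was cancelled or consent was not granted.",
    "interaction_required": "Please sign in again to continue.",
    "login_required": "Please sign in again to continue.",
    "temporarily_unavailable": "The sign-in service is temporarily unavailable. Please retry.",
    "server_error": "The sign-in service is temporarily unavailable. Please retry.",
}
GENERIC_MESSAGE = "We could not sign you in. Please try again or contact support."


def handle_redirect(redirect_url, expected_state):
    """Return (user_message, log_record) for the redirect back to the app.

    user_message is None when the redirect carries no error (normal code response).
    The raw error_description goes to the log record, never straight to the user.
    """
    params = parse_qs(urlsplit(redirect_url).query)
    state = params.get("state", [None])[0]
    if state != expected_state:
        # A state mismatch is treated as a failed sign-in regardless of other params.
        return GENERIC_MESSAGE, {"event": "state_mismatch", "state": state}

    error = params.get("error", [None])[0]
    if error is None:
        return None, {"event": "no_error"}

    log_record = {
        "event": "oauth_error",
        "error": error,
        "error_description": params.get("error_description", [""])[0],
        "error_codes": params.get("error_codes", [""])[0],
    }
    return FRIENDLY_MESSAGES.get(error, GENERIC_MESSAGE), log_record


def render_error_html(user_message):
    """Escape the message before embedding it in the app's own error page."""
    return '<p class="error">' + html.escape(user_message) + "</p>"


if __name__ == "__main__":
    # Constructed sample redirect, as a browser would deliver it to the callback route.
    sample = ("https://app.example.com/callback?error=access_denied"
              "&error_description=User+declined+to+consent+%28constructed%29&state=abc123")
    message, record = handle_redirect(sample, "abc123")
    print(render_error_html(message))
    print(record)
```

The mapping deliberately falls back to one generic message for anything unrecognised, so an unexpected error value never leaks wording from the identity provider into the page.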

If you want a custom error page, you can use a custom policy in Azure AD B2C. For more details, please refer to the article

Related

Unable to get other users calendar event by using graph API using custom connector in Power Apps

My requirement is to show all the calendar events of my wishlisted users in my Canvas App. To access the Graph API, I have done an app registration in AAD with Calendar.Read and User.Read permissions.
Using the client and secret received from the registered app, a Power Apps custom connector is created. While testing the custom connector, I am getting the below error.
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}
On analysis:
Scenario 1: Calendar.Read - Delegated permission type
API - https://graph.microsoft.com/v1.0/users/{UserID}/events
When delegated permission is given, I am able to access and get a response from the calendar event API only when the UserID is mine.
But it is throwing the above-mentioned error for other users (this is the actual requirement).
Scenario 2: Calendar.Read - Application permission type
API - https://graph.microsoft.com/v1.0/users/{UserID}/events
When application permission is given, it is failing and throwing the same error.
First, will I be able to get other users' calendar events?
What are the steps to be taken to access them?
What permission type should be considered for my scenario?
Am I missing any basic settings?
Please advise. I have lost much time on this requirement.
Thanks in advance.
If you were to use Delegated permissions (which sounds wrong for the authentication flow you want to use), then to access another user's calendar (that you have been delegated rights to, either via Outlook or the mailbox permissions) you will need Calendars.Read.Shared or Calendars.ReadWrite.Shared; see https://learn.microsoft.com/en-us/graph/outlook-get-shared-events-calendars
For the client credentials flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow, which it sounds like what you want to use, Calendar.Read should be enough to access the calendar; if you're doing anything else in the directory then User.Read will also need to be an application permission. You probably need to look at https://support.microsoft.com/en-us/topic/verifying-oauth-configuration-for-custom-connectors-d733fdb9-6108-4199-b4f5-06e99b02d10f to do some debugging to see what is actually happening with your token generation process; you can then use something like jwt.io to check the correct scopes etc.
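The jwt.io check in the answer above can be done locally without pasting a live token into a third-party site. The following is an added example, not code from the question or the answer: it base64url-decodes a JWT's header and payload without verifying the signature (enough to see which claims are present, and nothing more), then reports whether the token carries delegated Graph permissions (space-separated scp claim) or application permissions (roles array), which is exactly the distinction between the two scenarios in the question. The audience values used are Graph's resource URI and its well-known application ID; the sample tokens are constructed inline and unsigned, so they would not be accepted by Graph.

```python
import base64
import json

# Audience values a Microsoft Graph access token carries (v1.0 resource URI or v2.0 app ID).
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """Return (header, payload) of a JWT WITHOUT verifying its signature.

    Only for local inspection of claims during debugging; never use this to
    decide whether a token is trustworthy.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def classify_graph_token(payload):
    """Explain which Graph permission type (if any) the token's claims represent."""
    aud = payload.get("aud")
    scopes = payload.get("scp", "").split()   # delegated permissions, space separated
    roles = payload.get("roles", [])           # application permissions (client credentials)
    report = {"audience": aud, "delegated_scopes": scopes, "app_roles": roles}
    if aud not in GRAPH_AUDIENCES:
        report["verdict"] = "token is not for Microsoft Graph; check the requested scope/resource"
    elif roles and not scopes:
        report["verdict"] = "application token (client credentials)"
    elif scopes:
        report["verdict"] = "delegated token (signed-in user)"
    else:
        report["verdict"] = "no Graph permissions in token; admin consent may be missing"
    return report


def make_sample_token(payload):
    """Build an unsigned, JWT-shaped string for offline testing (constructed, not a real token)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     ""])


if __name__ == "__main__":
    # Constructed tokens mirroring the two scenarios in the question.
    app_token = make_sample_token({"aud": "https://graph.microsoft.com",
                                   "roles": ["Calendars.Read"]})
    delegated_token = make_sample_token({"aud": "00000003-0000-0000-c000-000000000000",
                                         "scp": "Calendars.Read User.Read"})
    for tok in (app_token, delegated_token):
        _header, payload = decode_unverified(tok)
        print(classify_graph_token(payload))
```

If the roles array comes back empty for a client-credentials token, the permission was requested but not admin-consented; if scp is present instead of roles, the connector is still running a delegated flow, which is why only the signed-in user's own calendar works.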

Where do I find my fullfillment URL to the google home action?

I've just started integrating the Assistant into a smart home project that I'm working on, and I've initially been experimenting with the Assistant by implementing the account linking flow and the sync intent. I tested the account linking with the Google developer tool for the OAuth flow and confirmed it worked. Whereas, in the smart home app, as soon as it completes the account linking flow I keep receiving an error message stating "Couldn't update your settings, Check your connection". I didn't find much of a clue in the logs for troubleshooting. Also, the solutions on the other posts do not seem to be working out for me either. I would appreciate it if anyone could help resolve this.
Also, I'd like to know where I can find the fulfillment URL that needs to be entered when creating the smart home action. I've been using Firebase to deploy my cloud functions. Moreover, I suspect whether the fulfillment URL I entered, which was provided by the codelabs sample, was invalid, thus the Assistant was unable to reach the fulfillment.
Your fulfillment URLs are the functions that you've created. For Firebase, there's a specific pattern that you can follow. If you visit your Firebase console, in the functions section, you'll see the full URL which you can copy and paste into the Fulfillment URL input.
In my example, I have a cloud function named "about_info" with the pattern https://us-central1.PROJECT_ID.cloudfunctions.net/FUNCTION_NAME. So you can use a similar scheme to identify what your function names will be.

OpenAM, Not found error, then reload works

We are using OpenAM to authenticate with our Active Directory users. We are running into a very odd problem.
We log in using the mail attribute, which belongs to the user object class in Active Directory. Upon logging in, a Not found error appears on the screen. Looking into the network tab we see that there was a request to openam/json/realms/root/users/<mail#domain.com>, but it returns a 404.
If we close the tab and reload the login URL again, it immediately goes to the consent screen and displays the user's canonical name. Accepting the agreement successfully sends us to the specified redirect URI.
Info:
There is a module that looks into a Data Store that is hooked up and pulls a certain organization group (the data store appears to work fine)
There is a simple chain that uses that module
Any ideas?
I was able to determine the problem after digging into the OpenAM logs.
I turned on message-level debugging and saw that the Not found error was not a problem with finding the user in AD, but a problem finding groups in AD.
By default the datastore we had created was searching for groups with some arbitrary attributes, but our AD does not have groups. We set all the group search fields to be blank and this resolved our problem.

Azure Active Directory B2C custom error page is ignored

We have a custom Azure AD B2C Sign-in/Sign-up policy in place (SAML-based, the default policy doesn't do what we need).
We're able to customize the page UI as expected, via a content definition like:
<ContentDefinition Id="api.localaccountsignin">
  <LoadUri>https://example.com/SAMLSignIn.html</LoadUri>
  <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  <DataUri>urn:com:microsoft:aad:b2c:elements:selfasserted:1.1.0</DataUri>
  <Metadata>
    <Item Key="DisplayName">Local account sign in page</Item>
  </Metadata>
</ContentDefinition>
But attempting to customize the error page, via:
<ContentDefinition Id="api.error">
  <LoadUri>https://example.com/SAMLErrorPage.html</LoadUri>
  <RecoveryUri>~/common/default_page_error.html</RecoveryUri>
  <DataUri>urn:com:microsoft:aad:b2c:elements:globalexception:1.1.0</DataUri>
  <Metadata>
    <Item Key="DisplayName">Error page</Item>
  </Metadata>
</ContentDefinition>
changes nothing. The SAMLSignIn.html page is still used (albeit with the contents of whatever sign-in error occurred). This happens whether we test with invalid user names, bad passwords, or anything else.
Even setting
<Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
in the associated <ValidationTechnicalProfile> doesn't force the error.
The user journey as seen in ApplicationInsights shows only a Web.TPEngine.Providers.BadArgumentRetryNeededException; no other errors or exceptions are logged.
How can we cause a custom error page to be used on login failure (for whatever reason)?
The documentation, such as it is, seems to imply we're doing the right thing (as does How to Create a Custom Error Page in Azure AD B2C | Custom Policies). I can't find any suggestion that we need to specify custom error handling in the UserJourney, nor any means by which we could do so if we wanted.
To summarize:
You are using local account sign-in with a SAML issuer. This makes the sign-in process happen on the Azure AD B2C sign-in page. The error messages you see are just regular validation error messages. This all happens on the sign-in page, not the error page. Error content is only used by the engine when an unhandled exception breaks the execution of the user journey, which is not the case with a regular sign-in.
Your options to customize validation errors are limited to using pure CSS on the sign-in page.
A really complex customization is demonstrated here
The document describing UI customization in general, is here
And UI customization using custom policy here
At best you will come up with some nice error messages like these:

Error "Unable to retrieve tenant service info" from Microsoft Graph

We use the Microsoft Graph .NET SDK to authenticate users who use O365 and to work with the users' files and folders in OneDrive and SharePoint.
Today, some of our users started receiving this error message: "Unable to retrieve tenant service info". The error code is: "BadRequest", which doesn't seem to correspond to the message and thus might just be a catch-all error code. Except for the mentioned error code and message, no other information was provided in the error response from Graph.
After some debugging, I could verify that this problem was not related to OAuth or the users' access tokens, as the users are still able to authenticate and refresh their tokens via the API. The error is only thrown when our server attempts to access or modify the users' files/folders in either OneDrive or SharePoint.
We had been using the same code for a few months, and only started receiving this error today. I've tried looking up the error message in documentation, articles, blog posts, etc. but couldn't find anything.
Any help or suggestion would be greatly appreciated. Thank you in advance.
There was an incident/regression that caused failures when reading tenant service info between January 19 and January 21. This should no longer be happening.
