My Azure AD web app fails validation in AppSource with the following errors:
7.9 Your add-in’s packages must be correctly formatted and conform to the current manifest schema. For Office Add-ins, this is manifest
schema version 1.1.
For detailed manifest schema information, see Schema reference for
Office Add-ins manifests (v1.1) and Schema reference for manifests of
SharePoint Add-ins. Also see What are some common errors to avoid when
submitting my add-in to AppSource? in AppSource submission FAQ.
10.3 The version number you specify for your add-in on the Seller Dashboard submission form must exactly match the version number in the
add-in manifest.
How should I resolve this? The app is indeed registered as an Azure AD web app. The errors are however referring to the schema for Office- and SharePoint Add-ins which does not apply to my case. The schema for Azure AD applications does not specify a field for version number.
When you submit an Azure Web app to AppSource using the Seller Dashboard, you are prompted to complete the 'Version' field in the first page of the listing.
The version number for Web Apps using Azure AD should follow the below structure:
n.n
n.n.n
Related
We have a Teams App which is created using Teams Toolkit - SSO Enabled Tab option.
This App is single tenant by default and we want to convert it to Multi Tenant.
We are following the steps mentioned in "https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app" to do the same.
Here when I update the aad.template.json file and change the value of signInAudience to AzureADMultipleOrgs, and then run provisioning using teams toolkit. I get an error - "Failed to update application in Azure Active Directory. Please make sure 'templates/appPackage/aad.template.json' is valid: Request failed with status code 400 Detailed error: Request failed with status code 400. Reason: Values of identifierUris property must use a verified domain of the organization "
On changing the value back to AzureADMyOrg, provisioning is successful.
Anyone faced similar issue
It sounds like it's failing because you don't have a verified domain registered with Azure. It's only required for multi-tenant apps, but that's exactly what you're building. Essentially, you need to have a regular external domain registered with Azure, something like a .com, .io, .net, .whatever public domain.
On the page you linked, it actually says as much:
Since Azure AD app requires an "tenant verified domain" for Application ID URI, you can use your own Custom Domain or Create a new Custom Domain on Azure.
But this looks useful too: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts#why-changing-to-multi-tenant-can-fail
This error is because you are not using a verified domain in Application Id Uri of your multi-tenant Azure AD app. Teams Toolkit will by default use Storage to host your Tab app, however Storage endpoint is not a tenant verified domain, and thus you will fail with this error if only update your AAD manifest.
You can follow step 2-4 in Update your Tab applications to create your CDN or use your own tenant verified domain and setup the endpoint in your project.
We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow
I followed this article to implment OAuth flow with the following authority url
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d8e21783-5956-4bef-80ae-fdd636006223&prompt=login&response_type=code&response_mode=query&redirect_uri=xxxxx&scope=offline_access+user.read+files.readwrite.all&state=xxxxx
The page provides two sign-in ways:
With email address.
Without entering the email address.
You can see this screenshot, green line is the first option and orange line is the second.
Both of the two login ways supports 「Windows Hello Face」 and 「Security Key」 (Passwordless)
However, the authorization will fail if I choose the second sign-in way.
AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'.
Does this mean Microsoft OAuth flow not supporting the second sign-in way?
PS: The ancient authority URL (ref) supports the second sign-in
way.
GET https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}
&response_type=token&redirect_uri={redirect_uri}
This approach is no longer recommended.
Use your personal Microsoft account to get access to Azure and all
consumer-oriented Microsoft products and cloud services, such as
Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Microsoft
365. Sign up your organization - Azure Active Directory - Microsoft Entra | Microsoft Docs
Note: Usually approach using the Azure AD v2.0 endpoint is recommended. However, some enterprise scenarios may require using the original Azure AD endpoint.
Please check this Microsoft Docs on Error AADSTS50020 to check for relatable cause to troubleshoot.
References:
Get OneDrive data in UWP using Microsoft (Live) Accounts and Azure
AD - DEV Community
Authorization and sign-in for OneDrive in Microsoft Graph
You can raise a support request.
When adding your Website to a new SSO (AD, Ping on this case), AD will normally ask for one thing: "Please share the Metadata URL for your site."
My application uses WS-Federation and its hosted on IIS. Its an application built in 2013 and minimal code changes are preferred.
Currently the (old) application is already enrolled in one AD that is going to be decommissioned, and the old Metadata used in 2013 is nowhere to be found. And so I need a new Metadata to provide to the new AD.
Back in 2020, I've already accomplished this, the WindowsIdentityFoundation SDK 4.0 was available on the microsoft site, and so following this: How to create federation metadata XML for "Relying Party Trust" and "Claims Provider Trusts" for ADFS 2.0 Was possible to create one FederationMetadata file completely valid and accepted by AD for an existing site to be enrolled to a new AD.
At the time I saved all the links/urls that I used, but with the SDK going out of business in late 2020, and some of the example sites, I had saved, are now Not Found. I am stuck.
Now, 2 years later, we do not have WIF SDK anymore, and here I am trying to do the same. For another address/website. To try to understand better a new approach, I tried to create a new application in Visual Studio to see what FederationMetadata.xml is generated by using the VS's Authorization and publishing. But no matter what I do, a FederationMetadata.xml is nowhere to be found, build/release folders, IIS, anywhere.
So, my question:
How to create a new application with a new FederationMetadata file?
Or even better, how to create a FederationMetadata for an already existing Website?
Thank you.
• Firstly, please ensure that ADFS is installed with correct settings in your environment and the ADFS service is reachable from the extranet through public DNS records configured. Once this is achieved, then please check whether your website has the correct website name configured according to the DNS of the IIS server on which it is hosted and joined to the domain.
Once the above things are working fine and are accessible from the intranet as well as extranet by adding the required DNS records in internal as well as public DNS, please ensure that system authentication and security classes regarding Windows Identity Federation framework that provide basic programming model for claims-based authentication is included in the ASP .NET MVC app or not.
• Since, as you said, the WIF SDK is out of business and no longer available, Microsoft has included the WIF classes in .NET Framework 4.5 hence forth and that should be used for claims-based identity and authentication in ASP .NET applications. So, to do this and include the required claims identity principals and assembly packages, please refer to the documentation link below for more information. It will help you in including the classes and namespaces required for security token-based authentication in your application.
https://learn.microsoft.com/en-us/dotnet/api/system.security.claims?view=netframework-4.5.2
Once the above is done, then you can create an ADFS Federation metadata URL by going to the Endpoints section in ADFS workspace. In that, go to ‘Metadata’ section and copy the link given there which states type as ‘Federation metadata’ and add your ADFS service FQDN in the link’s prefix to form the ADFS federation metadata URL, i.e., ‘https:adfsservicename.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml’
• When the federation metadata URL is generated through the ADFS, then open your ASP. NET MVC application in Visual studio and change its authentication to on-premises, then configure the on-premises authority with the federation metadata URL and leave the App ID URI blank to detect the application URI name from the web.config file. Once, that is done, check the ‘System.IdentityModel’ and other classes added in the project directory. Then, configure the application as a ‘Relying Party’ in your ADFS Server and configure the SSO accordingly.
Please refer to the below link for more information on above stated steps of creating an ADFS URL for ASP .NET MVC application: -
https://www.dotnetcurry.com/windows-azure/1158/using-adfs-azure-single-signon-aspnet-mvc
I created and App registrations with "Personal Microsoft accounts only" options
But this application is not showing under Enterprise Applications. Is that expected?
Since this is not showing under Enterprise Applications, i am not able to add this to Entitlemment management Catalog
As you can see i create a App registration with Personal Microsoft accounts only
I dont see managed application in local directory option in overview tab
You can have an Enterprise Application in one tenant while the original App Registration is in a different tenant, but not the other way around. If you have the app registration in your tenant you should always see a corresponding enterprise application in that same tenant. Please try searching for the application under "All Applications" and remove any of the automatically applied filters.
Try copying the application ID from the App Registration and searching for it in the Enterprise Applications blade (without any filters applied):
If you post a screenshot of what you see and in each spot while searching for the Application ID and it's still not there, I will raise a bug.