I created an AD B2C Tenant in the legacy Azure portal. When I click the link that takes me to the new Azure portal to continue managing my new Tenant I get an "Access Denied" error on the blade, followed by the message:
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner.
Does this have anything to do with the fact that my Microsoft account (that I used to manage Azure) is also tied to Office 360?
elabs - a few questions for you:
when you say your MSA used to manage Azure is tied to your O365 subscription, do you simply mean that you have both an MSA and a AAD account with the same name? what do you mean that your accounts are tied?
What OS are you seeing this issue on?
are you sure your signed in with an MSA or Work Account
How to Find out - from the old portal use CTRL+ALT+A and look at EMAIL Address; You'll see either (Org) or (MSA) at the end.
What is the exact error message and the URL where the error is received. Do you see a correlation ID or Request ID along with the message?
I've tried every avenue possible to reproduced this issue that I know and simply can't get the result you encountered.
Chris
Related
I have set up a B2C instance OK and managed to get a basic Blazor (server) app working with it a using the Microsoft Identity Platform (using AD groups for permissions - it was a hassle but works).
However, I'm trying to use an external Azure AD as a custom identity provider in the user flow, so that I am not just restricted to just email/id/social accounts, but can have guest accounts from other directories use the app without having to manage their sign-in's. To do that I performed a web app registration in the AD tenant that I wanted to use to authenticate those accounts against (as suggested in a couple of tutorials).
The application I registered in the external AD has a Redirect URI in the format "https://{My B2C Directory Name}.b2clogin.com/{My B2C Directory Name}.onmicrosoft.com/oauth2/authresp", which matches the name of my B2C instance, and I have added the client id and secret generated from that app registration and put the details into the custom identity provider I have created for the sign-in flow, as per the instructions here (including the mappings etc.):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
I also found a slightly older tutorial here, which is pretty similar (different mappings) that I've tried to follow (and adapt the bits that are out-of-date).
https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-azure-ad-via-the-b2c-custom-identity-provider-42fbc2832e32
However when I run the user flow I get "AADSTS900971: No reply address provided." - this happens even when I run the flow directly from the User Flows tab in B2C with a 'Reply URL' explicitly set to "http://jwt.ms" (just to capture the token contents).
I'm confused about the reply URL being missing because they exist in both registered apps. Also, it's not saying they're mismatched, just that one isn't set at all (but appears to be).
It feels like I'm missing something simple - does anyone have any idea what that might be?
Ok so I did a couple of things to resolve this:
Re-registered the application in the AD I want to authenticate with (following this tutorial again: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow)
I was careful to ensure that the redirect URI in the format:
https://{B2C Instance Name}.b2clogin.com/{B2C Instance Name}.onmicrosoft.com/oauth2/authresp
was all lower case.
I also had to change from just a 'sign-in' user flow to the 'sign-up, sign-in' one, and then applied the custom identity provider to that flow. Apparently you need that even for users from another AD to be able to complete their invite process (otherwise you just end up with a user doesn't exist error - even if you've invited/added them to the B2C users list).
I also elected to 'Grant admin consent for Default directory' under the API Permissions tab for the application being registered in the external AD (to be used for the custom identity provider).
The flow seems to work now. The only thing that would be useful would be to have an invite only sign-up, sign-in flow so that you could invite specific people without breaking the invite process.
If anyone knows how to do that please do post something.
I have an issue with accessing user data with microsoft graph api.
Context : I have a web app with a calendar inside for my users. I would like to give the user the possibility to synchronise this calendar with their microsoft calendar. I did the same thing with google calendars and it works well.
Problem : I registered an app on azure and setup my code with the correct access to login and get a token from the graph api.
It kinda works but i can only log in with the address i used to create my app on azure.
So lets say my admin address on azure is test#azure.com , then i can log in and access the data i want . But if i try with another address like for example test#customer.com, then it fails and display this message :
I keep looking for a way but the Microsoft graph documentation doesn't seem to talk about this problem.
I tried to add the account as an external user, like the message says (and maybe i did it wrong i'm not really sure of this part) but then i can log in but the data i can access doesn't match the data on the account i tried with, as if adding the user as an external user created a "new" user in my organisation.
What I want : I would like to be able to access the data of any user that try to log in with a microsoft email (if they accept the permissions of course).
It's my first time using the graph api so maybe i'm missing something simple...
Thanks
Based on the So thread reference:
When a user authenticates against your tenant, you only have access to the data controlled by your tenant. In other words, if test1#outlook.com authenticates against yourtenant.onmicrosoft.com tenant, you don't gain access to their outlook.com email.
Reason you're able to see the outlook.com email from Graph Explorer is that Graph Explorer is authenticating against their outlook.com account.
In other way, Graph Explorer is authenticating test1#outlook.com against the outlook.com tenant, not yourtenant.onmicrosoft.com.
When a user authenticates against a given tenant, that token only provides access to data within that single tenant. Microsoft Graph does not allow you to cross tenant boundaries.
Thanks Hong for the comment, you may also set your app registration to "multitenant + personal accounts"
So Reference: MS Graph External User 401 Unathorized
When using the graph explorer I am able to get results from some of the API's. However not able to get when requesting for reports
For Example, this works perfectly fine;
https://graph.microsoft.com/v1.0/users
However, calling the below report related request results in an error "We do not recognize this tenant ID ... Please double-check the tenant ID and try again." I am facing this issue for any such call for reports.
https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D90')
Is there some issue with App Registration which is causing this? The error message for checking the TenantID is totally misleading as the token is same in both the cases and I am not doing anything different between the two calls. Would appreciate any guidance.
Try checking these.
Try the request after giving some time like 48 hrs approximately as
it might take a little time for the tenant id to propagate across all
the instances and reflect in Microsoft graph api.
Check if you have given valid tenant ID
check tenant expiration (as admin account)
Else check if required permissions are set.
Reports.Read.All permission is needed to call this API.Refer Microsoft
Graph permissions
Please add the Delegated permisson /the Application permission and test it again. See Microsoft Graph v1.0 | Microsoft Docs
If that’s done already check if admin consent is provided .
( Reports.Read.All permission allows an app to read all service
usage reports without a signed-in user. Make sure to check if you
granted the permission(by clicking Grant Permissions from admin
account).
See reports-permissions
References:
Similar thread
concept-reporting-api
Update:
This error may occur when the usage report is not ready .Because if
the tenant is new , it might take sometime( upto 48 hours) for
the report service to pick it up and start generating reports.
You must be able to test it manually from O365 Admin
Portal.Portal.office.com -> Admin Tab -> Show all -> Reports ->
Usage
Other wise , you may contact support to raise a request.
Is there a way to get value of "objectIdentifier" claim for Microsoft account?
Case: I have an app with one form field, email (need's to be Microsoft account). When this email is entered, server (back end) need's to find out value of object identifier (user ID) in common tenant for all Microsoft accounts (section "tid").
Normally, if this was normal tenant in Azure Active Directory I would create Azure AD app and generated client secret for accessing Graph API, directory endpoint. Unfortunately, this is "special" tenant and I don't know is there any API I can call (as application) to get id of user (best option would be GetUserIdByEmail(email)).
I understand this is weird case but life is hard :)
Asking user to login and then retrieving value from token is not an option!
There is no API that I'm aware of where you could query for MS personal accounts' info without logging a user in.
If you think about it, it would be quite an easy source of building a user list for attacks :)
You will need to log them in to get their id, I don't think you can know it in advance.
How can I find out what admin permissions are blocking the user from signing in to an Azure AD app?
I am setting up an App Registration in the Azure AD portal to be used with my Service Fabric cluster. The app registration does basic auth and only has one Required Permission configured: Sign in and read user profile (which does NOT require admin permission).
My tenant has the "Users can consent to apps accessing company data on their behalf" setting to "Yes", so it's not that.
Also, the /authorize request doesn't have any resource parameter, so it's implicitly asking for the permission I configured: Azure AD's Sign in and read user profile.
However when an non-admin user attempts to sign it, I still get the error:
AADSTS90094: The grant requires admin permission
I reproduced the scenario and this is what I observed. Found a workaround, hope it helps.
First I created a Service Fabric (SF) cluster secured with AAD authentication using the steps described here, using an AAD tenant where I am not a global admin.
Then I tried to login to Service Fabric Explorer (SFX) and I got this error:
AADSTS50105: The signed in user is not assigned to a role for the
application 'f8c79129-deb7-4a21-a6e0-ec29e88298ef'
This is expected, because the user must be assigned to a role (Admin or ReadOnly) in the SF application that represents the cluster. So I went to AAD > Enterprise Applications > found my cluster app and under Users and Groups I added myself to the Admin role. Notice that the fact that a regular user can administer the roles of an application that the user owns is something new, it's available since a month or so -- before that, a regular user couldn't administer the roles of an application.
Then I tried to login again to SFX and I got a different error:
AADSTS65005: Invalid resource. The client has requested access to a
resource which is not listed in the requested permissions in the
client's application registration. Client app ID:
f8c79129-deb7-4a21-a6e0-ec29e88298ef. Resource value from request: .
Resource app ID: 00000002-0000-0000-c000-000000000000. List of valid
resources from app registration: .
00000002-0000-0000-c000-000000000000 is Windows Azure Active Directory. For some reason SetupApplications.ps1 doesn't assign the Sign in and Read User Profile permission to the SF cluster application. So I edited the application and I assigned that permission, just like you showed in your print screen. Notice that SetupApplications.ps1 has a parameter AddResourceAccess (not mentioned in the doc) that adds that permission, not sure why it doesn't add it by default. Perhaps it isn't needed when you run SetupApplications.ps1 as a global admin, and the scripts/doc assumes that you are a global admin.
Then I tried to login to SFX again and I got the same error that you observed:
AADSTS90094: The grant requires admin permission.
So I checked the SF application under AAD > Enterprise Applications > found the SF cluster app > Properties. User assignment required is configured "Yes". I changed it to "No" and tried to login to SFX. This time it worked OK, I could consent and access the SFX console. Then I changed User assignment required again to "Yes".
One can argue if the SF app really needs User assignment required > Yes because anyway if a user is not assigned to the Admin or ReadOnly role, SFX will try to fallback to client certificate authentication.
In either way, the AAD behavior is confusing. At least, the error should be more descriptive and point to the User assignment configuration. Perhaps the current behavior has to do with what I mentioned before, that regular users can now administer roles. Perhaps the behavior is being improved.