I am trying to use ADALJS(https://github.com/AzureAD/azure-activedirectory-library-for-js) to access Azure Active Directory. I am successfully able to perform the login however when I try to make a webapi call I get the following error
Error description:AADSTS65001: No permission to access user information is configured for 'clientid' application, or it is expired or revoked.
You can follow this sample to verify your application configuration : https://github.com/AzureADSamples/SinglePageApp-WebAPI-AngularJS-DotNet
You may be missing to enable Oauth2 implicit flow in the manifest.
Related
Overnight some of our unattended SMTP mailboxes (used for sending email from code) have stopped working with error:
Authentication requirement Single-factor authentication
Status Failure
Continuous access evaluation No
Sign-in error code 53003
Failure reason Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
I am trying to simply remove these accounts from the MFA requirement (which I dont actually recall switching on for all users) but every screen I click on I receive an error stating that I need a Premium subscription to configure conditional access. What am I missing? Surely an access policy that we are not licenced to configure should not be getting applied?
Check if security defaults are disabled under
o365 Admin Center > Settings > Org Settings > Modern Authentication
I tried to execute the CALL at D365 CRM Online API. I am using Postman.But when I tried to Get new Access Token, I have the following error:
"AADSTS500011: The resource principal named XXXX.api.crm4.dynamics.com was not found in the tenant named XXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant."
Here the steps that I followed:
Create new App registration on Azure Active Directory
Configure Environment on PostMan
Configure Authorization
Click On "Get New Access Token"
I have this error
How can I solve the issue?
Thanks
Alessandro
I am trying to request the Directory.Read.All scope using Microsoft's MSAL library & retrieve a valid access/refresh token pair with the acquire_token_by_authorization_code function.
I ask an organization's admin to consent to the above application permission with the /adminconsent endpoint (and have confirmed that permissions have been granted - see screenshot below). However, when trying to retrieve an access token with the Directory.Read.All scope, I get the following error:
{'error': 'invalid_grant', 'error_description': "AADSTS65001: The user or administrator has not consented to use the application with ID 'XXX' named 'XXX'. Send an interactive authorization request for this user and resource [...]'suberror': 'consent_required'}
Not exactly sure how this can be the case - as the permission is clearly granted. I have tried resetting the token cache by removing all MSAL accounts, but doubt this is the root of the issue, as the actual step that fails is converting an authorization code to access token.
Thanks for any help!
I can reproduce your error:
If you use the auth code flow to obtain an access token, you should grant delegated permissions, because this is a authorization flow with user interaction, so try to grant Directory.Read.All delegated permissions, and then grant admin consent for the permissions.
I am using a daemon auth API and I am able to get /groups but if try and use /groups/GROUPID/planner/plans I get a UnknownError and the message says
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials
that you supplied.
I have Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All permissions as per the documentation. And I am using the https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0 (Get access without a user
) steps to get my token. I have got my administrator to click the Grant access (they are all "Granted").
Only planner stuff seem to be the issue (I can get, create, delete groups, and everything else) I am using v1.0 of the API and I tried beta both didn't work.
I checked my access token on jwt and it has
"roles": [
"Group.Read.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"Directory.Read.All"
],
Which I assume means they are all there.
You are using client credentials flow which uses application permission. But GET /groups/{group-id}/planner/plans api doesn't support application permission. It needs delegated permissions. See the difference here.
I have SAML service provider(SP) and I want to use salesforce as a Identity provider(IdP) with my SP.
I have setup domain, Created new Connected App with saml enabled with all required details. Then downloaded metadata and used this to register on SP.
Salesforce gives me IdP initiated Login Page URL. When i visit that, it works perfectly. It redirects to saleforce login, after that sends SAML response to SP. But when I visit SP and initiate login from there which redirects to salesforce page which gives following error.
Insufficient Privileges
You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary.
I had the same issue and got fixed. Here are helpful tips.
You can check on the logs under 'Manage Users -> Identity Provider Event Log'. This could give reason for your error. I got a 'Error: User does not have access to this service provider' error
For this, the user was not given permission. Even if the user is System Administrator, the access to Connected App is not given by default. To give permission, go to 'Manager Users -> Users' and click edit on the user you are testing.Click profile name link .e.g System Administrator. This takes to profile page. You can scroll below to 'Connected App Access' and you would see that the access is not given. Give the access by clicking edit profile in the top of page.