Azure Active Directory access error - c#

I am using Azure Active Directory B2C in an application. When I try to call the azure login page (which is a sign-in policy), I am prompted with the following error:
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: 9e8de233-669b-4495-8678-236216359c58
Timestamp: 2017-02-21 13:51:35Z
AADB2C90068: The provided application with ID 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' is not valid against this service. Please use an application created via the B2C portal and try again.
Any suggestions on how to fix this and allow users to authenticate into the application?

I believe the problem is that you have registered under the tab Applications in the non-B2C portal. Under the "Getting Started" or "Configure" tab you will find a link called "Manage B2C settings". Clicking this will take you to the new Azure portal but logged into the B2C directory instead. Go to "Applications" and register your application there.

Related

Can't authenticate personal Microsoft account against Azure DevOps using MSAL

I'm trying to set up authentication against Azure DevOps using MSAL. I've followed Microsoft's sample but I can't get it to work with personal Microsoft accounts. Whenever I try to log in with a personal account I get the following error:
This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.
In the sample I have only changed ida:Tenant to "common" and ida:ClientId to my application id. I've set up my App Registration by following the guide in the sample, except for the "Supported account types", which I've set to:
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
What am I doing wrong or missing?
When configuring the application to use your app registration, you also need to find the key ado:OrganizationUrl and replace the existing value with the URL of your Azure DevOps organization. Please note: this must use HTTPS, as mentioned in Configure the application to use your app registration.
If you already replaced the ado:OrganizationUrl, you may try changing the Supported account types back to "Accounts in this organizational directory only" to see if it works, for troubleshooting.
I spent a little bit of time getting the samples working, and the key steps required to accomplish this are:
The Microsoft personal account needs to be added to an Azure Active Directory tenant, as MSAL uses Azure AD as its fundamental infrastructure.
https://learn.microsoft.com/en-us/answers/questions/228067/invite-or-add-personal-ms-account-to-azure-ad.html
Link the Azure AD tenant (with the Microsoft personal account) to the Azure DevOps service instance.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
To complete the sample, I used my MS personal account to sign up for a free Azure account (so that I could test the Azure AD stuff), and used the same account to request a free Azure DevOps service account.
Thanks
In your question you mention:
"I'm trying to setup authentication against Azure DevOps using MSAL. "
So, the goal is to let Microsoft Account users log on to some part of Azure DevOps using MSAL? I'm curious what the exact use case is, but let's assume I understand you correctly.
The first thing that comes to mind is: are those users already invited to the AzDo organization? Please read here how to do this.
Doing this will add them to the Active Directory as a guest like this:
Alternatively if you just want to invite these users to Azure, please use the invite from: https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers
This site suggests this error occurs when the user doesn't have multi-factor authentication set up. You may need to have your Microsoft account set up with MFA.

Unable to add or update Azure AD application

I'm trying to plug Azure AD Authentication into my MVC project, and each time I try to connect the service these errors appear.
I checked the previous authentication in "packages.config" and "Web.config" and everything is clear.
I also checked the client id, clientSecret, Redirect URL and Azure Domain, and everything was right!!
What is the problem here, so I can't move forward with it?
Actually, this kind of service linking with Azure AD needs more permissions than User.Read,
because it may change something in the Azure AD App.
So I changed the project to authorize directly against Azure AD without that service, by editing the code manually.
I noticed that it was adding the Read directory data permission to the application. So you must have checked that permission when configuring Azure AD Authentication.
Try to log in to the Azure portal with the account you used to configure Azure AD Authentication in Visual Studio. Find your application and check whether you can add the Directory.Read.All permission successfully.
If you can add it successfully, try to create a new Azure AD application when configuring Azure AD Authentication.

App Registrations: Deletion of permissions is not reflected in API call

I have access to my Azure AD Portal. I also have an external ASP.NET application which is accessing the Microsoft Graph API. For this purpose I added an App Registration, which gives me an Application ID and Key to be able to configure my ASP.NET application to authenticate itself against the Graph API.
I need my ASP.NET application to read groups out of Azure AD. I can authenticate successfully, but I get an error saying that I don't have enough privileges. Then I go back to the Azure AD Portal and add permissions to the App Registration I added. This works OK, so in the end I get the Graph API response in my ASP.NET application.
Now comes the issue. I selected too many permissions, so I want to use the smallest set of permissions that are necessary for my ASP. So I go to the Azure AD Portal again and remove some of the permissions. When I test my app again, I still receive the groups, even with no permissions selected.
I think this is an issue. Or is there some kind of delay? I don't think so, because when the API is working and has the proper permissions I can add a group in the Azure AD Portal and instantly see it in my ASP.NET application.
This issue is especially annoying because you can't really test which permissions your app needs.
Thanks.

Power Query/PowerBI connecting to Custom oDATA feed secured with AAD

I have created a custom OData feed using ASP.NET Web API. This service is configured using Azure Active Directory for Authentication. The issue I currently have is when I try and connect Power BI or Power Query up to the OData feed. Once I have entered my credentials I get the following error:
Invalid_resource: AADSTS50001: The application named https://localhost:44320 was not found in the tenant named XXX.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
I'm pretty sure that I have configured AAD correctly as I can connect up through the web browser with no issues. I'm not sure if it's even possible to connect up with Power Query as I have seen conflicting posts in various forums!
Any help would be greatly appreciated.
I also experienced this error when trying to use Power Query to get API data into an Excel spreadsheet, and had a hard time getting past it, mainly because the documentation around all this is somewhat slim.
Problem - How to import data from an API in Azure into an Excel spreadsheet?
I had an ASP.NET API running in Azure and exposed on my own domain at a URL, e.g. https://api.myapp.net (rather than a built-in Azure URL). This API was hooking into Azure AD via the OWIN middleware UseWindowsAzureActiveDirectoryBearerAuthentication, i.e. the App Service in Azure had AAD authentication turned OFF. The application was registered in AAD as multi-tenant, in a different tenant to the one where the App Service resource was hosted.
Issue 1 - Credentials
So first off in Excel do Data > From Web > https://api.myapp.net/Products and select "Organisational Account" and click "Sign-in", giving this error:
There are two different fixes for this:
1. Return WWW-Authenticate response header on all 401s
If you have enabled AAD on your API in code using the OWIN middleware, then you need to ensure the service returns the correct WWW-Authenticate header in the 401 response to the client; specifically, we must specify the AAD sign-in endpoint as the authorization URI, e.g.:
WWW-Authenticate: Bearer realm="",
authorization_uri="https://login.microsoftonline.com/<<tenant id of your users>>"
See: this TechNet question which suggested this solution
2. Turn on AAD authentication for the API app service in the Azure portal
Alternatively in the Azure Portal for the tenant where the App Services themselves are hosted
Go to App Services and locate the API app service
In Authentication / Authorization turn App Service Authentication ON
For "Action to take when unauthenticated" select "Log in with Azure Active Directory"
Under "Authentication Providers" click "Azure Active Directory" and select "Advanced" settings
Under "Client id" enter the application id for the API app registration
Under "Issuer Url" enter the sign-in end-point for the tenant the users of the API originate from
Under "Allowed Token Audiences" ensure you have added the actual url of your API e.g. https://api.myapp.net
Save the changes
Essentially this config is described here
Issue 2 - App Registration
Now back in Excel when you click sign-in on the query a pop-up will open and take you to the Microsoft sign-in page for the tenant you configured. When you enter credentials and sign-in you may then get this error (the one in the question):
To fix this issue you need to ensure that the application is registered correctly with AAD.
Here is how...
In the Azure Portal for the tenant where your applications are registered
Go to Azure Active Directory > App Registrations and locate the registration for the API service
Edit the Manifest and ensure the actual deployed API URL is configured in the list of identifierUris, e.g. https://api.myapp.net (there will be an Azure built-in URL already configured)
{
"identifierUris": [
"https://api.myapp.net",
"https://<mytenant>.onmicrosoft.com/<myappregname>"
]
}
If the application is multi-tenant you will need to ensure the domain used in this URL is verified with Azure
You must also ensure the user_impersonation scope is available for the application:
{
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access myapp on behalf of the signed-in user.",
"adminConsentDisplayName": "Access myapp",
"id": "xxxxx-xxx-xxx-xxx-xxxxxxx",
"isEnabled": true,
"lang": null,
"origin": "Application",
"type": "User",
"userConsentDescription": "Allow the application to access myapp on your behalf.",
"userConsentDisplayName": "Access my app",
"value": "user_impersonation"
}
]
}
Save changes.
Issue 3 - Allowed token audience
Now back in Excel, you should be able to get past the sign-in but when clicking on "Connect" you may get this error:
Now, looking in Fiddler, you will see the AAD login works and returns a token, but when this is sent to the API you get a 401.
This is only an issue if you have enabled AAD via code rather than through the Azure portal (see Issue 1 above!). To fix it you need to ensure the TokenValidationParameters instance passed to the OWIN middleware has ValidAudience set to the actual URL of your deployed API.
Run the query
With all that set-up everything should now work, back in Excel ...
Click sign-in: a pop-up will open and take you to the Microsoft sign-in page for the tenant you configured; sign in with your credentials
Click Connect
PowerQuery editor will then open and display the retrieved data from the API
Click Home > Advanced Editor and you will be able to view the raw query. This is in M-query syntax, the query language used by Power Query; in my case the data was a flat array, so this sufficed:
let
Source = Json.Document(Web.Contents("https://api.myapp.net/Products")),
#"Converted to Table" = Table.FromRecords(Source)
in
#"Converted to Table"
Click Close & Load to return the data to the Excel worksheet
How this works
In case you care (and are still reading this!), the way this works seems to be:
PowerQuery requests access to your API under the "Microsoft PowerQuery For Excel" built-in application (client id a672d62c-fc7b-4e81-a576-e60dc46e951d)
When you sign in, AAD grants the dynamic scope user_impersonation on your API (identified by the resource URL https://api.myapp.net) to the "Microsoft PowerQuery For Excel" app
You can see this in the portal by going to Enterprise Applications, checking Microsoft Applications and searching for Microsoft PowerQuery For Excel
Sorry for the long post but hopefully this helps somebody do something seemingly quite trivial - pull data from an API in Azure into Excel!
I have managed to get past this issue by publishing my Web API to an Azure Web App. Interestingly, when it's hosted on Azure it prompted me to allow "Power Query for Excel" access. The issue could be limited to the fact that I was running it on IIS Express on my dev box.

Other causes of this Active Directory error?

I'm trying to use Microsoft AD Azure to log into my web app. I'm using OWIN and have managed to get to the login page - type in the credentials (including an Azure admin credentials) and I get this lovely message:
AADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I'm not sure what else I can do as it's a very specific error but I've already given it full admin.
Edit - Solved! Although it might be a bit different than for others, as it's a bit of a rare case. I was pointing at the wrong version of AD, where only the CEO of the business had global admin permissions. Once I had pointed it at a different version of AD (the dev AD, not the corporate AD) everything worked.
Your application requires admin consent. Try the Grant Permissions button in the new Azure portal. Wait a few minutes for it to take effect.
Based on the error message, your app has been assigned an application permission, which requires the Azure Active Directory admin to give consent.
You can check the permissions like in the figure below and remove any unnecessary permissions your app doesn't use.
You can also refer the code sample here to integrate Azure AD with web app.
In addition, if we are developing a single-tenant app and register the app from the Azure classic portal or the new portal, there is no need to grant the permission from the web app. The permission is already granted when we register the app.
Please let me know if it helps.
