Azure MySql - Adding AD User To MySQL DB [migrated] - azure

This question was migrated from Stack Overflow because it can be answered on Database Administrators Stack Exchange.
Migrated 15 days ago.
I am trying to add an Azure AD user to my Azure MySQL DB, so that he can authenticate using a token (instead of needing username / password). I am set as the Azure AD administrator of this DB.
I am signing in to MySQL Workbench using my Azure AD user and a token generated in Azure CLI. Then, I am running the following command:
CREATE AADUSER 'useriwanttoadd@microsoft.com'
(following directions outlined here: https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-configure-sign-in-azure-ad-authentication#creating-azure-ad-users-in-azure-database-for-mysql).
I am getting the following cryptic error which I cannot seem to find any useful information about:
Error Code: 9127. User error occurred while accessing Azure AD endpoint, please check if the managed identity assigned to server has sufficient privileges
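Before pasting an Azure CLI token into Workbench as the password, it helps to confirm the token actually carries the audience Azure Database for MySQL expects and has not expired. The following is an added Python example (not from the question or from Microsoft's docs) that decodes a JWT's claims for inspection; the audience value is the one `az account get-access-token --resource-type oss-rdbms` requests, and the sample token is constructed inline so the script runs offline.

```python
import base64
import json
import time
from typing import Optional

# Audience that Azure Database for MySQL/PostgreSQL tokens carry (the
# resource requested by `az account get-access-token --resource-type oss-rdbms`).
OSS_RDBMS_AUDIENCE = "https://ossrdbms-aad.database.windows.net"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_upn: str, now: Optional[float] = None) -> list:
    """List the problems that would make this token unusable as the MySQL password."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != OSS_RDBMS_AUDIENCE:
        problems.append(f"audience is {claims.get('aud')!r}, expected {OSS_RDBMS_AUDIENCE!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired; request a fresh one")
    # v1 tokens carry the user in 'upn', v2 tokens in 'preferred_username'.
    upn = claims.get("upn") or claims.get("preferred_username")
    if upn is None or upn.lower() != expected_upn.lower():
        problems.append(f"token identity {upn!r} does not match user {expected_upn!r}")
    return problems


def make_sample_token(aud: str, upn: str, exp: int) -> str:
    """Constructed, unsigned sample JWT so the checks can run offline (not a real token)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "upn": upn, "exp": exp}).encode())
    return f"{header}.{payload}.placeholder-signature"
```

An empty list from `check_token` means the token is at least addressed to the right service and the right user; the server still verifies the signature itself.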

Related

Unable to authenticate SQL Server with Azure Active Directory using EFCore

I am using Azure Function V4, EF Core with SQL Server. We are authenticating using a password-based approach but need to add Azure AD so that no password is required in the connection string. I have already added an Admin in SQL Server and assigned roles to specific users so that from the GUI we don't need a password to access SQL Server. That is working but I need to replicate the same behavior in the app.
Steps I followed to replicate -
Created user assigned identity resource.
Enabled identity and assigned the user identity resource to SQL Server.
Added user assigned identity resource to my Function app.
Modified connection string with Authentication=Active Directory Managed Identity and User Id = $usermanagedidentity.clientid
But I am getting errors when querying from the code => unable to fetch token.
Techstack:
Azure Function v4
.net 6
efcore 6
SQL Client 2.1.4
Is there anything that I missed or need to do? Help is very much appreciated.
Thanks, @ErikEJ for helping me out. The issue was in the version. Once I upgraded the SQL Client and gave the appropriate permission on the database it is flying.

Login failed for user '<token-identified principal>'. (Microsoft SQL Server, Error: 18456)

I get the error Login failed for user ''. (Microsoft SQL Server, Error: 18456) from Azure SQL Server when a user tries to log in using Azure Active Directory - Universal with MFA.
My Azure AD login is within a group, and other members of the group can log in to the database, but I get the error '<token-identified principal>'. (Microsoft SQL Server, Error: 18456). However, if the user is added to the database, then I can log in and it works.
create user [myUserName@contoso.com] from external provider
GO
EXEC sp_addrolemember N'db_datareader', N'myUserName@contoso.com'
I was wondering if there is a reason for this.
The error you are getting is an identical issue that has already been raised on the Microsoft Q&A platform a year ago.
You need to add the users to your SQL DB as AAD users first to access the specific SQL Server.
The error "Microsoft SQL Server, Error: 18456 <token-identified-principal>" means that the user used to log in to SQL Server Management Studio is invalid. It is usually related to an AAD user which is not added on the SQL DB that you are trying to connect to (User DB or Master DB), or the AAD user is not the AAD Server Admin.
You just need to add an AAD user in Azure SQL DB. You can follow the steps mentioned here:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#create-contained-database-users-in-your-database-mapped-to-azure-ad-identities
Note: Use the user's UPN (name@domain.com) to access the SQL DB, not the logged-on user name "domain\name.surname" as in my environment.

AAD, AADConnect, MSAL, and Managed Users Error

I have a local AD Forest that is replicated to an AAD Tenant via AADConnect. All seems OK there; the local users get replicated up to the Azure AD instance without issue.
I have a Win10 Desktop joined to the local domain, that is running a C# test app using MSAL and calling
app.AcquireTokenByIntegratedWindowsAuth(scopes);
This throws the exception
Microsoft.Identity.Client.MsalClientException
HResult=0x80131500
Message=Integrated Windows Auth is not supported for managed users. See https://aka.ms/msal-net-iwa for details.
From Microsoft's docs here this exception is thrown under these conditions:
This method relies on a protocol exposed by Active Directory (AD). If a user was created in Azure Active Directory without AD backing ("managed" user), this method will fail. Users created in AD and backed by AAD ("federated" users) can benefit from this non-interactive method of authentication. Mitigation: Use interactive authentication.
But my user isn't a "managed user", it's a user in AAD backed by a user in AD - just as it says is required.
Why am I getting this error if I'm not using a managed user?

Allow Azure AD Guest users to use app

We have an application (SPA frontend using ADAL.js and Backend with passport bearer) that authenticates using Azure AD.
Logging in with users from our own AD works fine, and we can get information regarding these accounts via MS Graph.
I am however not able to log in using Guest accounts.
Some guest accounts are just stuck at the login screen (the azure ad account selector screen).
And some external users belonging to other tenants get an error message that the app was not found in their subscription.
Is this a configuration error?
The app manifest says that the app is not for other tenants.
As guest users are at least entries in the AD, I was assuming I could somehow log in using these accounts for our own AD and get access that way.
Maybe a vague question
[edit]
The error message our external users see:
(I assume this is a config error and the app tries to authenticate using their tenant?)
Adding this here as an answer
Yes, I found the cause. I needed to pass the Tenant ID in the adal.js configuration, and that solved the issue.
I was stuck in a similar issue where the users were stuck at the login screen.
I added the tenant id in the adal.js configuration and that error got resolved.

How do I register an app in client's active directory using my multi tenant app in microsoft azure?

I have registered a multi-tenant app in my Azure subscription. Using this app, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using the OpenID Connect flow to access the Azure AD Graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz@outlook.com) tries to sign in:
User account 'xyz@outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error.
Unfortunately, you cannot use a guest user to log in to Azure AD Graph Explorer for now.
I came across the same issue as yours a long time ago and I understand it's very important for customers. So, you can post your idea on this User Voice page and the Azure Team will see it. I will also upvote it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory whose UPN ends with .onmicrosoft.com
Solution 2: Try to use other tools to get an access token with a guest user (this account also needs to be an admin of that directory), such as Postman. Then you can use Postman to call the Azure AD Graph API. You can refer to this blog to use the Azure AD Graph API with Postman.
Hope this helps!