Azure Monitor B2C User Journeys SigninLogs not showing proper errors - azure-ad-b2c

We are using Azure Monitor Log Analytics workspace to check production issues with Azure B2C User Journeys.
Querying SigninLogs for failed user journeys shows the "Invalid Username or Password..." error instead of the actual exception that occurred in one of the journey steps that calls an API.
App Insights shows the error below:
Why does SigninLogs only have the generic "Invalid Username or Password" error? How are we going to monitor the exceptions (API connector calls, etc.) that happened during the user journey using Azure Monitor Log Analytics Workspace?

According to the Sign-in logs document for Azure AD (https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins#sign-in-error-codes):
"If a sign-in failed, you can get more information about the reason in the Basic info section of the related log item. The error code and associated failure reason appear in the details. Because of the complexity of some Azure AD environments, we cannot document every possible error code and resolution. Some errors may require submitting a support request to resolve the issue."
But you can copy the error code and try to find insights on it by using this tool:
https://login.microsoftonline.com/error
Copy your error code number and you get the required information about the error faced by your users or applications.
You can also refer to the AAD authorization error document here: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes
Customer statement: How are we going to monitor the exceptions (API connector calls, etc.) that happened during the user journey using Azure Monitor Log Analytics Workspace?
After you have enabled Azure Log Analytics monitoring for your Azure AD B2C tenant using this document: https://learn.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor
You can make use of the custom ARM templates from this GitHub repo to get additional logs on Azure AD B2C user journeys: https://github.com/azure-ad-b2c/siem
Example template: List of Abandon Journeys:
In the above example, you can enter the values of your Azure Log Analytics workspace, Workbook Id and the other required values in the template, fetch logs from Azure AD B2C into the Azure Log Analytics Workspace, and get a detailed dashboard on your user SignUpSignIn journeys.
If you're using custom policies and want insights on user behaviour in your flow, you can enable Application Insights by adding the instrumentation key from your Azure Application Insights resource to your custom policy XML file, and then view the insights in that Application Insights resource.
Refer here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/analytics-with-application-insights?pivots=b2c-custom-policy
You can also check the Audit Logs directly from the Azure AD B2C tenant to get information on resources in Azure AD B2C, token issuance and administrator access.

Related

Azure AD B2C Sign ons from America

I have an Azure AD B2C instance with only myself on it (testing).
My test account shows login activity from America despite myself being in the UK. The timestamps also don't match known activity.
Does anyone know what causes these? It is extremely unlikely that I have been 'hacked', so I think this must be some kind of background Microsoft process, but I can't find any documentation about it.
Not sure what info is useful to debug, so let me know and I can update the question.
Example event in the sign-in logs below:
Date 9/19/2020, 4:08:44 AM
Request ID 39a44f55-5afc-43c8-92b6-d2e515aa0d00
User (Me)
Application CPIM PowerShell Client
Status Success
IP address 17.57.26.66
Location Atlanta, Georgia, US
Conditional access Not Applied
As Dev mentioned in the comments, the activity is related to B2C custom policy user login.
The AAD sign-in logs are not meant for B2C. The relevant logs are under the Audit Logs menu in the B2C blade. Those look like AAD logs for the B2C tenant.
Read this article on what we offer for B2C tenants. You can see sign-in info about a user into an app using this.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-audit-logs?tabs=applications

How to track Azure AD B2C errors using Correlation ID?

In Azure AD B2C, a user flow policy has been created with Twitter identity provider for sign in. On clicking the Twitter icon on sign in page for the application using the user flow policy, the following error is being shown:
I looked into the Azure portal's Audit logs but couldn't find the erroneous correlation Id listed there.
Is there any way I can find what's specifically causing that error, so I can look for a solution in the right direction?
Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity information about B2C resources, tokens issued, and administrator access. Audit log events are only retained for seven days.
Note: You can't see user sign-ins for individual Azure AD B2C applications under the Users section of the Azure Active Directory or Azure AD B2C pages in the Azure portal. The sign-in events there show user activity, but can't be correlated back to the B2C application that the user signed in to. You must use the audit logs for that.
This example image from the Azure portal shows the data captured when a user signs in with an external identity provider, in this case, Facebook:
To view Audit logs:
Sign in to Azure portal
Switch to the directory that contains your Azure AD B2C tenant, and then browse to Azure AD B2C.
Under Activities in the left menu, select Audit logs.
A list of activity events logged over the last seven days is displayed.
To download the list of activity events in a comma-separated values (CSV) file, select Download.

How to get an error log in Azure AD B2C tenant with correlation ID?

I have encountered a problem in creating a custom policy for Azure AD B2C authentication and would like to look at the details of the server error with a correlation ID.
But even if I'm logging into the B2C tenant in PowerShell via Connect-AzureAD -[hoge].onmicrosoft.com", when I run Get-AzureRmLog it requires me to log in to my Azure account [fuga]#outlook.com (not the B2C tenant), and I cannot access the subscription in B2C.
So how can I investigate errors that occurred in the B2C tenant? Also, if there's a way to get it done without PowerShell, it'd be much better.
EDIT:
The error seems to occur when I try signing in via the custom policy of the tenant. Below is the header showing the error.
You can debug a custom policy by sending the log entries from Azure AD B2C to Azure Application Insights as described by Azure Active Directory B2C: Collecting Logs.
A log entry contains the correlation identifier.
Note that there is a short delay (less than five minutes) before the log entries are sent.
If you don't want to wait, then you can configure the custom policy with the following settings to send the log entries from Azure AD B2C via an ngrok endpoint to your local machine:
<TrustFrameworkPolicy
PolicySchemaVersion="0.3.0.0"
TenantId="***.onmicrosoft.com"
PolicyId="B2C_1A_***"
...
DeploymentMode="Development"
UserJourneyRecorderEndpoint="https://***.ngrok.io"
... />
UPDATE: 4 April 2019
Unfortunately, support for sending the log entries to an HTTP endpoint has been deprecated, so you must use Azure Application Insights.

Azure AD B2C Tenant seems corrupted after using AAD Graph Client

A few days ago, before implementing user management with the Azure Active Directory Graph API (not Microsoft Graph) in our web app for Azure AD B2C users, I was able to log into the Azure Portal, find the Azure Active Directory B2C resource, click on it, and successfully authenticate into it in order to edit policies, view the list of users, etc.
(Clicking the tenant in the screenshot used to work!)
Now when I click on it, the screen flashes about 10 times, attempting to log my user into the tenant. But afterward, the following error is returned:
Furthermore, when I attempt to log into the web app with that same user, I get the following error message:
ERROR: Your account has been locked. Contact your support person to unlock it, then try again.
How do I unlock the account if I can't even get into the Azure AD B2C tenant? Did I corrupt the tenant by using the AAD Graph Client?
UPDATE
I'm adding more information about how I'm using the Azure AD Graph Client, in case it is important to diagnose why neither I nor any other admin on my team can log into the AAD B2C tenant.
I think the most relevant piece of how I'm using the Azure AD Graph Client is the following to update a user's "Organization" extension/custom attribute:
The x's represent the AAD B2C generated identifier associated with the extension and the y's represent a user GUID.
HTTP PATCH to https://graph.windows.net/genlogin.onmicrosoft.com/users/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy?api-version=1.6
Body: {
"extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_Organization":"Microsoft"
}
Is this incorrect use of the graph client? How do I get the AAD B2C tenant back to a state where I can log into it?
UPDATE
Furthermore, I also found the following link which talks about existing issues in AAD B2C management: https://blogs.msdn.microsoft.com/azureadb2c/2016/09/09/known-issue-b2c-app-mgmt/
Does this link apply at all? (My guess is no because it is the tenant itself that seems to be in a weird state, not the application associated with the tenant)
Since the screen flashes about 10 times, it seems that you tried to log in to Azure too many times within a short time. The Azure login server has its own policy to prevent this kind of uncommon login event.
Try to use another admin account to log in to the B2C tenant and reset your account password. If you don't have one, ask the other admins to help you.
Otherwise, you need to wait and try to log in later.
Additionally, your client browser may have come across some issue which causes this event. You'd better check the environment for your work.

Assigning permissions to Azure AD B2C application in Portal fails with "Data validation error"

I have created a video to show you exactly what's happening: http://sendvid.com/urqpzeg2
I'm simply trying to give my application privileges to read directory data, and it fails with the following error:
Failed to add application Windows Azure Active Directory's permissions. Error detail: Unable to complete the request due to data validation error.
I created the app via the Portal, and then added it to the Company Administrator role via PowerShell. I couldn't assign permissions before or after giving the app the Company Administrator role.
I'm logged in as the Directory owner.
Anyone any ideas?
I could also reproduce this issue. Based on the video, it seems you want to grant the app permission to the B2C application. As a workaround, we can register a new normal application for the B2C tenant on the old Azure portal like the figure below:
Then we can use this app to call the Azure AD Graph REST API, and you can also see that the required permission is already set in the new portal like the figure below:
And for the original issue, I am also trying to report it internally.
