AzureMfaProtocolProvider - UserMessageIfBadReputation - azure-ad-b2c

As part of MFA in a custom policy we're using AzureMfaProtocolProvider to send one-time codes via SMS.
For some users we're seeing the following error:
{
  "Key": "Exception",
  "Value": {
    "Kind": "Handled",
    "HResult": "80131500",
    "Message": "ErrorCodes: UserMessageIfBadReputation",
    "Data": {
      "IsPolicySpecificError": false
    }
  }
}
I can't seem to find any information regarding this error in the docs.
How can I figure out what triggers this and why it was triggered for that specific user?

PhoneReputation service is integrated with Azure MFA to provide a near-real time determination which tracks the usage and reputation of phone numbers as they are used across various Microsoft services.
Is any particular browser user agent having the issue? A few days back I worked on a similar issue where the latest version of Firefox reported this kind of issue. Reference: https://learn.microsoft.com/en-us/answers/questions/1090554/azure-b2c-unblock-phone-number.html?childToView=1097185#comment-1097185
Also, where are the users who reported this error located? Have users from any specific region/country code reported this issue?

Related

presetOverride when creating Azure Media Services v3 Job

When creating an Azure Media Services Job via the REST API, I cannot set a presetOverrides property on the JobOutputAsset as defined in the documentation: https://learn.microsoft.com/en-us/rest/api/media/jobs/create#joboutputasset
My request body is:
{
  "properties": {
    "input": {
      "@odata.type": "#Microsoft.Media.JobInputAsset",
      "assetName": "inputAsset"
    },
    "outputs": [
      {
        "@odata.type": "#Microsoft.Media.JobOutputAsset",
        "assetName": "outputAsset",
        "label": "en-US",
        "presetOverride": {
          "@odata.type": "#Microsoft.Media.AudioAnalyzerPreset",
          "audioLanguage": "en-US",
          "mode": "Basic"
        }
      }
    ],
    "priority": "Normal"
  }
}
The error message thrown is:
{
  "error": {
    "code": "InvalidResource",
    "message": "The property 'presetOverride' does not exist on type 'Microsoft.Media.JobOutputAsset'. Make sure to only use property names that are defined by the type."
  }
}
When removing the presetOverride data, everything works as expected. The official documentation clearly states that the Microsoft.Media.JobOutputAsset does have a presetOverride property though. What am I doing wrong?
It is important to select the correct API version when communicating with the Azure Media Services REST API.
In this case, api version 2020-05-01 from the Azure Media Services Postman examples was used. But the presetOverride option is only available starting with version 2021-06-01.
Setting api-version=2021-06-01 as a GET parameter enables Preset Overrides.
Couple of concerns here, Rene. I would not recommend using the raw REST API directly for any Azure services. The reason is that there are a lot of built-in retry scenarios and retry policies that are already rolled into the client SDKs. We've had many customers try to roll their own REST API library but run into massive issues in production because they failed to read up on how to handle and write their own custom retry policy code.
Unless you are really familiar with rolling your own retry policies and how Azure Resource Management gateway works, try to avoid it and just use the official client SDKs - see here - https://learn.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines
Now, to answer your specific question - try using my sample here in .NET and see if it answers your question.
https://github.com/Azure-Samples/media-services-v3-dotnet/blob/3ab85647cbadd2b868aadf175afdede67b40b2fd/AudioAnalytics/AudioAnalyzer/Program.cs#L129
I can also provide a working sample of this in Node.js/Typescript in this repo if you like. It is using the latest 10.0.0 release of our Javascript SDK.
I'm working on samples in this repo today - https://github.com/Azure-Samples/media-services-v3-node-tutorials
UPDATE: Added basic audio in Typescript sample.
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AudioAnalytics/index.ts
Shows how to use the preset override per job.

I'm trying to receive a webhook from an Autodesk Forge workflow.transition event but they aren't firing

I've been experimenting with the Fusion Lifecycle webhooks in Forge and have been successful using the item created/updated events but the workflow transition webhooks aren't firing.
The webhooks are created in Forge according to the Docs, as you can see below, but none of the transitions performed in the workspace will trigger the call.
They were created using a three-legged token associated with a Fusion Lifecycle user that has the proper workflow permissions on the workspace.
The following JSON excerpt is the workflow.transition webhook as returned from developer.api.autodesk.com/webhooks/v1/hooks endpoint on Forge showing it was indeed created.
{
  "hookId": "909fd040-4e34-11ea-a842-651c9013b5e8",
  "tenant": "TENANTNAMEREMOVED4SO",
  "callbackUrl": "callbackurl removed for SO",
  "createdBy": "46FGNL6DBN6D",
  "event": "workflow.transition",
  "createdDate": "2020-02-13T07:43:45.988+0000",
  "system": "adsk.flc.production",
  "creatorType": "O2User",
  "status": "active",
  "scope": {
    "workflow.transition": "urn:adsk.plm:tenant.workspace.workflow.transition:TENANTNAMEREMOVED4SO.119.1.765"
  },
  "hookAttribute": {
    "creator": "D3 Forge Playground",
    "notification": {
      "class": "alert-danger",
      "system": "flc"
    }
  },
  "urn": "urn:adsk.webhooks:events.hook:909fd040-4e34-11ea-a842-651c9013b5e8",
  "__self__": "/systems/adsk.flc.production/events/workflow.transition/hooks/909fd040-4e34-11ea-a842-651c9013b5e8"
}
I've pushed the workflow through the transition events numerous times and no webhook is being fired and no failed requests on our webhook receiving server either. If I mimic the payload for the workflow.transition event and post it to our endpoint, it is received as expected.
I have yet to see a live example of the workflow.transition webhook being fired and can't find any sample code from Autodesk using them. Not sure the service is even working as expected at this point even though the item.created and item.updated webhook events seem to work fine.
Has anyone successfully received a workflow.transition webhook from Autodesk Forge? If yes, could you provide some guidance on how?
Seems to be working fine on my end in a Production tenant. This is the payload I used to create the webhook:
{
  "callbackUrl": "https://webhook.site/SOME_ID",
  "scope": {
    "workflow.transition": "urn:adsk.plm:tenant.workspace.workflow.transition:TENANT.107.1.421"
  }
}
Does it look like the payload you used when creating the hook?
Greg, any chance you can try to trigger it again, and send me the date/time stamp with tenant name via a private message? I just tried it again in my Production tenant, and it seems to be working just fine when I perform the operation from both a v3 API call, and the UI. Feel free to file a support case if you want, too, and let me know the case number. I'd like to help you out here in understanding what's going on, because overall it looks OK from your side.

Azure Search, listAdminKeys, ARM output error (does not support http method 'POST')

I am using this bit of code as an output object in my ARM template,
"[listAdminKeys(variables('searchServiceId'), '2015-08-19').PrimaryKey]"
Full text sample of the output section:
"outputs": {
  "SearchServiceAdminKey": {
    "type": "string",
    "value": "[listAdminKeys(variables('searchServiceId'), '2015-08-19').PrimaryKey]"
  },
  "SearchServiceQueryKey": {
    "type": "string",
    "value": "[listQueryKeys(variables('searchServiceId'), '2015-08-19')[0]]"
  }
}
I receive the following error during deployment (unfortunately, any error means the template deployment skips output section):
"The requested resource does not support http method 'POST'."
Checking the browser behavior seems to validate the error is related to the function (and, it using POST).
listAdminKeys using POST
How might I avoid this error and retrieve the AzureSearch admin key in the output?
Update: the goal of doing this is to gather all the relevant bits of information to plug into other scripts (.ps1) as parameters, since those resources are provisioned by this template. Would save someone from digging through the portal to copy/paste.
Thank you
Your error comes from listQueryKeys, not admin keys.
https://learn.microsoft.com/en-us/rest/api/searchmanagement/adminkeys/get
https://learn.microsoft.com/en-us/rest/api/searchmanagement/querykeys/listbysearchservice
You won't be able to retrieve those in the ARM template; it can only "emulate" POST calls, not GET.
With the latest API version, it's possible to get the query key using this:
"SearchServiceQueryKey": {
  "type": "string",
  "value": "[listQueryKeys(variables('searchServiceId'), '2020-06-30').value[0].key]"
}

AuthorizationError when confirming SNS subscription over HTTP

I'm writing a simple SNS client that is meant to subscribe itself to an SNS topic and then listen for notifications. I can successfully submit a sns.subscribe request, but when I pick up the SubscriptionConfirmation POST message from AWS and try and respond using sns.confirmSubscription I get an AuthorizationError returned:
[AuthorizationError: User: arn:aws:iam::xxx:user/mv-user is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-1:xxx:*]
If I use exactly the same Token and TopicArn in a GET query to the server the subscription confirmation works fine, with no authentication.
Any ideas why it's not working? My SNS topic is wide open with publish/subscribe permissions set to 'Everyone'.
For reference, my code is something like this:
var params = {
  TopicArn: topicArn, // e.g. arn:aws:sns:us-east-1:xxx:yyy
  Token: token // long token extracted from POST body
};
sns.confirmSubscription(params, function (err, data) {
  if (err) {
    // BOOOM - keep getting here with AuthorizationError
  } else {
    // Yay. Worked, but never seem to get here :(
  }
});
However, if I navigate to the URL similar to this in a browser (i.e. completely unauthenticated), it works perfectly:
http://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=<token>&TopicArn=arn%3Aaws%3Asns%3Aus-east-1%3Axxx%3Ayyy&Version=2010-03-31
The only differences seem to be the inclusion of 'Authorization' and 'Signature' headers in the programmatic version (checked using Wireshark).
Any ideas? Thanks in advance!
Update
In my code, if I just programmatically do a simple GET request to the SubscribeURL in the SubscriptionConfirmation message this works fine. Just seems odd that the confirmSubscription API call doesn't work. Will probably stick to this workaround for now.
Update 2
Also get the same error when calling sns.unsubscribe although, again, calling the UnsubscribeURL in each notification works. Seems other people have run into that issue too but can't find any solutions.
I faced a similar issue while developing my application.
The way I ended up solving it is the following:
go to IAM and click on your user
go to the permissions tab and click on "Attach Policy"
use the filter to filter for "AmazonSNSFullAccess"
Attach the above policy to your user.
The above should take care of it.
If you wanna be fancy you can create a custom policy that is based on "AmazonSNSFullAccess" and apply it to your user instead.
The custom policy would be something similar to the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sns:ConfirmSubscription"
      ],
      "Effect": "Allow",
      "Resource": "YOUR_RESOURCE_ARN_SHOULD_BE_HERE"
    }
  ]
}
The error says it all:
[AuthorizationError: User: arn:aws:iam::xxx:user/mv-user is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-1:xxx:*]
is basically telling you that the IAM user you're using to call ConfirmSubscription doesn't have the proper permissions to do so. Best bet is to update the permissions for that IAM user, specifically adding ConfirmSubscription permissions.
(Based on your comments, even though the documentation says otherwise, the error is pretty specific... might be worth following up directly with AWS about this issue, since either the error message or documentation is incorrect).
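Added example, not part of the original posts: the workaround in the question fetches the SubscribeURL taken from an unauthenticated POST body, so a receiver would normally check that URL before requesting it. The sketch below accepts only an https URL on the SNS endpoint of the expected topic's region; checkConfirmation, EXPECTED_TOPIC_ARN and the sample values are hypothetical, and the standard AWS partition is assumed.

```javascript
// Added example. EXPECTED_TOPIC_ARN, SAMPLE_BODY and checkConfirmation are
// hypothetical names; the ARN, account id and token are constructed values.
const EXPECTED_TOPIC_ARN = 'arn:aws:sns:us-east-1:123456789012:example-topic';
const SAMPLE_BODY = JSON.stringify({
  Type: 'SubscriptionConfirmation',
  TopicArn: EXPECTED_TOPIC_ARN,
  Token: 'constructed-token-0001',
  SubscribeURL: 'https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription' +
    '&TopicArn=' + encodeURIComponent(EXPECTED_TOPIC_ARN) +
    '&Token=constructed-token-0001',
});

const reject = (reason) => ({ ok: false, reason });

// Decide whether the SubscribeURL in a POSTed body is safe to fetch.
// Assumes the standard partition, where the endpoint is sns.<region>.amazonaws.com.
function checkConfirmation(rawBody, expectedTopicArn) {
  let msg;
  try { msg = JSON.parse(rawBody); } catch { return reject('body is not JSON'); }
  if (msg === null || typeof msg !== 'object') return reject('body is not an object');
  if (msg.Type !== 'SubscriptionConfirmation') return reject('wrong message type');
  // Only confirm topics this client asked to subscribe to.
  if (msg.TopicArn !== expectedTopicArn) return reject('unexpected TopicArn');

  let url;
  try { url = new URL(msg.SubscribeURL); } catch { return reject('SubscribeURL is not a URL'); }
  const region = expectedTopicArn.split(':')[3];
  if (url.protocol !== 'https:') return reject('SubscribeURL is not https');
  // Exact host match: suffix or substring checks accept look-alike hosts.
  if (url.hostname !== `sns.${region}.amazonaws.com`) return reject('unexpected host');
  if (url.username || url.password || url.port) return reject('userinfo or port present');

  // The query string must describe the same confirmation as the message body.
  const q = url.searchParams;
  if (q.get('Action') !== 'ConfirmSubscription' ||
      q.get('TopicArn') !== expectedTopicArn ||
      q.get('Token') !== msg.Token) return reject('query does not match message');
  return { ok: true, url: url.href };
}

// Caller (not run here): const r = checkConfirmation(body, EXPECTED_TOPIC_ARN);
// if (r.ok) await fetch(r.url);
```

This check does not replace verifying the message's Signature against its SigningCertURL; it only constrains where the confirmation request is sent.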

Api version change but docs not updated?

I've been trying to do various things through your Mail REST API today and not having much success... My project (using the api) has been running for at least a month now, but requests to your api are failing.
For example:
GET https://outlook.office365.com/EWS/OData/Me/messages (works)
GET https://outlook.office365.com/EWS/OData/Me/inbox (doesn't work)
Looking at the documentation, it still says it's available.
Trying to send an email using:
POST https://outlook.office365.com/EWS/OData/Me/Messages?MessageDisposition=SendAndSaveCopy also just returns 400 (Bad Request)
Any info about this?
Also, the http status codes returned are not useful at all; almost all errors return as 400's. In one instance, I didn't provide auth creds, and a 400 was returned instead of the appropriate 401. The accompanying status code detail could also be more helpful.
Thanks for the feedback and sorry for the inconvenience. We are currently deploying some non-backwards compatible changes described here, and this is causing your issues. The current set of changes include versioning support, and deploying non-backwards compatible changes won't cause issues for your app in the future. For the queries that don't work, please use the following:
Accessing Inbox: https://outlook.office365.com/ews/odata/me/folders/inbox
Send email (new action called SendMail):
POST https://outlook.office365.com/ews/odata/me/sendmail
{
  "Message": {
    "Subject": "Test message",
    "Body": {
      "Content": "This is test message!"
    },
    "ToRecipients": [
      { "EmailAddress": { "Address": "John@contoso.com", "Name": "John Doe" }},
      { "EmailAddress": { "Address": "Jane@fabrikam.com", "Name": "Jane Smith" }}
    ]
  },
  "SaveToSentItems": true
}
Hope this helps. We are updating the documentation to reflect the changes, and it should be available shortly. Thanks for the feedback on the HTTP status codes, we will review the status codes returned currently and make any fixes required.
Conversation support is in our roadmap but we don't yet have a timeline to share. Currently, you can search using https://outlook.office365.com/ews/odata/Folders/FolderId/Messages?$filter=ConversationId%20eq%20%%27ConversationID%27 but this will only return messages within the specified folder belonging to that conversation.
Let me know if you have any questions or need more info.
Thanks,
Venkat
