I am new to the Azure Static app and struggling to make Azure AD SSO work with Azure AD app registration. I went through the questions already available on Stack Overflow, but the responses miss the routing config in the staticwebapp.config.json file and I feel I am making some mistakes there.
[Screenshots: Active Directory registration; staticwebapp.config; Azure Static web app configuration]
Now when I try to login using the URL https://black-flower-007ce3a10.2.azurestaticapps.net/login, it gets redirected to https://login.microsoftonline.com//oauth2/v2.0/authorize?response_type=code+id_token&redirect_uri=https%3a%2f%2fblack-flower-007ce3a10.2.azurestaticapps.net%2f.auth%2flogin%2faad%2fcallback&client_id=&scope=openid+profile+email&response_mode=form_post&nonce=91a9c801d3dd4a85b274fecdeb713958_20221109234404&state=redir%3d%252F.auth%252Fcomplete&sso_nonce=&client-request-id=
Any help?
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the API permissions of the Azure AD Application are not consented by the Global Admin like below:
To resolve the error, sign-in with Global Admin account and grant the admin consent for the API permissions like below:
Alternatively, you can also sign-in with Global Admin credentials and Accept the consent on behalf of organization like below:
https://login.microsoftonline.com/TenantID/adminconsent?client_id=ClientID
After doing the above setting, when I hit the Authorize URL and signed in with user credentials, I am able to get the response successfully like below:
If you want to allow users to consent to the Application, try the below:
Go to Azure Portal -> Enterprise Application -> User Settings -> Go to Consent and permissions
Related
I want to add Azure AD auth for my custom SPA. I have registered the app in the app registration in the Azure portal.
When I call this "APP" using APIs I am able to get the login screen and MFA but after logging in to the Azure account I am getting Approval required screen and I want to get rid of this, what should I do?
To get rid of Approval required screen after signing in, user settings of your app have to be changed. Only the admin with Global Administrator role of the tenant can do that. So, make sure to have that role.
Note the client_id of your app that can be found in your Overview tab.
Create an adminconsent URL like this:
https://login.microsoftonline.com/common/adminconsent?client_id=your_client_id
Now, access this URL in the browser and it asks you to pick the azure account.
Select the account with Global Administrator role.
Now, a consent prompt will appear where you have to accept the permissions.
Go to Azure Portal -> Azure Active Directory -> Enterprise Applications -> User Settings -> Admin Consent Requests.
Set ‘Users can request admin consent to apps they are unable to consent to’ to “No”
By this, when the user tries to access the application using authorization API, they won’t get ‘Approval Required’ page anymore that disables all future admin consent operations.
For more information, go through below links.
References:
Disable approval required consent in Azure - Microsoft Q&A
Disable approval required consent in Azure - Stack Overflow
I have an already deployed application on Azure App Service which uses Azure AD for authentication and authorization.
Unfortunately the developer who worked on it is no longer available.
I got access to all Azure resources and source code but I can't figure out how I can add my Azure account as one of the users to the app (I can log in but it's an empty view for me, unlike what it used to be with the developer access).
Also, I find the app registered on Azure AD and I am an owner there but still with no right access.
When I try to log in locally from the frontend it says
Selected user account does not exist in tenant 'Default Directory' and
cannot access the application '[some numbers] in that tenant. The
account needs to be added as an external user in the tenant first. Please use a
different account.
Would appreciate any help and many thanks in advance.
I can login but it’s an empty view for me unlike what it used to be
with the developer access
This is because your backend application is enabled with Azure AD Authentication.
After you sign in to your front-end application, you still can't access the data from the back-end app, because the back-end app now requires Azure Active Directory sign-in from the front-end app.
To access the application, follow the below steps:
Grant the front-end access to the back end
Configure App Service to return a usable token
Use the token in your code
You can refer to Enable authentication and authorization for front-end app in Authenticate users E2E - Azure App Service | Microsoft Docs for the detailed steps.
I've registered a single application in Azure AD for the following reasons.
Azure AD SSO (From Any Azure AD directory)
Read users, groups, and their members
Provided following permissions and granted admin consent.
NOTE: We still depend on some of the Azure AD Graph API. So, we have added the legacy API permissions.
I am able to contact Azure AD using the REST API and get the user, groups and other information.
When I try to sign in to the application from any other directory, I'm getting the following consent screen. I am able to provide the consent and proceed to log in.
But, when I try to login into the same directory, I'm not getting the consent screen even when I logged in with the Azure AD admin. Stuck in the following screen.
When I register separate applications for SSO and REST APIs, this issue doesn't occur.
I would like to know why I'm stuck in the above screen when combining both SSO and REST API permissions.
• Please check whether the correct Azure AD roles have been assigned to your account ID, i.e., Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object through the as one of these is needed for you to access the application. Also, ensure that you have assigned your account ID the correct app role assignment for the admin consent to be allowed during the SSO signup process as below: -
You can check the app role assignments for your account ID through the Enterprise application blade by searching for your application there, then opening it and selecting the users and groups blade. Check the app role assignment that your account ID has to that application, while also giving ‘Azure Service Management’ API permissions for user_impersonation as below, thus ensuring that your account ID has the correct API permissions.
Once the above settings are configured correctly, you should be able to access the application through your admin credentials.
I have registered a sample multi-tenant app in azure portal app registration requiring certain permissions to access outlook mails. I also have a SAAS application which uses this app and requests for oauth token from users to read and send emails using outlook.
There is a tenant with a set of users who want to use my app for configuring emails in the SAAS application. But the users in the tenant do not have admin privileges to give consent to the application. Based on MS documentation, admin has to give consent to the application using the v2-permissions-and-consent
Admin has given consent to the application by using the following URL:
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
Admin consented permissions:
[Screenshot: consented permissions]
Even after admin gives consent to all the permissions that the app requests and adds the users to the configured enterprise application in Azure AD, the users are shown the approval prompt when they try to login to the application.
Approval prompt shown to the users:
[Screenshot: approval prompt]
Ideally, once the app is approved in Azure AD Enterprise Applications, all the other users in the tenant should be able to use the application without any consent requirement.
The oauth URL that users use to login is
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fc9713e1c5859.ngrok.io%2Fauth%2Foutlook%2Fcallback&response_type=code&scope=offline_access+https%3A%2F%2Foutlook.office.com%2FUser.Read+https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send&state=5bfc1a7683bfa19468e7d4d67fc6893e5a00f93efe31ca51
Could anyone help me understand what I am missing here?
It should be agreed by the target tenant administrator, and then use the target tenant to log in.
In the URL below, you must have used the wrong {tenant ID}; it should be the target tenant ID, not the tenant ID where your app is located.
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
I have tested it, then reproduced your problem. If you need further help, please let me know.
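The tenant mix-up described in the answer above can be caught in code. This is an added example, not part of the original posts: it builds the v2.0 admin-consent URL for the customer's tenant and checks the redirect that comes back. The tenant GUIDs, client ID and redirect URI are constructed placeholders, and the callback parameters (`admin_consent`, `tenant`, `state`, `error`) are assumed to follow Microsoft's documented admin-consent response.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
# Constructed placeholder values, not taken from the page.
CUSTOMER_TENANT = "11111111-1111-1111-1111-111111111111"  # tenant whose users sign in
APP_HOME_TENANT = "22222222-2222-2222-2222-222222222222"  # tenant holding the app registration
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example/auth/outlook/callback"
SCOPES = [
    "https://outlook.office.com/User.Read",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
]


def admin_consent_url(target_tenant, client_id, redirect_uri, scopes, state):
    """Build the v2.0 admin-consent URL for the tenant whose users will sign in."""
    if not target_tenant.strip():
        raise ValueError("target tenant ID is required")
    # urlencode percent-encodes the redirect URI and turns the spaces
    # between scopes into '+', so the query string is well-formed.
    query = urlencode({
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    })
    return f"{AUTHORITY}/{target_tenant}/v2.0/adminconsent?{query}"


def consent_granted_for(callback_url, target_tenant, expected_state):
    """Return (ok, reason) for the redirect received after the admin consents.

    Assumes target_tenant is given as a GUID, as in the callback's 'tenant' value.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if "error" in params:
        return False, f"consent failed: {params['error']}"
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        return False, "state mismatch"
    if params.get("admin_consent", "").lower() != "true":
        return False, "admin_consent flag missing"
    if params.get("tenant", "").lower() != target_tenant.lower():
        return False, "consent was granted in a different tenant"
    return True, "ok"


if __name__ == "__main__":
    print(admin_consent_url(CUSTOMER_TENANT, CLIENT_ID, REDIRECT_URI, SCOPES, "12345"))
```
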
I created an app in Azure and am authenticating using AAD, but when users try to log in they keep getting the message "admin approval required". No matter how I configure the application in the Azure Portal, I'm always receiving the following message after I've logged in with a normal user, but an admin can log in without the app showing the error:
My Enterprise applications | User settings
My API permissions
I need my users to just login normally like the admin, what am I doing wrong?
This question has been resolved by #juunas comment, post it as an answer to close the question.
If you are using /common or /organizations as the authority in the
app, the user will authenticate against their home tenant. It might be
what is happening here. Your tenant's settings will not apply there,
and they may be required to give admin consent.
The solution is to set the admin consent to: "Yes"