Logic app connection error with Microsoft Teams - azure

I have code which sends resource health alerts to Microsoft Teams from Azure using a Logic app. Here I'm not able to authenticate Teams in the Logic app.
Please check your account info and/or permissions and try again. Details: Requested API is not supported. Please check the path. More diagnostic information: x-ms-client-request-id is '91A7CF58-4784-4107-8E48-FFE2DB45DC37'.
Below is a screenshot of the error I'm facing.

Looks like what you are using is a guest account.
I tried using a guest account and even enabling guest to send messages, I get the same error:
I don't think the connector manages to resolve the Team organisation when you use a guest account.
Once I use an account from the same Teams domain, it works:
It may be a better idea to try managed identity: https://learn.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity?tabs=consumption
or ask your sys admin to create a service account on the same Teams Azure AD.

Related

Authentication issues when trying to register new app in Azure Active Directory

I want to access the Outlook API with a Python application. I followed this guide but quickly ran into authentication issues. Tried it with my existing private Microsoft account and with a newly created account, but ran into authentication issues quickly. Whenever I try to do anything in the portal, I get this message:
Already checked in with the general Microsoft support. They directed me towards Azure support, but I can't reach anybody there.
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the Microsoft personal account is not added as an external/guest user to an Azure AD tenant.
To resolve the error, contact the Global admin to invite the account as a guest user like below:
Once the admin invites, you will get an email notification to accept the invitation like below:
After accepting the invite, the Personal Microsoft account will be added to the tenant successfully like below:
And now you will be able to access the Azure Portal without any issue and you can also create your own tenant to have admin access.
If the issue still persists, try the below:
Sign out from the active session and sign in using an incognito window or a different browser.
Clear browser cache and cookies and try.
Confirm whether the admin has set any External user settings that are restricting the access:
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory
When looking into the Build Python apps with Microsoft Graph tutorial that you followed, one of the pre-requisites mentioned signing up for the Microsoft 365 Developer Program to get a free Microsoft 365 subscription. After you sign-up, you'll need to use the Microsoft 365 developer sandbox credentials in order to continue following the tutorial without having to leverage your own Azure AD tenant or subscription (pay-as-you-go).
Build Python apps with Microsoft Graph:
Join the Microsoft 365 Developer Program
Deploy the Developer Sandbox
Using the Microsoft 365 Developer subscription(s) info you'll be able to login to the Azure Portal or Azure Active Directory admin center.
Note: You can navigate to your developer tenant using - https://aad.portal.azure.com/<<SandboxTenantName>>.onmicrosoft.com, or when prompted to sign in use your sandbox's admin account.
If you only signed up for a new personal Microsoft account (Outlook), you'll notice that once you sign into the Azure AD Admin Center, your Outlook.com user isn't associated with any Azure tenants, and you'll run into the authentication issue error message that you referenced, so you'll have to create your own Azure AD tenant by signing up for an Azure Free Trial or Pay-as-you-go.
I hope this helps!

How do I use the Azure Billing APIs from a web app?

How do I create a service account, grant the necessary permissions, and use the Azure billing APIs (usage and rate card) from the server-side of a website?
I'm looking to show expected bill on 6/7/2018 is $123.45 on an internal dashboard, mirroring the data in the billing usage graph on the Azure portal.
https://github.com/Azure-Samples/billing-dotnet-usage-api and https://github.com/Azure-Samples/billing-dotnet-ratecard-api are the samples all posts reference. The setup for each references the legacy Azure portal, and the setup instructions make assumptions I don't understand. I've not found any more recent setup instructions for using the billing APIs. In all my experiments, I've received an OAuth token, but I receive 401 Unauthorized responses when calling the actual API. (Obviously I shouldn't include my guids in this question.)
The samples identify that when creating the app, I must choose a "native application", but Scott Allen notes that "native application" requires a live OAuthed user, but my users don't have permission to the Azure portal, so I must pre-authenticate with configured settings. He recommends "Web apps / API".
The samples are vague in the permissions required. They note I should "make sure the sample app will have permissions to access the Windows Azure Service Management APIs", but from the new portal, I don't find Windows Azure Service Management APIs nor any other permissions that sound like Billing management.
When crafting the AAD App in the portal, and when starting https://github.com/Azure-Samples/billing-dotnet-usage-api/blob/master/ConsoleApp-Billing-Usage/ConsoleProj/Program.cs, each references settings such as "Client ID" and "DirectoryId" that are named differently in different places. Though I feel confident in my mapping guesses, the sample doesn't work for me, so I'm confident I've done it wrong.
I've even tried making requests directly to the REST endpoint at https://management.azure.com/subscriptions/{subscription-Id}/providers/Microsoft.Commerce/UsageAggregates?api-version={api-version}&reportedStartTime={dateTimeOffset-value}&reportedEndTime={dateTimeOffset-value}&aggregationGranularity={granularity-value}&showDetails={showdetail-boolean-Value}&continuationToken={token-value} passing in the OAuth token without success.
What did I do wrong here? How do I configure an AAD app to use the Billing APIs using pre-configured auth and subscription settings to show Azure usage details on a web page?
According to the error log, it seems you haven't given your app the correct subscription role. You could check this link: Assign application to role.
Note: You could give your app the Owner role.
You could also check this link: Authentication flow for native application to API.
You could also create a web app, but you need to use a different way to get the token; check this link.

Allow Azure AD Guest users to use app

We have an application (SPA frontend using ADAL.js and Backend with passport bearer) that authenticates using Azure AD.
Logging in with users from our own AD works fine, and we can get information regarding these accounts via MS Graph.
I am however not able to log in using Guest accounts.
Some guest accounts are just stuck at the login screen (the azure ad account selector screen).
And some external users belonging to other tenants give an error message that the app was not found in their subscription.
Is this a configuration error?
The app manifest says that the app is not for other tenants.
As guest users are at least entries in the AD, I was assuming I could somehow log in using these accounts for our own AD and get access that way.
Maybe a vague question
[edit]
The error message our external users see:
(I assume this is a config error and the app tries to authenticate using their tenant?)
Adding this here as an answer
Yes, I found the cause: I needed to pass the tenant ID in the adal.js configuration. That solved the issue.
I was stuck in a similar issue where the users were stuck at the login screen.
I added the tenant id in adaljs configuration and that error got resolved.
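
The fix described in the two answers above, as an added example that is not part of the original posts or of ADAL.js: it shows how the authorize URL changes once a tenant is configured, and how the `tid`, `iss` and `idp` claims of a returned ID token tell a guest sign-in from a sign-in that landed in another directory. The function names, tenant IDs, client ID and unsigned tokens are constructed for illustration.

```javascript
// Added example. Tenant IDs, client ID and tokens are constructed placeholders.
const LOGIN = 'https://login.microsoftonline.com/';

// Build a v1 authorize URL. With no tenant configured the request goes to
// /common, so the account's home directory handles the sign-in, not yours.
function authorizeUrl({ tenant, clientId, redirectUri, nonce }) {
  const query = new URLSearchParams({
    client_id: clientId,
    response_type: 'id_token',
    redirect_uri: redirectUri,
    nonce,
  });
  return `${LOGIN}${tenant || 'common'}/oauth2/authorize?${query}`;
}

// Decode a JWT payload for diagnostics only. The signature is NOT verified,
// so the result must never drive an access decision.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// tid = directory that issued the token; idp differs from iss when another
// identity provider (e.g. live.com) authenticated the user, i.e. a guest.
function classifySignIn(payload, expectedTenantId) {
  if (payload.tid !== expectedTenantId) return 'wrong-tenant';
  if (payload.idp && payload.idp !== payload.iss) return 'guest';
  return 'member';
}

// Constructed, unsigned sample tokens (Node.js Buffer used for base64url).
const TENANT = '11111111-1111-1111-1111-111111111111';
const OTHER = '22222222-2222-2222-2222-222222222222';
const sts = (tid) => `https://sts.windows.net/${tid}/`;
const fakeToken = (claims) => ['{"alg":"none"}', JSON.stringify(claims), '']
  .map((s) => Buffer.from(s).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''))
  .join('.');
const samples = {
  guest: fakeToken({ tid: TENANT, iss: sts(TENANT), idp: 'live.com' }),
  member: fakeToken({ tid: TENANT, iss: sts(TENANT) }),
  viaCommon: fakeToken({ tid: OTHER, iss: sts(OTHER) }),
};
for (const [name, jwt] of Object.entries(samples)) {
  console.log(name, '->', classifySignIn(decodePayload(jwt), TENANT));
}
```

A backend must still validate the token signature and issuer with its bearer-token library; the decoder here only helps to see which directory answered the sign-in.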

How do I register an app in client's active directory using my multi tenant app in microsoft azure?

I have registered a multi-tenant app in my Azure subscription. Using this app, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error
Unfortunately, you cannot use a guest user to log in to Azure AD Graph Explorer for now.
I came across the same issue as yours a long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice Page and the Azure Team will see it. I will also upvote it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory whose UPN ends with .onmicrosoft.com
Solution 2: Try to use other tools to get an access token with a guest user (this account also needs to be an admin of that directory), such as Postman. Then you can use Postman to call the Azure AD Graph API. You can refer to this blog to use Azure AD Graph API with Postman.
Hope this helps!

Azure multi-tenant application token issuing error

I am trying to create a multi-tenant openidconnect based application using instructions from azure-sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
AADSTS50000: There was an error issuing a token.
AADSTS65005: The application needs access to a service that your organization EXTERNALTENANT has not subscribed to.
Please contact your Administrator to review the configuration of your service subscriptions.
I am the admin, where should I update the configuration for this?
Is it possible to avoid this error with a consent prompt? Are there any other options?
The error message indicates that the tenant to which the account you were trying to log in with belongs has no subscription for the resource/permission you have configured on the Azure portal.
For example, suppose you register an application which requests Office 365 SharePoint Online, like the figure below. Others who try to sign in to the application without a subscription to Office 365 would then get the error message above.
To fix this issue, please ensure the customers have a sufficient subscription for the permission you have granted to the application.
