When I try to add an access policy without an "authorized application" (see the following photo) :
And then i press add i'm sent back to the access policy page but there is no new access policy to save. If i select an authorized application, it works.
Is this a bug with azure possibly or am i misunderstanding something?
Thank You! :]
Turns out you must specify the authorized application unless the principal is the application itself.
Related
What I am testing
In order to force MFA, I created a very simple Azure conditional access policy:
User and group: all users
Grant: requires MFA
What I get
But this rule never applied.
What I did
I tester from WhatIf tool and from running Connect-AzAccount either.
When testing I discovered that if I apply:
Cloud apps or action: Office 365 (or whatever)
This time whatIf is triggered.
My question
Could anybody explain me this behavior? What I should do this?
Thanks
after watching your question, I started testing MFA in my tenant. I followed this document and it worked finally, and hope it would help you.
I created a test tenant for this scenario, and in azure ad, I need to disable Security default first, this doc show the operation.
And according to your description, it seems that your configuration didn't work, I assume that you may miss some steps. When adding Conditional Access policy, you need to add policy name, then choose affect scope(users and groups), select Cloud apps or actions(e.g. choose Microsoft Azure Management so the policy applies to sign-in events to the Azure portal), and you need to check the box for Require multi-factor authentication under Access controls->Grant.
Here's my configuration. And when I signed in azure portal with test user, it asked me to use phone to prove myself.
What I'm doing:
My machine learning developer is trying to manually provision a ML Workspace in Azure.
Error:
{"message":"The client 'name#company.com' with object id 'xxxxxxx-xxxxxx-xxxxx-xxxxxxetc.' does not have authorization to perform action 'Microsoft.MachineLearningServices/register/action' over scope '/subscriptions/'xxxxxxx-xxxxxx-xxxxx-xxxxxxetc.'' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)"}
What I've tried:
I see two existing discussions on this error from azure here and here. In both cases the users are using a service account with an API, and the gist of the solutions offered are to grant the service account the proper role assignments in access control. In my case, however, the user is trying to create the resource manually via the portal, and the user already has 'owner' role over the resource group. What more could I grant them? How does she refresh her credentials? Any pointers? THANKS!
Definitely looks like a permission issue. spitball ideas, maybe you also have to add the account to the subscription??
edit:
definitely seems like a bug!
https://github.com/MicrosoftDocs/azure-docs/issues/61114#issuecomment-677703149
I am kind of confused about the integration process, so I hope to get some clearer guidance in my case.
Let say there is an existing web application(Angular + .Net Core) and I am working on the mobile version(Xamarin.Forms) for it. The web side and mobile side will share the same API backend for user authentication and other services.
So there is an existing tenant and related information (tenantName, tenantID, AppID, RedirectURL, policies, etc), and the redirectURL is for authorizing (https://.../authorize).
At first I thought I can directly used this information. I tried on the code sample and just replaced tenantName, tenantID ... When I clicked Log In button, it first showed me this error:
And then it directed me to the Sign In page. Finally, I signed in the web application in the simulator.
I feel like I should register the mobile app under the same tenant. If I want to help current web users log in the mobile version, how to integrate the existing Azure B2C properly with it for the authentication? Any hits would be appreciated. Thanks in advance.
Update:
I stayed stuck in the token part. I already enabled implicit grant. I used the sample code and add scope in the sample:
When you Register a web application, you should pay attention to the content after step 9.
Once the application registration is complete, enable the implicit
grant flow:
In the left menu, under Manage, select Authentication.
Under Implicit grant, select both the Access tokens and ID tokens
check boxes.
Select Save.
Select the Access tokens will give you the access token.
Ok finally get the access token in the AuthenticationResult. This is how I dealt with it.
After we define a scope, we need to configured permission.
Go to the registered application and add it to the configured permissions list:
After that I can see the accessToken in the result when I debug.
I have registered one web api (TestAPI) in Azure AD B2C by setting Include web app/api and Allow implicit flow to 'YES', provided APP ID URI and added two new scopes for read and write.(By default user_impersonation scope got added)
Then in my existing Web Application while clicking for API ACCESS, I am not able to find out TEST API which I recently registered, in the Select API dropdown.
Please guide. Did I miss any steps in between.
Thanks in Advance!
To make the answer visible to others, I'm summarizing the answer shared in comment:
Change Directory to any other directory from top right corner
Comeback again to B2C
Check now API is visible or not
I am trying out the sample code on GitHub called active-directory-b2c-dotnet-webapp-and-webapi and when I run it against the AD B2C directory in the sample it works fine but I'm having an issue trying it out against my own AD B2C directory. I get the following error:
The application with ID 'xxx' cannot get an ID token either because the openid scope was not requested or the application is not authorized for it
Isn't the openid scope included automatically? I setup a Web App and a Web API app as per the instructions provided. When I look at the scopes that the Web App has access to, the openid scope is not listed there. Is this something I need to add manually?
When we change the API permission for an app, the openid permission gets overwritten. We can re-enable it if this happens. The option will be available at API Permissions blade under https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.
Open the API Permissions at the above link, Add a Permission, Select Microsoft Graph --> Select Openid and save. There you are! :)
In addition to the openID step outlined above, also do the below:
Go to the API access under the Application in B2C for the app in question and add a permission against this same app saying "access this app on behalf of the signed in user".
No other steps needed.
I found the issue was with app registrations > API Permissions. When adding permissions in the Request API permissions screen, make sure you select "Delegated permissions: Your application needs to access the API as the signed-in user."
If you selected the other option, then recreate your configuration and try again.
openid scope is not included automatically. It should be present by default in the sample, but if it was removed, then the request will fail.