Sites.Selected permission stopped working this morning - sharepoint

We have a multitenant application that relies heavily on the Graph API. We access both mailboxes through the Messages API and SharePoint sites through the Files API. Most clients use a very permissive access model to get more features available in our application. A few have strict demands on access, and for those we are only allowed to access a specific SharePoint site. For this site we've registered another AppId to use the Sites.Selected permission, where the client's Global Admin allows access to our application using PowerShell.
This had worked fine until this morning; now all requests to the Files API return "403 Forbidden" and the C# SDK returns "Access denied".
I've asked the clients to execute a PowerShell command to verify whether we still have access to their SharePoint site:
Get-PnPAzureADAppSitePermission -AppId 'xxxxxxxxxxxx'
but they all get the same error message:
Get-PnPAzureADAppSitePermission: Operation Failed
The PnP.PowerShell module version used is 1.10.
Anyone know why this happened to MS Graph or if the PS error is related to the Graph error?
Did Microsoft change something?

This has been acknowledged by MS as an unexpected service issue and can be tracked as SP381039
Title: Users may see 'Access Denied' errors when using Graph APIs for SharePoint Online
User Impact: Users may see 'Access Denied' errors when using Graph APIs for SharePoint Online.
Current status: We've identified that components of the authentication feature are unexpectedly not present in some users' environments, thus resulting in the Graph API access requests failing. We're redeploying the affected feature within impacted environments to remediate impact. In parallel, we're investigating recent feature changes to identify why the components are unexpectedly not present.
Next update by: Tuesday, May 17, 2022, at 5:00 PM UTC
Latest update from MS, received 17 May 16:45:
Current status: We've confirmed that a recent feature deployment misconfiguration has prevented components associated with the authentication feature from being available in a group of customer environments, which is producing 'Access Denied' errors when using Graph APIs for SharePoint Online. We've confirmed that our redeployment of the authentication feature to some impacted environments has resolved the impact. We're now redeploying the feature to all affected remaining environments, which is expected to remediate impact.
Scope of impact: This issue may potentially affect any of your users attempting to utilize Graph APIs for SharePoint Online.
Root cause: A recent feature deployment misconfiguration has prevented an authentication feature from being available in a group of customer environments, resulting in impact.
Next update by: Tuesday, May 17, 2022, at 9:30 PM UTC

Exactly the same issue Tuesday AM New Zealand time. Using C# code / Postman and PowerShell directly.
I've logged a ticket with Microsoft, as my guess (no evidence) is that it is a code regression in PnP. I'll update here if I hear anything.
We have 2 apps (test and prod), both began failing Tuesday morning with 403 / access denied messages.
When I tried to check permissions and reset permissions using
get-PnPAzureADAppSitePermission
or
grant-PnPAzureADAppSitePermission
PowerShell says: "Operation not supported"
Full text:
Grant-PnPAzureADAppSitePermission : {"error":{"code":"notSupported","message":"Operation not supported","innerError":{"
date":"2022-05-16T23:39:16","request-id":"xxxx-azureappid-yyyy","client-request-id":"xxxx-azureappid-yyyy"}}}
At line:8 char:1
Grant-PnPAzureADAppSitePermission -AppId $appId -DisplayName 'TenantName...
+ CategoryInfo : NotSpecified: (:) [Grant-PnPAzureADAppSitePermission], HttpRequestException
+ FullyQualifiedErrorId : System.Net.Http.HttpRequestException,PnP.PowerShell.Commands.Apps.GrantPnPAzureADAppSitePermission

This morning when I tested this, everything is back to the way it was on Friday New Zealand time.
I've heard from Microsoft via the ticket I logged, that the "PG team had reinstated an update from the backend". It didn't work last night, but this morning we're back up and running.
I hope your tenancies come back too. If not, log a Microsoft ticket if you can. I do this via the https://admin.microsoft.com/Adminportal/Home?source=applauncher#/support/requests page using the "New service request" menu item. We have this feature due to our contract with Microsoft.
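When a Sites.Selected call starts failing, the first question is whether the grant on the site is actually gone or whether, as in the incident above, the service side is broken. The following Python helper is an added example (not code from the thread or from PnP.PowerShell): it parses the Graph error body quoted above, pulls out the request-id and timestamp a Microsoft support ticket needs, and applies a heuristic classification of error codes that is my assumption, not a documented Microsoft taxonomy.

```python
import json
from typing import Dict, Optional

# Constructed sample: the PnP error body quoted in the thread above, with the
# request ids left as the placeholders the poster used.
PNP_NOT_SUPPORTED = (
    '{"error":{"code":"notSupported","message":"Operation not supported",'
    '"innerError":{"date":"2022-05-16T23:39:16",'
    '"request-id":"xxxx-azureappid-yyyy","client-request-id":"xxxx-azureappid-yyyy"}}}'
)

# Heuristic mapping (an assumption, not Microsoft's documented taxonomy):
# codes that usually mean the app's own grant is missing versus codes that
# look like a service-side problem worth checking against service health.
PERMISSION_CODES = {"accessDenied", "authorizationRequestDenied", "unauthorized"}
SERVICE_CODES = {"notSupported", "serviceNotAvailable", "generalException"}


def parse_graph_error(body: str) -> Dict[str, Optional[str]]:
    """Pull the fields a support ticket needs out of a Graph/PnP error body."""
    err = json.loads(body).get("error", {})
    inner = err.get("innerError", {})
    return {
        "code": err.get("code"),
        "message": err.get("message"),
        "date": inner.get("date"),
        "request_id": inner.get("request-id"),
        "client_request_id": inner.get("client-request-id"),
    }


def triage(status: int, body: str) -> str:
    """Classify a failed Graph call so an operator knows what to do next."""
    info = parse_graph_error(body)
    code = info["code"] or ""
    if status == 429:
        return "throttled: honour Retry-After, do not touch permissions"
    if status >= 500 or code in SERVICE_CODES:
        return "service-side: check M365 service health, log a ticket with request-id"
    if status in (401, 403) and code in PERMISSION_CODES:
        return "permission: verify the Sites.Selected grant on the site"
    return "unknown: inspect message and request-id"
```

Feeding the 403 from the thread through `triage` lands in the service-side bucket rather than prompting a re-grant, which is the outcome the incident notice confirms.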

Related

How to resolve a "Transient error" from Microsoft Graph API?

I am building an app for a client using the Microsoft Graph API, and when I log in with a particular account I get this error:
Request Id: d300b62e-e0a5-4f62-9957-1cc10fd42800
Correlation Id: e1912683-45cb-459e-b631-9706f6cd2479
Timestamp: 2020-04-20T07:51:51Z
Message: AADSTS90033: A transient error has occurred. Please try again.
I have tried 2 other accounts and they work without an error.
Does anyone know how I can resolve this issue or how I can start to work out what the issue might be?
EDIT:
Example of the URL being used to authorise the user
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<clientid>&response_type=code&redirect_uri=<local_uri>&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&state=12345
Thanks,
Scott.
For those that come here in the future, the best place to check whether or not the issue is isolated to just you, or is part of a wider issue is the official Microsoft 365 Status Twitter account.
You can also check the Microsoft 365 Service health status page (but this only works if the Microsoft login services are working.) Documentation around how to check the service status is available as part of the official docs.
For Azure-related issues you can check the official Azure Support Twitter account or the Azure status page.
If the issue is localised - then you should raise a support ticket in Azure or Office 365, otherwise wait for a resolution from Microsoft.

SharePoint Framework AadHttpClient - operation is part of experimental feature

I'm trying to use the AadHttpClient library that comes with SPFx to connect to a custom API secured by an app registration in Azure AD.
However, when I run the web part in the workbench in SharePoint Online (in the tenant _layouts), I get an error in the console saying that the feature is experimental.
Error: The requested operation is part of an experimental feature that is not supported in the current environment.
As far as I can make out from this article, it should be in general release.
When connecting to Azure AD-secured APIs, we recommend that you use the MSGraphClient and AadHttpClient classes, which are now generally available. For more information about the recommended models, see Connect to Azure AD-secured APIs in SharePoint Framework solutions and Use the MSGraphClient to connect to Microsoft Graph.
When I go to the API management page in SP Admin site I get a popup stating
Access to Azure Active Directory resources using the SharePoint Framework will be available soon.
So I'm a bit confused.
I also get an error on the API management page saying..
A null value was found with the expected type 'Edm.String[Nullable=False]'. The expected type 'Edm.String[Nullable=False]' does not allow null values.
I also get the same error when I try in PowerShell running
Get-SPOTenantServicePrincipalPermissionRequests
I'm not 100% sure I understand the relevance of the API management page - does an admin need to approve just once for the web part then all users are good to go?
I was having the same issue. The github thread can be found here. What fixed it for me was adding the account I was using as a site collection admin.
Connect-SPOService
Set-SPOUser -Site https://TENANT-admin.sharepoint.com -IsSiteCollectionAdmin $True -LoginName yourLoginName

Azure new users: You do not have permission to view this directory or page

I have a web app in Azure. The access to that web app is controlled by Azure Active Directory. The app is up and running since September of last year. I didn't make any changes to the app for a while and have 33 users in that app.
So, a week ago I tried to add a user, using the same methods and paths I used before.
The new user can log in to Microsoft (portal.office.com). After the initial login and changing of the password, the user goes to the web app in Azure and gets the following error: You do not have permission to view this directory or page.
Error tracing gives me this:
HTTP Error 401.73 - Unauthorized You do not have permission to view
this directory or page.
Most likely causes: The authenticated user does not have access to a
resource needed to process the request.
Things you can try: Create a tracing rule to track failed requests for
this HTTP status code. For more information about creating a tracing
rule for failed requests, click here.
Detailed Error Information: Module EasyAuthModule_32bit
Notification BeginRequest Handler
ExtensionlessUrlHandler-Integrated-4.0 Error Code 0x80004005
Requested URL https://*******:80/.auth/login/aad/callback Physical
Path D:\home\site\wwwroot.auth\login\aad\callback Logon Method
Not yet determined Logon User Not yet determined
More Information: This is the generic Access Denied error returned by
IIS. Typically, there is a substatus code associated with this error
that describes why the server denied the request. Check the IIS Log
file to determine whether a substatus code is associated with this
failure. View more information »
Microsoft Knowledge Base Articles:
Another observed behavior: usually when new users are logging in the web app asks for permissions for the AD to access their account information. Ever since this problem came up this is not the case any more.
Other users do not have any problems logging in. This problem only happens with new users who never logged in before.
EDIT: When I go to Active Directory and look at sign ins, I see failures to log into the web app with sign-in error code 90092. Failure Reason: Other.
Microsoft help desk could not give me details on that error code.
Check out the related question and answer here. All new users have to first consent to the application (agree to give your application the permissions to access their profile, or those you indicated as required permissions).
In short, you have to design a "sign-up" button for your application, which uses the "login_url" and appends "&prompt=consent" to the query string.
Read all related resources here to better understand the consent framework.
And please read the documentation about Azure App Service Authentication/Authorization here, as well as the Azure AD specific documentation here.
OMG, I just found an answer. I created a test app and set it up to mirror the settings of my live app.
In Required Permissions the new app had nothing for Microsoft Graph, the live app had 5 permissions. I deleted Microsoft Graph and it works now!
I wish Microsoft communicated better about discontinued APIs. I did get an alert, but it was mostly talking about MS Office 365.

Azure-integration in Visual Studio broken

Since this morning (Central European Time) my Azure integration in Visual Studio 2013 (Premium) has been broken.
When "Managing subscriptions", I now get the following error:
Unable to retrieve Web Apps from some subscriptions:
Subscription Microsoft Azure Enterprise: The remote server returned an
error: (403) Forbidden. The HTTP request was forbidden with client
authentication scheme 'Anonymous'.
And when I log in now, I get this error:
An error ocurred during the sign in process:
multiple_matching_tokens_detected: The cache contains multiple tokens
satisfying the requirements. Call AcquireToken again providing more
requirements (e.g. UserId)
Bonus info:
The email address for my Microsoft Account for my MSDN Subscription is the same as the email address for my O365 account, and when I now try to log into Azure through Visual Studio, I am asked to federate against my company's O365 thing.
It has worked perfectly before, most recently last night.
Anyone know what has happened?
I've had the same error (the first one) today. I just switched from trial period to paid subscription. That might be the reason.
I've got rid of this error after signing off from Visual Studio and signing in again.
Although I haven't had the second one, it does say something about 'Cache containing multiple tokens'. Sounds like you've got multiple subscriptions too. Maybe clearing the cache somehow works?

Trying to access FTP with deployment credentials: 530 User cannot log in

I am trying to set up FTP access to a website which is hosted on Azure:
From what I understand, there are two options: you can choose a username and password in the management console when resetting your deployment credentials, or you download the publishing profile and use the credentials which are shown in the FTP section of the XML.
However, neither of the two seems to work for me. I keep getting the response:
530 User cannot log in.
The FTP server seems to be in place; just the credentials are wrong, obviously. I am 100% sure that I have no typos going on.
What am I missing here? Is there anything I need to configure prior to using FTP with the credentials provided by Azure?
It's probably that:
And more here:
MSDN Thread
Here is the link to the Windows Azure Service Dashboard:
http://www.windowsazure.com/en-us/support/service-dashboard/
30 Oct 2013
We are aware of an issue being reported regarding Windows Azure Web Sites FTP data access. We are responding to this issue with the highest level of priority. Further updates will be published to keep you apprised of the impact. We apologize for any inconvenience this causes our customers.
Last update: 31 Oct 2013 6:46 AM UTC: We are narrowing in on the issue with full engineering engagement. Web Site customers are advised to publish content using Web Deploy or Git which are fully functional. For details on using these methods, visit Azure.com and search for "Websites with Webmatrix" or "Publishing with Git". We apologize for any inconvenience this causes our customers and will provide an update at 2pm UTC.
answered Oct 31 '13 at 11:02 by Cas Bloem
We apologize for any inconvenience this causes customers using FTP to publish content to Web Sites. Web Site customers are advised to use Web Deploy or Git which are fully functional. For details visit Azure.com and search for "Websites with Webmatrix" or "Publishing with Git". Engineering is fully focused on mitigation options. We will provide an update by 8pm UTC.
This is because the user ID and password you are using are not the ones to be used when connecting.
There is a "Get publish profile" option in the overview. Download it. Open it with Notepad or Visual Studio. There is another user ID and password given there. Use those.
For more info, refer to this official guide.
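The answer above says the FTP credentials live in the downloaded publish profile rather than in the portal's reset dialog. As an added example (not code from the thread or from Azure), here is a small Python parser for that .PublishSettings XML that picks out the FTP profile and its host, user and password; the sample file is constructed with placeholder values, and note that the real file holds a plaintext password, so it is a secret to be stored and shared accordingly.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample in the shape of an Azure .PublishSettings download.
# Values are placeholders, not real credentials.
SAMPLE_PUBLISH_SETTINGS = """<?xml version="1.0" encoding="utf-8"?>
<publishData>
  <publishProfile profileName="mysite - Web Deploy" publishMethod="MSDeploy"
    publishUrl="mysite.scm.azurewebsites.net:443" userName="$mysite"
    userPWD="PLACEHOLDER_MSDEPLOY_PASSWORD"
    destinationAppUrl="http://mysite.azurewebsites.net" />
  <publishProfile profileName="mysite - FTP" publishMethod="FTP"
    publishUrl="ftp://waws-prod-xx-000.ftp.azurewebsites.windows.net/site/wwwroot"
    userName="mysite\\$mysite" userPWD="PLACEHOLDER_FTP_PASSWORD" />
</publishData>
"""


def ftp_credentials(publish_settings_xml: str) -> Optional[Dict[str, str]]:
    """Return the FTP profile's host, user and password, or None if absent.

    The file may contain several profiles (Web Deploy, FTP); only the one
    with publishMethod="FTP" carries the site-scoped user name (site\\$site)
    that the answer above says the FTP endpoint expects.
    """
    root = ET.fromstring(publish_settings_xml)
    for profile in root.findall("publishProfile"):
        if profile.get("publishMethod") != "FTP":
            continue
        url = profile.get("publishUrl", "")
        # Strip the scheme and any path so only the host remains for the client.
        host = url.split("://", 1)[-1].split("/", 1)[0]
        return {
            "host": host,
            "user": profile.get("userName", ""),
            "password": profile.get("userPWD", ""),
        }
    return None
```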