Azure Developer Admin Account Blocked after Testing Identity Risk Events - azure

Yesterday I was triggering Identity Risk Events so I could test downloading the Audit Log entries using Microsoft's GraphServiceClient API through a dev Azure Active Directory account. Using Tor Browser I was able to complete that task; however, today when I attempted to log in to my Azure Dev Account it said I was locked out. I am still able to pull the logs, however I can't log in to unlock my own dev account. The risky behavior test was executed over 16 hours ago yet my account is still locked out, and since I can't get in, the dev account appears to be permanently locked and therefore totally useless. I can't even create a support ticket because I can't log in. If I try to create a support ticket using my prod Azure account I can't, because the dev account is not linked with my prod account. Any idea how I can log in so I can use my dev account again?

If your Azure AD tenant has smart lockout policies configured, your account will remain locked out for the duration specified in those policies and even the administrator must wait for the duration to expire. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout
However, you should be able to unlock yourself by using self-service password reset (SSPR) from a trusted device or location if you have your account set up for SSPR.
If you have already waited for the duration, the account is still blocked, and you are the only admin on the tenant, you can reach out to the Azure Data Protection team to get help. Their number is 866-807-5850.

Related

Why can't my User login to the azure portal?

Background: I am trying to set up my Azure infrastructure to deploy my new web app. I am working with an external contractor cloud engineer and I only want her to be able to set up my cloud infrastructure.
Steps: I have 1 Subscription and 1 Resource Group. I have created a User in my organisation (so not a guest) in Azure AD - I will share these details with her.
I have put this new User inside a User Group and I have permissioned the User Group (as a Contributor) against my Resource Group. I have shared the username and password with her.
Problem: When she logs on to portal.azure.com she gets the message "Your sign-in was successful, but you don't have permission to access this resource."
Clearly I am missing something? I thought this was straightforward... alas
TIA.
Sometimes this may happen due to an internal policy; make sure to recheck them once again.
After this, if you create a personal login separately, then it will work out.
Here is the reference for "Your sign-in was successful but you don't have permission to access this resource" for the same issue above.
If the user is a guest user, then the administrator of the guest tenant will delete your account from their tenant.
Here is the reference given by Amanpreet Singh.
Common steps to be followed are as below:
After logging in to the Azure portal as an Admin,
go to Azure Active Directory.
Select All services, then Azure AD Conditional Access.
Here you can select the restriction policy and/or make sure to recheck the Assignments from Users & Groups for the various permissions for your given user.
VPN....
I switched off my VPN and it then worked just fine. No idea why but it works and I can now log straight in to the portal

Lost access to application when user was deleted

We deleted an "unused" user in our Azure AD, deleting both the MS account as well as removing him from the AD. Now, a few days into the 60-day deletion process (of the MS account), we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is nowhere to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue, but the user is a global admin again:
Additional information from the call to get a token: Extension: Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25 14:44:18Z
We've also tried logging in with multiple other global admins, but no-one can access that page or find the application using the id it has. Is there something to be done, maybe using PowerShell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made in the Azure portal app registration:
In the new experience, if your personal Microsoft account is also in an Azure AD tenant, you will see three tabs: all applications in the tenant, owned applications in the tenant, as well as applications from your personal account. So, if you believe that apps registered with your personal Microsoft account are missing, check the Applications from your personal account tab.
When you sign in using personal Microsoft accounts (e.g. Outlook, Live, Xbox, etc.) with an Azure AD email address, we found out that when you go to the Azure portal from the old experience, it signs you into a different account with the same email in your Azure AD tenant. If you still believe your applications are missing, sign out and sign in with the right account.
The new app list shows applications that were registered through the legacy app registrations experience in the Azure portal (apps that sign in Azure AD accounts only) as well as apps registered through the Application registration portal (apps that sign in both Azure AD and personal Microsoft accounts).
If you know the application ID you can restore it using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
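The restore that resolved this question can be scripted rather than clicked through. The Python below is an added example written for this page, not code from the thread or from Microsoft: it calls the Microsoft Graph REST endpoints for soft-deleted directory objects (`directory/deletedItems/microsoft.graph.user`, `directory/deletedItems/microsoft.graph.application` and `directory/deletedItems/{id}/restore`), which is what the PowerShell route mentioned in the answer wraps. It assumes a Graph bearer token in a `GRAPH_TOKEN` environment variable for a live run; the `session` object is injected so the paging and matching logic can be exercised offline, and the 30-day window is the one stated above.

```python
"""Find and restore soft-deleted Entra ID (Azure AD) users and app registrations
through the Microsoft Graph REST API.

Added example, not code from the thread. `session` is any object with
requests-style get(url)/post(url) whose responses offer json() and
raise_for_status(); a real requests.Session is built only under __main__.
"""
import os
from datetime import datetime, timedelta

GRAPH = "https://graph.microsoft.com/v1.0"
RETENTION = timedelta(days=30)   # soft-deleted objects stay restorable for 30 days


def list_deleted(session, kind="user"):
    """All soft-deleted objects of one kind ('user' or 'application'),
    following @odata.nextLink so large tenants are paged through completely."""
    url = f"{GRAPH}/directory/deletedItems/microsoft.graph.{kind}"
    items = []
    while url:
        resp = session.get(url)
        resp.raise_for_status()
        body = resp.json()
        items.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return items


def restore_deadline(item):
    """Last moment the object can still be restored (deletedDateTime + 30 days)."""
    deleted = datetime.fromisoformat(item["deletedDateTime"].replace("Z", "+00:00"))
    return deleted + RETENTION


def find_deleted(session, kind, match):
    """First deleted object of `kind` for which match(item) is true, or None.
    A caller-supplied predicate avoids assuming how the directory rewrites
    userPrincipalName on deletion."""
    for item in list_deleted(session, kind):
        if match(item):
            return item
    return None


def restore(session, object_id):
    """Undelete an object by id; Graph answers with the restored object."""
    resp = session.post(f"{GRAPH}/directory/deletedItems/{object_id}/restore")
    resp.raise_for_status()
    return resp.json()


def restore_user_by_name(session, display_name):
    """Restore a deleted user located by display name; None if there is none."""
    item = find_deleted(
        session, "user",
        lambda u: (u.get("displayName") or "").lower() == display_name.lower())
    if item is None:
        return None
    return restore(session, item["id"])


if __name__ == "__main__":
    import requests  # only needed for a live run against the tenant
    s = requests.Session()
    s.headers["Authorization"] = f"Bearer {os.environ['GRAPH_TOKEN']}"
    for u in list_deleted(s, "user"):
        print(u["id"], u.get("displayName"),
              "restorable until", restore_deadline(u).isoformat())
```

Listing first and restoring by object id is deliberate: a re-created user gets a fresh object id and owns nothing, whereas the restored object keeps its id and therefore its ownerships, which is exactly why restoring rather than re-creating brought the app registration back in this thread.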

Unlocking an Azure AD B2C local account

When using Azure AD B2C, with local accounts and email address as the username, is there any mechanism to:
Identify that an account is locked via API or the Azure portal
Manually unlock that account ahead of the lock expiry time, e.g. via portal/API
Identify the time at which a lock will expire, again via API or portal. For example, you may wish to advise a customer to retry after a certain time
Thanks in advance
I don't believe you can access this lockout information using either the Azure Portal or the Azure AD Graph API.
Currently, as far as I know, a local account is locked from any new sign-ins for one minute after ten failed password sign-ins. The local account lockout is extended, after each subsequent failed password sign-in, for one minute initially and then longer subsequently.
A directory administrator can't unlock a local account. They must wait for the lockout duration to expire.

Azure Active Directory - Access Denied in New Portal

Using the old Azure portal, I am able to navigate to Azure Active Directory. But with the new portal 'Portal.Azure.com', I am seeing an 'Access Denied' error message.
This is the exact message I am seeing in the portal:
"Access denied.
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner."
If you use an external account to access Azure AD, such as an MSA account (e.g. outlook.com, hotmail.com) or an account from another Azure AD tenant, you may experience the error message as below.
There are two methods to resolve this issue.
Method 1
Log in to new Azure Portal by using the account with Global Administrator permission for Azure AD. Navigate to the Azure Active Directory extension, from the User settings tab, toggle the setting Guest users permissions are limited to No.
Method 2
Log in to new Azure Portal by using the account with Global Administrator permission for Azure AD. Navigate to the Azure Active Directory extension, from the Users and Groups tab, search for the external account, and change the Directory Role to Global Administrator.
In my case the solution was different.
The clock on my machine got desynchronized (lagging 13 hours behind), and when my browser was encrypting a security token to request a sensitive page at the Azure Portal, this token was rejected by the server and I received the "Access denied" error page.
It seems like "time.windows.com" was providing the wrong world time to my computer (yes, it is insane). I changed it to "time.nist.gov" via Control Panel / Date and Time / Internet Time / Change Settings. It immediately updated my computer with the correct time.
Then I signed out and signed in to the Azure Portal and it started working just fine.
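The clock-skew failure in this answer comes from the time window a signed token carries: its `nbf` and `exp` claims are judged against the relying party's clock with a small tolerance, so a client running 13 hours slow mints tokens that are already expired on arrival, while one running fast mints tokens that are not yet valid. The Python below is an added illustration written for this page, not code from the thread or from Azure; the 5-minute tolerance, the constructed token and the `check_time_window` and `client_offset_diagnosis` names are assumptions, and signature verification is deliberately left out because only the time check is being studied.

```python
"""Time-window validation of a token, to show what a skewed client clock does.

Added example, not code from the thread. Signature verification is omitted on
purpose: only the nbf/exp evaluation is being demonstrated.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # assumed tolerance; a common value, not this service's


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(client_now: datetime, lifetime=timedelta(hours=1)) -> str:
    """Constructed compact JWT-shaped string whose time claims are stamped from
    the client's clock; the signature segment is a placeholder."""
    iat = int(client_now.timestamp())
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"iat": iat, "nbf": iat, "exp": iat + int(lifetime.total_seconds())}).encode())
    return f"{header}.{payload}.placeholder-signature"


def claims_from_token(token: str) -> dict:
    """Decode the claims segment without verifying anything; enough to read
    iat/nbf/exp from a real token when diagnosing a clock problem."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_time_window(claims: dict, server_now: datetime, skew=MAX_SKEW):
    """Evaluate nbf/exp the way a relying party does; returns (accepted, reason)."""
    now = server_now.timestamp()
    tol = skew.total_seconds()
    if claims["nbf"] - tol > now:
        return False, "not yet valid: client clock ahead of server"
    if claims["exp"] + tol < now:
        return False, "expired: client clock behind server, or token too old"
    return True, "ok"


def client_offset_diagnosis(claims: dict, server_now: datetime) -> timedelta:
    """How far the issuing client's clock was from the server's when the token
    was minted, so the remedy (resync the clock) can be pointed at directly."""
    return datetime.fromtimestamp(claims["iat"], tz=timezone.utc) - server_now


SERVER_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed

if __name__ == "__main__":
    cases = (("in sync", timedelta(0)), ("2 min slow", -timedelta(minutes=2)),
             ("13 h slow", -timedelta(hours=13)), ("13 h fast", timedelta(hours=13)))
    for label, offset in cases:
        claims = claims_from_token(make_token(SERVER_NOW + offset))
        ok, why = check_time_window(claims, SERVER_NOW)
        print(f"{label:10s} -> {'accepted' if ok else 'rejected'} ({why})")
```

Pointing `claims_from_token` at a real token taken from a failing request (browser developer tools show it on the authorization header) and comparing `iat` with a trusted clock gives the same 13-hour figure this answer found by hand, without guessing which time source is wrong.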
As for me, it was to activate a subscription (adding a bank card).
Then I could access the services on my new Azure account

"User already registered" when signing in to Azure API Management Developer Portal with Azure Subscription Administrator

I have Azure AD and Microsoft identity configured successfully in my APIM instance.
When I try to directly sign in with either identity provider to the Developer Portal (https://myapim.portal.azure-api.net/) of my APIM with the administrator account (which owns the Azure Subscription where APIM resides), the sign up screen is displayed and when I hit "sign up" I get:
User already registered
It seems a user with this email is already registered in the system. If you forgot your password, please try to restore it or contact our support team.
I currently have not found a way to get around the sign up step, even when I hit sign in again I get re-routed to sign up.
Signing in to Azure Portal first and then navigating across to Developer Portal just works fine - no sign up flow is invoked.
One remark: my MSA owning the Subscription is also linked into my AAD, therefore I could sign in either way.
In the end I used a functional/group account as APIM administrator - one we never would use to actually log on - then I was able to regularly login with my own account again.
