I'm trying to set a phone number for a user for MFA:
This gives me the error:
"Partial failure in authentication methods update Unable to update phone methods for user"
Why is that? The phone number is still stored. Am I correct the number in the field is stored into strongAuthenticationPhoneNumber property which cannot be read?
It appears that there is something wrong with this feature in Azure Portal currently and it also exists in Azure AD (Not just in B2C).
If you are using an admin account which is a guest user, the backend will give an error: 401 Unauthorized. But the update will be successful.
If a normal admin account is used, the update will be successful without any errors.
I've implemented Azure AD authentication with no problem, however we also need to always show the account picker whenever the user has more than one account (basically show even if there's only one account available)
What we need is exactly what this post has described (Force google account chooser) but with Azure AD.
Do you guys know if that's possible? Couldn't find anything related to that in the Azure Doc.
You didn't specify which SDK (if any) you're using, but at a low level, you include &prompt=select_account as a query parameter in the request to the authorization endpoint. This is documented here: https://learn.microsoft.com/en-au/azure/active-directory/develop/v1-protocols-oauth-code
prompt
Indicate the type of user interaction that is required. Valid values are:
login: The user should be prompted to reauthenticate.
select_account: The user is prompted to select an account, interrupting single sign on. The user may select an existing signed-in account, enter their credentials for a remembered account, or choose to use a different account altogether.
consent: User consent has been granted, but needs to be updated. The user should be prompted to consent.
admin_consent: An administrator should be prompted to consent on behalf of all users in their organization
I'm trying to build an O365 service status portal for users in my company. Only admins can see the admin portal status page, but we want to provide that info to our users/display on a dashboard.
I've registered the app in Azure, and given it the correct permissions according to the documentation. I can request an auth code and I'm able to use it to retrieve a JWT, but when the token is returned to me, I'm only seeing User.Read in the scope, meaning I'm unable to use it for any of the functions in the ServiceComms API.
Here's the snip of code being used to retrieve the token:
import requests

# Form-encoded POST to the v1 token endpoint; auth_code is the code returned to redirect_uri
url = 'https://login.microsoftonline.com/<tenantid>/oauth2/token'
r = requests.post(url, dict(resource='<appid>',
                            client_id='<clientid>',
                            redirect_uri='http://x.x.x.x/365/auth/index.htm',
                            client_secret='<itsasecret>',
                            grant_type='authorization_code',
                            code=auth_code))
Here's the first part of what's returned:
{"token_type":"Bearer","scope":"User.Read","expires_in":"3600","ext_expires_in":"0","expires_on":"1525266602","not_before":"1525262702",
The account being used to retrieve the auth code initially is a global admin on the tenant, so would expect that this would be fine, but I'm new to this, so probably wrong.
Does anyone have any ideas?
Thanks.
I'm assuming that you've set the appropriate permissions on your app registration in the Azure portal, and your question is why they don't show up in the token.
I've seen this behavior before with the Azure v1 endpoint if the user you login with had previously consented to the User.Read permission, then you updated the required permissions in the portal. While it's logical to assume that Azure would detect this change and re-prompt, it doesn't. It keeps returning tokens based on the previously recorded consent and doesn't pick up the new ones.
To handle this, your app must include the prompt=consent query parameter on the URL during the authorization phase. That should force consent when the user logs in and pick up the new permissions.
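The two answers above both come down to the `prompt` query parameter on the v1 authorize request: `select_account` to force the account picker, `consent` to make Azure AD record newly added permissions instead of reusing the old grant. The following is an added example, not code from either answer: it builds the authorize URL for a given prompt value and compares the `scope` field of a token response (constructed here to match the shape shown in the question) against the permissions the app needs, so the app can decide to re-authorize with `prompt=consent` when something is missing. Function names, the `<servicecomms-permission>` placeholder and the sample values are assumptions for this example.

```python
"""Added example: v1 authorize URL with a chosen prompt value, plus a check of
the granted scope in a token response before forcing re-consent.
Helper names and sample values are constructed for this example."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
# Values the v1 endpoint documents for the prompt parameter
VALID_PROMPTS = {"login", "select_account", "consent", "admin_consent"}


def build_authorize_url(tenant, client_id, redirect_uri, resource, prompt=None, state=None):
    """Return the v1 /oauth2/authorize URL for the authorization-code flow.

    prompt must be one of the documented values (or None to omit it). state
    defaults to a fresh random value so the redirect can be tied back to the
    request that started it."""
    if prompt is not None and prompt not in VALID_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state or secrets.token_urlsafe(16),
    }
    if prompt:
        params["prompt"] = prompt
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def query_params(url):
    """Parse the query string of a URL into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def missing_scopes(token_response_json, required):
    """Split the space-separated scope field of a v1 token response and
    return the required permissions that were not granted."""
    granted = set(json.loads(token_response_json).get("scope", "").split())
    return sorted(set(required) - granted)


def next_authorize_url(token_response_json, required, tenant, client_id, redirect_uri, resource):
    """If any required permission is missing from the token, return an authorize
    URL with prompt=consent so the updated permissions get recorded; otherwise
    return None because no re-authorization is needed."""
    if not missing_scopes(token_response_json, required):
        return None
    return build_authorize_url(tenant, client_id, redirect_uri, resource, prompt="consent")


# Constructed sample: the leading fields of a token response like the one in the question
SAMPLE_TOKEN_RESPONSE = json.dumps(
    {"token_type": "Bearer", "scope": "User.Read", "expires_in": "3600"}
)

if __name__ == "__main__":
    print(build_authorize_url("contoso.onmicrosoft.com", "<clientid>",
                              "https://app.example/auth", "<appid>", prompt="select_account"))
    # "<servicecomms-permission>" stands in for whatever permission the API actually needs
    print(missing_scopes(SAMPLE_TOKEN_RESPONSE, ["User.Read", "<servicecomms-permission>"]))
```

The state value is generated per request and must be checked against the value that comes back on the redirect; comparing scopes before re-prompting avoids sending every user through a consent screen on every login.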
A few days ago, before implementing user management with the Azure Active Directory Graph API (not Microsoft Graph) in our web app for Azure AD B2C users, I was able to log into the Azure Portal, find the Azure Active Directory B2C resource, click on it, and successfully authenticate into it in order to edit policies, view the list of users, etc.
(Clicking the tenant in the screenshot used to work!)
Now when I click on it, the screen flashes about 10 times, attempting to log my user into the tenant. But afterward, the following error is returned:
Furthermore, when I attempt to log into the web app with that same user, I get the following error message:
ERROR: Your account has been locked. Contact your support person to unlock it, then try again.
How do I unlock the account if I can't even get into the Azure AD B2C tenant? Did I corrupt the tenant by using the AAD Graph Client?
UPDATE
I'm adding more information about how I'm using the Azure AD Graph Client, in case it is important to diagnose why I, nor any other admin on my team, can log into the AAD B2C tenant.
I think the most relevant piece of how I'm using the Azure AD Graph Client is the following to update a user's "Organization" extension/custom attribute:
The x's represent the AAD B2C generated identifier associated with the extension and the y's represent a user GUID.
HTTP PATCH to https://graph.windows.net/genlogin.onmicrosoft.com/users/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy?api-version=1.6
Body: {
"extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_Organization":"Microsoft"
}
Is this incorrect use of the graph client? How do I get the AAD B2C tenant back to a state where I can log into it?
UPDATE
Furthermore, I also found the following link which talks about existing issues in AAD B2C management: https://blogs.msdn.microsoft.com/azureadb2c/2016/09/09/known-issue-b2c-app-mgmt/
Does this link apply at all? (My guess is no because it is the tenant itself that seems to be in a weird state, not the application associated with the tenant)
Due to the screen flashing about 10 times, it seems that you tried to log in to Azure too many times within a short time. The Azure login server has its own policy to prevent this kind of uncommon login event.
Try to use another admin account to log in to the B2C tenant and reset your account password. If you don't have one, call other admins to help you.
Otherwise, you need to wait and try to log in later.
Additionally, your client browser may have come across some issue which causes this event. You'd better check the environment for your work.
I'm trying to use the Graph API to change the user of the currently logged in user on a B2C tenant.
The request is being posted to:
https://graph.windows.net/me/changePassword?api-version=1.6
The JSON being provided is in the following format:
{"currentPassword":"[currentpassword]","newPassword":"[newpassword]"}
Unfortunately I keep on getting the following error and I don't know why (or rather I don't know why it would have problems using the 'me' alias). I have also tried including the tenant name with regards to where I'm posting the request but this makes no difference.
Resource not found for the segment 'me'.
I have managed to change the password by resetting it. The issue with that however is that the password can be changed without providing the current password. Ideally I would like to get the user to have to enter this as part of the process of updating the password. It turns out that the missing 'me' issue is probably down to missing permissions.
I've tried adding the 'Access directory as the signed in user' permission as a delegated permission to the app. I get to this page:
Note that I also had to set the sign-in URL to http://localhost/testapp/ and the app ID URI to https://patrickscorp.onmicrosoft.com/testapp as the classic portal refuses to save changes if these two settings are not set.
Under 'permissions to other applications' I clicked on 'Add application' and then selected 'Windows Azure Active Directory'. I then made sure that the 'Access directory as signed in user' was selected.
However saving just results in the following error appearing:
Clicking 'details' doesn't help - it just says if the problems persist to contact support.
If I have to go down the reset route then is there a way of taking a password provided by the user and validating it?
Calls to the Azure AD Graph require the tenant name in the path, like so:
https://graph.windows.net/mytenant.onmicrosoft.com/me/changePassword?api-version=1.6
This is in contrast with the Microsoft Graph which doesn't require it as it infers it from the user token and is called like so:
https://graph.microsoft.com/v1.0/me/changePassword
However it is important to note that at this time the Azure AD Graph is recommended for Azure AD B2C.
EDIT:
As per the Azure AD Graph Reference for Change Password:
Call the changePassword action for the signed-in user to change their own password.
Note: This action can only be called on the signed-in user.
If you want to change some other user's password, you'll need to use the Reset Password:
https://graph.windows.net/mytenant.onmicrosoft.com/users/{user_id}?api-version=1.6
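The answer's point is that the Azure AD Graph resolves `me` only underneath a tenant segment, and that `changePassword` (which demands the current password) is a different operation from an admin reset (which does not). The following is an added example, not the answer's or the Graph's own code: a small URL builder that refuses to emit a tenant-less path, request builders for both routes, and a function that sends the self-service change with a bearer token. The `passwordProfile` body for the reset route is assumed from the Azure AD Graph user schema; helper names and the fake session used when run directly are constructed for this example.

```python
"""Added example: Azure AD Graph URLs with the tenant in the path, plus the
changePassword action and the reset route. Helper names and the fake session
are constructed for this example."""
from urllib.parse import quote

AAD_GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"


def aad_graph_url(tenant, path):
    """Azure AD Graph needs the tenant (mytenant.onmicrosoft.com or the tenant
    GUID) as the first path segment; a bare 'me' segment is not resolvable,
    which is what the question's 'Resource not found' error reports."""
    if not tenant:
        raise ValueError("Azure AD Graph requires the tenant name or id in the path")
    return f"{AAD_GRAPH}/{tenant}/{path.lstrip('/')}?api-version={API_VERSION}"


def change_password_request(tenant, current_password, new_password):
    """(url, body) for the self-service changePassword action on the signed-in
    user. The current password is mandatory here, unlike an admin reset."""
    if not current_password or not new_password:
        raise ValueError("both the current and the new password are required")
    body = {"currentPassword": current_password, "newPassword": new_password}
    return aad_graph_url(tenant, "me/changePassword"), body


def reset_password_request(tenant, user_id, new_password, force_change=True):
    """(url, body) for the reset route: PATCH users/{user_id} with a
    passwordProfile (assumed from the Azure AD Graph user schema). Because no
    current password is checked, force_change defaults to True so the user has
    to choose their own password at next sign-in."""
    body = {"passwordProfile": {"password": new_password,
                                "forceChangePasswordNextLogin": force_change}}
    return aad_graph_url(tenant, f"users/{quote(user_id, safe='')}"), body


def change_password(session, access_token, tenant, current_password, new_password):
    """POST the changePassword action with a bearer token and return the HTTP
    status; any HTTP error is raised so a wrong current password is not silently
    treated as success. `session` is anything with a requests-style post()."""
    url, body = change_password_request(tenant, current_password, new_password)
    resp = session.post(url, json=body, headers={"Authorization": f"Bearer {access_token}"})
    resp.raise_for_status()
    return resp.status_code


if __name__ == "__main__":
    class _FakeResponse:  # constructed stand-in for requests.Response
        status_code = 204
        def raise_for_status(self):
            pass

    class _FakeSession:  # constructed stand-in for requests.Session
        def post(self, url, json=None, headers=None):
            print("POST", url, json, headers)
            return _FakeResponse()

    print(change_password(_FakeSession(), "<token>", "mytenant.onmicrosoft.com", "old-pw", "new-pw"))
    print(reset_password_request("mytenant.onmicrosoft.com", "00000000-0000-0000-0000-000000000000", "temp-pw"))
```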
I would like to pre-register a limited number of users which can use my application.
These are the requirements:
Users should be able to reset their password on their own
No other users than the preregistered users can sign up
Ideally, the user can choose the login email address by himself (no #app.onmicrosoft.com login).
Now I'm having trouble having all requirements fulfilled together.
I was able to preregister #app.onmicrosoft.com users in the Azure Portal. But since the user can't get emails on #app.onmicrosoft.com, a password-reset-policy would not make sense. I tried to specify alternate-email and a phonenumber in the user-profile, but unfortunately the password-reset-policy is not using it for verification.
Let's say I create a sign-up policy: This is nice - the user chooses his own email. Password resetting would also work. However, I can't control who's signing up and getting valid access tokens. In the portal, under Enterprise Applications, I found my registered application (All Applications) where I can set an option "User assignment required?" to true. But this does not seem to work in the B2C context, right? I expected that until I assign a user to this application, the user is not getting a token on sign-in, but this wasn't the case. Here I found a similar question about creating users. Any advice on creating users including passwords etc. using Microsoft Graph (since it's recommended to use it over Graph API)?
I also tried to invite users as guests. They have to create a microsoft account, resetting passwords would be solved through microsoft, but unfortunately, no redirect to microsoft login happens after entering the microsoft account email address.
Deleting the signup policy after initial registration is a bad option if more users have to be onboarded.
Ideally, I would like to preregister users as if they signed up by their own - but with no signup policy.
Any advice? What do I miss?
You can implement the activation/invitation scenario that is described here and implemented here.
This scenario activates/invites a new user by creating/pre-registering a local account in the Azure AD B2C directory through the Azure AD Graph and then sending a signed redemption link to the email address for this local account.
This redemption link directs the new user to the Password Reset policy.
Currently creating users in a B2C tenant with a "local account" is not supported in Microsoft Graph. For this you'll need to use Azure AD Graph for now (see creating a user with a local account). Please see this blog post for details and line item 12 in the table.
We hope to add this capability as soon as we can to Microsoft Graph.
Hope this helps,
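The invitation flow the answer describes has two parts: pre-register a local account through the Azure AD Graph, then mail the user a signed redemption link that leads into the password-reset policy. The following is an added example and not the linked sample's code: it builds the Azure AD Graph (api-version 1.6) body for a B2C local account with a random throwaway password, and signs and verifies an expiring redemption token with an HMAC so that only a link issued by the app, for the invited address, and still within its lifetime, is honoured. The signing key, the redemption URL, the field layout of the token and all helper names are constructed for this example.

```python
"""Added example: Azure AD Graph body for a B2C local account plus a signed,
expiring redemption link for the invitation flow. Key, URLs and helper names
are constructed for this example."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


def local_account_body(display_name, email):
    """Azure AD Graph (api-version 1.6) request body for a B2C local account
    that signs in with an email address. The password is random and never
    shown to anyone; the redemption link sends the user through the
    password-reset policy, which replaces it."""
    return {
        "accountEnabled": True,
        "creationType": "LocalAccount",
        "displayName": display_name,
        "signInNames": [{"type": "emailAddress", "value": email}],
        "passwordProfile": {
            # random value with mixed classes so it passes typical complexity rules
            "password": secrets.token_urlsafe(24) + "Aa1!",
            "forceChangePasswordNextLogin": False,
        },
    }


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_redemption_link(base_url, email, signing_key, ttl_seconds=86400, now=None):
    """Build <base_url>?token=<payload>.<sig>, where payload carries the invited
    email and an expiry and sig is HMAC-SHA256 over the payload. `now` can be
    pinned for testing; it defaults to the current time."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"email": email, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return f"{base_url}?{urlencode({'token': _b64(payload) + '.' + _b64(sig)})}"


def token_from_link(link):
    """Extract the token query parameter from a redemption link."""
    return parse_qs(urlparse(link).query)["token"][0]


def verify_redemption_token(token, signing_key, now=None):
    """Return the invited email if the token is well-formed, carries a valid
    signature (checked in constant time) and has not expired; otherwise None.
    Signature is checked before the payload is parsed so untrusted JSON is
    never interpreted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(signing_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("email")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; store the real key outside the code
    print(json.dumps(local_account_body("Alice Example", "alice@example.com"), indent=2))
    link = make_redemption_link("https://app.example/redeem", "alice@example.com", key)
    print(link)
    print(verify_redemption_token(token_from_link(link), key))
```

On redemption the app verifies the token, confirms the email matches a pre-registered local account, and only then redirects to the password-reset policy; the random initial password is never communicated, which is what keeps the sign-up-policy door closed while still letting invited users set their own password.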