How to authorize Azure Logic App connector to ACI in separate resource group - azure

I'm trying to create an Azure Logic App that uses a connector to ACI to run a container group. I was able to get it running correctly by creating a connector in the Logic App designer in the Azure Portal. However, the designer currently only supports connectors in the same resource group as the logic app. I would like to use a single connector for logic apps in multiple resource groups, so I need to use a connector from a different resource group. Logic Apps appear to support this just fine as long as you edit the code directly instead of using the visual designer. I am able to create the connector just fine, and the app is able to connect to it, however I am not able to authorize the connector properly. When I go to the connector and attempt to authorize it, the process works fine and it says that it is connected. However, when I then try to run the Logic App, I get the following error:
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/YYY/'. It must match the tenant 'https://sts.windows.net/XXX/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/XXX' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}
XXX and YYY are two different tenant IDs. However, XXX is the tenant ID I get when I run az account show on my machine and in the Azure Cloud Shell. I only have one tenant ID and one subscription. I don't know where the other tenant ID is coming from, or how it is being used to authorize the connector when I am using the same login that is tenant ID XXX.
Is there any way I can successfully authorize the connector with my tenant ID?
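A quick way to confirm which tenant actually issued a token before the Logic App rejects it, as an added diagnostic example that is not part of the question or any answer: decode the payload of an Azure access token and compare its issuing tenant with the subscription's tenant (the value az account show prints). The tenant GUIDs below are constructed placeholders standing in for XXX and YYY; the token is parsed without signature verification, which is fine for reading claims but never for trusting them.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    The signature is NOT checked: this is for troubleshooting only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_tenant(claims: dict) -> str:
    """Tenant GUID from 'iss', e.g. 'https://sts.windows.net/<tenant>/'."""
    return claims.get("iss", "").rstrip("/").rsplit("/", 1)[-1]


def check_token_tenant(token: str, subscription_tenant: str) -> tuple:
    """Compare the token's issuing tenant ('tid', falling back to 'iss')
    with the tenant that owns the subscription. A mismatch is exactly the
    condition behind InvalidAuthenticationTokenTenant."""
    claims = token_claims(token)
    tid = claims.get("tid") or issuer_tenant(claims)
    if tid.lower() == subscription_tenant.lower():
        return True, f"token issued by tenant {tid}, matches the subscription"
    return False, (f"token issued by tenant {tid} but the subscription belongs to "
                   f"{subscription_tenant}: expect InvalidAuthenticationTokenTenant")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') for offline testing."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed placeholder tenant ids (the question's XXX and YYY).
SUBSCRIPTION_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"

if __name__ == "__main__":
    sample = make_unsigned_jwt({"iss": f"https://sts.windows.net/{OTHER_TENANT}/", "tid": OTHER_TENANT})
    print(check_token_tenant(sample, SUBSCRIPTION_TENANT)[1])
```

With a real token, pass the accessToken field from az account get-access-token and the tenantId from az account show in place of the constructed values.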

Related

Unable to connect to Azure DevOps from Azure Logic Apps

I'm trying to queue an Azure DevOps pipeline from an Azure Logic App. When I create the workflow, the connection is configured correctly without any issue. However, the project dropdown list is unable to populate team projects, and the same goes for the build definition ID dropdown list. The organization dropdown list is populated correctly. I do have team project administrator on the team project, and do have logic app contributor. I'm also able to get the list of team projects from this organization using the REST API. Here is the error I got:
Could not retrieve values. Error code: ‘Unauthorized’, Message: ‘TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource.
Azure DevOps ActivityId: 0ba5ef8c-4ac4-4810-bf92-7835ca5bf444
Details: TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource.
clientRequestId: eae306a3-f638-424b-96e5-579a70c9dcf7’. More diagnostic information: x-ms-client-request-id is ‘F6A975D5-74AA-41E3-9DCA-70A508139387’.
Error code: ‘Unauthorized’, Message: ‘TF400813: The user ‘573f1013-71ca-6a2f-ac35-ba1bef678b59’ is not authorized to access this resource. Azure DevOps ActivityId: 0ba5ef8c-4ac4-4810-bf92-7835ca5bf444
According to the error message, it may be that the account you logged in with in the Queue a build action selected the wrong domain (AAD directory).
You can try the following steps to sign in to the account again in the Queue a build action.
Here are the steps:
Step1: Navigate to this user Profile URL: https://aex.dev.azure.com/me?mkt=zh-CN&campaign=o~msft~old~vsts~profile
Then you could select the correct AAD directory.
Step2: Sign in to your account in Azure DevOps from the Azure Logic App again.
You need to check if the domain is correct.

AuthorizationFailed for unknown principal

I'm deploying an ARM template within an Azure Devops release pipeline. Amongst others, the ARM template looks up the connection string of an existing AppConfiguration instance and outputs it for use in a next step where I set the configuration of a resource.
This has worked fine for the first couple of releases. Since this week however I'm getting the following error:
AuthorizationFailed: The client 'adb4-etc' with object id 'adb4-etc' does not have authorization to perform action 'Microsoft.AppConfiguration/configurationStores/listKeys/action' over scope '/subscriptions/{guid}/resourcegroups/{rgname}/providers/Microsoft.AppConfiguration/configurationStores/{appConfigname}' or the scope is invalid. If access was recently granted, please refresh your credentials.
Just to be sure the problem isn't with the ARM template, I deployed it in the Azure portal using 'Deploy a custom template' and it worked fine, outputting the connection string to the AppConfiguration. However there it used my personal user account for authentication, of course.
The pipeline uses a service connection that is connected to a principal that does not have the client ID starting with adb4, and there is no principal (user, app registration, enterprise application) in our Azure AD that even starts with adb4. So in that sense the error is correct, but why is Azure Devops authenticating with this unknown principal?
The service connection principal has the Contributor role on the applicable AppConfiguration instance. This access was granted weeks ago.

Azure function access from other subscription

I have created an ARM template for my logic app which has an Azure Function reference in it.
When I was deploying the logic app in my old subscription, I was able to deploy the ARM template using PowerShell successfully.
The problem started when I needed to deploy the app in a different subscription.
When I deployed my logic app in the different subscription, pointing to the Azure Functions which still existed in my old subscription, I got this error:
{
"code": "LinkedAuthorizationFailed",
"message": "The client has permission to perform action 'Microsoft.Web/sites/functions/listSecrets/action' on scope '/subscriptions/(newsubscription Id)/resourcegroups/(new resourcegroup under new subscription)/providers/Microsoft.Logic/workflows/my-logic-app-name', however the current tenant '(tenent id of new subscription)' is not authorized to access linked subscription '(old subscription id)'."
}
Can anyone suggest how I can deal with this issue?
What I suspect is that the new subscription needs to get access to the old subscription for accessing the Azure Function lying in there. What can be done in this case?

Can't log in service principal from VSTS, but works in TFS and Azure Portal states success

I'm sitting in a project where I will move from TFS to VSTS, so we do have a working release definition.
But when I try deploying a Service Fabric cluster I get the following error:
2018-08-28T09:02:59.8922249Z ##[error]An error occurred attempting to acquire an Azure Active Directory token. Ensure that your service endpoint is configured properly with valid credentials. Error message: Exception calling "AcquireToken" with "3" argument(s): "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '< service principle Id >'.
Trace ID: < guid1 is here >
Correlation ID: < guid2 is here >
Then I go to the Azure portal -> AAD -> Sign In -> look up my specific sign in (based on correlation ID) and there it states that Sign-in status is Success.
Considering this works for our TFS instance I assume the service principal is correctly set up. But since the build/deploy agents are now on a VM in Azure instead of on prem for TFS, is there anything I need to change?
Traffic should be OK, I can navigate to the https address of the cluster from the VM with the agents.
I've tried googling it, but to no success, so hopefully someone can point me in the right direction where to look.
And in the portal, 'MFA is required' is no, so multi factor should not be necessary.
Just try using certificate based authentication instead of using AAD Authentication in the service endpoint configuration.
Reference the same issue here: https://github.com/Microsoft/vsts-tasks/issues/7714
If that still does not work, just try to create a new endpoint, then try it again.

How to get subscription id programmatically in a Azure Role?

I have this Worker Role which makes use of the REST Management API (through https://github.com/Azure/azure-sdk-for-net), whose most basic prerequisite is the Subscription ID.
Is there a way to get the Subscription ID from a running (worker) role? E.g. say, through RoleEnvironment?
Sorry Gatis, there is no way to get this via any method provided by Azure*. You would need to pass this information into your role using something like the CSCFG configuration settings.
For a little more context - the subscription ID is only known at the RDFE layer. Once you are in the Fabric layer (ie. your running Worker Role) then there is no concept of a subscription ID. You can see http://blogs.msdn.com/b/kwill/archive/2011/05/05/windows-azure-role-architecture.aspx, process A and steps 1&2, for a little more info.
*If you are using AAD authentication for your Service Management API calls then you could get a list of all subscriptions for that AAD user using 'List Azure Subscriptions' - http://msdn.microsoft.com/en-us/library/azure/dn775050.aspx. With those subscriptions you could enumerate all cloud services and match the deployment ID to the deployment ID for your worker role.
Edit: Typo in first paragraph. Changed 'something like the Subscription ID' to 'something like the CSCFG configuration settings'.