AAD B2C "The application with identifier 'ProxyIdentityExperienceFramework' was not found." - azure-ad-b2c

In following this tutorial...
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started?tabs=app-reg-preview#test-the-custom-policy
I've reached the part where you can test your user flow. When I try the sign-in flow, it gives the following error after clicking the sign-in button...
"The application with identifier 'ProxyIdentityExperienceFramework' was not found."
The application is definitely registered in Azure under my tenant. I've also started over and followed this tutorial multiple times to make sure I was doing it correctly. Still no luck.
Has anybody had a similar experience or knows what the problem is?
Thanks!

You didn't add application IDs to the custom policy.
Notice step 3:
Replace both instances of ProxyIdentityExperienceFrameworkAppId with
the application ID of the ProxyIdentityExperienceFramework application
that you created earlier.
You can get the application ID of the ProxyIdentityExperienceFramework application from Register the ProxyIdentityExperienceFramework application.
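Added example, not part of the answer above: a PowerShell script that scans custom-policy XML for the tutorial's placeholder strings (the ones step 3 tells you to replace) before you upload, and optionally confirms that every GUID in the policy is an app registration in the B2C tenant. The XML fragment is a constructed sample modelled on the login-NonInteractive technical profile from the tutorial's TrustFrameworkExtensions.xml; the tenant name and GUID are placeholders, and the online part assumes the AzureAD PowerShell module (which Microsoft has deprecated in favour of Microsoft Graph PowerShell).

```powershell
# Added example (not the original answer's code). Finds placeholders the tutorial
# asks you to replace; a policy that still contains them uploads fine but fails at
# run time with "The application with identifier '...' was not found."

$placeholders = @(
    'ProxyIdentityExperienceFrameworkAppId',
    'IdentityExperienceFrameworkAppId',
    'yourtenant.onmicrosoft.com'
)

function Find-PolicyPlaceholders {
    param([Parameter(Mandatory)][string]$Xml, [string]$Name = '<inline>')
    $hits  = @()
    $lines = $Xml -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        foreach ($p in $placeholders) {
            if ($lines[$i] -like "*$p*") {
                $hits += [pscustomobject]@{ File = $Name; Line = $i + 1; Placeholder = $p }
                break   # report one placeholder per line (Proxy... contains the shorter name)
            }
        }
    }
    return $hits
}

function Get-PolicyAppIds {
    # Every GUID-shaped value in the policy; after step 3 these should be the two app IDs.
    param([Parameter(Mandatory)][string]$Xml)
    $guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    [regex]::Matches($Xml, $guid) | ForEach-Object { $_.Value } | Sort-Object -Unique
}

# Constructed sample: the client_id item was replaced, the other three were not.
$sample = @"
<TechnicalProfile Id="login-NonInteractive">
  <Metadata>
    <Item Key="client_id">11111111-2222-3333-4444-555555555555</Item>
    <Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFrameworkAppId" />
    <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFrameworkAppId" />
  </InputClaims>
</TechnicalProfile>
"@

$leftovers = Find-PolicyPlaceholders -Xml $sample -Name 'TrustFrameworkExtensions.xml'
if ($leftovers) {
    Write-Host "Placeholders still present; fix these before uploading:"
    $leftovers | Format-Table -AutoSize
}

# To scan the real policy files in the current folder instead of the sample:
#   Get-ChildItem *.xml | ForEach-Object { Find-PolicyPlaceholders -Xml (Get-Content $_ -Raw) -Name $_.Name }

# Optional online check: each GUID must be an app registration in the B2C tenant
# (not your main Azure AD tenant). Set $CheckLive = $true to run it.
$CheckLive = $false
if ($CheckLive) {
    Connect-AzureAD -TenantId 'yourtenant.onmicrosoft.com' | Out-Null   # assumption: your B2C tenant name
    foreach ($id in Get-PolicyAppIds -Xml $sample) {
        $app = Get-AzureADApplication -Filter "appId eq '$id'"
        if ($app) { Write-Host "OK      $id -> $($app.DisplayName)" }
        else      { Write-Host "MISSING $id is not registered in this tenant" }
    }
}
```

Run it from the folder that holds the policy files; the sample reports three leftover placeholders, which is exactly the state that produces the error in the question. The live check is the part that catches the other common cause, registering the apps in the wrong directory.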

Related

Azure B2C User Attributes Claim - Unable to Save Claim?

I'm using Azure B2C. I have a custom claim I want to include on profile edit. This is the built-in user flow for Profile Edit (B2C_1_ProfileEdit).
When I go to Application claims, select my claim, and click Save, I get an error message
"Unexpected error, please try again later"
No details were given in the error message.
What could this be? I'm not sure where to look to debug it. Any ideas?
I was about to create a support ticket with Microsoft today. Before I did that, I tried to update it again and it worked this time. Must have been an Azure problem!

How to access app service with Authentication/Authorization enabled using Logic App

I want to access the endpoints that exist within my app that was uploaded to an App Service by calling them using a Logic App. I've enabled Authentication/Authorization but I cannot seem to figure out how to correctly create a valid authenticated request. I guess I'm missing something here; please look at the pictures below.
I'm getting this error message: Http request failed as there is an error getting AD OAuth token: 'AADSTS500011: The resource principal named '' was not found in the tenant named ''. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
I'm sure the tenant ID is correct and I've consented like a billion times I think :D. I provide all of the pictures that I can think of that could help find out the issue here.
I also tried with another audience, the api://...
Still no success:
Here's my app service Auth section setup:
All I can think of is that I check the Allow unauthenticated access box, but that will leave me to code more in my app, right? And I then need to restrict each individual endpoint. Instead I'd like to maybe have either an endpoint without the authorization or be able to send an authorized request through, like from a Logic App, Postman, doesn't matter in this case.
Any suggestions?
There are two possible reasons as per the error message: either the AD app is not present in the tenant or the AD tenant itself is not correct.
In either case you just need to check in AAD-->App registrations-->Search with the client ID (which you used above).
If not found, then either the AAD is incorrect or you have not created the AD app in this AAD.
Also check the application permissions.
Check following post for more insight
https://www.tech-findings.com/2020/01/calling-active-directory-secured-functionapp-from-logicapps.html
Thanks,
Maheshkumar S Tiwari
I actually managed to find out what the issue is here. So I actually have 2 complaints (maybe I'm not understanding what's actually wrong "behind the scenes") but the Audience was wrong. That's it!
The third picture from my post on the audience attempt was correct but I had to remove the /.default part in order for it to work. (I've had this default thingy a lot when I've worked with MS Graph but it seems to not be the case here.)
Result:
Works like a charm now :D
Research:
So I will also share how I figured out how to understand the error message and what was wrong.
So my first complaint is that the error message is misleading IMO, in that the message said:
... getting AD OAuth token: 'AADSTS500011: The resource principal named '' was not ...
When I Google "resource principal" I only get a lot of answers on how to view Service principals, which I thought could be something else. But it seems that that's the thing I should be searching for within my app registration. And the first Audience example I was trying out is obviously not the correct value to match the principal with. The correct value, in this case, can be seen in at least 3 locations that I found worked for me.
The app registration Application ID URI
MS Graph Explorer, list your service principals and perhaps filter by the name of your app registration to narrow down your search results
PowerShell, same as option 2, might be another "endpoint" but should do the same work still.
First option:
https://portal.azure.com -> Azure Active Directory -> App registrations -> choose your app and click on it -> check the Application ID URI column on this Overview page
Second option:
https://developer.microsoft.com/en-us/graph/graph-explorer, sign in to your account (same as on Azure), check the Sample queries section to the left and pick, inside Applications -> "search and count Service Principals with "teams" in the displayName". You will get a sample query; also add servicePrincipalNames to your params and change the search in the displayName from teams to -> {part of the app reg name or the entire app reg name} //probably a contains
Third option:
Make sure you have both Install-Module MSOnline and
Install-Module AzureAD installed in your PowerShell tool. I used Windows PowerShell ISE in order for it to work (the x86 one didn't work for me). ->
Import the module for AzureAD -> then connect with the same account as Azure -> run this command: Get-MsolServicePrincipal
I also added the -All parameter to get all principals. You could also narrow it down,
I'm guessing here, but not important in my case :).
So these were the solutions I've found.
But I also have that other complaint: why isn't the error message something like: The Audience does not exist on Tenant X. Please check that the name of the Service principal matches the Audience parameter and that the principal exists within the given tenant. //Something like this, idk
That would make it so much easier to understand what the error actually is.
Any Azure gurus can definitely give me a lesson on why I'm wrong if so; I'm happy to learn the core/fundamentals :)
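Added example, not from the post above: a PowerShell check of a Logic App "Audience" value against the service principal names of the target app, which is the comparison the poster ended up doing by hand. The caveat behind the fix: the Logic App's Active Directory OAuth setting sends the audience as the v1 `resource` parameter, so it must equal one of the app's servicePrincipalNames exactly (the Application ID URI or the client ID); `/.default` is a v2 scope suffix, not a resource, which is why AADSTS500011 reports that no principal with that name exists. The service principal names, app name and audience strings are constructed placeholders, and the live part assumes the AzureAD module.

```powershell
# Added example (not the poster's code). Tells you whether an Audience value will
# resolve to a service principal, and what to change when it will not.

function Test-Audience {
    param(
        [Parameter(Mandatory)][string]$Audience,
        [Parameter(Mandatory)][string[]]$ServicePrincipalNames
    )
    if ($ServicePrincipalNames -contains $Audience) {
        return [pscustomobject]@{ Audience = $Audience; Ok = $true;  Fix = $null }
    }
    # A v2 scope was pasted where a v1 resource is expected.
    $trimmed = $Audience -replace '/\.default$', ''
    if ($ServicePrincipalNames -contains $trimmed) {
        return [pscustomobject]@{ Audience = $Audience; Ok = $false; Fix = "remove /.default -> $trimmed" }
    }
    return [pscustomobject]@{ Audience = $Audience; Ok = $false; Fix = 'no matching servicePrincipalName in this tenant' }
}

# Constructed sample: what Get-AzureADServicePrincipal returns in ServicePrincipalNames
# for an App Service app registration whose Application ID URI is api://<client id>.
$spns = @(
    'api://11111111-2222-3333-4444-555555555555',
    '11111111-2222-3333-4444-555555555555'
)

# Three constructed candidates: a site URL that is not an SPN, a v2 scope, and the bare URI.
foreach ($candidate in @(
    'https://contoso-api.azurewebsites.net',
    'api://11111111-2222-3333-4444-555555555555/.default',
    'api://11111111-2222-3333-4444-555555555555'
)) {
    Test-Audience -Audience $candidate -ServicePrincipalNames $spns
}

# Against a live tenant (assumes the AzureAD module; set $CheckLive = $true to run).
$CheckLive      = $false
$appDisplayName = 'contoso-api'                                  # assumption: your app registration's name
$logicAppValue  = 'api://11111111-2222-3333-4444-555555555555/.default'   # assumption: what the Logic App sends
if ($CheckLive) {
    Connect-AzureAD | Out-Null
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
    if (-not $sp) { throw "No service principal named '$appDisplayName'; check the tenant you are signed in to." }
    $sp.ServicePrincipalNames
    Test-Audience -Audience $logicAppValue -ServicePrincipalNames $sp.ServicePrincipalNames
}
```

The first candidate fails with no match, the second is flagged with the exact fix the poster applied (drop `/.default`), and the third passes. Querying by display name also covers the other cause named in the error text: a principal that is simply not in the tenant you authenticated against.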

Application select greyed out. Azure AD B2C - Identity experience framework

I was simply following this guide:
Get started with custom policies in Azure Active Directory B2C
Following all the previous instructions without a problem. I got to "Test the custom policy" where I got stuck. When I open any of my custom policies it is the same story. Application select and select reply URL are greyed out.
Any idea what might cause it?
Screenshot of my problem:
Please create a B2C application registration. You can refer to this doc.

Getting Error while doing Sign In using custom policy in Azure Active Directory B2C

I am struggling with the Sign-In functionality of an existing user in Azure Active Directory B2C. I had followed this link for implementing custom claims in the JWT token using custom policies. After modifying the TrustFrameworkBase.xml, TrustFrameworkExtensions.xml & SignUpOrSignin.xml files as per my need by following the same link, I uploaded those files to Azure and was trying to run the user flow from Azure. Now the issue I am facing currently is that the Sign-In functionality is not working. It is giving me the error Unable to validate the information provided. (See the screenshot attached)
Don't know where I am going wrong.
Any help in this regard would be really helpful.
Update: After adding the Application Insights in my SignUpOrSignIn.xml file, Now I am able to get the exact error i.e The claim type "objectId", designated as the identifier claim type, could not be found in the claims collection for the claims principal in tenant id "B2C_1A_signup_signin".
But don't know at which step I am missing it or how to modify the policy to run it successfully.
After struggling for 3 days to find the solution to the problem mentioned above, I was finally able to solve it.
I removed the tag
<ValidationTechnicalProfile ReferenceId="AAD-UserWriteProfileUsingObjectId" /> under the TechnicalProfile tag with Id SelfAsserted-LocalAccountSignin-Email in the TrustFrameworkBase.xml file. Now I am able to sign in using AD B2C.

Azure Active Directory App Manifest: getting 'Failed to update manifest: ObjectConflict'

I'm trying to update an existing Azure app but unable to save and the website throws an error 'Failed to update manifest: ObjectConflict'
I'm updating the field called 'identifierUris'. It's a list and there is one element already and I'm trying to add another there.
Can't seem to find what this error is about. Has anyone encountered this before?
It is very likely you are trying to add a value to identifierUris which is already present in another app. Each value in identifierUris must be unique to a single Application object in Azure AD.
To check if it's already present on an app in your tenant, you can use Azure AD PowerShell to do a simple search to see if that's the case:
Get-AzureADApplication -Filter "identifierUris/any(c:c eq 'http://example.com/id-uri')"
You could also do the query using the Azure AD Graph Explorer (and signing in with your Azure AD account):
https://graph.windows.net/myorganization/applications?$filter=identifierUris/any(c:c eq 'http://example.com/id-uri')
I also ran into this when writing some samples. The other answer is correct that there is another app that has already defined those identifierUris under your AAD tenant. But they only need to be defined under one app. You can create another app / client ID in AAD under the tenant that doesn't have the identifierUris the docs say you need, and it will work to get the right token / Store ID.
I did this with my sample where another client had already defined them and hit this error. I just went ahead anyways with the rest of the setup docs and got it working requesting the right authorization / bearer tokens. Just know that for the commerce ones, I had to re-publish my app to the store before I started to see results otherwise I was just seeing blank results.
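Added example, not from either answer: a PowerShell routine that performs the lookup from the first answer, reports which app already owns the URI (the ObjectConflict case), and otherwise appends the URI to the target app. It includes the check a practitioner wants here: Set-AzureADApplication's -IdentifierUris replaces the whole list, so the existing entries have to be carried over or they are silently dropped. The app ID and URI are placeholder values, and the script assumes the AzureAD module (which Microsoft has deprecated in favour of Microsoft Graph PowerShell).

```powershell
# Added example (not the answers' code). Pre-checks an identifierUris change so the
# portal's 'Failed to update manifest: ObjectConflict' is reported with the owner's name.

$targetAppId = '11111111-2222-3333-4444-555555555555'   # assumption: the app you are editing
$newUri      = 'api://contoso.example.com/orders'       # assumption: the URI you want to add

function Get-IdentifierUriOwner {
    param([Parameter(Mandatory)][string]$Uri)
    # Same OData filter the first answer uses. A single quote inside $Uri would need
    # doubling to stay inside the string literal.
    Get-AzureADApplication -Filter "identifierUris/any(c:c eq '$Uri')"
}

function Add-IdentifierUri {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Uri
    )
    $owner = Get-IdentifierUriOwner -Uri $Uri
    if ($owner -and $owner.AppId -ne $AppId) {
        throw "ObjectConflict: '$Uri' already belongs to '$($owner.DisplayName)' ($($owner.AppId)). Remove it there first or choose another URI."
    }

    $app = Get-AzureADApplication -Filter "appId eq '$AppId'"
    if (-not $app) {
        throw "App $AppId not found; check that you are connected to the right directory."
    }
    if ($app.IdentifierUris -contains $Uri) {
        Write-Host "'$Uri' is already on $($app.DisplayName); nothing to do."
        return $app
    }

    # -IdentifierUris overwrites the list, so copy the current entries before appending.
    $uris = [System.Collections.Generic.List[string]]::new()
    foreach ($u in $app.IdentifierUris) { $uris.Add($u) }
    $uris.Add($Uri)
    Set-AzureADApplication -ObjectId $app.ObjectId -IdentifierUris $uris

    # Return the refreshed object so the caller can confirm the new list.
    Get-AzureADApplication -ObjectId $app.ObjectId
}

Connect-AzureAD | Out-Null
Add-IdentifierUri -AppId $targetAppId -Uri $newUri
```

If the URI is already on the target app the function returns without a write; if it is on any other app the throw names that app, which is the information the portal error leaves out.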
