I've tried to give access to an Active Directory external user (with Guest type). ADLS2 enables to use of such users for RBAC or ACL tables.
But when I tried to access ADLS2 as a guest user from the Power BI service I've got an error:
"The credentials provided for the AzureDataLakeStorage source are invalid.":
Failed to update data source credentials: The credentials provided for the AzureDataLakeStorage source are invalid. (Source at https://hasodl2westeurope.dfs.core.windows.net/mycontainer/samplefolder.)
Hide details
Activity ID: 269cbc1b-c50a-4078-a408-6f64246d0a19
Request ID: caabe243-c75a-5507-1610-88cc41b19ae6
Status code: 400
Time: Thu Jan 09 2020 12:27:37 GMT+0200 (Eastern European Standard Time)
Service version: 13.0.11747.315
Client version: 1912.2.031
Cluster URI: https://wabi-west-europe-b-primary-redirect.analysis.windows.net/
Is this behavior a bug or a feature?
Is a way to access ALDS2 as a Guest user?
ADLS only supports AD users from the same tenant, not guest users - source.
Related
Trying to create a new client secret using powershell script. while executing New-AzureADApplicationPasswordCredential from powershell ISE, getting below error:
New-AzureADApplicationPasswordCredential : Error occurred while executing SetApplication
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: 1234567-abcd-1234-7890-1234567890
DateTimeStamp: Mon, 12 Dec 2022 05:21:54 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
Attached image has the API permissions given for the SP used to authenticate to AD. The SP has read/write access on AD graph and MS Graph and has Admin consent on org as well.
I tried in my environment and got below results:
Initially I tried the same command and got same error.
Console:
Make sure the User or service principal with whom you are trying to login into azure has at least contributor role or owner role at subscription level.
Go to portal -> Subscription -> Access control(IAM) -> Add role assignments ->Add Contributor or Owner to your user or SP.
Also, make sure User or SP has Azure AD role of at least Application Administrator.
Go to portal -> Azure-Active-Directory -> Roles and Administrators ->Application Administrator -> Add the role to your User or SP.
After Assigning both roles in my environment, I got the Client-Secret successfully.
Console:
I am connecting to a linked service to SharePoint Online using Azure Data Factory. I have admin access to everything on my site and in the Active Directory.
I have granted Site.FullControl() permission to my site in "App registration" and also granted in SharePoint site but still it is showing me I don't know what else to do.
This is the error I get:
Failed to get metadata of OData service, please check if service URL and credential is correct and your application has permission to the resource. Expected status code: 200, actual status code: Unauthorized, response is : {"error":"invalid_request","error_description":"Token type is not allowed."}.
Activity ID: 4cc5411a-2932-40c9-baaa-c77a22f9270a.
I have a nodejs application using the express framework. The user must sign in via Oauth2 protocol against their MS Azure Active Directory credentials. This is done using the passport-azure-ad-oauth2 npm package
I have successfully got the application working so that I can upload files in blob form to an azure storage container. The container access level is set to private. I have assigned user roles for the container so that certain users within the AD have 'reader and data access'. So my understanding is that when these users are authenticated via Oauth2, they should be able to access the files when retrieving the file's URL. However, after authentication, I am not able to access the files. I get the following error.
ResourceNotFound
The specified resource does not exist. RequestId:6341ef80-f01e-0011-6442-08f7c2000000 Time:2021-02-21T11:14:26.3475641Z
I have also followed the steps to grant the application permissions to azure storage here
What do I need to do so that authenticated users can go to the specific url for each blob and get access? Do I need to pass a token in the request? If so, how do you do this?
Any help would be much appreciated.
The 404 error(The specified resource does not exist) is always related to your request URL, but not the access token.
For example to get blob, you need to use GET Method, and some of the Request Headers are required.
GET https://myaccount.blob.core.windows.net/mycontainer/myblob
headers:
Authorization: Bear <access-token>
x-ms-version: 2020-04-08
x-ms-date: Fri, 26 Jun 2015 23:39:12 GMT
Get access token by application permission without user:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id={client_id}
&client_secret={client_secret}
&scope=http://storage.azure.com/.default // change to http://storage.azure.com/ for resource
&grant_type=client_credentials
Get access token by delegated permission with a signed-in user:
GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=token
&redirect_uri=https://localhost:44300/
&scope=https://storage.azure.com/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910
Note: Navigate to your storage account -> Access Control (IAM) -> Add role assignment -> select Storage Blob Data XXX role and your login account. I add Storage Blob Data Contributor in my side, it might take up to 5 minutes to propagate the RBAC rule.
I have Azure Subscription with Default Directory with my company's account (myname#mycompany.com) as a guest.
I login to azure portal with this my company's account.
In the SQL Server, I have set Active Directory admin to an AAD group and I'm member of the group.
When I click Export (database) in Azure Portal, I select Active Directory authentication and type my username/password:
However I'm getting:
Failed to export the database: MyDatabase. ErrorCode: 400
ErrorMessage: There was an error that occurred during this operation :
'Error
encountered during the service operation. ; Exception
Microsoft.SqlServer.Management.Dac.Services.ServiceException:Unable to
authenticate request; Inner exception
System.Data.SqlClient.SqlException:Failed to authenticate the user
username#mycompany.com in Active Directory
(Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003;
state 10; MSIS7068: Access denied.; '
Failed to authenticate the user username#mycompany.com in Active Directory (Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003; state 10; MSIS7068: Access denied
According to the error information that it indicates that the user password is not correct.
Based on my test, it works correctly if you set the Active Directory admin to an AAD group and if you are a member of the group.
I am trying to get Azure AD Authentication working against my Azure SQL Database.
I created a PaaS database and it's associated PaaS Sql Server.
I assigned MY Azure AD account as "Active Directory admin" of the "PaaS Sql Server".
Next, I logged in to SSMS using MY domain account to create the user:
CREATE USER [xxx#yyy.com] FROM EXTERNAL PROVIDER;
GO
sp_addrolemember db_datareader, [xxx#yyy.com];
GO
sp_addrolemember
db_datawriter, [xxx#yyy.com];
GO
When I attempt to login with the xxxxx#yyy.com account , I get back:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (.Net SqlClient Data Provider)
Server Name: zzzzz.database.windows.net
Error Number: 18456
Severity: 14
State: 1
Line Number: 65536
What am I missing ?
Weird observation, if I intentionally use the wrong password I get back this error:
AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password, that tells the AD is somehow working, but something is broken in the overall process.
Another weird observation:
If I add a valid AD account, it succeeds
CREATE USER [xxx#yyy.com] FROM EXTERNAL PROVIDER;
If I generate a bad AD account
CREATE USER [xxxABC#yyy.com] FROM EXTERNAL PROVIDER;
I get back:
Principal 'xxxABC#yyy.com' could not be found or this principal type is not supported.
From a "simialr post"
The Anonymous Logon error occurs when you haven't specified the database you want to connect to. Simply select "options" on the SSMS login screen and type in the database name you want to connect to. This is because your user is a contained user on the database it was created in. It does not exist on Master. – Greg Grater Mar 7 '17 at 1:23
This fixed my issue -- hours wasted!!!
Note: for ODBC conenctions the user must also be created in master