Azure portal error while trying to change client app scopes - azure

I have several client apps registered in the Azure portal. Each app has different scopes that are enabled/disabled. I used to be able to modify the scopes and save the updates for each of the registered apps. Now I get the following error from the Azure portal:
Failed to update {my app} application. Error detail: Property identifierUris is invalid. [mURNc]
I also get this same error even if all I try to do is rename the client app. If I create a brand new app there are no issues. This appears to be a bug in the Azure portal, but I'm looking for a workaround as I don't want to redefine all the scopes again; there are quite a few!
I've tried to rename things, change the client app ID, etc., but nothing seems to fix the issue; I get the same error. Again, this all used to work fine and now suddenly, with no changes, I get this issue.
The error says the identifierUris is invalid, but it isn't descriptive at all on which URI it is referring to. Any suggestions on how to correct this?

As junnas said, click try out the new experience in the Authentication tab of App registration and try again.
Also, when you see the above error, we recommend the following:
1. Edit the attributes individually in the manifest editor instead of uploading a previously downloaded manifest. Use the manifest reference table to understand the syntax and semantics of old and new attributes so that you can successfully edit the attributes you're interested in.
2. If your workflow requires you to save the manifests in your source repository for use later, we suggest rebasing the saved manifests in your repository with the one you see in the App registrations experience.
Hope this helps.

Related

How to Automate the Creation and Configuration of an Azure Enterprise Application

I am struggling to create and configure an Azure Enterprise Application.
I have been trying to accomplish this task via PowerShell. I attempted to create an enterprise application by making use of the tags an application registration can have by following this GitHub post, which essentially boils down to adding this tag to the service principal:
$tags = @("WindowsAzureActiveDirectoryIntegratedApp")
From there, I seem to be having problems with adding an identifier uri to the application. Here is the error:
Values of identifierUris property must use a verified domain of the organization or its subdomain
This error does occur to me whether I try this using PowerShell or Terraform.
I think it might be possible to resolve this error by adding the url as a custom domain, but the weird thing is that this url is used by the enterprise application that is setup manually, so I'm a little confused by this error and think the problem might be more than just adding the url as a custom domain.
I would like to note that at this point, if I remove the identifierUris, the application registration and service principal are both created, but if I were to go to the SAML section of the service principal, there does not seem to be a way to manually upload a SAML metadata file (via PowerShell only; it does work in Terraform, interestingly enough).
This brings me to the other issue that I face for configuration: SSO configuration, specifically via SAML. I would like to programmatically upload a SAML metadata file and then modify some of the fields in the SAML section of the service principal from the result of that upload. However, I have been unable to find a way to do this or find an equivalent workaround.
EDIT: Turns out you can upload a token certificate to the service principal via Terraform - for more info on the command see here. You will need to transform your data into an accepted value format (I would recommend .pem if you are coming from a .xml file). I am not 100% sure if this command works yet, as I am left with this message under the SAML Certificates section:
**Token signing certificate**
A certificate has been successfully created. Please reload the page to make it active.
And reload doesn't seem to be working yet...
Issues still left to address:
Identifier uri (previously mentioned)
How to edit the Attributes & Claims fields
EDIT 2:
So I was able to uncover this resource, which offers a step by step guide for automating away SAML-based single sign-on via MS Graph.
Still testing it - and there are some parts that can only be done on Windows (creating a custom certificate) - but this seems very helpful.
Based on my early testing, the only problem I have found with this method so far is that it might not edit the Attributes and Claims section of SAML SSO. However, I believe that by creating your own application template this method solves the identifier issue I was running into.
So, the MsGraph tutorial largely covers most of what I needed for my use case. A few things of difference that I would note:
I used a template application that suited my needs better*.
Attributes and claims are fixed by following the tutorials points on creating and assigning a claims mapping policy. You will not be able to see this through the GUI. Additionally, getting the updated service principal also does not display this configuration**.
If you have difficulty updating your logoutUrl I would see this GitHub post - you can configure it via az rest, PATCH, and this endpoint: "https://graph.microsoft.com/v1.0/applications/$($app_id)".
Tying it all together is a little annoying via PowerShell as it seems that some of the commands take longer to process than others. As a result, I would recommend implementing some sort of retry into your script and even calling Start-Sleep so that future cmdlets recognize resources created by the ones that have already been called.
*Note the process of finding a template that works best for you can be a bit tricky if you do not already have one in mind. I ended up selecting the template that matched the enterprise application I was using when doing this process manually. I am unsure if every enterprise application available has a template that matches it.
**The only way to get a confirmation that a new claims mapping policy worked is to see this message (under the Edit section of Attributes & Claims, which is in the SSO section of the service principal): "This configuration was overwritten by a claims mapping policy created via Graph/PowerShell. Learn More.".
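The two pain points in the post above (the "identifierUris must use a verified domain" rejection and the slow, eventually consistent Graph updates that need retries and Start-Sleep) can be handled in one script. This is an added example, not code from the original post or from the MS Graph tutorial it references; it assumes a logged-in az CLI with rights to update the app registration, that $AppObjectId is the application's object id (not its appId), and uses constructed sample URIs on contoso.com.

```powershell
# Check whether a host-based identifier URI sits on a verified tenant domain or a
# subdomain of one, which is the rule behind the "must use a verified domain" error.
function Test-IdentifierUriDomain {
    param([string]$Uri, [string[]]$VerifiedDomains)
    $uriHost = ([System.Uri]$Uri).Host.ToLowerInvariant()
    foreach ($d in $VerifiedDomains) {
        $d = $d.ToLowerInvariant()
        if ($uriHost -eq $d -or $uriHost.EndsWith(".$d")) { return $true }
    }
    return $false
}

# PATCH an application object via `az rest`, retrying with a pause so that objects
# created by earlier cmdlets have time to become visible to Graph.
function Invoke-GraphPatchWithRetry {
    param([string]$Url, [hashtable]$Body, [int]$MaxAttempts = 5, [int]$DelaySeconds = 10)
    # Write the body to a temp file: passing JSON inline from PowerShell to a native
    # command mangles the quotes, and `az rest --body @file` avoids that.
    $bodyFile = [System.IO.Path]::GetTempFileName()
    [System.IO.File]::WriteAllText($bodyFile, ($Body | ConvertTo-Json -Depth 5 -Compress))
    try {
        for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
            $null = az rest --method PATCH --url $Url --headers "Content-Type=application/json" --body "@$bodyFile" 2>&1
            if ($LASTEXITCODE -eq 0) { return $true }
            Write-Warning "PATCH attempt $attempt of $MaxAttempts failed; retrying in $DelaySeconds s"
            Start-Sleep -Seconds $DelaySeconds
        }
        return $false
    } finally {
        Remove-Item $bodyFile -ErrorAction SilentlyContinue
    }
}

# --- usage (placeholder object id; constructed sample URIs) ---
$AppObjectId = "<app-object-id>"
$identifierUri = "https://sso.contoso.com/myapp"
$logoutUrl = "https://sso.contoso.com/logout"

# Read the tenant's verified domains from the organization object.
$orgJson = az rest --method GET --url "https://graph.microsoft.com/v1.0/organization?`$select=verifiedDomains"
$verified = ($orgJson | ConvertFrom-Json).value[0].verifiedDomains.name

# Fail early with a readable reason instead of Graph's terse identifierUris error.
if (-not (Test-IdentifierUriDomain -Uri $identifierUri -VerifiedDomains $verified)) {
    throw "Host of $identifierUri is not a verified domain of this tenant: $($verified -join ', ')"
}

$ok = Invoke-GraphPatchWithRetry -Url "https://graph.microsoft.com/v1.0/applications/$AppObjectId" `
    -Body @{ identifierUris = @($identifierUri); web = @{ logoutUrl = $logoutUrl } }
if (-not $ok) { throw "Application update did not succeed after retries" }
```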

Error when entering ApplicationId and Application Key on dnn.azureadb2cprovider settings page

If I enter both an ApplicationID and key into the Advanced Settings of the dnn.azureadb2cprovider I get a generic error with no explanation. I've gone through the setup documentation (which seems to be outdated) numerous times. The error gives no clue as to what the issue is.
If I enter only the app ID or only the key by itself, there is no error. Obviously this won't allow Graph to work, but I am noting it anyway.
Went through the setup process located at https://github.com/intelequia/dnn.azureadb2cprovider#requirements. I can get users to sign in successfully through B2C so it's partially working. Just the advanced features are having trouble.
You can check the log4net log files under /Portals/_default/Logs folder for more details on the issue. This is probably caused by the permissions of the App registration on the Graph API. Ensure that you have set permissions on these Application scopes and have given consent to them (the documentation will be updated soon):
Application.Read.All
Group.Read.All
GroupMember.Read.All
User.Read.All
PS: in the future please create this type of issue on the GitHub repository to concentrate all the help and documentation in the same location.

Azure Application Insight Work items authorization error

My purpose is to create a bug in Azure DevOps directly from Azure Application Insights. I am trying to use the "attach work item (bug)" feature available in Azure Application Insights, but on clicking the Authorize button it gives me the following error:
Authorization token provided through OAuth does not have access to read/write work items for requested uri/project collection/project
For reference please find the below image.
Updates:
I didn't understand what you meant by private browser, and I have full admin access over the Azure Portal.
basically I have the https://dev.azure.com/HealthTechnologies/ReportItNow link in which
https://dev.azure.com is the devop url
HealthTechnologies is the organization
ReportItNow is the Project
So in the Azure Insights work item section, for URL I am putting https://dev.azure.com/HealthTechnologies/ and for project I am putting ReportItNow. I don't know what I am doing wrong.
Still waiting for this glitch to be solved.
Okay, let me make it simpler: if I want to automatically create a bug in Azure DevOps whenever any new exception comes into Azure
Application Insights, how can I get this into real practice?
I solved this when I took a detailed look at the error message URL. It's saying that the missing authorization is for https://uri/Project Collection/Project. Based on that, I changed my URL from https://dev.azure.com/organization to https://dev.azure.com/ and it worked.

Azure AD B2C portal will not save my redirect uri

The Azure AD B2C - App Registrations (both current and preview) will not save my non-localhost address, i.e. if I add a redirect URI as https://localhost:44734 and save, it works fine. If I add a URI as https://mysite.azurewebsites.net it will not save. The details here are slightly different depending on the part of the portal you are in.
If you are using the "App Registrations (Preview)" version, you see a notification in the top right saying "Update application Authentication". This just stays there and never finishes.
If you are using the current Applications blade you get an error stating "Application Update Error" "Cannot update Application: One of the properties provided for the application 'XXXXX' has invalid value. Please read this article (https://go.microsoft.com/fwlink/?linkid=847767) for more details.". This seems to be the case for any URL except localhost.
Manually editing the manifest also gives the error.
You should be able to add both localhost, and any valid url in that screen. Which seems to work on a new Application, but not an existing one.
I can not reproduce your issue on my side. I think you can create a new application to resolve this issue.
Also, you can try to delete all the reply urls and then add it again.

"Access Denied: You do not have access" error in Azure Portal

I am trying to do some experimentation with MSAL JS and ADAL JS libraries. I was able to get MSAL JS working fine by doing configuration at Azure Active Directory => "App Registrations (preview)". However when I switched to ADAL JS I get an error about needing version 2.0, so I think I need to use the regular "App Registrations" screen.
However, when I click on the regular "App Registrations" button I get:
Access Denied
You do not have access
Looks like you don't have access
to this content. To get access, please contact the owner.
I think it's odd that I can access the "preview" app registrations screen but not the regular one.
I saw somewhere online somebody suggested making changes at "User Settings", but that screen gives me the same error message. Going to "Users" I see 0 users, and it won't let me add any (the plus is greyed out).
The account I am using is just a personal account, it is not tied to any organization so there is no admin. I assume I should have full permission or be able to give it to myself, but can't figure out how.
Getting a Trial Azure account fixed this problem, so it appears one is needed to use the "App Registrations" section.
It is still a little unclear why an account is not needed for the preview mode, however.
Also, it would be nice if Azure would show a proper message saying an account is needed instead of an error message, but that is a minor point.