I have a release pipeline that deploys a web application to an Azure App Service. Everything was working until I transferred the Azure subscription to another owner. It has been over 24 hours since the transfer was completed and I am still getting the error.
I have granted myself Global Admin role.
Error(s):
Service connection creation operation failed
Failed to set Azure permission 'RoleAssignmentId: 380a3598-2863-4b12-b8e7-9e80d7d50125' for the service principal 'f0f249b2-2f4b-435b-b7d7-2d5a739b14a6' on subscription ID '834a2851-5d95-4e8e-9196-cb583f4fdb69': error code: Unauthorized, innner error code: InvalidAuthenticationTokenTenant, inner error message The access token is from the wrong issuer 'https://sts.windows.net/0fd08f18-29f8-479b-80d9-8d28b52bab6c/'. It must match the tenant 'https://sts.windows.net/b6ee8e7c-ae9f-4188-8654-65dbbbd2b302/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/b6ee8e7c-ae9f-4188-8654-65dbbbd2b302' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later. For troubleshooting refer to link.
Session Id: 0d012481-a910-4b74-981b-bffca782472d
I was able to resolve the issue by having my user removed from AD on the account that the subscription was transferred from.
I am using Azure API to create blob storage account.
For my old subscription it works, but after I created a new subscription and tried to use it, the API fails with the error:
The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/write' over scope '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.
When I try to create it from the UI with that subscription it does work.
How can I solve the issue, so I will be able to use the API also with the new subscription?
Both subscriptions need to be in the same Azure AD directory. If they are not then you are out of luck (but you can move subscriptions between directories).
Click on your new subscription and go to Access Control. Look for your app registration and grant it the appropriate permission against your subscription.
You can also do this at the storage account level if you want to scope the app's permissions to only that resource.
I have an application (AWX) with a script that is trying to perform an action in Azure (add tags to a vm). In AWX, I get the following error, apparently from Azure: msg: "Error retrieving resource group usw-sys-rg-001 - The client '9d...27' with object id '9d...27' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/83...4a/resourcegroups/usw-sys-rg-001' or the scope is invalid. If access was recently granted, please refresh your credentials."
Seems like a straightforward message. The account/identity/principal being used is not authorized. The problem is, the client id in the error message does not correlate with any credential object I have in AWX, and specifically it doesn't correlate with the Microsoft Azure Resource Manager credential I have in AWX. Not being the author of this AWX playbook, I'm a bit puzzled by all of this.
Since the error appears to come from Azure, and Azure doesn't seem to say that the client id doesn't exist, this makes me think that I should be able to find that identity in Azure (presumably it's a service principal) and inspect its permissions. However, when I filter through the app registrations, I can find no entry with a client id matching the one from the error message above.
How do I find the service principal in Azure Portal? Or is it something else?
I must be looking at this wrong. Does anyone have any pointers? Many thanks.
First, make sure you are logged in to the correct Azure AD tenant in the portal.
Secondly, navigate to Enterprise applications (not App registrations, because some service principals will not have a corresponding App registration in your AAD tenant, e.g. Managed Identity, etc.) in Azure Active Directory.
Then filter by All Applications as shown below, enter the client id, and you will find it.
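To make the two error messages quoted above actionable, here is an added example (my own code, not from either question or answer on this page) that parses the "does not have authorization to perform action ... over scope ..." message, pulls out the client id and object id you would search for under Enterprise applications, splits the ARM scope into subscription, resource group and resource, and prints the Azure CLI commands that locate the principal and grant it a role at the narrowest scope. The sample messages are the redacted ones from the page; the role names passed to the assignment helper (`Reader`, `Storage Account Contributor`) are assumptions for illustration, and choosing the least-privileged built-in role that contains the denied action is the caller's job.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Azure Resource Manager authorization failure, as quoted in the questions above.
_AUTHZ_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)

# ARM scope grammar (case-insensitive):
# /subscriptions/{id}[/resourceGroups/{rg}][/providers/{namespace}/{type}/{name}...]
_SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourcegroups/(?P<rg>[^/]+))?"
    r"(?P<resource>/providers/.+)?$",
    re.IGNORECASE,
)


@dataclass
class AuthzFailure:
    client_id: str          # appId of the caller; search for it under Enterprise applications
    object_id: str          # objectId of the service principal (or user) that was refused
    action: str             # the RBAC action that was denied
    scope: str              # the scope exactly as ARM reported it
    subscription: str
    resource_group: Optional[str]
    resource_path: Optional[str]

    def candidate_scopes(self) -> List[str]:
        """Scopes at which a role assignment would satisfy the denied action, narrowest
        first: the resource itself, then its resource group, then the subscription."""
        sub = f"/subscriptions/{self.subscription}"
        prefix = sub + (f"/resourceGroups/{self.resource_group}" if self.resource_group else "")
        scopes = []
        if self.resource_path:
            scopes.append(prefix + self.resource_path)
        if self.resource_group:
            scopes.append(prefix)
        scopes.append(sub)
        return scopes


def parse_authz_failure(message: str) -> AuthzFailure:
    """Extract principal, action and scope from an ARM 'does not have authorization' error."""
    m = _AUTHZ_RE.search(message)
    if not m:
        raise ValueError("not an ARM authorization failure message")
    s = _SCOPE_RE.match(m["scope"])
    if not s:
        raise ValueError(f"unrecognised ARM scope: {m['scope']}")
    return AuthzFailure(
        client_id=m["client"], object_id=m["object_id"], action=m["action"], scope=m["scope"],
        subscription=s["sub"], resource_group=s["rg"], resource_path=s["resource"],
    )


def az_locate_principal(failure: AuthzFailure) -> str:
    """CLI equivalent of the Enterprise applications search; --id accepts an appId or objectId."""
    return f"az ad sp show --id {failure.object_id}"


def az_role_assignment(failure: AuthzFailure, role: str, scope: Optional[str] = None) -> str:
    """Role assignment for the refused principal at the chosen (default: narrowest) scope.
    The role name is the caller's decision (assumed values are used in __main__ below)."""
    scope = scope or failure.candidate_scopes()[0]
    return (
        "az role assignment create "
        f"--assignee-object-id {failure.object_id} "
        "--assignee-principal-type ServicePrincipal "
        f'--role "{role}" --scope {scope}'
    )


# Constructed samples: the two (redacted) messages quoted on this page.
STORAGE_ERROR = (
    "The client 'xxx' with object id 'xxx' does not have authorization to perform action "
    "'Microsoft.Storage/storageAccounts/write' over scope "
    "'/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxxx' "
    "or the scope is invalid. If access was recently granted, please refresh your credentials."
)
AWX_ERROR = (
    "Error retrieving resource group usw-sys-rg-001 - The client '9d...27' with object id "
    "'9d...27' does not have authorization to perform action "
    "'Microsoft.Resources/subscriptions/resourcegroups/read' over scope "
    "'/subscriptions/83...4a/resourcegroups/usw-sys-rg-001' or the scope is invalid. "
    "If access was recently granted, please refresh your credentials."
)

if __name__ == "__main__":
    for msg, role in ((STORAGE_ERROR, "Storage Account Contributor"), (AWX_ERROR, "Reader")):
        f = parse_authz_failure(msg)
        print(f"denied {f.action} for appId={f.client_id} objectId={f.object_id}")
        print("  ", az_locate_principal(f))
        print("  ", az_role_assignment(f, role))
```

The object id, not the client (app) id, is what `--assignee-object-id` wants; passing the app id of a principal that has no service principal object in the new tenant is exactly how the "cannot find it under App registrations" confusion above arises.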
I am trying to call Azure Maps with OAuth access tokens but it is throwing me 403 Forbidden with the message "Permission, capacity, or authentication issues.". I have followed procedure mentioned here: https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication
Created App Registration in AD, generated secret
Added API permission to Azure Maps
In Azure Maps > IAM > added the application as Map Data Reader
Got the Access token from https://login.microsoftonline.com//oauth2/token with resource=https://atlas.microsoft.com/
Calling https://atlas.microsoft.com/route/directions/json?api-version=1.0&query=52.50931,13.42936:52.50274,13.43872 with x-ms-client-id and Authorization=Bearer
Same procedure works correctly for my personal free subscription but not in my company's subscription. Don't know how to debug.
For reference, see the documentation on how Azure RBAC works.
Ensure you have no deny assignments possibly enforced from management groups on the particular role.
Make sure the role assignment is applied to the correct scope. Meaning on the scope of an Azure Maps Account or a parent of the account such as the resource group or subscription.
If you have security principals assigned to the correct scope but are still receiving 403, it usually means you have assigned, or are authenticating with, the wrong security principal.
Example:
"App only" token for an App Registration requires the service principal App to be assigned at the scope.
If you as a user authenticate to the App Registration, that would mean the user security principal should be assigned to the scope, not the app.
If you are using Azure AD groups it could mean that the security principal may not be part of the group which is assigned access.
I don't think it's common to add service principals to security groups though. But it is a possibility which should be confirmed. There is also a possibility of delay before the permissions are propagated but this usually shouldn't take more than a few minutes.
Just to be thorough, though it may not apply here: certain REST APIs require the S1 SKU to be selected on the account. This will result in the same error response.
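Most of the checks in the answer above (right tenant, right audience, app-only versus delegated principal) can be read straight off the bearer token before touching IAM, and the same check explains the "wrong issuer" error at the top of this page. The following is an added example of mine, not code from the question, the answer or Microsoft: it decodes the payload of an Azure AD access token without verifying the signature (you are inspecting your own token, not accepting someone else's) and reports which tenant issued it, which resource it is for, and which security principal must hold the role assignment. It reuses the two tenant ids quoted in the wrong-issuer error above; the sample tokens are constructed, unsigned JWTs, and the app-only heuristic (an `idtyp` claim of `app`, or no `scp` claim) is an assumption.

```python
import base64
import json
from typing import Any, Dict, List
from urllib.parse import urlparse

# Tenant ids quoted in the "wrong issuer" error at the top of this page.
OLD_TENANT = "0fd08f18-29f8-479b-80d9-8d28b52bab6c"
SUBSCRIPTION_TENANT = "b6ee8e7c-ae9f-4188-8654-65dbbbd2b302"
ARM = "https://management.azure.com/"
AZURE_MAPS = "https://atlas.microsoft.com/"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> Dict[str, Any]:
    """Return the claims of a JWT WITHOUT signature verification; only use on your own tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def issuer_tenant(claims: Dict[str, Any]) -> str:
    """Tenant id from the issuer: https://sts.windows.net/{tid}/ (v1 tokens) or
    https://login.microsoftonline.com/{tid}/v2.0 (v2 tokens)."""
    path = urlparse(claims["iss"]).path.strip("/")
    return path.split("/")[0] if path else ""


def diagnose_token(token: str, subscription_tenant: str, resource: str) -> Dict[str, Any]:
    """Answer the three questions from the answer above: which tenant minted the token,
    which audience it is for, and which security principal needs the role assignment."""
    claims = decode_jwt_payload(token)
    tenant = issuer_tenant(claims)
    # Assumption: app-only tokens carry idtyp=app or have no delegated scopes (scp).
    app_only = claims.get("idtyp") == "app" or "scp" not in claims
    problems: List[str] = []
    if tenant != subscription_tenant:
        problems.append(
            f"wrong issuer: token minted by tenant {tenant}, subscription lives in "
            f"{subscription_tenant}; request it from https://login.windows.net/{subscription_tenant}"
        )
    if claims.get("aud") != resource:
        problems.append(f"wrong audience: token is for {claims.get('aud')!r}, API expects {resource!r}")
    return {
        "tenant": tenant,
        "audience": claims.get("aud"),
        "principal_type": "ServicePrincipal" if app_only else "User",
        "principal_object_id": claims.get("oid"),  # the object id the role must be assigned to
        "app_id": claims.get("appid") or claims.get("azp"),
        "problems": problems,
    }


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Constructed test token (alg=none, empty signature); never accept such a token."""
    def enc(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: an app-only token from the old tenant aimed at ARM, and a
# delegated (user) token from the subscription's tenant aimed at Azure Maps.
APP_TOKEN = make_unsigned_token({
    "iss": f"https://sts.windows.net/{OLD_TENANT}/", "tid": OLD_TENANT, "aud": ARM,
    "appid": "f0f249b2-2f4b-435b-b7d7-2d5a739b14a6",
    "oid": "11111111-1111-1111-1111-111111111111", "idtyp": "app",
})
USER_TOKEN = make_unsigned_token({
    "iss": f"https://sts.windows.net/{SUBSCRIPTION_TENANT}/", "tid": SUBSCRIPTION_TENANT,
    "aud": AZURE_MAPS, "appid": "22222222-2222-2222-2222-222222222222",
    "oid": "33333333-3333-3333-3333-333333333333",
    "scp": "user_impersonation", "upn": "alice@example.com",
})

if __name__ == "__main__":
    print(json.dumps(diagnose_token(APP_TOKEN, SUBSCRIPTION_TENANT, ARM), indent=2))
    print(json.dumps(diagnose_token(USER_TOKEN, SUBSCRIPTION_TENANT, AZURE_MAPS), indent=2))
```

For a delegated token the `oid` is the user's object id, so a Map Data Reader assignment on the app registration's service principal does nothing for it; for an app-only token it is the service principal's object id, which is the one the IAM blade must list.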
We raised a ticket with Microsoft and they told us it was caused by "longer synchronization times regarding the RBAC configurations worldwide".
I moved an Azure subscription from Active Directory AD1 to Active Directory AD2. Now tasks have started failing, as the previous ARM endpoint (created via the auto SPN flow) was created with the old endpoint details. Hence tasks are not able to generate the right access token.
Error Message
The access token is from the wrong issuer 'https://sts.windows.net/***/'. It must match the tenant 'https://sts.windows.net/<TenantIdNew>/' associated with this subscription.
Please use the authority (URL) 'https://login.windows.net/<TenantIdNew>' to get the token.
Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later. (CODE: 401)
Additional Questions
How do I find which tenant is backing my VSTS? Where can I find it?
How do I find which tenant my subscription is backed by? Where can I find it?
Is it possible to re-use service endpoints created earlier (with AD1) after the move to AD2?
Is it possible to update the tenant Id (via REST API) in existing service endpoints after the move to AD2?
Will MSI based service endpoints be broken or will they be available after move to AD2?
There are the following possible solutions:
Change the Active Directory backing your Azure DevOps account from AD1 to AD2.
Build a trust relationship between Active Directory AD1 and AD2.
First, create an SPN via script and then create a manual endpoint with the details provided by the script.
Answers to additional Questions
How do I find which tenant is backing my VSTS? Where can I find it?
Go to Azure DevOps account > Organization > Azure Active Directory
How do I find which tenant my subscription is backed by? Where can I find it?
Go to Azure portal > Subscriptions > select your subscription > overview
Is it possible to re-use service endpoints created earlier (with AD1) after the move to AD2?
Yes.
First, let's understand what a service endpoint does internally:
Creates an app in AD.
Assigns it permission over the subscription.
Now let's go through our case,
You created a service connection with AD1, meaning AD app app1 was created in Active Directory AD1 and assigned permission on subscription S.
You moved subscription S to another active directory AD2, but AD app app1 still resides in previous active directory AD1.
To re-use existing service endpoint you have to update SPN Id, SPN key and tenant Id in the service endpoint.
In the case of a manual service connection, it's easy to update via the UI, but in the case of the auto SPN flow, you have to update the above-mentioned fields via the REST API.
Is it possible to update the tenant Id (via REST API) in existing service endpoints after the move to AD2?
Yes.
Get all endpoints
REQUEST TYPE - GET
https://<accountName>.visualstudio.com/<ProjectName>/_apis/distributedtask/serviceendpoints?api-version=3.2-preview.1
Get a specific endpoint
REQUEST TYPE - GET
https://<accountName>.visualstudio.com/<ProjectID>/_apis/distributedtask/serviceendpoints/<SERVICE_ENDPOINT_ID>?api-version=3.2-preview.1
Now update the tenant Id in the response and use it as the body of the update endpoint REST API call.
Update endpoint
REQUEST TYPE - PUT
https://<accountName>.visualstudio.com/<ProjectID>/_apis/distributedtask/serviceendpoints/<SERVICE_ENDPOINT_ID>?api-version=3.2-preview.1
Will MSI based service endpoints be broken or will they be available after move to AD2?
Yes, you only need to update the tenant Id in the service connection.
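Added example, my own code rather than anything from the question or answer: given the JSON returned by the "Get a specific endpoint" call above, it builds the body and request for the PUT that re-points an existing service endpoint at the new tenant. It assumes the azurerm endpoint shape as I know it (`authorization.scheme` of `ServicePrincipal`, with `tenantid`, `serviceprincipalid` and `serviceprincipalkey` under `authorization.parameters`, and the subscription under `data.subscriptionId`); confirm the field names against your own GET output. The GET response does not return the secret, so the new key has to be supplied in the PUT, which is why the answer says to update SPN id, SPN key and tenant id together. The personal access token, ids and sample endpoint are constructed placeholders, and nothing here performs network I/O.

```python
import base64
import copy
import json
from typing import Any, Dict, Tuple

API_VERSION = "3.2-preview.1"


def endpoint_url(account: str, project_id: str, endpoint_id: str) -> str:
    """URL pattern used by the 'Get/Update a specific endpoint' calls in the answer."""
    return (f"https://{account}.visualstudio.com/{project_id}/_apis/distributedtask/"
            f"serviceendpoints/{endpoint_id}?api-version={API_VERSION}")


def pat_auth_header(pat: str) -> str:
    """Azure DevOps REST auth: Basic with an empty user name and the PAT as the password."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def endpoint_tenant(endpoint: Dict[str, Any]) -> str:
    auth = endpoint.get("authorization", {})
    if auth.get("scheme") != "ServicePrincipal":
        raise ValueError(f"not a service principal endpoint: scheme={auth.get('scheme')!r}")
    return auth["parameters"]["tenantid"]


def needs_retarget(endpoint: Dict[str, Any], subscription_tenant: str) -> bool:
    """True when the endpoint still points at the tenant the subscription left (AD1)."""
    return endpoint_tenant(endpoint).lower() != subscription_tenant.lower()


def retarget_endpoint(endpoint: Dict[str, Any], new_tenant: str,
                      new_spn_id: str, new_spn_key: str) -> Dict[str, Any]:
    """Copy of the GET body with tenant id, SPN id and SPN key replaced (the three
    fields the answer says must change). The GET never returns the old key, so the
    caller must supply the new app's secret; the input dict is left untouched."""
    if not new_spn_key:
        raise ValueError("serviceprincipalkey is write-only; a new secret is required")
    body = copy.deepcopy(endpoint)
    params = body["authorization"]["parameters"]
    params["tenantid"] = new_tenant
    params["serviceprincipalid"] = new_spn_id
    params["serviceprincipalkey"] = new_spn_key
    return body


def build_update_request(account: str, project_id: str, endpoint: Dict[str, Any], pat: str,
                         new_tenant: str, new_spn_id: str, new_spn_key: str
                         ) -> Tuple[str, Dict[str, str], str]:
    """(url, headers, json body) for the PUT; send it with any HTTP client."""
    body = retarget_endpoint(endpoint, new_tenant, new_spn_id, new_spn_key)
    headers = {"Authorization": pat_auth_header(pat), "Content-Type": "application/json"}
    return endpoint_url(account, project_id, body["id"]), headers, json.dumps(body)


# Constructed sample: abbreviated GET response for an auto-created endpoint still bound to AD1.
AD1 = "11111111-aaaa-aaaa-aaaa-111111111111"
AD2 = "22222222-bbbb-bbbb-bbbb-222222222222"
SAMPLE_ENDPOINT = {
    "id": "e0e0e0e0-0000-0000-0000-e0e0e0e0e0e0",
    "name": "Prod-ARM",
    "type": "azurerm",
    "url": "https://management.azure.com/",
    "authorization": {
        "scheme": "ServicePrincipal",
        "parameters": {"tenantid": AD1, "serviceprincipalid": "app1-appid",
                       "authenticationType": "spnKey"},
    },
    "data": {"subscriptionId": "sub-S", "subscriptionName": "S",
             "environment": "AzureCloud", "creationMode": "Automatic"},
    "isReady": True,
}

if __name__ == "__main__":
    if needs_retarget(SAMPLE_ENDPOINT, AD2):
        url, headers, body = build_update_request(
            "myaccount", "proj-guid", SAMPLE_ENDPOINT, "pat-placeholder",
            AD2, "app2-appid", "app2-secret")
        print("PUT", url)
        print(json.dumps(json.loads(body)["authorization"], indent=2))
```

Compare the tenant reported by `needs_retarget` with the tenant shown on the subscription's overview blade (the answer's second question) before sending the PUT; if they already match, the failing token is coming from somewhere other than this endpoint.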
I am trying to create a multi-tenant openidconnect based application using instructions from azure-sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
AADSTS50000: There was an error issuing a token.
AADSTS65005: The application needs access to a service that your organization EXTERNALTENANT has not subscribed to.
Please contact your Administrator to review the configuration of your service subscriptions.
I am the admin, where should I update the configuration for this?
Is it possible to avoid this error with a consent prompt? Are there any other options?
The error message indicates that the tenant which the account you were trying to log in with belongs to has no subscription for the resource/permission you have configured on the Azure portal.
For example, if you register an application which requests Office 365 SharePoint Online like the figure below, then others who try to sign in to the application without a subscription to Office 365 would get the error message above.
To fix this issue, please ensure the customers have a sufficient subscription for the permission you have granted to the application.