Azure AD registered app not showing ToS/Privacy links on Consent screen - azure

I'm trying to include Terms of Service and/or Privacy Statement links to Azure AD web application consent screen according to documentation.
I can see and test the consent screen just fine when appending &prompt=consent on login URL https://login.microsoftonline.com/TENANT_ID/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=CLIENT_ID&scope=openid+profile+email&response_mode=form_post&nonce=NONCE&state=redir%3D%252F&sso_reload=true&prompt=consent but for some reason ToS/PS links are not shown where they should be (please see documentation link above).
Here's how I have defined them on app manifest:
Is there something else in addition to defining the URLs that is required for the links to be shown on consent screen?

I can reproduce your issue. After changing the application to multi-tenant, it works.
This is my test result.
Then I check the document again.
The terms of service and privacy statement are especially critical for user-facing multi-tenant apps--apps that are used by multiple directories or are available to any Microsoft account.
Hope it helps.
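The two conditions this thread ended up depending on, written as a check over an app-registration manifest. This is an added example, not code from the question or the answer; the key names signInAudience and informationalUrls.termsOfService/privacy are assumed to follow the Azure AD v1 manifest format, and the sample manifests are constructed.

```javascript
// Audiences that make an app multi-tenant (assumed v1 manifest values).
const MULTI_TENANT = new Set(['AzureADMultipleOrgs', 'AzureADandPersonalMicrosoftAccount']);

// One informational URL must be set, absolute, and https; returns a reason or null.
function checkUrl(label, value) {
  if (typeof value !== 'string' || value.trim() === '') return `${label} is not set`;
  let u;
  try { u = new URL(value); } catch { return `${label} is not an absolute URL: ${value}`; }
  if (u.protocol !== 'https:') return `${label} must use https: ${value}`;
  return null;
}

// Returns the list of reasons the ToS/Privacy links would not render;
// an empty list means both the audience and the URLs look right.
function consentLinkProblems(manifest) {
  const problems = [];
  if (!MULTI_TENANT.has(manifest.signInAudience)) {
    problems.push(`signInAudience "${manifest.signInAudience}" is single-tenant; in this thread the links only rendered after switching to multi-tenant`);
  }
  const urls = manifest.informationalUrls || {};
  for (const key of ['termsOfService', 'privacy']) {
    const p = checkUrl(`informationalUrls.${key}`, urls[key]);
    if (p) problems.push(p);
  }
  return problems;
}

// Constructed sample manifests: the same URLs, single- vs multi-tenant.
const singleTenantManifest = {
  signInAudience: 'AzureADMyOrg',
  informationalUrls: {
    termsOfService: 'https://myapp.example/tos',
    privacy: 'https://myapp.example/privacy',
  },
};
const multiTenantManifest = { ...singleTenantManifest, signInAudience: 'AzureADMultipleOrgs' };
```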

Related

Azure Kudu access for users with Lighthouse delegated permissions

I have delegated access to Azure resources in a third-party tenant using Lighthouse, and this works fine via the portal; users receive the roles expected (typically Contributor).
However, they are unable to access Kudu (at webappname.scm.azurewebsites.net), receiving an error:
Selected user account does not exist in tenant 'Tenant Name' and cannot access the application 'abfa0a7c-a6b6-4736-8310-5855508787cd' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
If the same user account is added as a guest to the third-party tenant and given the same role, they can access Kudu as expected.
It's clear that Kudu is expecting/demanding an account in the same tenant as the application, but Azure Lighthouse delegated permissions is all about not having to do that.
Is there something I'm missing, or another role that needs granting?
#PhilD, Thanks for the detailed description of the scenario. I have also posted this on your Q&A thread.
Currently, Kudu is not compatible with Lighthouse-delegated permissions.
Our product engineering team is working on it; however, we do not have an exact ETA to share.
We’re expecting it to be available in a few months. Please note that this timeline is just an estimate and is subject to change, depending on a myriad of factors.
I have relayed the feedback internally to our product engineering team and it’s being tracked.
On a side note, as mentioned in this Kudu wiki:
“Only those with Contributor / Owner access (to be exact, with microsoft.web/sites/publish/action or, for slot, microsoft.web/sites/slots/publish/action) can access to Kudu (SCM).”
Much appreciate your valuable feedback on this. Thanks for your patience!

How to add logo, banner or text on application level to show on login page when logging in to an application with Azure AD?

I've created an Azure account and added an application to it.
On company level I changed the branding (added a background and banner to the login page).
This is working great.
But I would like to create a branding on application level.
Let's say I have two applications: app1 and app2.
When pressing the login button on both applications it will redirect me to the login.microsoftonline.com/....
After filling in my email, I'm able to see the on company level defined background and banner.
But I would like to add different background/banner (or text) for both applications.
So the login.microsoft... of app1 needs to show the banner that belongs to app1 and app2 needs to show the banner that belongs to app2.
Is this possible?
I noted that there is also a branding item on application level where I can add a logo.
However, when I add one there it will only be shown in the azure environment itself.
At present, an app registered in Azure AD may not be able to have its own customized login page UI like in Azure AD B2C. It may be due to some functionality issue in the branding option. You may see this thread.
You may give Set-AzureADApplicationLogo (AzureAD) a try, checking the guidelines for size and dimensions and selecting an absolute path for the file path.
Set-AzureADApplicationLogo [-ObjectId <String>] -FilePath <String>
Otherwise you can provide any feedback, idea or suggestion here: https://feedback.azure.com/forums

Azure b2c Custom email verification doesn't work

I have spent several days trying to customize the email verification of my project, but it's been impossible to change anything.
I followed many times:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-get-started
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-sendgrid
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-email-mailjet
I uploaded the new custom policies B2C_1A_TrustFrameworkBase and B2C_1A_TrustFrameworkExtensions with all the changes described in the manual, but I still don't know why I can't even generate an application error, and the default Microsoft email verification keeps working normally. Is there any way to track what I might be missing?
You can refer to the troubleshooting documentation about turning the B2C engine into developer mode and tracking the B2C engine itself.
There is separate documentation and technical profiles explaining how to use Application Insights to track user behavior during user journeys. You can discover more about this here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/analytics-with-application-insights

Multiple domains for single Azure B2C Application

We have an application that we want to host only once but allow 2 different domains to direct to the one instance; we then change the branding based on the incoming host. For instance, https://app.abc.com points to the same instance as https://app.def.com.
So they are not subdomains but rather independent domains. This would mean they also share the same Azure registered application but have different return URLs, https://app.abc.com/auth/openid/return and https://app.def.com/auth/openid/return.
The Azure portal, however, gives the error "You may not use more than 1 external domain(s)".
Is there any way around this without having to host 2 instances of the same application, each with its own Azure application/client id?
As Wayne mentioned, it is not currently possible to reply to multiple domains.
However, one workaround is to build a proxy in one of the websites. You always redirect to this proxy, which then redirects to the proper site. You could use the state parameter to store which "site" the user clicked "sign in" from, and then based on that redirect properly. You would have to be careful in making sure the token is passed through securely.
Unfortunately, you cannot achieve this.
Reply URLs must all belong to the same domain, and Redirect URIs must all belong to the same domain. This is a limitation of AAD B2C application registration.
You can also see this note in the Azure portal:
Is there any way around this without having to host 2 instances of the same application, each with its own Azure application/client id?
For a Web API or Web App, as far as I know, there is no way to achieve this for now.
I suggest you upvote this idea on this UserVoice page; the AAD B2C team will review it.
Hope this helps!
In case anyone stumbles across this issue as I did today, I found a workaround for this.
Caution: This method is not officially supported by MS according to a warning from MS in the Azure portal (see the second screenshot)
1) In your B2C tenant, navigate to "All services" --> search for "App registrations" --> click "App Registrations"
All services --> App registrations screenshot
2) Find your application in the application list and click on it. Note the warning from MS (see screenshot)
App registration list screenshot
3) Click on "Authentication" and add your Redirect URIs to the list. This is the same UI as non-B2C tenants.
Redirect URI list screenshot
It allowed me to enter redirect URIs with different domains. It doesn't appear to have the limitation as the "Azure AD B2C" blade. I had to wait a minute for the change to propagate, but it worked for me. I'm not going live with this anytime soon, so I'm ok with doing this for now. When I do decide to go live I'll probably find some other way of doing what I want if MS still hasn't green-lit this method.
Again, MS warns against using this at the moment, but hopefully they'll officially support it soon.

AADSTS90093: Calling principal cannot consent due to lack of permissions

I'm getting the following error when non-global admin users are trying to access graph explorer 2 within our tenant:
Additional technical information:
Correlation ID: 2346b0f5-bb5f-4138-8f9d-07fa96dcf02f
Timestamp: 2015-05-29 17:18:48Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.
From within Azure we have "users may give applications permission to access their data" set to yes. We also have "users may add integrated applications" set to yes.
Just wanted to check which URL you are going to. We have 2 "graph explorers" - one is for exploring Azure AD Graph API, while the other (called API explorer) is for exploring the Office 365 unified API.
If you are going to https://graphexplorer2.cloudapp.net - this is (AAD) graph explorer, and should not require admin permissions. Please let us know if this is what you are using and if this is causing issues.
If on the other hand you are going to https://graphexplorer2.azurewebsites.net - this is the API explorer, and due to the number of APIs it requires access to, it currently requires admin consent. We'll look into a way to reduce the number of scopes that this requires access to, to get to a place where users can consent (but that's not the case currently).
Hope this helps,
I ran into this issue today and here is what I did:
Log in to your AD application in the classic portal (https://manage.windowsazure.com/).
Under the "Configure" section there is "permissions to other applications"; look at the "delegated permissions" for "Windows Azure Active Directory".
Make sure you pick the correct permissions for your app. Normally, "Sign in and read user profile" is enough for a user to log in.
For more information you can take a look at this link: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
I worked on a Skype for Business Online use case (Web API). I faced this issue for users who were not global admins, users who were added by the global admin.
I managed to resolve the issue by passing extra parameter prompt=admin_consent.
// Each query value is percent-encoded; the original concatenated window.location.href raw, which breaks as soon as the current URL contains '?' or '&'.
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
href += encodeURIComponent(client_id) + '&resource=' + encodeURIComponent('https://webdir.online.lync.com') + '&redirect_uri=' + encodeURIComponent(window.location.href) + '&prompt=admin_consent';
For more details visit this link: https://blogs.msdn.microsoft.com/exchangedev/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-office-365-exchange-online/
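An added example (not the answerer's code) that builds the same v1 authorize request with proper encoding and turns an AADSTS90093 error on the callback into the admin-consent request this answer arrived at, instead of looping the user back into a consent prompt they cannot complete. The endpoint and parameter names follow the answer; the client id, resource and redirect URIs in the usage are constructed.

```javascript
const AUTHORIZE = 'https://login.microsoftonline.com/common/oauth2/authorize';

// Build the implicit-flow authorize URL; URLSearchParams encodes every value,
// so a redirect URI containing '?' or '&' survives intact.
function buildAuthorizeUrl({ clientId, resource, redirectUri, prompt }) {
  const params = new URLSearchParams({
    response_type: 'token',
    client_id: clientId,
    resource,
    redirect_uri: redirectUri,
  });
  if (prompt) params.set('prompt', prompt); // e.g. 'admin_consent'
  return `${AUTHORIZE}?${params}`;
}

// Read the error the authority returns on the redirect. The implicit flow
// puts it in the fragment; the code flow puts it in the query string.
function parseCallbackError(urlString) {
  const u = new URL(urlString);
  const p = new URLSearchParams(u.hash ? u.hash.slice(1) : u.search);
  const m = (p.get('error_description') || '').match(/AADSTS\d+/);
  return { error: p.get('error'), code: m ? m[0] : null };
}

// AADSTS90093 means the signed-in user is not allowed to consent, so the next
// step is an admin-consent request; for anything else there is nothing to do.
function adminConsentUrlIfNeeded(callbackUrl, opts) {
  const { code } = parseCallbackError(callbackUrl);
  return code === 'AADSTS90093' ? buildAuthorizeUrl({ ...opts, prompt: 'admin_consent' }) : null;
}

// Constructed usage: a normal request, then the callback carrying the error.
const opts = {
  clientId: 'CLIENT_ID',
  resource: 'https://webdir.online.lync.com',
  redirectUri: 'https://app.example/cb?x=1',
};
const firstRequest = buildAuthorizeUrl(opts);
const failedCallback = 'https://app.example/cb#error=access_denied'
  + '&error_description=AADSTS90093%3A+Calling+principal+cannot+consent+due+to+lack+of+permissions.';
const retryWithAdmin = adminConsentUrlIfNeeded(failedCallback, opts);
```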
