I have followed this walkthrough to create a multi-tenant web application that can connect to Dynamics 365 CE Online. Walkthrough: Multi-tenant server-to-server authentication.
When I ran the app for the first time and tried to sign in to the Dynamics CRM, it asked me to provide a consent that I accepted. And then it returned the below error:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException HResult=0x80131500 Message=AADSTS65001: The user or administrator
has not consented to use the application with ID
'XXX' named 'MvcCrmStsWalkthrough'.
Send an interactive authorization request for this user and resource.
For subsequent tries, it didn't ask for consent. However, kept returning the aforementioned error.
What I have used for this POC
Dynamics CRM Online trial
Azure Active Directory service that was included by default with the CRM
trial and was enough to perform application registration on Azure AD
Visual Studio 2017 community edition
What I have tried so far
In Azure AD I already have granted permission using the 'Grant Permission' button on the registered app Settings > Required Permissions (Seems accepting user consent through my custom app does the same)
Setting oauth2AllowImplicitFlow to true in the Azure AD app manifest
I verified that the O365 account that I am using to log in through the app has Global Administrator directory role in the AD
Sample code
Exactly the same as mentioned in the walkthrough
Related
I want to access the outlook API with a Python application. I followed this guide but quickly ran into authentication issues. Tried it with my existing private Microsoft account and with a new created account, but ran into authentication issues quickly. Whenever I try to do anything in the portal, I get this message:
Already checked in with the general Microsoft support. They directed me towards Azure support, but I can't reach anybody there.
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the Microsoft personal account is not added as an external/guest user to an Azure AD tenant.
To resolve the error, contact the Global admin to invite the account as a guest user like below:
Once the admin invites, you will get an email notification to accept the invitation like below:
After accepting the invite, the Personal Microsoft account will be added to the tenant successfully like below:
And now you will be able to access the Azure Portal without any issue and you can also create your own tenant to have admin access.
If still the issue persists, try the below:
Sign out from the active session and sign in incognito window or any different browser.
Clear browser cache and cookies and try.
Confirm whether the admin has set any External user settings that is restricting the access:
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory
When looking into the Build Python apps with Microsoft Graph tutorial that you followed, one of the pre-requisites mentioned signing up for the Microsoft 365 Developer Program to get a free Microsoft 365 subscription. After you sign-up, you'll need to use the Microsoft 365 developer sandbox credentials in order to continue following the tutorial without having to leverage your own Azure AD tenant or subscription (pay-as-you-go).
Build Python apps with Microsoft Graph:
Join the Microsoft 365 Developer Program
Deploy the Developer Sandbox
Using the Microsoft 365 Developer subscription(s) info you'll be able to login to the Azure Portal or Azure Active Directory admin center.
Note: You can navigate to your developer tenant using - https://aad.portal.azure.com/<<SandboxTenantName>>.onmicrosoft.com, or when prompted to sign in use your sandboxes' admin account.
If you only signed up for a new personal Microsoft account (Outlook), you'll notice that once you sign into the Azure AD Admin Center, your Outlook.com user isn't associated with any Azure tenants, and you'll run into the authentication issue error message that you referenced, so you'll have to create your own Azure AD tenant by signing up for an Azure Free Trial or Pay-as-you-go.
I hope this helps!
Hi I'm trying to Embed a PowerBI report in Asp.Net application using the sample application downloaded from here . I'm using UsersOwnData flow.
The same portal has created the Azure AD app registration with the permissions shown in below image. Although none of the permissions need admin consent, I'm getting an error saying admin consent is needed as shown in below image when I hit the authorize endpoint. Am I missing something?
The app was registered as a multitenant application although it was not intended. Since Nov 9th 2020 Microsoft requires admin consent to be granted for multitenant apps and end users cannot grant the consent if the publisher is not verified by entering the MPN Id.
This was the issue in my case. It was solved by granting the admin consent. The small note displayed in the Authentication blade helped me to identify the issue.
I am having difficulty logging in to a Microsoft site using my Azure AD (Work) account.
After successfully authenticating, I get the error:
AADSTS700016: Application with identifier '3075c070-b4d6-4bba-88c3-bcc51c74a2f4' was
not found in the directory '{my-directory}'. This can happen if the
application has not been installed by the administrator of the tenant
or consented to by any user in the tenant. You may have sent your
authentication request to the wrong tenant.
I have gone into my Azure AD tenant and searched for an application with that Id so I can add it, but it returns no results.
I am able to authenticate if I use an account that has a Microsoft Account, however, when I get to the Microsoft page, I get an error saying I need to log in using the same email account that the account was registered under.
Unfortunately, the work account I need to use does not have an associated Microsoft Account.
I think a solution to this would be to add the Application into my tenant, but not sure how to find the application with ID only.
I am afraid that you can not add the application into your tenant manually. When you successfully login in to this application, this application will exist in your tenant under enterprise application.
But it seems that this application only allows Microsoft account to login.
We just moved to Azure Portal and i created a Xamarin Cross-Platform app that gets authenticated via MSAL.
When i was building the app. it was registered on https://apps.dev.microsoft.com/, and the user was getting authenticated without any problems.
After testing, i registered it on our Azure Portal under app registration, gave it the required permissions as before, and updated the app ID in the code.
Now, i cant even go past my email page. I keep getting the message:"It looks like you're trying to open this resource with an app that hasn't been approved by your IT dept", even though the admin granted the permissions to the app. Not sure where to go from here. Any help appreciated.
Thanks in advance
When i was building the app. it was registered on https://apps.dev.microsoft.com/, and the user was getting authenticated without any problems.
apps.dev.microsoft.com is used to register the application for Azure AD v2.0, and you could leverage MSAL for authenticating users by using AD account or personal Microsoft account.
For the application registered on Azure portal, you need to use the ADAL library. Detailed tutorial about integrating Azure AD (v1.0) with your xamarin apps, you could follow here.
UPDATE:
Based on your scenario, for using MS graph via ADAL, you could create an app under your tenant and add the required delegated permissions to the Microsoft Graph API. The AcquireTokenAsync method would look as follows:
var authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", clientId, returnUri, parent);
Moreover, for differences between app-only and delegated scopes permissions, you could follow here. Also, you could check differences between Microsoft Graph or Azure AD Graph.
We have an Azure resource app whose APIs we want to expose for access by a client app on Azure. The two apps are on different tenants. The users accessing the APIs (Office 365 account holders) are on different tenants.
The whole set up works when we manually provision a service principal on the tenant that is trying to authenticate from the client app against the resource app. By that I mean they are able to log in using their Office 365 account and are shown the consent screen.
If we do not provision a service principal on the AAD tenant of the user trying to authenticate, we get this error:
AADSTS65005 - The app needs access to a service <service> that your
organization org.onmicrosoft.com has not subscribed to or enabled. Contact
your IT Admin to review the configuration of your service subscriptions.
It is not feasible for us to provision a service principal on every tenant that is accessing our app (resource app). Is there something we are missing? Are we using the right flow?
You can find help for your scenario here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent. (Scroll down to Multiple tiers in multiple tenants)
In the case of an API built by an
organization other than Microsoft, the developer of the API needs to
provide a way for their customers to consent the application into
their customers' tenants.
The recommended design is for the 3rd party
developer to build the API such that it can also function as a web
client to implement sign-up:
Follow the earlier sections to ensure
the API implements the multi-tenant application registration/code
requirements
In addition to exposing the API's scopes/roles, ensure
the registration includes the "Sign in and read user profile" Azure AD
permission (provided by default)
Implement a sign-in/sign-up page in
the web client, following the admin consent guidance discussed earlier
Once the user consents to the application, the service principal and
consent delegation links are created in their tenant, and the native
application can get tokens for the API
Basically, all of the parts that your app needs must be present as service principals in the customer's tenant. This is a requirement of AAD.
The only way for that to happen is for an admin to go through consent for the API and app separately, since they are registered in different tenants.
If they were registered in the same tenant, you could use the knownClientApplications property in the manifest to allow consenting to both at the same time.
In my case, I am exposing my own API and trying to access this API from my other Application (Client Credentials mode), I removed the default permission on both of the app(consuming app and api app) - "Azure Active Directory Graph-> User. Read" since I thought I don't need that but that caused this problem "The app needs access to a service .... that your organization has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service+subscriptions.
I got the clue from the answer of #juunas - point 2. Thx Juunas