I created a resource owner policy, downloaded it, and modified it. Now, I want to upload it as a custom policy. Is this possible? The error message I am getting makes me suspect not:
"Policy 'B2C_1A_B2C_1_SessionCleanup_Auth' in tenant
'ABCABCAB-CABC-ABCA-ABCA-ABCABCABC543' is blocked from inheriting
policies from 'b6291105-4814-4453-831c-7aba93c480b2' as the basic
policy constraint handler 'B2CBasicPoliciesOnly' cannot match the
policy id to a prefix or registered policy id."
Unfortunately, this isn't possible, you must create a custom policy to implement this.
A sample policy for the resource owner password credential flow can be found at the active-directory-b2c-advanced-policies repository.
Related
I am trying to use the following git repo in order to connect to azure ams, upload a video and stream it:
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts
For some reason I am keep getting the following error:
The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials
The AD user is owner but I understand it is a permission issue.
I searched all over the web for hours what permission do I need to grant and where but could not find any solution
The error get thrown here:
let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
name: encodingTransformName,
outputs: [
{
preset: adaptiveStreamingTransform
}
]
});
of course, I have updated the .env file to the correct data of my azure account.
Can anyone point out what am I missing and how to grant this permission?
Thanks!
The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.
Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.
AADCLIENTID="00000000-0000-0000-0000-000000000000"
AADSECRET="00000000-0000-0000-0000-000000000000"
Also, double check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has Contributor or Owner permission Role first.
If you are in an Enterprise that locks down AAD access - you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside of Media Services, and is just general Azure AAD application creation rights, and role assignments.
If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permisssion to your service principal.
As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 Javascript SDK.
See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1
I attempt to create an AKS cluster in a fresh new subscription. When a cluster is created via the web interface, eventually a CreateRoleAssignmentError error is produced with the following message:
RoleAssignmentReconciler retry timed out: autorest/azure: Service
returned an error. Status=403 Code="AuthorizationFailed" Message="The
client 'foo' with object id 'foo' does not have authorization to
perform action 'Microsoft.Authorization/roleAssignments/write' over
scope
'/subscriptions/bar/resourceGroups/MC_MyResourceGroup_mycluster_region/providers/Microsoft.Authorization/roleAssignments/az
Note that cluster is created with a manually created service principal, as per the documentation. This service principal has an "Owner" role on all Resource Groups within a subscription.
Note also that the reason I had to create a service principal manually is that the cluster could not be created otherwise in the first place. When attempted to create a cluster without explicitly specifying a service principal (that is, requesting a new one to be created automatically), another error was produced:
The credentials in ServicePrincipalProfile were invalid. Please see
https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh
request failed. Status Code = '400'. Response body:
{"error":"unauthorized_client","error_description":"AADSTS700016:
Application with identifier 'foo' was
not found in the directory 'bar'.
This can happen if the application has not been installed by the
administrator of the tenant or consented to by any user in the tenant.
You may have sent your authentication request to the wrong
tenant.\r\nTrace ID:
9ec6ed81-892d-4592-b7b5-61842f5c1200\r\nCorrelation ID:
bffbb112-7348-4403-a36f-3010bf34e594\r\nTimestamp: 2019-07-13
15:48:02Z","error_codes":[700016],"timestamp":"2019-07-13
15:48:02Z","trace_id":"9ec6ed81-892d-4592-b7b5-61842f5c1200","correlation_id":"bffbb112-7348-4403-a36f-3010bf34e594","error_uri":"https://login.microsoftonline.com/error?code=700016"})
I am doing these operations on a fresh new account and a subscription using an "initial" admin user, so I would suppose all permissions should be in place all right. What can explain the errors above?
as the OP asks, here's the answer. In order to create resources in Azure (doesn't matter which resources) you need permissions of type: provider/resource/write. Same goes for edits. This basic principle applies to all the resources out there. Now lets compare owner and contributor:
I have an AKS template that needs contributor role to work + this custom role:
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Assign AKS permissions to the vnet"
$role.Description = "Assign AKS permissions to the vnet for the inflation process"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Authorization/roleAssignments/write")
AKS clusters created by code using this role + contributor are fully functional.
User Access Administrator is a built-in role that you are being granted when you are the tenant admit and you grant yourself access to everything under your tenant: https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin. So it will obviously work if you grant yourself this role, but you can get away with a lot less permissions.
In my case I solved it by doing again "az login" and moving to the correct subscription,and then i tried to run the command again. It worked.
Also the reason may be you don't have the rights to create a cluster on that resource group. I had this kind of problem before,for that you should contact the person who administers you subscription to give you rights.
When I try to execute our PasswordReset(custom policy) policy from the Azure Portal, I'm getting
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
but our signInSignUp Policy is working fine.
How to find out what went wrong with PasswordReset Policy?
I added an outputclaim for returning identityProvider in the IdToken and the policy is not able to figure out the value of that. I assigned a defaultValue to that claim and now it is working
I have configured Azure AD B2C with custom policies but I am unable to authenticate with a new user created in the Azure portal. The user has a temporary password. Azure AD B2C returns the error text Invalid username or password, even though the username and password is correct.
I have confirmed that it is possible to login with the new user and temporary password in Azure AD B2C using non custom policies. After logging in, the user gets prompted to change their password.
The problem can be reproduced using the custom policies described in this guide:
Get started with custom policies.
Additional information:
I have configured the b2crecorder https://b2crecorder.azurewebsites.net/stream?id=<guid> in the UserJourneyRecorderEndpoint. Which gives access to more information through https://b2crecorder.azurewebsites.net/trace_102.html?id=<guid>
The problem result in the following logging:
SelfAssertedMessageValidationHandler
The message was received from null
Validation via SelfAssertedAttributeProvider
Additional validation is required...
OperativeTechnicalProfile is login-NonInteractive
Mapping 'username' partner claim type to 'signInName' policy claim type
Mapping default value 'undefined' to policy 'grant_type'
Mapping default value 'undefined' to policy 'scope'
Mapping default value 'undefined' to policy 'nca'
Mapping default value 'undefined' to policy 'client_id'
Mapping default value 'undefined' to policy 'resource_id'
Using validation endpoint at: https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token
Orchestration Step: 1
RA: 0
Protocol selected by the caller: OAUTH2
Communications with the caller handled by: OAuth2ProtocolProvider
IC: True
OAuth2 Message: MSG(d56987e9-be2e-46fc-a7a4-23e317f8f174) Message Detail
ValidationRequest:
ValidationResponse:
Exception:
Exception of type 'Web.TPEngine.Providers.BadArgumentRetryNeededException' was thrown.
The most common reason for this that Grant Permissions has not been executed.
On the "ProxyIdentityExperienceFramework application" -> after selecting the checkbox for Access IdentityExperienceFramework -> clicking on Select and hitting Done, you must also complete the next step:
Select Grant Permissions, and then confirm by selecting Yes.
Edit:
Sorry, after reading your situation carefully, both a "sign-up or sign-in policy" or "custom policy" do not support the Azure Active Directory forceChangePasswordNextLogin flag. (forceChangePasswordNextLogin will only work with a "sign-up policy") There is a feature request tracking this here.
Since this is the first SO article that pops up on this question, I'll add that another possibility to check when hitting this problem is, make sure the Proxy app type is Native, not Web.
I'm trying to create a Custom Role in azure (RBAC). But when I execute the powershell command New-AzureRmRoleDefinition here is the message I get saying that I'm not authorized to create it.
> New-AzureRmRoleDefinition .\developer_access_rbac.json
New-AzureRmRoleDefinition : AuthorizationFailed: The client 'admin#company.com' with object id
'{guid}' does not have authorization to perform action
'Microsoft.Authorization/roleDefinitions/write' over scope
'/providers/Microsoft.Authorization/roleDefinitions/{guid}'.
At line:1 char:1
+ New-AzureRmRoleDefinition .\developer_access_rbac.json
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleDefinition], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleDefinitionCommand
I asked from one of our administrators in our organization and he says the account admin#company.com is already a Global Administrator. And in the active directory admin#company.com is displayed as a Service Administrator.
I'm a little confused by these permission levels in azure. Can anyone explain to me how to acquire the needed permission to the account admin#company.com for solving the issue.
Taken from https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/#custom-roles-access-control:
Who can create a custom role? Owners (and User Access Administrators) of subscriptions, resource groups, and resources can create custom roles for use in those scopes. The user creating the role needs to be able to perform Microsoft.Authorization/roleDefinition/write operation on all the AssignableScopes of the role.
Who can modify a custom role? Owners (and User Access Administrators) of subscriptions, resource groups, and resources can modify custom roles in those scopes. Users need to be able to perform the Microsoft.Authorization/roleDefinition/write operation on all the AssignableScopes of a custom role.
Who can view custom roles? All built-in roles in Azure RBAC allow viewing of roles that are available for assignment. Users who can perform the Microsoft.Authorization/roleDefinition/read operation at a scope can view the RBAC roles that are available for assignment at that scope.
I actually came across this same issue and found the error to be misleading.
I had to clear the assignable scopes and then add one back.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/12345678912345789123456789")
I encountered the same kind of issue. The problem was with the AssignableScopes section in the json file. Just needed to add: /subscriptions/