A few days ago, before implementing user management with the Azure Active Directory Graph API (not Microsoft Graph) in our web app for Azure AD B2C users, I was able to log into the Azure Portal, find the Azure Active Directory B2C resource, click on it, and successfully authenticate into it in order to edit policies, view the list of users, etc.
(Clicking the tenant in the screenshot used to work!)
Now when I click on it, the screen flashes about 10 times, attempting to log my user into the tenant. But afterward, the following error is returned:
Furthermore, when I attempt to log into the web app with that same user, I get the following error message:
ERROR: Your account has been locked. Contact your support person to unlock it, then try again.
How do I unlock the account if I can't even get into the Azure AD B2C tenant? Did I corrupt the tenant by using the AAD Graph Client?
UPDATE
I'm adding more information about how I'm using the Azure AD Graph Client, in case it is important to diagnose why I, nor any other admin on my team, can log into the AAD B2C tenant.
I think the most relevant piece of how I'm using the Azure AD Graph Client is the following to update a user's "Organization" extension/custom attribute:
The x's represent the AAD B2C generated identifier associated with the extension and the y's represent a user GUID.
HTTP PATCH to https://graph.windows.net/genlogin.onmicrosoft.com/users/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy?api-version=1.6
Body: {
"extension_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_Organization":"Microsoft"
}
Is this incorrect use of the graph client? How do I get the AAD B2C tenant back to a state where I can log into it?
UPDATE
Furthermore, I also found the following link which talks about existing issues in AAD B2C management: https://blogs.msdn.microsoft.com/azureadb2c/2016/09/09/known-issue-b2c-app-mgmt/
Does this link apply at all? (My guess is no because it is the tenant itself that seems to be in a weird state, not the application associated with the tenant)
Due to the screen flashes about 10 times .It seems that you tried to login the Azure too many times within a short time. Azure login server has its own policy to prevent this kind of uncommon login event.
Try to use another admin account to login the b2c Tenant and reset your account password. If you don't have , call other admins to help you.
Otherwise, you need to wait and try to login later.
Additional, your client broswer may come across some issue which causes this event. You'd better check the evironment for your work.
Related
We have a Drupal site setup to login with Azure AD via a third party OpenID connect module.
This is linked to an Azure AD app registration in single tenant mode.
When a user visits the site whilst logged-in to an account that isn't in our tenant, they see an error message similar to this:
Message:AADSTS50020: User account 'XXXXX#example.com' from identity provider 'https://sts.windows.net/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/' does not exist in tenant 'TENANT NAME' and cannot access the application 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'(SITE NAME) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This message is completely incomprehensible to most of our users. I'd like to change it to something more meaningful such as
Please login with an INSTITUTION NAME account to access this site e.g.: username#ourdomain.com
Is this something that can be configured within the Azure AD app registration? Or elsewhere in our tenancy configuration?
In case of azure ad B2C you can create a custom error page using a technical profile based on localization or a custom policy error page. But in case of regular Azure AD (B2B), there is no way to specify custom error messages or error pages.
If there is any case where the error message is passed back to your application. there may be a possibility to deal with it as you can configure through code as required but there isn't any guidance regarding error passed to backend .
I'd like to use Microsoft Graph Explorer to work with my Azure AD B2C Tenant.
Initially, all I want to do is retrieve a Custom Attribute that I've assigned to an application registration. The custom attribute will store the UserAppPermission value, a 'role' replacement for B2C since it doesn't natively support them.
Can I get a second set of eyes on my process? I'd like to make sure I'm reading this properly.
First goal: Get a list of applications registered to my B2C Tenant. Reasoning is... if the app registration doesn't appear then future queries are unlikely to be successful.
Resource#1 "Manage Azure AD B2C with Microsoft Graph" (Note B2C in the title)
(1) I registered an application in my B2C tenant with permissions in excess of the minimum, checked this process twice: Register a Microsoft Graph application (Note B2C in the opening paragraph, and throughout the document).
(1a) Uncertain if the Azure portal was being buggy, I also registered this application with the 'Global Administrator Role' ... absolute overkill & insecure ..
(1b) I am certain that I assigned the appropriate Microsoft Graph API permissions in the app registration tab
(1c) As described in the doc, I also granted the application the user administrator role, although that is contained within the global administrator role.
(1d) Per the doc, "Now that you've registered your management application and have granted it the required permissions, your applications and services (for example, Azure Pipelines) can use its credentials and permissions to interact with the Microsoft Graph API."
When I run "https://graph.microsoft.com/beta/applications" to get a list of registered applications, all I see is the single App Registration our 'root' Azure account has for our Azure Functions App. Since this was an article on managing azure ad B2C with Microsoft Graph, I was expecting to see the applications registered to my B2C Tenant.
? Does anyone read (1d) to mean that I should not be able to use https://developer.microsoft.com/en-us/graph/graph-explorer, logged in as the B2C global administrator, and granting all permissions the endpoint requires, to make Microsoft Graph API queries?
Next goal: Get a list of users registered to my B2C Tenant
Resource#2 "List Users" - the link to this resource was provided by Resource #1, link provided above.
(1) There only mention of B2C in this article is: "The $count and $search parameters are currently not available in Azure AD B2C tenants."
(2) The request to get all users is GET "https://graph.microsoft.com/v1.0/users"
(2a) The request returns a list of users for the MyOrg's root AD tenant, not the application's B2C tenant. Not surprising since there's nothing in the request to specify the B2C tenant.
(3) Another resource provides this request format: https://graph.microsoft.com/beta/.onmicrosoft.com/users, which specifies the b2c tenant.
(3a) This executes without error in Graph-Explorer but does not return any of the users that registered for the application using the sign-up/sign-in policy (Consumer B2C Users). It still returns a list of users for the 'root' Azure account.
Update re:specifying tenant in graph-explorer:
While logged in to Graph Explorer us my work MS email which is registered as a global admin for our Azure account and owner of the B2C tenant I specified:
This returns a list of applications for the root Azure account, not app registrations for the B2C Tenant I specified. Perhaps I misunderstood the intent of this Graph API call.
I optimistically ran 'https://graph.microsoft.com/beta/identity/b2cUserFlows' with the tenant specified in the URL (as in screenshot). Result:
"error": {
"code": "AADB2C",
"message": "'4fba2ea8-XXXX-XXXX-964e-99f48b79d925' is not an Azure AD B2C directory...
I'm still not certain what the UUID returned in the message represents. The UUID has no correlation, that I can find, with the tenant I specified in the URL.
The reason is that you are using an Azure account which is from your root AAD tenant.
You have two options to resolve it.
Specify the tenant in the Graph Explorer URL:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant={Your b2c tenant}.onmicrosoft.com. Still use that Azure account from root
AAD tenant to sign in and you can get a list of applications and
users of your B2C Tenant now.
Another method is creating a new user in your B2C tenant and assign
Global admin role to it. And then sign into
https://developer.microsoft.com/en-us/graph/graph-explorer with
this new user. Now you can list applications and users of your B2C
Tenant as well.
Update:
Don't use a Consumer account (local account) for the second suggestion. You should create an AAD user (work account, format: mytenantname.onmicrosoft.com ) in Azure portal in B2C tenant and assign it global admin role.
Overview of user accounts in Azure Active Directory B2C for your reference.
#AllenWu's second solution was, in effect, correct but not explicit enough for me.
The New user interface in the B2C Tenant offers three options for creating users: Create user, Invite user and Create Azure AD B2C user. Most of my work has revolved around B2C users so I did that and gave the user Global Admin rights and my Graph Explorer results were unchanged.
Another user provided this suggestion and made it clear that I needed to create a user w/an email address of #my-tenant-name.onmicrosoft.com. I created such a user, assigned it Global Admin rights, and I was able to use Graph Explorer as I expected.
Note that users with an email of "SomeTestUser_gmail.com**#EXT#**#my-tenant-name.onmicrosoft.com do not behave in the same way.
Thanks for the suggestions & feedback & I hope this helps if you ended up here with the same question.
We deleted an "unused" user in our Azure AD. Deleting both the MS account as well as removing him from the AD. Now, a few days into the 60 day deletion process (of the MS account) we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess it is was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is no-where to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue but the user is a global admin again:
Additional information from the call to get a token: Extension:
Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020:
User account '{EmailHidden}' from identity provider 'live.com' does
not exist in tenant 'Default Directory' and cannot access the
application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account
needs to be added as an external user in the tenant first. Sign out
and sign in again with a different Azure Active Directory user
account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25
14:44:18Z
We've also tried logging in with multiple other global admins but no-one can access that page or find the application using the id it has. Is there something to be done maybe using Powershell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the New changes made in the Azure portal app registration
In the new experience, if your personal Microsoft account is also in
an Azure AD tenant, you will see three tabs--all applications in the
tenant, owned applications in the tenant as well as applications from
your personal account. So, if you believe that apps registered with
your personal Microsoft account are missing, check the Applications
from your personal account tab.
When you sign in using personal Microsoft accounts(e.g. Outlook, Live,
Xbox, etc.) with an Azure AD email address, we found out that when you
go to the Azure portal from the old experience, it signs you into a
different account with the same email in your Azure AD tenant. If you
still believe your applications are missing, sign out and sign in with
the right account.
The new app list shows applications that were registered through the
legacy app registrations experience in the Azure portal (apps that
sign in Azure AD accounts only) as well as apps registered though the
Application registration portal (apps that sign in both Azure AD and
personal Microsoft accounts).
If you know the application ID you can restore using Powershell
The error is due to using the v1 endpoint url. You need to use V2 endpoints in order to allow access from personal microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
We have a Web App secured with Azure AD B2C using custom Identity Experience Framework policies to allow users to register and sign in with social identities (Microsoft, Google, Facebook), or with an identity from another federated Azure AD instance, or with 'local' Email / Password accounts.
All the social accounts and the Federated AD work correctly. Sign up and sign in with Email/Password was working correctly, but we are now experiencing an error. We haven't knowingly made any changes to our Email/Password configuration since this was last known to be working, so we're not sure how this has happened.
The issue is: Sign Up with a new Email Address works correctly, and after the process completes, the user is correctly logged-in, and their account appears in the directory. If the user signs out, however, then any attempt to sign back in again fails:
(Email address shown is not the actual one. Error has been repeated by multiple users with new and old email/password combinations.)
Digging into the portal, the underlying error is revealed as:
70001 The application named X was not found in the tenant named Y. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
This error appears sometimes to be related to a failure to grant permissions to an application in the portal. We have tried removing and reinstating all permissions, and re-granting permissions. This has not solved the issue.
Does anyone know what could be causing this issue, and in particular why sign up / sign in works correctly, but returning sign in does not?
UPDATE:
Just to confirm that we have the IEF and Proxy IEF apps configured in the AD directory:
And we have the login-NonInteractive technical profile configured in TrustFrameworkExtensions.xml:
Having wired up Application Insights (following these instructions https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom), we're able to get to this more detailed error:
AADSTS70001: Application with identifier
'ProxyIdentityExperienceFrameworkAppID' was not found in the directory
weapageengine.onmicrosoft.com
The only place 'ProxyIdentityExperienceFrameworkAppID' appears in any of our custom policies is shown in the XML snipped above, but this seems correct as per the documentation here: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 - unless we are meant to update those 'DefaultValue' attributes as well?
Resolution:
As per the answer below, it is necessary to update both the Metadata and the default values with the relevant app ids. Worth noting that in the GitHub sample https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 the boilerplate values are differently cased, leading to our missing one in a replace-all:
The local account sign-in authenticates the end user against the Azure AD B2C directory and then reads the user object from it.
The local account sign-up and the social account sign-in do not authenticate the end user against the Azure AD B2C directory. The local account sign-up writes the user object to it. The social account sign-in delegates authentication to the social identity provider and then either writes the user object to the Azure AD B2C directory if the user object does not exist or reads the user object from the Azure AD B2C directory if the user object does exist.
To enable authentication of the end user by the local account sign-in against the Azure AD B2C directory, you must add the Identity Experience Framework applications to the Azure AD B2C directory and then configure these IEF applications with the login-NonInteractive technical profile.
The local account sign-up and the social account sign-in do not require these applications.
I have registered a multi-tenant app in my Azure subscription. using this App, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error
Unfortunately, you cannot use a guest user to login Azure AD Graph Explorer for now.
I came across the same issue as yours long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice Page and the Azure Team will see it. I will also upvote for it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory which upn ends with .onmicrosoft.com
Solution 2: Try to use other tools to get access token with a guest user(this account also need to be an admin of that directory), such as postman. Then you can use Postman to call Azure AD Graph API. You can refer to this blog to use Azure AD Graph API with Postman.
Hope this helps!