Azure Active Directory App Manifest: getting 'Failed to update manifest: ObjectConflict' - azure

I'm trying to update an existing Azure app but I'm unable to save it; the website throws the error 'Failed to update manifest: ObjectConflict'.
I'm updating the field called 'identifierUris'. It's a list and there is one element already and I'm trying to add another there.
Can't seem to find what this error is about. Has anyone encountered this before?

It is very likely you are trying to add a value to identifierUris which is already present in another app. Each value in identifierUris must be unique to a single Application object in Azure AD.
To check if it's already present on an app in your tenant, you can use Azure AD PowerShell to do a simple search to see if that's the case:
Get-AzureADApplication -Filter "identifierUris/any(c:c eq 'http://example.com/id-uri')"
You could also do the query using the Azure AD Graph Explorer (and signing in with your Azure AD account):
https://graph.windows.net/myorganization/applications?$filter=identifierUris/any(c:c eq 'http://example.com/id-uri')
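The uniqueness rule in the answer above (one identifier URI belongs to at most one application object in a tenant) is easy to check offline against an export of your app registrations before you touch the manifest. The following is an added example, not code from the original answer or from Microsoft: it runs over a constructed list shaped like the `appId` / `displayName` / `identifierUris` fields that `az ad app list --all -o json` returns (the app names and GUIDs are made up), reports which app already owns a URI, and answers "can this app add this URI?" with the same ObjectConflict semantics the portal applies.

```python
import json

# Constructed sample export: the three fields this check needs, in the shape
# Microsoft Graph / `az ad app list` return them. Names and GUIDs are invented.
SAMPLE_APPS = [
    {"appId": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "payments-api",
     "identifierUris": ["https://contoso.example/payments"]},
    {"appId": "22222222-aaaa-4bbb-8ccc-000000000002", "displayName": "reporting-api",
     "identifierUris": ["https://contoso.example/reporting",
                        "api://22222222-aaaa-4bbb-8ccc-000000000002"]},
    {"appId": "33333333-aaaa-4bbb-8ccc-000000000003", "displayName": "new-sample",
     "identifierUris": []},
]


def load_apps(path):
    """Load a real export, e.g. the output of `az ad app list --all -o json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def identifier_uri_owners(apps, uri):
    """Return (displayName, appId) for every app that already declares `uri`.
    In a healthy tenant this list has at most one entry."""
    return [(a["displayName"], a["appId"])
            for a in apps if uri in a.get("identifierUris", [])]


def can_add_identifier_uri(apps, app_id, uri):
    """Decide whether `uri` may be added to the app identified by `app_id`.
    Returns (ok, reason). A URI owned by a different app is the ObjectConflict
    case; a URI already on the same app is a harmless no-op."""
    owners = identifier_uri_owners(apps, uri)
    others = [o for o in owners if o[1] != app_id]
    if others:
        return False, "ObjectConflict: already owned by %s (%s)" % others[0]
    if owners:
        return True, "already present on this app (no-op)"
    return True, "free"


if __name__ == "__main__":
    # Usage with a live export: python check_uri.py && edit the manifest only if ok.
    ok, why = can_add_identifier_uri(SAMPLE_APPS,
                                     "33333333-aaaa-4bbb-8ccc-000000000003",
                                     "https://contoso.example/payments")
    print(ok, why)
```

Run it against `load_apps("apps.json")` instead of `SAMPLE_APPS` to check a real tenant; the owner reported in the reason string is the registration you need to either reuse (as the second answer below suggests) or edit before the manifest save will succeed.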

I also ran into this when writing some samples. The other answer is correct that there is another app that has already defined those identifierURIs under your AAD tenant. But it only needs to be defined under one app. You can create another app / client ID in AAD under the tenant that doesn't have the identifierURIs the docs say you need, and it will work to get the right token / Store ID.
I did this with my sample where another client had already defined them and hit this error. I just went ahead anyways with the rest of the setup docs and got it working requesting the right authorization / bearer tokens. Just know that for the commerce ones, I had to re-publish my app to the store before I started to see results otherwise I was just seeing blank results.

Related

Receiving an InvalidAuthorizationTokenTenant error when triggering a Logic App on Azure even with one account?

Currently, I am trying to run a trigger on a Logic App on Microsoft Azure, but every time I try, I receive an InvalidAuthorizationTokenTenant error. Let me explain.
So I have a Virtual Machine on Microsoft Azure called StaticReportingVM that runs a service automatically when it is turned on. I am trying to automate the process of turning the machine on and off using a Logic App called startVM. The logic design is below: it has a recurrence task that checks the time of year it is (the task should run at the beginning of every month), it tells the machine to turn on, and notifies me through my personal email whether or not the task has succeeded.
startVM design
startVM parameters
The parameters are correct for my machine and my subscription. However, every time I run the trigger, I get the following error:
{
"error": {
"code": "InvalidAuthenticationTokenTenant",
"message": "The access token is from the wrong issuer 'https://sts.windows.net/xxxxxxx-xxxxxxx-xxxxxxx/'. It must match the tenant 'https://sts.windows.net/yyyyy-yyyyy-yyyyyy/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/yyyyy-yyyyy-yyyyyy' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
}
Note that xxxxx-xxxxx-xxxxx is different from yyyyy-yyyyy-yyyyy and the two yyyyy-yyyyy-yyyyys are the same. (Not sure if this helps answer my question but I just want to cover more bases!)
Below is a (poorly edited) image of the connections I have set for the Logic App to work, where the email above is the email registered with my Azure account and the Office 365 email is my personal email to notify me of whether or not the trigger has worked.
startVM connections
I have a few questions about this: why am I getting an InvalidAuthenticationTokenTenant error even though I only am using the one subscription? Is it possible I have multiple tenants under this account and if so how can I delete those tenants? How can I bypass the error and get the logic app working?
P.S. This is my first stackoverflow question so I'm sorry if I am missing any critical details! Any and all feedback is appreciated.
• The way you are trying to trigger a logic app on Microsoft Azure VM for starting a recurrence task and notify you through the personal email address is incorrect. You should create a managed identity for the logic app through which the trigger is configured. Once configured, then assign a new role to the logic app’s managed identity through the VM’s IAM (Identity and Access Management) blade. Once done, then update the ‘Start the Virtual Machine’ task in the logic app to connect using the managed identity created for the logic app.
In this way, your issue should get resolved and you should not receive any error regarding the ‘Tenant token authentication’. Also, you are getting this error because, when you are configuring the ‘StartVM parameters’, the tenant ID is not asked for; rather, only the ‘subscription ID’ and the ‘resourceGroup’ are asked for. Thus, if you have at least ‘Contributor’ role access in more than one tenant linked to each other, then the default tenant ID and the tenant in which your VM is deployed will be different, and hence the conflicting error faced regarding it.
• Please find the below snapshot of the configuration for including the managed identity in your logic app design: -
Thus, once you give managed identity of a VM as the connection in the logic app ‘Start VM’ action, the logic app ‘Start VM’ trigger will use the managed identity’s assigned role to the VM as authorization to start the VM and hence the tenant token issue will get resolved.
For more information and clarification on this, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/azure-functions/start-stop-vms/deploy#enable-multiple-subscriptions

How to access app service with Authentication/Authorization enabled using Logic App

I want to access the endpoints that exist within my app that was uploaded to an App Service by calling them using a Logic App. I've enabled Authorization/Authentication but I cannot seem to figure out how to correctly create a valid authenticated request. I guess I'm missing something here, please look at the pictures below.
I'm getting this error message: Http request failed as there is an error getting AD OAuth token: 'AADSTS500011: The resource principal named '' was not found in the tenant named ''. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
I'm sure the tenant id is correct and I've consented like a billion times I think :D. I provide all of the pictures that I can think of that could help finding out the issue here.
I also tried with another audience the api://...
Still no success:
Here's my app service Auth section setup:
All I can think of is that I check the Allow unauthenticated access, but that will leave me to code more in my app, right? And I then need to restrict each individual endpoint. Instead I'd like to maybe have either an endpoint without the authorization or be able to send an authorized request through something like a Logic App, Postman, doesn't matter in this case.
Any suggestions?
There are two possible reasons as per the error message: either the AD app is not present in the tenant or the AD tenant itself is not correct.
In either case you just need to check in AAD-->App registration-->Search with clientID (which you used above).
If not found, then either the AAD is incorrect or you have not created the AD app in this AAD.
Also check for application permissions.
Check following post for more insight
https://www.tech-findings.com/2020/01/calling-active-directory-secured-functionapp-from-logicapps.html
Thanks,
Maheshkumar S Tiwari
I actually managed to find out what the issue is here. So I actually have 2 complaints (maybe I'm not understanding what's actually wrong "behind the scenes"), but the Audience was wrong. That's it!
The third picture from my post on the audience attempt was correct, but I had to remove the /.default part in order for it to work. (I've had this default thingy a lot when I've worked with MS Graph but that seems not to be the case here.)
Result:
Works like a charm now :D
Research:
So I will also share how I figured out how to understand the error message and what was wrong.
So my first complaint is that the error message is misleading IMO, in that the message said:
... getting AD OAuth token: 'AADSTS500011: The resource principal named '' was not ...
When I Google "resource principal" I only get a lot of answers on how to view Service principals, which I thought could be something else. But it seems that that's the thing I should be searching for within my app registration. And the first Audience example I was trying out is obviously not the correct value to match the principal with. The correct value, in this case, can be seen in at least 3 locations that I found worked for me.
The app registration Application ID URI
MS Graph Explorer, list your service principals and perhaps filter by your name of the app registration to narrow down your search results
Powershell, same as option 2, might be another "endpoint" but should do the same work still.
First option:
https://portal.azure.com -> Azure Active Directory -> App registrations -> choose your app and click on it -> check the Application ID URI column on this Overview page
Second option:
https://developer.microsoft.com/en-us/graph/graph-explorer, sign in to your account (same as on Azure) and check the Sample queries section to the left and pick inside Applications -> search and count Service Principals with "teams" in the displayName. You will get a sample query, also add serviceprincipalnames to your params and also change the search in the displayName from teams to -> {parts of app reg name or entire app reg name} //probably a contains
Third option:
Make sure you have both Install-Module MSOnline and
Install-Module AzureAD installed to your PowerShell tool. I used Windows PowerShell ISE in order for it to work (the x86 didn't work for me). ->
Import the Module for AzureAD -> Then connect with the same acc as Azure-> Run this command: Get-MsolServicePrincipal
I also added the -All parameter to get all principals. You could also narrow it down
I'm guessing here, but not important in my case :).
So these were the solutions I've found.
But I also have that other complaint: why isn't the error message something like: The Audience does not exist on Tenant X. Please check the name of the Service principal matches with the Audience parameter and that the principal exists within the given tenant. //Something like this idk
That would make it so much easier to understand what the error actually is.
Any Azure gurus can definitely give me a lesson on why I'm wrong if so, I'm happy to learn the core/fundamentals :)
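Both the InvalidAuthenticationTokenTenant error in the Logic App question above and the AADSTS500011 audience problem in this one come down to the same question: which tenant and which audience was the token actually minted for, versus what the resource expects? The claims are right there in the token, so the quickest diagnosis is to decode its payload and compare. The block below is an added example, not code from any of the posters or from Microsoft: it decodes a JWT payload without verifying the signature (diagnosis only, never an authorization decision), reports a tenant mismatch the way the ARM error describes it, and flags a configured audience that still carries the `/.default` suffix, which is a scope suffix and not part of the audience, as the accepted answer here found. The token, tenant IDs and audience are constructed values.

```python
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Fine for asking "which tenant/audience is this token for?"; unsafe for trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token, expected_tenant, expected_audience):
    """Compare a token's tid/iss/aud with what the target resource expects.
    Returns a list of human-readable findings; an empty list means it matches."""
    claims = decode_jwt_claims(token)
    findings = []

    # Tenant check: the issuer (iss) ends in the tenant id and tid repeats it.
    tid = claims.get("tid")
    iss = claims.get("iss", "")
    if tid != expected_tenant and not iss.rstrip("/").endswith(expected_tenant):
        findings.append(
            f"InvalidAuthenticationTokenTenant: token issued by tenant {tid} "
            f"(iss={iss}); the resource belongs to tenant {expected_tenant}")

    # Audience check: '/.default' is a scope suffix, never part of the audience.
    if expected_audience.endswith("/.default"):
        findings.append("configured audience ends with '/.default': that is a "
                        "scope suffix, not the audience; drop it")
        expected_audience = expected_audience[:-len("/.default")]
    aud = claims.get("aud")
    if aud != expected_audience:
        findings.append(f"audience mismatch: token aud={aud!r}, "
                        f"resource expects {expected_audience!r}")
    return findings


def make_sample_token(claims):
    """Build a constructed, unsigned JWT for local testing (junk signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


# Constructed scenario mirroring the two posts: the token comes from tenant X,
# the subscription / App Service lives in tenant Y, and the Logic App was
# configured with an audience that still had '/.default' appended.
TENANT_X = "xxxxxxxx-0000-4000-8000-000000000001"
TENANT_Y = "yyyyyyyy-0000-4000-8000-000000000002"
APP_ID_URI = "api://11111111-aaaa-4bbb-8ccc-000000000001"
SAMPLE_TOKEN = make_sample_token({
    "iss": f"https://sts.windows.net/{TENANT_X}/",
    "tid": TENANT_X,
    "aud": APP_ID_URI,
    "appid": "22222222-aaaa-4bbb-8ccc-000000000002",
})

if __name__ == "__main__":
    for finding in diagnose_token(SAMPLE_TOKEN, TENANT_Y, APP_ID_URI + "/.default"):
        print("-", finding)
```

To use it on a real failure, paste the bearer token the Logic App (or Postman) obtained into `diagnose_token` together with the tenant ID shown in the subscription's error message and the Application ID URI from the app registration's Overview page; two clean checks there mean the remaining problem is consent or role assignment, not the token itself.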

Getting list of all documents from share point

I am trying to implement functionality where I can get a list of documents from SharePoint. I have tried this demo code from the Azure directory implementation, logged in to the account, and also got details about sites and user data from the Graph API.
https://github.com/Azure-Samples/ms-identity-android-kotlin
I am able to get site data from graph API :
But when I am trying to get list then getting error or no value
I have also passed this authorization token to REST API but that too doesn't work.
You can try with scope Sites.ReadWrite.All instead of User.Read, as I tested it using Graph Explorer and I got access denied as the scope permission was not consented. After I consented the permission, it worked.
Example 1:
Before Consent:
After Consent:
I have created a test list on the Communication Site.
After that when I query for lists , I successfully get the above one I created.
Example 2 :
I also tested it using an Application registered to Azure AD. It didn't return me any error or any value either when I queried for lists using that app's credentials from PowerShell.
After I added Sites.ReadWrite.All to the App's API permissions,
I can successfully get the Values of the lists.
To summarize, it could be resolved in 2 ways:
Changing the Scope shown on the screenshot given by you to Sites.ReadWrite.All instead of User.Read.
Adding API permissions to the APP registration in the Azure AD for Microsoft Graph as shown in the example 2 second image.

Azure portal error while trying to change client app scopes

I have several client apps registered in the Azure portal. Each app has different scopes that are enabled/disabled. I used to be able to modify the scopes and save the updates for each of the register apps. Now I get the following error from the Azure portal:
Failed to update {my app} application. Error detail: Property identifierUris is invalid. [mURNc]
I also get this same error even if all I try to do is rename the client app. If I create a brand new app there are no issues. This appears to be a bug in the azure portal, but I'm looking for a workaround as I don't want to redefine all the scopes again, there are quite a few!
I've tried to rename things, change the client app ID, etc, but nothing seems to fix the issue, I get the same error. Again, this all used to work fine and now suddenly with no changes I get this issue.
The error says the identifierUris is invalid, but it isn't descriptive at all on which URI it is referring to. Any suggestions on how to correct this?
As junnas said, click try out the new experience in the Authentication tab of App registration and try again.
Also, when you see the above error, we recommend the following:
1. Edit the attributes individually in the manifest editor instead of uploading a previously downloaded manifest. Use the manifest reference table to understand the syntax and semantics of old and new attributes so that you can successfully edit the attributes you're interested in.
2. If your workflow requires you to save the manifests in your source repository for use later, we suggest rebasing the saved manifests in your repository with the one you see in the App registrations experience.
Hope this helps.

Calling Microsoft Graph API from Azure Functions

I am not sure if I am on the right path, but I am attempting to retrieve my contacts within an Azure Function. I don't need to present a login as this is only for my account. I just want to be able to retrieve my Contacts from the Graph without having to explicitly authenticate. Is this possible? My attempts have failed and I ultimately get stuck trying to add permission...
When I click to add Permission, I get this error:
I am trying to use AAD to authenticate. I tried creating the function within the Portal and also from VS. Any suggestions? Thanks!!
You could follow the steps below to fix the issue.
1. Navigate to the Authentication / Authorization of your function app, click the red frame part like the screenshot.
Go to Manage Permissions -> Add -> select the Windows Azure Active Directory API and Sign in and read user profile permission
Then refresh the portal, it will work fine.
