I have created a new web API and deployed it on Azure. The API works with Azure AD authentication. We need to consume this API from the Power BI Desktop application.
If I test the API in the browser, as deployed on Azure, it works fine. However, if I try to consume it in Power BI it gives the following error.
invalid_resource: AADSTS50001: The application named was not found in the tenant named . This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Why am I getting this error?
Any help on this appreciated !
You can log in as an admin and make a GET request like so:
https://login.microsoftonline.com/common/adminconsent?client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]
And then you'll authorize the application and you'll be able to authenticate =)
I have deployed a Node.js app on Google App Engine successfully. After deployment, login at this URL https://mydomain-473829.uc.r.appspot.com works fine and logs in, but when I use a custom subdomain like https://api.mydomain.com?
It gives me this error on login
AADSTS700016: Application with identifier 'guid' was not found in the directory 'directory-id'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Digging Deeper:
Is this the error of GCP or Microsoft side?
Why does one URL work fine and other not reach the right tenant, they are the same endpoint right from going through this setup: https://cloud.google.com/appengine/docs/legacy/standard/python/mapping-custom-domains
Does another tenant need to provision and allow access to my multi-tenant app? Right now it's only a single-tenant app?
Is there any code changes needed, if so I can update this question if it is needed?
Thanks for reading
I tried to reproduce the same in my environment and got the same error as below:
AADSTS700016: Application with identifier 'guid' was not found in the directory 'directory-id'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
The error usually occurs if you are passing a wrong client_id in the authorization/authentication request.
Make sure to pass the client_id of the Azure AD application in the request.
Also make sure that you are passing the correct Tenant_ID of the Azure AD application.
Check whether the required permissions are granted for the application.
For example, I used the below authorize endpoint, passing the correct client_id like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The user signed in successfully like below:
The error is on the Microsoft Azure side. Make sure to pass the correct values.
Note that: If you want your application to be accessed by other tenant users, then configure the Azure AD Application as Multi-Tenant like below:
If you configure the application as multi-tenant then you must make use of the organizations endpoint:
Authorize Endpoint: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Token Endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
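The requests discussed in this answer (authorize and token endpoints for a fixed tenant versus the organizations/common selectors) and in the earlier admin-consent answer, as an added example that is not part of any answer on this page. It builds the URLs with the standard library and extracts the AADSTS code from an error description like the ones quoted in the thread. Every tenant ID, client ID and redirect URI below is a constructed placeholder.

```python
"""
Added example (not from the answers above): build Microsoft identity platform
v2.0 authorize, token and admin-consent URLs for a given tenant selector, and
pull the AADSTS error code out of an error description. All identifiers are
constructed placeholders, not values from a real tenant.
"""
import re
from urllib.parse import urlencode, urlparse

LOGIN_BASE = "https://login.microsoftonline.com"

# Tenant selectors accepted by the v2.0 endpoints: a tenant ID or verified domain
# pins the request to one tenant (single-tenant apps); "organizations" accepts any
# work/school account, "common" also personal accounts, "consumers" only personal.
MULTI_TENANT_SELECTORS = {"organizations", "common", "consumers"}


def authorize_url(tenant, client_id, redirect_uri, scope, state, response_mode="query"):
    """Authorization-code request, same parameters as the answer's sample URL."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": response_mode,
        "scope": scope,
        "state": state,
    }
    return f"{LOGIN_BASE}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_url(tenant):
    """Token endpoint for the same tenant selector used in the authorize step."""
    return f"{LOGIN_BASE}/{tenant}/oauth2/v2.0/token"


def admin_consent_url(client_id, redirect_uri, tenant="common"):
    """Tenant-wide admin consent URL from the first answer in this thread."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri}
    return f"{LOGIN_BASE}/{tenant}/adminconsent?{urlencode(params)}"


def is_multi_tenant_request(url):
    """True when the path's tenant segment is a multi-tenant selector, not a fixed tenant."""
    segment = urlparse(url).path.split("/")[1]
    return segment in MULTI_TENANT_SELECTORS


AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")


def aadsts_code(error_description):
    """Return the AADSTS code (e.g. 'AADSTS700016') from an error string, or None."""
    match = AADSTS_RE.search(error_description)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed placeholder values for a stand-alone run.
    tenant = "11111111-2222-3333-4444-555555555555"
    url = authorize_url(tenant, "00000000-aaaa-bbbb-cccc-dddddddddddd",
                        "https://jwt.ms", "https://graph.microsoft.com/.default", "12345")
    print(url)
    print("multi-tenant request:", is_multi_tenant_request(url))
    print(aadsts_code("AADSTS700016: Application with identifier 'guid' was not found"))
```

A single-tenant app registration only answers for its own tenant, so a request sent to the wrong tenant ID (or with a client_id from a different registration) produces exactly the AADSTS700016 / AADSTS50001 messages quoted in this thread; switching the path segment to organizations or common only helps once the registration itself is multi-tenant.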
I have an already deployed application on Azure App Service which uses Azure AD for authentication and authorization.
Unfortunately the developer who worked on it is no longer available.
I got access to all Azure resources and source code, but I can't figure out how I can add my Azure account as one of the users of the app (I can log in, but it's an empty view for me, unlike what it used to be with the developer's access).
Also I find the app registered in Azure AD and I am an owner there, but still without the right access.
When I try to log in locally from the frontend it says
Selected user account does not exist in tenant 'Default Directory' and
cannot access the application '[some numbers] in that tenant. The
account needs to be added as an external user in the tenant first. Please use a
different account.
Would appreciate any help and many thanks in advance.
I can login but it’s an empty view for me unlike what it used to be
with the developer access
This is because your backend application is enabled with Azure AD Authentication.
After you sign in to your front-end application, you still can't access the data from the back-end app, because the back-end app now requires Azure Active Directory sign-in from the front-end app
To access the application, follow the below steps:
Grant the front-end access to the back end
Configure App Service to return a usable token
Use the token in your code
You can refer to Enable authentication and authorization for front-end app in Authenticate users E2E - Azure App Service | Microsoft Docs for the detailed steps.
I have a .NET Core API in an App Service on Azure.
When I run this locally, with authentication switched on, I can generate a bearer token and use that to successfully access the endpoints.
On Azure, when authentication is switched off I can access the endpoints, but when I switch authentication on in Azure, I can't access any endpoints with a token. Postman is just returning the standard response "The page cannot be displayed because an internal server error has occurred".
I can't see anything in application insights so I'm really in the dark.
Hoping someone will know of any common issues that could be behind this.
Thanks in advance
You cannot access your web app authenticated with Azure AD using a B2C token.
Locally, a web app created using Visual Studio only has three authentication choices:
As we can see, using Individual User Accounts connects to an Azure AD B2C account.
On the portal, you could configure your App Service with the choices below:
If you are using Log in with Azure Active Directory, you should be aware that it is not the same as B2C. Follow this page to configure Azure AD authentication with the web app.
Get the AAD bearer token:
Navigate to the App registrations page in your Azure Active Directory and choose the one you created in the configuring-authentication step. You would see information like this:
Go to the Certificates & secrets page to create a secret, and copy that value, because you won't see it after leaving this page.
Open Postman to get the access token; here are the required parameters:
Use the bearer token you got from the last step to access your web app:
I have configured an Azure web API and my React app, and that is working perfectly until I turn on Azure authentication as shown in the screenshot below. Once I turn it on I am getting
"You do not have permission to view this directory or page." for all my web APIs.
And this message is from Azure, and the authentication type is advanced in Azure.
Am I missing anything here? (My client wants it to be turned on.)
Easy Auth won't automatically validate the token for you. You need to add JWT validation to your web API:
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-manual-jwt-validation/
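The validation the answer is pointing at, as an added example that is not part of the answer or of the linked Microsoft sample: the checks an API must make on an incoming bearer token (signature, pinned algorithm, issuer, audience, validity window) before trusting any claim in it. To run offline it signs tokens with HS256 and a constructed shared secret; that is an assumption for the demo only, since Azure AD issues RS256 tokens and a real validator fetches the tenant's signing keys from the OpenID Connect metadata and verifies the RSA signature. Issuer, audience and secret values are constructed.

```python
"""
Added example (not from the answer or the linked sample): minimal bearer-token
validation with the standard library. HS256 with a constructed shared secret is
used so the example runs offline; Azure AD tokens are RS256 and must be verified
against the tenant's published signing keys instead.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must be rejected; the reason is the message."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token the way a test issuer would; used here only to build inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_bearer(token: str, secret: bytes, expected_issuer: str,
                    expected_audience: str, now: float = None) -> dict:
    """Return the claims only if every check passes; raise TokenError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token's own header choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != expected_audience and not (isinstance(aud, list) and expected_audience in aud):
        raise TokenError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenError("not yet valid")
    return claims


def accepts(token: str, secret: bytes, issuer: str, audience: str, now: float) -> bool:
    """Boolean wrapper: True if validate_bearer would accept the token."""
    try:
        validate_bearer(token, secret, issuer, audience, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    # Constructed values for a stand-alone run.
    secret = b"constructed-demo-secret"
    issuer = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
    audience = "api://constructed-api-id"
    now = 1_700_000_000
    token = sign_hs256({"iss": issuer, "aud": audience, "exp": now + 3600, "sub": "user"}, secret)
    print(validate_bearer(token, secret, issuer, audience, now))
```

The "You do not have permission" page in the question comes from the platform rejecting the request before it reaches the API; once the app itself validates tokens, a request that fails any of the checks above should get a 401 from the API rather than an unexplained platform error, and the failing check is something the API can log.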
I have created an Azure AD native client application and have given delegated permissions to Azure Service Management API. Now, I'm able to invoke the service management API using my id from a Windows Phone 8.1 app using ADAL library. However, another user can't invoke operations on their subscription even though I add them as co-administrator in my directory. I get the token for the user but when I try to make an API call, I get 'Invalid token:A security token exception occurred for the JWT token'. Is there a way to allow another user to access details about his subscriptions using ADAL authentication from an AD app hosted in someone else's AD? I have searched for any related information for quite some time and I'd gladly take any help.
Here is how I interpret what you are doing.
You have a native app and it is connected to your tenant and it works fine for accessing service management APIs in your tenant/subscription.
You gave the app to a friend and they are trying to use it to access service management APIs in their tenant/subscription.
The suggestion above in the comment is on the right track, but you need to look at the steps for making your native application multi-tenant. This way, the AD service will know to look for the tenant for the authenticated user. Changing the url to use 'common' instead of the tenant id is one of the steps required. Here are a couple of posts to help with that transition.
http://www.cloudidentity.com/blog/2013/04/09/walkthrough-3-developing-multi-tenant-web-applications-with-windows-azure-ad/
This is a native client example of multi-tenant for a windows store app. I could not find one in the repo for a phone app. Hopefully, this gets you on the right track.
https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore