I have a web app in Azure. The access to that web app is controlled by Azure Active Directory. The app is up and running since September of last year. I didn't make any changes to the app for a while and have 33 users in that app.
So, a week ago I tried to add a user, using the same methods and paths I used before.
The new user can log in to microsoft (portal.office.com). After the initial log in and changing of the password the user goes to the web app in Azure and get the following error: You do not have permission to view this directory or page.
Error tracing gives me this:
HTTP Error 401.73 - Unauthorized You do not have permission to view
this directory or page.
Most likely causes: The authenticated user does not have access to a
resource needed to process the request.
Things you can try: Create a tracing rule to track failed requests for
this HTTP status code. For more information about creating a tracing
rule for failed requests, click here.
Detailed Error Information: Module EasyAuthModule_32bit
Notification BeginRequest Handler
ExtensionlessUrlHandler-Integrated-4.0 Error Code 0x80004005
Requested URL https://*******:80/.auth/login/aad/callback Physical
Path D:\home\site\wwwroot.auth\login\aad\callback Logon Method
Not yet determined Logon User Not yet determined
More Information: This is the generic Access Denied error returned by
IIS. Typically, there is a substatus code associated with this error
that describes why the server denied the request. Check the IIS Log
file to determine whether a substatus code is associated with this
failure. View more information »
Microsoft Knowledge Base Articles:
Another observed behavior: usually when new users are logging in the web app asks for permissions for the AD to access their account information. Ever since this problem came up this is not the case any more.
Other users do not have any problems logging in. This problem only happens with new users who never logged in before.
EDIT: When I go to Active Directory and look at sign ins, I see failures to log into the web app with sign-in error code 90092. Failure Reason: Other.
Microsoft help desk could not give me details on that error code.
Checkout the related question and answer here. All new users have to first consent the application (agree and give your application permissions to access their profile / or you indicated as required permissions).
In short, you have to design "sign-up" button for your application, which uses the "login_url" and appends "&prompt=consent" to the query string.
Read all related resources here to better understand the consent framework.
And please read the documentation about Azure App Service Authentication/Authorization here, as well as the Azure AD specific documentation here.
OMG, I just found an answer. I created a test app and set it up to mirror the settings of my live app.
In Required Permissions the new app had nothing for Microsoft Graph, the live app had 5 permissions. I deleted Microsoft Graph and it works now!
I wish Microsoft communicated better about discontinued API's. I did get an alert, but it was mostly talking about MS Office 365.
Related
I am an administrator to a DevOps project and i have full access to the project.
I am trying to provide a user whom i only need to give access to a certain pipeline.
Steps Take:
Initially i provided him with only Reader access and he is not able to access the URL (404 error)
I removed him from reader and provided with Contributor access and still cannot access the pipelines.
Getting below error,
404 - Page not found Looks like this page doesn’t exist or can’t be found. Make sure the URL is correct. 23/05/2022 2:48:04 PM (UTC) 1e9217ce-2731-4aaa-b853-80c7444299e8
Like i said, the user is a member of the Valid Users and Contributor built-in roles without any customization.
The user is able to navigate to releases and environments and deployment groups, but not able to access build pipelines, library, or Task groups.
Error screen and screenshots attached
This issue is resolved after i contacted microsoft. The issue was due to the user access is stakeHolder. Thanks for GeralexGR comment i was able to streer through that direction.
Resolution:
Change users access level from StakeHolder to Basic.
I am developing a multi-tenant application to use Microsoft's Business Central API. At first I want to check if I can simply log in myself.
However, every time I try to grant admin consent inside the app's API permissions, I get this error:
This app requires access to a service (\"https://*.api.cds.appsplatform.us/\") that your organization is not subscribed to or has not enabled.
I cannot find anything online about "api.cds.appsplatform.us". I have a subscription (trial) set up, I also have a trial subscription with Business Central (although removing all the API permissions to just the default Microsoft Graph permission, still gives me the same error).
The error message is sort of unhelpful, so what do I need to enable to access my own app?
I believe that the CDS here is Common Data Service. Common Data Service for Apps is a service built on the Common Data model that you can use to store, build, and manage apps and app data. It's used most by PowerApps and Microsoft Flow.
https://learn.microsoft.com/en-us/powerapps/maker/common-data-service/data-platform-intro
https://powerapps.microsoft.com/en-us/common-data-service/
https://learn.microsoft.com/en-us/business-applications-release-notes/april19/dynamics365-business-central/
The only API permissions I needed for a Microsoft Dynamics 365 Business Central app was "Dynamics 365 Business Central" and its subpermissions.
I had included "Dynamics CRM" as an API permission, which requires CDS (Common Data Service), hence the error above.
However, when I wrote above that I had attempted to remove the above permissions and tried the 'grant admin consent' button again, and I got the error again, the problem was that I had forgotten to refresh the page after I had removed the "Dynamics CRM" permission.
Indeed, the takeaway from the error is that one has added a permission too many. But every time one removes a permission, it is paramount that one refreshes the page before attempting the 'grant admin consent' button again.
I have created three B2C applications:
TestWebApp
TestApiOne
TestApiTwo
Both API applications were created the exact same way. Web API access is enabled, reply URLs have been specified, an App ID URL has been assigned, and keys have been generated. Both APIs have an additional read and write scope.
In TestWebApp API access, I am able to add TestApiOne with all three scopes without an issue.
When trying to add TestApiTwo to the TestWebApp API access list, the operation fails with the following error.
Failed to add the API access. Reason: The B2C service has an internal
error. If you created this B2C directory just now, please try again
after couple of minutes. If the problem persists, please contact
Support
(https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-support/).
If you do not have a B2C directory you can refer
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-get-started/
I thought maybe there is a limit of one API per application. To test, I created a temporary application "TempApp". I received the same error displayed above while trying to add API access for both TestApiOne and TestApiTwo.
Has anyone else experienced this issue?
There's not a limit of one API per application. I have done research and it works fine by my side.
Please have a look at the guide and check your steps.
I have tried to replicate the issues that you are facing by putting diff redirect reply url domains and also by making one application to be native and one normal web app but it doesn't help.
Could you try to delete all the webapps and try making 1 and then adding another to it.
Then create the 3rd one.
Please check this or if you can share some screen shots. That would be helpful.
You can definitely add multiple web apps to api access of one web app.
I am trying out the Azure AD-B2C. The user signup/sign in is fine when the MFA is turned off. But when I turn it on, and the user tries to sign in and provides the phone number, and requests a text message by clicking "send code", I get the Http 400 error: size of request headers is too long. Anybody else have this issue?
The error HTTP 400: Size of header request is too long generally happens because there's too many cookies.
Azure AD B2C's login goes through login.microsoftonline.com, as does almost every Microsoft service (O365, Azure, etc). So if you've got several accounts that you've signed in to across these services, you're accumulating cookies that will cause this problem.
Clearing the cookies should resolve this problem. If this is happening on a recurring basis, you should edit your question to include details about the request and cookies in order to best figure out what's bloating the request and how to reduce it.
Short answer: The file with the custom UI was not found by Microsoft login service. After getting shipped around it resulted in the error.
I had the same error with AAD B2C but "cookies" was not the problem. In my case I got the error while testing in the Azure B2C portal checking the policies and the custom UI pages. We use Azure Blob storage to hold custom login setup, its fast and it scales without our attention. The problem was found by using my test website using the B2C service. I put a stop/break on the Account controller's "public Task OnRemoteFailure(RemoteFailureContext context)" method. The debugger message gave me the full context of the error, an http 404 error and it gave the file name it was trying to find. Blob storage is case sensitive. The setup configuration used to configure B2C has camelCase names. The group who created the actual UI customization uses all lower case names. It took someone with access to all the assets to find the simple case name issue. Errors in distributed systems can be difficult.
I have a Sharepoint 2013 on premise environment for which I am developing an provider hosted app using Visual Studio.
The Visual Studio project has an app project which contains a custom ribbon button that goes to the web project. The web project is hosted on Windows Azure and here I get the error that the context token is null or an empty string.
Getting the token is done using the following code:
var contextTokenString = TokenHelper.GetContextTokenFromRequest(Request);
SharePointContextToken contextToken =
TokenHelper.ReadAndValidateContextToken
(contextTokenString, Request.Url.Authority);
When I see what is passed to the site hosted on Azure I notice that the SPAppToken is null. When using ULS viewer I get the error "The Azure Access Control service is unavailable"
I have already checked if the app is registered (using appregnew.aspx) and that the id is the same for this and in the appManifest.xml and web.config files.
How do I get the context token? Do I need to do something else in Azure in order to make it work?
The link from the comments helped me. I'm posting the answer here so we don't need to rely on a url sticking around.
You get the "EndpointAuthorityDoesNotMatch" message when your app's launch url doesn't match the "app domain" registered for your app's client_id.
For mine this meant that I needed to re-register the app for our test server separately from our develoment server via the _layouts/15/appregnew.aspx page on the O365 site. Here's a link with more info on registering client ids: http://msdn.microsoft.com/en-us/library/jj687469.aspx
Message 'The Azure Access Control service is unavailable' says that SharePoint can’t construct the SPAppToken because it can’t talk to ACS (Azure Access Control) in order to do that. This could be for a variety of reasons (e.g. network connectivity problems).
You can also check this blog: CJG: The Azure Access Control service is unavailable.