I used to manage bot and channel registrations via https://dev.botframework.com/bots.
I'm running an app service on Azure that is hosting my bot. This app service is under a corporate Azure subscription and I log in to Azure with my company O365 account via my organization's sign-in page.
I use this login for eu.luis.ai, portal.azure.com, apps.dev.microsoft.com and dev.botframework.com.
Since I'm trying to migrate the bots, I'm facing several issues:
The migration button
When pressing the migration button, I'm getting the error
Failed to find any Azure subscriptions for the current user.
From Scratch "Bot Channel Registration"
In the Azure portal, when I create a new Bot Channels Registration I'm able to see it on dev.botframework.com, but in the Azure portal on the blades Channels, Test in Web Chat and Analytics (IFrame to dev.botframework.com) I get the error
There was an error refreshing your sign-in information. Refresh and try again.
But: When I open the IFrame source in a new tab, I'm able to access those pages.
Where goes my app in the Application Registration Portal?
In the newly created "Bot Channel Registration" resource on Azure, when I click the "manage" link for the Microsoft App Id, I get an error that the application is not available or not assigned to my account (but I'm still logged in with the same credentials).
What I tried so far:
- I asked several colleagues to try the same (they all have the same problem)
- Deleted browser cache, tried in-private sessions, tried different browsers etc., logged out & in, ...
- I also have no live account with my organizations email address
- For the migration button problem, I was able to hack around the problem using a Chrome extension to replace authorization headers for requests going to https://management.azure.com with the access token from the Azure portal.
It looks to me like some kind of token incompatibility, but I'm not sure where the problem needs to be fixed.
Any ideas or help appreciated!
see also:
https://learn.microsoft.com/en-us/Bot-Framework/bot-service-migrate-bot
https://feedback.azure.com/forums/223579-azure-portal/suggestions/32714965-bot-registration-unusable-after-migration#comments
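The poster suspects a token incompatibility between the portal session and management.azure.com. As an added check (not part of the original post), the Python below decodes an access token's claims offline and reports why Azure Resource Manager would reject it: wrong audience, wrong tenant, a personal-account (live.com) identity, or expiry. The token it builds is constructed for the demonstration, with a filler signature; a real token would come from the portal session or `az account get-access-token`, and the tenant ID is a placeholder.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Audiences Azure Resource Manager accepts for calls to management.azure.com.
ARM_AUDIENCES = {"https://management.azure.com/", "https://management.core.windows.net/"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    Suitable only for inspecting what a token says about itself; never use the
    result to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_arm_token(claims: Dict, expected_tenant: str, now: Optional[float] = None) -> List[str]:
    """List the reasons ARM will reject this token for the given tenant.

    An empty list means the audience, tenant, identity provider and expiry all
    look right for management.azure.com.
    """
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud not in ARM_AUDIENCES:
        problems.append("aud is %r, not an ARM audience" % (aud,))
    if claims.get("tid") != expected_tenant:
        problems.append("tid is %r, expected %r" % (claims.get("tid"), expected_tenant))
    # A token minted for a personal (live.com) identity cannot see an organization's
    # subscriptions even when the e-mail address is the same as the work account.
    if claims.get("idp") == "live.com":
        problems.append("idp is live.com: this is a personal-account token")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_token(claims: Dict) -> str:
    """Build a header.payload.signature string for demonstration only.

    The signature segment is filler, so nothing produced here is a valid token.
    """
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.x" % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed sample claims (not a real token): issued for Microsoft Graph,
# for an identity that came in through live.com. The tenant ID is a placeholder.
SAMPLE_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": SAMPLE_TENANT,
    "idp": "live.com",
    "exp": 4102444800,  # far-future expiry so only the audience/idp checks fire
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    for problem in check_arm_token(decode_jwt_claims(token), SAMPLE_TENANT):
        print("problem:", problem)
```

Run it against the token the portal actually sends (copy it from the browser's network tab) and against the one the migration page sends; if the `aud`, `tid` or `idp` claims differ between the two, that is the incompatibility, and swapping Authorization headers only papers over it.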
Related
I have my website integrated with Live SDK applications to allow customers to login to their MSN, Hotmail, Outlook, etc. email accounts and invite friends to my website by reading the contacts. This used to work properly but now it's not working anymore.
When I use the App ID / Client ID from the old Application Registration Portal (https://apps.dev.microsoft.com) I get the following message when I try to login using my Microsoft account.
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
I see from the Application Registration Portal that I can now use Azure to manage my App Registrations, so I basically setup the same app under Azure with the following criteria.
Authentication: Selected Web and setup the same Redirect URI I was using previously when this was working.
API Permissions: I added "Microsoft Graph" with email, Contacts.Read, openid, profile, and User.Read.
And when I try to login to my Microsoft account using my Azure app Client ID / App ID I get the following message.
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Should I try making this work using Azure instead of Application Registration Portal credentials? If so, why is it saying "unauthorized_client" when I try to login?
Thank you!
Register your Azure AD app as Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
We deleted an "unused" user in our Azure AD. Deleting both the MS account as well as removing him from the AD. Now, a few days into the 60 day deletion process (of the MS account) we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is nowhere to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue but the user is a global admin again:
Additional information from the call to get a token: Extension:
Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020:
User account '{EmailHidden}' from identity provider 'live.com' does
not exist in tenant 'Default Directory' and cannot access the
application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account
needs to be added as an external user in the tenant first. Sign out
and sign in again with a different Azure Active Directory user
account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25
14:44:18Z
We've also tried logging in with multiple other global admins but no one can access that page or find the application using the id it has. Is there something to be done maybe using PowerShell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made in the Azure portal app registration
In the new experience, if your personal Microsoft account is also in
an Azure AD tenant, you will see three tabs--all applications in the
tenant, owned applications in the tenant as well as applications from
your personal account. So, if you believe that apps registered with
your personal Microsoft account are missing, check the Applications
from your personal account tab.
When you sign in using personal Microsoft accounts(e.g. Outlook, Live,
Xbox, etc.) with an Azure AD email address, we found out that when you
go to the Azure portal from the old experience, it signs you into a
different account with the same email in your Azure AD tenant. If you
still believe your applications are missing, sign out and sign in with
the right account.
The new app list shows applications that were registered through the
legacy app registrations experience in the Azure portal (apps that
sign in Azure AD accounts only) as well as apps registered though the
Application registration portal (apps that sign in both Azure AD and
personal Microsoft accounts).
If you know the application ID you can restore using PowerShell
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
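The two answers above make one combined point: the registration must be opened to personal Microsoft accounts, and the client must then talk to the v2.0 `common` endpoint, with a redirect_uri that matches a registered one exactly. The Python below is an added example (not code from either answer or from the Live SDK) that builds that v2.0 authorization request with PKCE and state, refuses locally when the redirect_uri is not registered (the cause of the `invalid_request ... redirect_uri` error), and parses the callback so that an `unauthorized_client` error is surfaced instead of silently ignored. The client ID, redirect URIs and state value are placeholders.

```python
import base64
import hashlib
import secrets
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# The v2.0 endpoint. 'common' lets both Azure AD (work/school) and personal
# Microsoft accounts sign in, provided the registration's supported account
# types include personal accounts.
V2_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def redirect_uri_matches(requested: str, registered: List[str]) -> bool:
    """Azure AD compares the redirect_uri against the registered list as a
    whole string, so a trailing slash or different path is a different URI."""
    return requested in registered


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for the authorization-code flow."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id: str, redirect_uri: str, scopes: List[str],
                        registered_redirects: List[str], state: str,
                        code_challenge: str) -> str:
    """Build the v2.0 authorization request. Refuses locally when the
    redirect_uri would not match what is registered, which is what produces
    the 'invalid_request ... redirect_uri' error at the endpoint."""
    if not redirect_uri_matches(redirect_uri, registered_redirects):
        raise ValueError("redirect_uri %r is not registered (registered: %r)"
                         % (redirect_uri, registered_redirects))
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),          # v2.0 takes Graph scopes, space separated
        "state": state,                     # binds the callback to this session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return V2_AUTHORIZE + "?" + urlencode(params)


def query_params(url: str) -> Dict[str, str]:
    """Flatten the query string of a URL into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, checking state and
    surfacing endpoint errors such as unauthorized_client."""
    q = query_params(callback_url)
    if "error" in q:
        raise PermissionError("%s: %s" % (q["error"], q.get("error_description", "")))
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or wrong session")
    return q["code"]


if __name__ == "__main__":
    # Constructed values: the client ID and URIs are placeholders, not a real app.
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(
        "00000000-0000-0000-0000-000000000000",
        "https://example.com/signin-oidc",
        ["openid", "profile", "email", "User.Read", "Contacts.Read"],
        ["https://example.com/signin-oidc"],
        state=secrets.token_urlsafe(16),
        code_challenge=challenge,
    )
    print(url)
```

If the endpoint still answers `unauthorized_client` with a URL built this way, the problem is on the registration side: the supported account types do not include personal Microsoft accounts, so the v2.0 `common` endpoint has no consumer-enabled client to find.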
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
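The resolution above hinges on restoring the soft-deleted user object rather than recreating a user with the same name, because the personal-account app registration is tied to the original object. As an added example (not the poster's code, and not the PowerShell route the earlier answer mentions), the Python below does the same through the Microsoft Graph deleted-items API: it pages through soft-deleted users, finds one by the original UPN, and restores it by object ID; the same `restore` call works for a soft-deleted application if its object ID is known. `graph_send` assumes a Graph access token with the needed directory permissions; `FakeGraph` is an offline stand-in with constructed data so the block runs without a tenant.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# A 'send' callable takes (method, url, json_body_or_None) and returns the parsed
# JSON response; graph_send builds the real one, FakeGraph below is the offline one.
Send = Callable[[str, str, Optional[Dict]], Dict]


def graph_send(access_token: str) -> Send:
    """Build a minimal Microsoft Graph caller on top of the standard library."""
    def send(method: str, url: str, body: Optional[Dict]) -> Dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def list_deleted(send: Send, kind: str) -> List[Dict]:
    """Page through the soft-deleted objects of one type ('user' or 'application').

    Azure AD keeps them for 30 days; after that they are gone for good.
    """
    url = "%s/directory/deletedItems/microsoft.graph.%s" % (GRAPH, kind)
    items = []  # type: List[Dict]
    while url:
        page = send("GET", url, None)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")   # absent on the last page
    return items


def find_deleted_user(send: Send, upn: str) -> Optional[Dict]:
    """Locate a soft-deleted user by their original UPN.

    When a user is deleted, Azure AD prefixes the userPrincipalName with the
    object ID (without hyphens), so match on the suffix rather than equality.
    """
    matches = [u for u in list_deleted(send, "user")
               if u.get("userPrincipalName", "").lower().endswith(upn.lower())]
    if len(matches) > 1:
        raise LookupError("%d deleted users match %r; refusing to guess" % (len(matches), upn))
    return matches[0] if matches else None


def restore_deleted_object(send: Send, object_id: str) -> Dict:
    """Restore a soft-deleted user or application by object ID. For a user this
    brings back the same object (and the registrations tied to it), which
    recreating the account with the same UPN does not."""
    return send("POST", "%s/directory/deletedItems/%s/restore" % (GRAPH, object_id), None)


class FakeGraph:
    """Offline stand-in for graph_send with constructed data, recording each call."""

    def __init__(self) -> None:
        self.calls = []  # type: List[str]
        first = GRAPH + "/directory/deletedItems/microsoft.graph.user"
        self.pages = {
            first: {"value": [{"id": "aaaa-1", "userPrincipalName": "aaaa1x@contoso.example"}],
                    "@odata.nextLink": first + "?$skiptoken=p2"},
            first + "?$skiptoken=p2": {"value": [
                {"id": "bbbb-2", "userPrincipalName": "bbbb2jane@contoso.example"}]},
        }

    def __call__(self, method: str, url: str, body: Optional[Dict]) -> Dict:
        self.calls.append(method + " " + url)
        if method == "POST" and url.endswith("/restore"):
            return {"id": url.rsplit("/", 2)[1]}
        return self.pages[url]


if __name__ == "__main__":
    fake = FakeGraph()
    user = find_deleted_user(fake, "jane@contoso.example")
    print(restore_deleted_object(fake, user["id"]))
```

Against a real tenant, replace `fake` with `graph_send(token)`; the 30-day window is the hard limit, so run this before the object ages out rather than after recreating the user.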
Unable to authorize multiple users for a BOT within the same organization using Azure AD authentication
Following are the steps we tried.
1. Created an office 365 organization, so as to be the admin of the Azure AD
Registered the Azure AD app through app registrations on Azure in the same Org, and then assigned the permissions to the app to read emails and calendar, by following the URL - https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=csharp%2Cbot-msgraph-auth
Then created the web app bot under azure
Then under [OAuth Connection Settings] settings of the bot added the Azure AD app details, first added as Azure AD V1.0 as per the recommendation in the URL from Microsoft
Used the standard template code of the project - BotAuthenticationMSGraph from the Github sample code repository - https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore
In the sample code, we just need to edit the appsettings.json file to add the [ConnectionName, MicrosoftAppId, MicrosoftAppPassword]
Then published the local bot code to the app service of the web app bot on Azure
Tested the Bot Auth on the [Test in Web Chat] on Azure -- It works for my Azure AD
Then enabled the Directline Channel for bot and distributed bot to other users of the same organization
The issue is here - when the other user opens the bot, they can see the emails and calendar of the admin user who has already logged in initially. So when the other user logs off and logs in through his AD credential, then only his emails and calendar data is available since then.
Issue - So, at a given point of time only one user's o365 data is visible globally on the bot chat, and not individual user's data who logs in for that session. The AD token is not per user session but instead its a universal token across for all the conversations.
When I use the Azure AD V2, I get the bad request while trying to login.
Please help. Thanks.
https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore
used the BotAuthenticationMSGraph project
Expected is, every user should be able to log in individually, and only his data should be visible on the bot conversation distinctively.
I have tested the sample code and it works fine for both Azure AD V1 and V2.
I followed Azure AD v2 to configure it. Don't forget to enter Mail.Read Mail.Send openid profile User.Read User.ReadBasic.All for Scopes. It's different from Azure AD V1. Otherwise, it will return 400 bad request while trying to login.
I didn't reproduce the first issue. Could you tell where the other user opens the bot? From "Test in Web Chat"?
Update
You need to be aware that you are dealing with two user identities:
The user’s identity in a channel.
The user’s identity in an identity provider that the bot is
interested in.
See Security considerations. When a bot asks user A in a channel to sign-in to an identity provider P, the sign-in process must assure that user A is the one that signs into P. If another user B is allowed to sign-in, then user A would have access to user B’s resource through the bot.
To enable the protection, you need to configure trusted Origins and tamper-proof user IDs.
You can refer to the sample code.
And this blog Using WebChat with Azure Bot Service’s Authentication provides more detailed information.
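The answer's two protections, trusted origins and tamper-proof user IDs, both live on the server that hands Direct Line tokens to the browser. The Python below is an added example (not the sample's code, nor the blog's) of that token-issuing endpoint's logic: it derives the channel user ID from the identity the web app has already authenticated, keyed with a server-side secret so the browser cannot pick another user's ID, rejects requests from origins that are not trusted, and sends the Direct Line generate-token request with both the user and the `trustedOrigins` list bound into the token. The secret, principals and origins are placeholders; `issue_token` is the only function that touches the network.

```python
import hashlib
import hmac
import json
import urllib.request
from typing import Dict, Iterable, List, Optional

DIRECT_LINE_GENERATE = "https://directline.botframework.com/v3/directline/tokens/generate"


def channel_user_id(server_secret: bytes, principal: str) -> str:
    """Derive the Direct Line user ID from the identity the web app has already
    authenticated (for example the Azure AD object ID in the session cookie).

    Keying it with a server-side secret means the browser cannot choose or
    guess another user's ID. Direct Line's enhanced authentication requires
    the ID to start with 'dl_'.
    """
    digest = hmac.new(server_secret, principal.encode("utf-8"), hashlib.sha256).hexdigest()
    return "dl_" + digest[:32]


def origin_is_trusted(request_origin: Optional[str], trusted_origins: Iterable[str]) -> bool:
    """Exact-match the browser's Origin header before issuing a token at all."""
    return request_origin is not None and request_origin in set(trusted_origins)


def token_request_body(server_secret: bytes, principal: str, display_name: str,
                       trusted_origins: List[str]) -> Dict:
    """Body for POST /v3/directline/tokens/generate: the token is bound to this
    user ID and can only be used from these origins."""
    return {
        "user": {"id": channel_user_id(server_secret, principal), "name": display_name},
        "trustedOrigins": list(trusted_origins),
    }


def issue_token(directline_secret: str, server_secret: bytes, principal: str,
                display_name: str, trusted_origins: List[str],
                request_origin: Optional[str]) -> Dict:
    """Server-side token issuance. The Direct Line secret never leaves the server;
    the browser only receives the short-lived, user-bound token."""
    if not origin_is_trusted(request_origin, trusted_origins):
        raise PermissionError("origin %r is not trusted" % (request_origin,))
    body = token_request_body(server_secret, principal, display_name, trusted_origins)
    req = urllib.request.Request(
        DIRECT_LINE_GENERATE,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": "Bearer " + directline_secret,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())   # {"conversationId", "token", "expires_in"}


if __name__ == "__main__":
    # Constructed values for the demonstration; the secret and principals are not real.
    secret = b"rotate-me-keep-me-out-of-source"
    alice = token_request_body(secret, "aad-oid-alice", "Alice", ["https://bot.contoso.example"])
    bob = token_request_body(secret, "aad-oid-bob", "Bob", ["https://bot.contoso.example"])
    print(alice["user"]["id"], bob["user"]["id"])
```

With the user ID fixed server-side and bound into the token, the OAuth prompt's sign-in is stored against that user and that user only, so the second person who opens the bot gets their own sign-in card instead of the admin's cached Graph token.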
As part of the Virtual Assistant deployment documentation, it asks to set the application registration to allow Accounts in any organizational directory.
However, it doesn't describe what the implications of this overlooked setting are.
For example, say we want this application to only be available to employees of a particular organization. Should we still set the app registration to Accounts in any organizational directory and then build authentication into the bot elsewhere?
What if we are required to set it to Accounts in this organizational directory only. For example, say you're deploying this for a client and their security practices don't allow us to make this change. How can we work around this?
How does this impact testing with the bot emulator? How about through the Azure Portal interface?
This was actually a discussion point that popped up last week internally. Posting answer here so the community can see sooner, before we can get official MSFT documentation out there
User's issue
User created a bot with manual app registration, and continued to get "Internal Server Error"
"We tried a number of things to get around this, and through trial and
error we found that once we changed the app registration setting for
Supported account types from “Accounts in this organizational
directory only” to “Accounts in any organization directory”, restarted
the app, and the bot started working again. I replicated this in my
sub, as well."
"Accounts in any organizational directory" Explanation
This is required so that we (in the bot framework.com) can request a token for the bot. Pulled from a related thread:
Issue
Bots failing to work from the start due to the below error:
[Error] Microsoft.BotBuilderSamples.EchoWithCounterBot: Exception caught : Microsoft.Bot.Connector.Authentication.MicrosoftAppCredentials+OAuthException: Bad Request ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.Bot.Connector.Authentication.MicrosoftAppCredentials.<RefreshTokenAsync>d__36.MoveNext()
This exception was occurring because the Bot Framework SDK was trying to make a call to the botframework.com AAD tenant to retrieve a token, and AAD was replying back with an HTTP 400 Bad Request, indicating there was an issue with the app registration credentials.
Further troubleshooting uncovered the below specific error from AAD:
Application with identifier '[appID]' was not found in the directory 'botframework.com'.
Context
An app registration has three options/scopes for what kind of accounts can use it:
Accounts in the current organizational directory (for you, that would be the xxx directory)
Accounts in any organizational directory
Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Outlook.com, Xbox, etc.)
I refer to the numbers above numerous times below.
By default, when allowing the Azure Portal to create its own app registration during Bot resource creation, it does so with option 3 above. This is true if you opt for automatic creation, or click the link during creation to manually create a registration – both of those create a registration with option 3.
For example, if creating a Web App Bot in the portal, the default option (at the bottom) is this:
You can expand that part to get this:
If you click the link to “Create App ID …” it brings you to the current App Registrations portal with a pre-populated app ID and name.
Both methods above create an app registration with the #3 scope above.
Cause
Based on discussions with the AAD team and testing I performed on Bots and registrations last week, the issue was caused by the scope of the registration being too narrow.
In your case, app registrations were configured with a #1 scope above, which limits the registration so it can be used only by xxx. Since the Bot Framework SDK needs the AAD botframework.com tenant to use that registration, it failed to retrieve a token.
Resolution
As a test, we modified the existing registration from option #1 to option #2 using the App registrations (Preview) blade in the Azure Portal (under the Azure Active Directory section). Since this option opens the registration to be used by any AAD organization, which includes botframework.com, the Bot SDK had no issues retrieving a token and started working immediately.
Going Forward
Since your organization utilizes a separate management system/application for app registrations, you’ll need to ensure that registrations created for use by Bots are created with option #2 or #3, or modified afterwards if created with #1. A Bot will not work, guaranteed, if the registration can only be used by the xxx tenant, which is option #1.
Existing registrations can be modified from the Azure Portal:
Portal -> Azure Active Directory -> App registrations (Preview) -> [choose one] -> Authentication blade
If you see this, then the registration is already scoped for #3 and should be fine:
If you see this, then ensure #2 is selected:
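The answer's explanation is that the SDK requests its token from the botframework.com tenant, so the registration's supported account types must let another tenant use it. As an added example (not the answer's code or the SDK's), the Python below makes that concrete in two ways: it maps the `signInAudience` value Microsoft Graph reports for a registration onto the three options numbered above and says whether the bot will be able to get a token, and it reproduces the SDK's own client-credentials request against the botframework.com tenant so the 400 can be diagnosed outside the bot. The app ID and password in the usage are placeholders, and the sample reply is constructed from the error text quoted in the answer.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Tuple

# signInAudience values as Microsoft Graph reports them for an app registration,
# mapped to the three portal options numbered in the answer above.
SIGN_IN_AUDIENCES = {
    "AzureADMyOrg": 1,                          # this organizational directory only
    "AzureADMultipleOrgs": 2,                   # any organizational directory
    "AzureADandPersonalMicrosoftAccount": 3,    # any org directory + personal accounts
}

# The token request the Bot Framework SDK makes on the bot's behalf: client
# credentials against the botframework.com tenant, not the bot owner's tenant.
BOT_TOKEN_ENDPOINT = "https://login.microsoftonline.com/botframework.com/oauth2/v2.0/token"
BOT_SCOPE = "https://api.botframework.com/.default"


def audience_allows_botframework(sign_in_audience: str) -> bool:
    """True when the registration can be used from the botframework.com tenant."""
    option = SIGN_IN_AUDIENCES.get(sign_in_audience)
    if option is None:
        raise ValueError("unknown signInAudience %r" % (sign_in_audience,))
    return option in (2, 3)


def bot_token_request(app_id: str, app_password: str) -> Tuple[str, bytes]:
    """Return (url, form body) for the same request the SDK's RefreshTokenAsync sends."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_password,
        "scope": BOT_SCOPE,
    })
    return BOT_TOKEN_ENDPOINT, form.encode("ascii")


def diagnose_token_response(status: int, payload: Dict) -> str:
    """Turn the endpoint's reply into the registration change to make."""
    if status == 200 and "access_token" in payload:
        return "ok"
    description = payload.get("error_description", "")
    if "was not found in the directory" in description:
        return ("single-tenant registration (option 1): set Supported account types "
                "to option 2 or 3")
    if payload.get("error") == "invalid_client":
        return "app id / password do not match the registration"
    return "unexplained %d: %s" % (status, description)


def probe_registration(app_id: str, app_password: str) -> str:
    """Reproduce the SDK's token call outside the bot and diagnose the result."""
    url, body = bot_token_request(app_id, app_password)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return diagnose_token_response(resp.status, json.loads(resp.read()))
    except urllib.error.HTTPError as err:
        return diagnose_token_response(err.code, json.loads(err.read()))


if __name__ == "__main__":
    # Constructed reply mirroring the 400 quoted in the answer; no network call here.
    reply = {"error": "unauthorized_client",
             "error_description": "Application with identifier 'xxx' was not found "
                                  "in the directory 'botframework.com'."}
    print(diagnose_token_response(400, reply))
    print(audience_allows_botframework("AzureADMyOrg"))
```

`probe_registration("<app id>", "<app password>")` run from any machine gives the same verdict the bot's log would, without deploying the bot, so a client whose policy forbids option 2 or 3 can be shown why the bot cannot work rather than told after the fact. Note that option 2 opens the registration to any Azure AD tenant, so restricting who may use the bot has to be done in the bot itself (for example with the OAuth connection described in the earlier questions), not with the registration's account-type setting.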
I'm developing an application that incorporates the Skype for Business Online Web SDK. I've noticed that it is not possible to access information about the signed in user's Skype account/profile (via Skype's mePerson object).
The only way that I see to do this now is by having yourself as a contact and accessing information about that account/profile, via the Skype person object. This doesn't seem possible to me as it isn't feasible to set a requirement upon every client using my application to have themselves added as a contact on Skype for Business.
This issue is related to the one posted here, on the GitHub Skype Web SDK Samples page: https://github.com/OfficeDev/skype-web-sdk-samples/issues/1
My question: Are there plans to add the User.ReadWrite Permissions in Azure AD for an application extending Skype for Business? Or, is there a known workaround to retrieve the signed in user's profile/account information, which includes status, activity, or avatar/avatarUrl?
I've also posted this on the Microsoft Azure forums:
https://social.msdn.microsoft.com/Forums/azure/en-US/27d6ebdc-f023-4829-96dd-eefb9e1aaeaf/userreadwrite-permissions-in-azure-ad?forum=SkypeWebSDK
However, I've had no response so I'm also posting here in hopes of anybody having any input. Thank you in advance.
As you might have noticed from the issue link in GitHub, the permissions for the information you're trying to grab have been turned on in Azure AD.
You can plug in your Azure AD settings into the Interactive Web SDK to see it in action: https://ucwa.skype.com/websdk
Before you sign in, you'll need to do the following in the Azure AD management console:
Update your app to use the permissions in the image
Change your app's reply URL to this: https://ucwa.skype.com/websdk
Make sure you turn on OAuth implicit flow by modifying your app's manifest. Steps here https://msdn.microsoft.com/en-us/library/office/mt622687%28v=office.16%29.aspx?f=255&MSPPError=-2147217396 under "Configure your app for OAuth implicit grant flow"
Paste your app's Azure client ID into the "Client id" field on https://ucwa.skype.com/websdk
After you sign in, you'll notice one of the examples in the left hand navigation will let you view the signed-in user's presence, ID, etc.
I've also created a forked version of the Web SDK samples that you can easily update with your own Azure AD settings and deploy to your localhost. You might find this more useful for playing around than the hosted Interactive Web SDK.
https://github.com/tamhinsf/skype-web-sdk-samples