How to add published scopes in Azure AD B2C - azure

Having a hard time manipulating Azure AD B2C scopes. What kind of permissions do we need to be able to do this?
Mine
The one I found on the net, where the person is editing it.

I reproduced your issue and found that it was caused by my not having added my App ID URI. Once I added it, I could add Published scopes.
The point you should pay attention to is shown in the following image:
The result: this issue has been resolved.

Related

Application select greyed out. Azure AD B2C - Identity experience framework

I was simply following this guide:
Get started with custom policies in Azure Active Directory B2C
I followed all the previous instructions without a problem. I got to "Test the custom policy", where I got stuck. When I open any of my custom policies it is the same story: Application select and Select reply URL are greyed out.
Any idea what might cause it?
Screenshot of my problem:
(image)
Please create a B2C application registration. You can refer to this doc.

Azure portal error while trying to change client app scopes

I have several client apps registered in the Azure portal. Each app has different scopes that are enabled/disabled. I used to be able to modify the scopes and save the updates for each of the register apps. Now I get the following error from the Azure portal:
Failed to update {my app} application. Error detail: Property identifierUris is invalid. [mURNc]
I also get this same error even if all I try to do is rename the client app. If I create a brand new app there are no issues. This appears to be a bug in the azure portal, but I'm looking for a workaround as I don't want to redefine all the scopes again, there are quite a few!
I've tried to rename things, change the client app ID, etc, but nothing seems to fix the issue, I get the same error. Again, this all used to work fine and now suddenly with no changes I get this issue.
The error says the identifierUris is invalid, but it isn't descriptive at all on which URI it is referring to. Any suggestions on how to correct this?
As junnas said, click try out the new experience in the Authentication tab of App registration and try again.
Also, when you see the above error, we recommend the following:
1. Edit the attributes individually in the manifest editor instead of uploading a previously downloaded manifest. Use the manifest reference table to understand the syntax and semantics of old and new attributes so that you can successfully edit the attributes you're interested in.
2. If your workflow requires you to save the manifests in your source repository for use later, we suggest rebasing the saved manifests in your repository with the one you see in the App registrations experience.
Hope this helps.

Azure AD B2C: Custom Policy - Sign In does not work

I am new to Azure B2C. I tried to implement a test app to see if we can use it in our company. I started with built-in policies and everything worked fine, but I realised that for our purposes it is not enough. So I started to implement Custom Policies using this article from MS:
https://learn.microsoft.com/en-us/Azure/active-directory-b2c/active-directory-b2c-get-started-custom
I implemented the RestApi from the article and the Sign-Up process seems to work fine (I tested it with my own test app and with https://jwt.ms).
The account is created, but I can not log in... I am 100% sure that the email and password are correct, but I get this User/Pass Incorrect error. When I switched to the built-in policy I tested at the very beginning, I could log in with the same email and password. So the problem is with my custom policy. The policy itself was created by MS (there is a link to GitHub in the article). I have changed only the Tenant and some minor things referenced in the article. Has anyone had such a problem before?
Problem has been solved.
As I wrote to Chris, I did the whole process of registering the apps and configuration one more time and it works now (with the custom REST API).
I based it on this tutorial -> https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom#register-identity-experience-framework-applications

Unable to add API access entry

I have created three B2C applications:
TestWebApp
TestApiOne
TestApiTwo
Both API applications were created the exact same way. Web API access is enabled, reply URLs have been specified, an App ID URL has been assigned, and keys have been generated. Both APIs have an additional read and write scope.
In TestWebApp API access, I am able to add TestApiOne with all three scopes without an issue.
When trying to add TestApiTwo to the TestWebApp API access list, the operation fails with the following error.
Failed to add the API access. Reason: The B2C service has an internal
error. If you created this B2C directory just now, please try again
after couple of minutes. If the problem persists, please contact
Support
(https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-support/).
If you do not have a B2C directory you can refer
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-get-started/
I thought maybe there is a limit of one API per application. To test, I created a temporary application "TempApp". I received the same error displayed above while trying to add API access for both TestApiOne and TestApiTwo.
Has anyone else experienced this issue?
There's not a limit of one API per application. I have done research and it works fine on my side.
Please have a look at the guide and check your steps.
I have tried to replicate the issues that you are facing by using different redirect reply URL domains and also by making one application native and one a normal web app, but it doesn't help.
Could you try to delete all the web apps, then make one and add another to it?
Then create the third one.
Please check this, or share some screenshots if you can. That would be helpful.
You can definitely add multiple web apps to the API access of one web app.

AADSTS50034: To sign into this application the account must be added to the <GUID> directory

The situation: getting the list of tenants of a user. When the user is logged into a directory where he is a member, the exception doesn't occur. Otherwise it does, even though this user is assigned to that directory as a Guest.
Exception: {
"error":"invalid_grant",
"error_description":"AADSTS50034: To sign into this application the account must be added to the GUID directory.\r\nTrace ID: GUID\r\nCorrelation ID: GUID\r\nTimestamp: 2017-08-03 14:32:32Z",
"error_codes":[50034],
"timestamp":"2017-08-03 14:32:32Z",
"trace_id":"GUID",
"correlation_id":"GUID"
}
Stack shows on AcquireTokenSilentAsync.
If you were not developing a multi-tenant app, to get the token from Azure AD the user sign-in should be in that tenant.
And if you were developing a multi-tenant app, we should replace the tenant with common in the authorization/token request (refer to this link).
Update
Okay, so I was really curious with what was wrong - and it was actually a mistake I made in the sample (I didn't even notice from the Fiddler logs, what a shame). The issue was that I have been using the common endpoint everywhere for the token cache and obtaining new tokens. This seems to work for Microsoft Account but not for B2B users. I have updated the code sample to include the fixes for the authority URL to always take in the tenant's id instead of the common namespace - which really shouldn't be used anyways. More on that on Vittorio's blog.
try to use User Principal Name instead of email
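The update above says the fix was to stop using the `common` authority for the token cache and token requests and to pin the authority to the tenant the guest user signs into. As an added example that is not part of the original thread, the Python below parses a token-endpoint error body of the shape quoted in the question, extracts the AADSTS code, and decides whether the authority should be changed. The error body is a constructed sample modelled on the one in the post (GUID placeholders kept), the tenant id in the test is made up, and `corrected_authority` and its helpers are hypothetical names, not part of any Microsoft library.

```python
import json
import re
from urllib.parse import urlparse

LOGIN_HOST = "login.microsoftonline.com"
AADSTS_RE = re.compile(r"AADSTS(\d{5})")

# Constructed sample, modelled on the error body quoted in the question above.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS50034: To sign into this application the account must be added "
        "to the GUID directory.\r\nTrace ID: GUID\r\nCorrelation ID: GUID\r\n"
        "Timestamp: 2017-08-03 14:32:32Z"
    ),
    "error_codes": [50034],
    "timestamp": "2017-08-03 14:32:32Z",
    "trace_id": "GUID",
    "correlation_id": "GUID",
})


def parse_aadsts_error(body: str) -> dict:
    """Return the OAuth error, AADSTS codes and correlation ids from a token-endpoint error body.

    Falls back to scanning error_description when error_codes is missing, so the
    same parser works on bodies that only carry the textual AADSTSnnnnn prefix.
    """
    data = json.loads(body)
    codes = list(data.get("error_codes") or [])
    if not codes:
        codes = [int(c) for c in AADSTS_RE.findall(data.get("error_description", ""))]
    return {
        "error": data.get("error"),
        "codes": codes,
        "trace_id": data.get("trace_id"),
        "correlation_id": data.get("correlation_id"),
    }


def tenant_from_authority(authority: str) -> str:
    """Extract the tenant segment ('common' or a tenant id / domain) from an authority URL."""
    path = urlparse(authority).path.strip("/")
    return path.split("/")[0] if path else ""


def corrected_authority(authority: str, error_body: str, home_tenant_id: str) -> tuple[str, str]:
    """Decide how to react to a failed token request.

    authority      - the authority URL the failing request was made against
    error_body     - the JSON error body returned by the token endpoint
    home_tenant_id - the tenant the user is actually trying to sign into
    Returns (authority_to_use, reason).
    """
    parsed = parse_aadsts_error(error_body)
    tenant = tenant_from_authority(authority)
    if 50034 not in parsed["codes"]:
        return authority, "not AADSTS50034; authority unchanged"
    if tenant == "common":
        # The post's fix: a B2B guest must be authenticated against the tenant
        # that holds the guest object, not the common endpoint.
        return (
            f"https://{LOGIN_HOST}/{home_tenant_id}",
            "AADSTS50034 on the common endpoint: pin the authority to the tenant the guest signs into",
        )
    # Already tenant-specific: the URL is right, the account is simply not in that directory.
    return (
        authority,
        "AADSTS50034 with a tenant-specific authority: add the account to that directory instead of changing the URL",
    )


if __name__ == "__main__":
    used = f"https://{LOGIN_HOST}/common"
    new_authority, why = corrected_authority(used, SAMPLE_ERROR_BODY, "TENANT-ID-PLACEHOLDER")
    print(new_authority)
    print(why)
```

The correlation and trace ids are kept in the parsed result because they are what Microsoft support asks for when the tenant-specific authority still fails.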