We have multiple Azure accounts for our various environments. I'm able to create schema extensions on the accounts we use for preproduction and development but for our production Azure account I'm unable to create schema extension even though setups are exactly identical.
Like our other accounts I use OAuth 2.0 token of a global admin and make HTTP POST to https://graph.windows.net/ourinstance.onmicrosoft.com/applications/ourmultitenantappId/extensionProperties?api-version=1.6 with the payload:
{
"name": "SA",
"dataType": "String",
"targetObjects": [
"User"
]
}
Graph API returns with HTTP 403 Forbidden with Authorization_RequestDenied error message.
I have definitely verified user account I'm using has global admin access role, I have created multiple global admin user accounts in old Azure portal and the new Azure portal, I have compared all user and multitenant app settings between the production Azure account and preproduction Azure account and have compared the manifests as well but to no avail.
I have done all these checked for at least 5 times. I'm at a loss why I keep getting Authorization_RequestDenied error message.
Anything I could have possibly missed?
As far As I know, there are two kinds of 403 error.
First one is like that Insufficient privileges to complete the operation. For this issue, please ensure the app has Directory.ReadWrite.All permission.
And the second one error is like The size of the object has exceeded its limit. Please reduce the number of values and retry your request. This error occur when if an application tries to set a value for an additional extension property on an object for which 100 extension property values have already been set. At present, there is no work around for this issue please check whether there are schema extensions which is not used and unregistered the extension.
Got the problem resolved through Microsoft Support.
Turns out OAuth token didn't have necessary permissions despite the fact I have added permissions needed in UI. I had to explicitly grant admin consent to the application using https://login.microsoftonline.com/{tenant-id}/oauth2/authorize?client_id={client-id}&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2F&response_mode=query&resource=https%3A%2F%2Fgraph.windows.net%2F&state=12345&prompt=admin_consent
Related
Afternoon all
Trying to get a logic app to run a query on a log analytics workspace and email the results on a weekly basis. Created a service principal, and have given it Reader access at Subscriptions level and I'm allowed to create the connection, but when I try to populate the drop down in Designer, it's throwing with an error:
Could not retrieve values. Error executing the api '/listSubscriptions'. Client request id: 'undefined'
As seen here: https://imgur.com/a/CDp1g6L
I was following this guide, and it's failing to populate those list boxes:
https://thomasthornton.cloud/2020/11/09/log-analytics-queries-to-csv-emailed-using-azure-logic-apps
Tried temporarily giving it permissions as subscription Owner, same deal. Also the same error with the logic app's own System Managed Identity. Got it to work in a different subscription by using my global admin ID, but I don't want to do that as it's of course dependent on that account and it's way too privileged.
I also tried editing in the correct values in code view, just in case it was only some enumeration error, but the test run fails with:
"Message": "Failed to get valid request parameters. Authorization Error
In my other subscription, I also tried giving the account permissions at the root Tenant level, in case it was purely unable to evaluate all subscriptions, but no joy, same error when using Managed Identities or Service Principals.
I'm at a loss. Any ideas?
I'm trying to make a query to Application Insights using the Azure API format to retrieve data on multiple applications. I can successfully make queries for any application without a join.
I have previously done this using the Public API format, following the documentation for making "cross-application queries" successfully. Under the Azure API schema, however, once I add a second application to a query - either using the implicit or explicit mechanisms described in the documentation - I get an error of type InsufficientAccessError with the message: "The provided credentials have insufficient access to perform the requested operation".
If there are sufficient permissions to access either table individually, I would expect there to be sufficient to do a join. Is there a separate permission required to make these queries, or is it an issue with the API itself?
For reference, the Azure AD application has delegated permissions for:
user_impersonation
Directory.Read.All
Group.Read.All
User.Read
User.ReadBasic.All
User.ReadWrite
The user which is making the requests has the Owner role on all relevant applications.
And the final request has a JSON body (with the blanks filled in):
{
"query": "requests \n| summarize avgRequestDuration=avg(duration) by bin(timestamp, 1h)",
"applications": [
"/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/microsoft.operationalinsights/components/<applicationName>"
],
"timespan": "P1D"
}
Edit: I've tried this query using different forms of the resource identifiers as mentioned in the documentation, including the recommended "/providers/microsoft.operationalinsights/applications/" and "/providers/microsoft.operationalinsights/components/".
Based on a couple of things I've discovered, I believe it is impossible to do a cross-resource query in the Azure API URL format.
All experimentation with adding different roles to users and experimenting with permissions failed to find anything that worked.
The Go SDK uses the Azure API URL format and does not allow cross-resource queries, the .NET SDK uses the Public API URL format and does allow cross-resource queries, indicating that the feature set is different for the two APIs.
I would be happy to be proven wrong or to have this proven correct with a better reference.
First of all, I am no developer. I manage an Office 365 server for my company and I would like to do some heavy reporting using excel.
I have learned of Microsoft Graph and how I could get my data with it.
I created an app in Azure Active Directory, and I tried to set it up.
I added authorizations for Microsoft Graph, including Read All users full profile.
I add one Read directory data permission for Windows Azure Active Directory too.
I clicked on the Grant Permission button.
In the manifest, I changed those parameters to true :
oauth2AllowImplicitFlow
oauth2AllowUrlPathMatching
Now from Excel (2016), I am trying to add a new OData Source, and tried
https://graph.microsoft.com/v1.0/users
I entered my credentials (as Global administrator) using the Professionnal Account tab, and unfortunately, I only get Resource Access Denied (Sorry if the message is not accurate, I get it in another language).
Could anyone give me a hand in telling me what I have missed, please ?
Thank you in advance.
I had similar issue and found that the problem might be that incorrect flow is being used to authenticate.
Warning: once you change your permission and grant them it may take up to 30 mins for the permission to be granted.
First of all, please check your access token (you can decode it easily using https://jwt.io. As a result you should receive this part in your decoded payload:
"roles": [
"User.Read.All"
],
If you don't see it it means that permission is not granted properly. As you wrote that you enter the credentials I assume that you use authorization code grant flow.
To resolve this you you can first check whether you granted application permission or delegated permission to your app. You can look at this page to see the difference. If you want to use application permission you can use client credential flow. If you want to use delegated permission you can use authorization code grant flow.
In application settings > Required permissions you can check which permissions you granted and correct it, if needed:
If you are using authorization code flow you can also add delegated permission to your app and check if new access code contains required role (keep in mind that some permissions might be available only in one of the categories - however, Users.Read.All is available in both).
Source
I am trying out the Azure AD-B2C. The user signup/sign in is fine when the MFA is turned off. But when I turn it on, and the user tries to sign in and provides the phone number, and requests a text message by clicking "send code", I get the Http 400 error: size of request headers is too long. Anybody else have this issue?
The error HTTP 400: Size of header request is too long generally happens because there's too many cookies.
Azure AD B2C's login goes through login.microsoftonline.com, as does almost every Microsoft service (O365, Azure, etc). So if you've got several accounts that you've signed in to across these services, you're accumulating cookies that will cause this problem.
Clearing the cookies should resolve this problem. If this is happening on a recurring basis, you should edit your question to include details about the request and cookies in order to best figure out what's bloating the request and how to reduce it.
Short answer: The file with the custom UI was not found by Microsoft login service. After getting shipped around it resulted in the error.
I had the same error with AAD B2C but "cookies" was not the problem. In my case I got the error while testing in the Azure B2C portal checking the policies and the custom UI pages. We use Azure Blob storage to hold custom login setup, its fast and it scales without our attention. The problem was found by using my test website using the B2C service. I put a stop/break on the Account controller's "public Task OnRemoteFailure(RemoteFailureContext context)" method. The debugger message gave me the full context of the error, an http 404 error and it gave the file name it was trying to find. Blob storage is case sensitive. The setup configuration used to configure B2C has camelCase names. The group who created the actual UI customization uses all lower case names. It took someone with access to all the assets to find the simple case name issue. Errors in distributed systems can be difficult.
Recently I no longer been able to generate application keys in WAAD...(or to be more specific I can generate the key but I never get to see the value)
and after save I receive unauthorized access error...
I am a directory co-administrator - The key does appear to save, as after a page refresh there is an extra entry into the keys table. Currently only the directory full administrator can see the value but now no-longer co-admins.
The above issues also happens when making modifications to "permissions to other applications", azure reports unauthorized but the changes I make are again committed.
I have ruled out different browsers, have tired IE, and Chrome.
Help much appreciated.
co administrator is a subscription role not an Azure AD role.
In order to perform this you should have admin privileges in the Azure AD on which you're trying to create the keys.
What is the Azure AD role you're currently in ?
The issue was...
"Users may give applications permission to access their data" was set to "No"
Changing this back to "Yes" then allowed me to generate and see the key values.