Azure Active Directory - Access Denied in New Portal - azure

Using the old Azure portal, I am able to navigate to Azure Active Directory. But with the new portal 'Portal.Azure.com', I am seeing an 'Access Denied' error message.
This is the exact message I am seeing in the portal:
"Access denied.
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner."

If you use an external account to access Azure AD, such as an MSA account (e.g. outlook.com, hotmail.com) or an account from another Azure AD tenant, you may experience this error message.
There are two methods to resolve this issue.
Method 1
Log in to the new Azure Portal using an account with Global Administrator permission for Azure AD. Navigate to the Azure Active Directory extension; from the User settings tab, toggle the setting 'Guest users permissions are limited' to No.
Method 2
Log in to the new Azure Portal using an account with Global Administrator permission for Azure AD. Navigate to the Azure Active Directory extension; from the Users and Groups tab, search for the external account, and change the Directory Role to Global Administrator.

In my case the solution was different.
The clock on my machine got de-synchronized (lagging 13 hours behind), and when my browser was encrypting a security token to request a sensitive page at the Azure Portal, this token was rejected by the server and I received the "Access denied" error page.
It seems like "time.windows.com" was providing a wrong world time to my computer (yes, it is insane). I changed it to "time.nist.gov" via Control Panel / Date and Time / Internet Time / Change Settings. It immediately updated my computer with the correct time.
Then I signed out and signed in to the Azure Portal and it started working just fine.
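The mechanism behind this answer, as an added illustration (not the poster's code and not how the Azure portal is implemented): a relying party validates a token's `iat`/`nbf`/`exp` claims against its own clock with a small tolerance, so a client clock 13 hours off makes a one-hour token look long expired or not yet valid, while a few minutes of drift are tolerated. The skew tolerance and scenario timestamps are assumed values.

```python
from datetime import datetime, timedelta, timezone

# Added example: time-claim validation with skew tolerance. Constructed
# values only; nothing here is Azure's actual implementation.
ALLOWED_SKEW = timedelta(minutes=5)   # assumed tolerance applied by the validator
TOKEN_LIFETIME = timedelta(hours=1)

def issue_time_claims(client_now, lifetime=TOKEN_LIFETIME):
    """Time claims (epoch seconds) as stamped by a clock that reads client_now."""
    iat = int(client_now.timestamp())
    return {"iat": iat, "nbf": iat, "exp": iat + int(lifetime.total_seconds())}

def check_time_claims(claims, server_now, skew=ALLOWED_SKEW):
    """Validate exp/nbf/iat the way a relying party does; returns (ok, reason)."""
    now = int(server_now.timestamp())
    tol = int(skew.total_seconds())
    if "exp" not in claims:
        return False, "missing exp"
    if claims["exp"] + tol < now:          # already past expiry, beyond tolerance
        return False, "token expired"
    if claims.get("nbf", now) - tol > now: # not-before lies in the server's future
        return False, "token not yet valid"
    if claims.get("iat", now) - tol > now: # issued-at lies in the server's future
        return False, "token issued in the future"
    return True, "ok"

def clock_offset_hours(claims, server_now):
    """Estimate how far the issuing clock was from the server clock, in hours."""
    return (claims["iat"] - int(server_now.timestamp())) / 3600

# Constructed scenario: a fixed server clock and client clocks skewed by various amounts.
SERVER_NOW = datetime(2020, 6, 25, 14, 44, 18, tzinfo=timezone.utc)
CLIENT_13H_BEHIND = SERVER_NOW - timedelta(hours=13)

def run_scenarios():
    """Map each client-clock offset to the validator's verdict."""
    offsets = {"13h_behind": timedelta(hours=-13), "3min_behind": timedelta(minutes=-3),
               "3min_ahead": timedelta(minutes=3), "13h_ahead": timedelta(hours=13)}
    return {label: check_time_claims(issue_time_claims(SERVER_NOW + off), SERVER_NOW)
            for label, off in offsets.items()}

if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:>12}: {verdict}")
```

Logging the estimated offset from `clock_offset_hours` on rejected tokens is a cheap way to tell clock-skew failures apart from genuine authorization problems.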

As for me, it was to activate a subscription (adding a bank card).
Then I could access the services on my new Azure account.

Related

Why can't my User login to the azure portal?

Background: I am trying to set up my Azure infrastructure to deploy my new web app. I am working with an external contractor cloud engineer and I only want her to be able to set up my cloud infrastructure.
Steps: I have 1 Subscription and 1 Resource Group. I have created a User in my organisation (so not a guest) in Azure AD; I will share these details with her.
I have put this new User inside a User Group and I have permissioned the User Group (as a Contributor) against my Resource Group. I have shared the username and password with her.
Problem: When she logs on to portal.azure.com she gets the message "Your sign-in was successful, but you don't have permission to access this resource."
Clearly I am missing something? I thought this was straightforward... alas.
TIA.
Sometimes this may happen due to internal policy; make sure to recheck the policies once again.
After this, if you create a personal login separately, it will work out.
Here is the reference for "Your sign-in was successful but you don't have permission to access this resource" for the same issue above.
If the user is a guest user, then the administrator of the guest tenant will delete your account from their tenant.
Here is the reference given by #Amanpreet Singh.
Common steps to be followed are below:
After logging in to the Azure portal as an Admin,
Go to Azure Active Directory.
Select All services, then Azure AD Conditional Access.
Here you can select the restriction policy and/or make sure to recheck the Assignments from the Users & Groups of the various permissions for your given user.
VPN....
I switched off my VPN and it then worked just fine. No idea why, but it works and I can now log straight in to the portal.

How do I add an initial User to a new Tenant in the Azure Portal?

I am trying to set up a new Web Application in Visual Studio using Microsoft authentication.
I have created a new Tenant in portal.azure.com. My issue is, every page I visit in the Azure Portal, including my profile, I receive a 403 error.
The only function I am able to perform is creating a new App Registration.
When I try to authenticate in the Web Application, I receive the error "Selected user account does not exist in tenant".
I am confused about how to add the account that created the Tenant to it without the required permissions.
Does anybody know how I can go about resolving this issue?
TIA.
The error means that the logged-in email address you are trying to link is not yet added to your new tenant. Please make sure that the work email address is added in that tenant, if it is not the admin.
If you have added the account to the tenant or you are the admin yourself, please refresh and try again.
Sign out and clear all cookies.
Try using a Microsoft Edge "InPrivate"/Incognito browser, check that you are signing into the correct tenant, then switch the tenant and try to access the app.
If you have the same account matching your personal account, try to change it and add it as a Microsoft account.
Try to log in with the common endpoint https://login.microsoftonline.com/common if it is a personal account and the app is multi-tenant.
If the above doesn't solve the issue, see this document, which lists several causes, to find yours.
References:
azure active directory - Selected user account does not exist in tenant 'UserVoice, Inc.' - Stack Overflow
azure - Microsoft Graph Identity Java - Selected user account does not exist in tenant 'Microsoft Services' - Stack Overflow

Lost access to application when user was deleted

We deleted an "unused" user in our Azure AD, deleting both the MS account and removing him from the AD. Now, a few days into the 60-day deletion process (of the MS account), we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is nowhere to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue, but the user is a global admin again:
Additional information from the call to get a token: Extension:
Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020:
User account '{EmailHidden}' from identity provider 'live.com' does
not exist in tenant 'Default Directory' and cannot access the
application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account
needs to be added as an external user in the tenant first. Sign out
and sign in again with a different Azure Active Directory user
account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25
14:44:18Z
We've also tried logging in with multiple other global admins, but no one can access that page or find the application using the id it has. Is there something to be done, maybe using PowerShell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made in the Azure portal app registration:
In the new experience, if your personal Microsoft account is also in
an Azure AD tenant, you will see three tabs--all applications in the
tenant, owned applications in the tenant as well as applications from
your personal account. So, if you believe that apps registered with
your personal Microsoft account are missing, check the Applications
from your personal account tab.
When you sign in using personal Microsoft accounts(e.g. Outlook, Live,
Xbox, etc.) with an Azure AD email address, we found out that when you
go to the Azure portal from the old experience, it signs you into a
different account with the same email in your Azure AD tenant. If you
still believe your applications are missing, sign out and sign in with
the right account.
The new app list shows applications that were registered through the
legacy app registrations experience in the Azure portal (apps that
sign in Azure AD accounts only) as well as apps registered through the
Application registration portal (apps that sign in both Azure AD and
personal Microsoft accounts).
If you know the application ID, you can restore it using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document.
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
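The fix the asker landed on, restoring the soft-deleted user rather than re-creating it, as an added example (not the poster's code and not Microsoft's): the Microsoft Graph deleted-items API lists soft-deleted users and restores one by object id, and the helper below first checks that the 30-day window the answer mentions has not already closed. The sample listing is constructed, the tenant and ids are placeholders, and a bearer token with a directory write permission such as User.ReadWrite.All is assumed.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Added example: restore a soft-deleted Azure AD user via Microsoft Graph so that
# objects tied to its original object id come back with it. Constructed data only.
GRAPH = "https://graph.microsoft.com/v1.0"
RESTORE_WINDOW = timedelta(days=30)  # soft-deleted users are purged after 30 days

def find_deleted_user(deleted_items, upn, now):
    """Locate a soft-deleted user by UPN and report whether it is still restorable.

    Graph may prefix the UPN of a soft-deleted user with its object id, so the
    match is on the trailing part of the string rather than an exact comparison.
    """
    for item in deleted_items:
        if item.get("userPrincipalName", "").lower().endswith(upn.lower()):
            deleted_at = datetime.fromisoformat(item["deletedDateTime"].replace("Z", "+00:00"))
            days_left = (deleted_at + RESTORE_WINDOW - now).days
            return {"id": item["id"], "days_left": days_left, "restorable": days_left >= 0}
    return None

def restore_url(object_id):
    return f"{GRAPH}/directory/deletedItems/{object_id}/restore"

def graph_call(token, method, url):
    """Minimal Graph request; returns the decoded JSON body ({} when empty)."""
    data = b"" if method == "POST" else None  # restore takes an empty POST body
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:  # network call, not exercised offline
        raw = resp.read()
        return json.loads(raw) if raw else {}

def restore_deleted_user(token, upn):
    """List soft-deleted users, check the restore window, then POST the restore."""
    listing = graph_call(token, "GET", f"{GRAPH}/directory/deletedItems/microsoft.graph.user")
    hit = find_deleted_user(listing.get("value", []), upn, datetime.now(timezone.utc))
    if hit is None:
        raise LookupError(f"no soft-deleted user matching {upn}")
    if not hit["restorable"]:
        raise RuntimeError("30-day restore window has passed; the object is gone")
    return graph_call(token, "POST", restore_url(hit["id"]))

# Constructed sample listing (placeholder ids and tenant, not a real directory).
SAMPLE_DELETED = [
    {"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "bob@contoso.example",
     "deletedDateTime": "2020-05-15T09:00:00Z"},
    {"id": "22222222-2222-2222-2222-222222222222", "deletedDateTime": "2020-06-20T09:00:00Z",
     "userPrincipalName": "22222222222222222222222222222222alice@contoso.example"},
]
SAMPLE_NOW = datetime(2020, 6, 25, 14, 44, 18, tzinfo=timezone.utc)
```

Run `find_deleted_user(SAMPLE_DELETED, "bob@contoso.example", SAMPLE_NOW)` to see the past-window case; a user re-created by hand instead gets a fresh object id, which is why the app did not reappear.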

Authorization_RequestDenied Message when creating BOTs

I am creating a bot based on the instructions at this link, but I am getting the Authorization_RequestDenied message when submitting.
Insufficient privileges to complete the operation.
Please check that your account has sufficient access to the Microsoft App
Registration Portal link below.
Open App Registration Portal
I am able to access the registration portal link.
Note that I am using a free account.
From the troubleshooting page: https://learn.microsoft.com/en-us/bot-framework/bot-service-troubleshoot-general-problems#why-do-i-get-an-authorizationrequestdenied-exception-when-creating-a-bot
Why do I get an Authorization_RequestDenied exception when creating a bot?
Permission to create Azure Bot Service bots is managed through the Azure Active Directory (AAD) portal. If permissions are not properly configured in the AAD portal, users will get the Authorization_RequestDenied exception when trying to create a bot service.
First check whether you are a "Guest" of the directory:
Sign in to the Azure portal.
Click All services and search for active.
Select Azure Active Directory.
Click Users.
Find the user from the list and ensure that the User Type is not a Guest.
Azure Active Directory User-type
Once you have verified that you are not a Guest, then to ensure that users within an active directory can create bot services, the directory administrator needs to configure the following settings:
Sign in to the AAD portal.
Go to Users and groups and select User settings.
Under App registration section, set Users can register applications to Yes. This allows users in your directory to create bot service.
Under the External users section, set Guest users permissions are limited to No. This allows guest users in your directory to create bot service.
Azure Active Directory Admin Center

Assigning permissions to Azure AD B2C application in Portal fails with "Data validation error"

I have created a video to show you exactly what's happening: http://sendvid.com/urqpzeg2
I'm simply trying to give my application privileges to read directory data, and it fails with the following error:
Failed to add application Windows Azure Active Directory's
permissions. Error detail: Unable to complete the request due to data
validation error.
I created the app via the Portal, and then added it to the Company Administrator role via PowerShell. I couldn't assign permissions before or after giving the app the Company Administrator role.
I'm logged in as the Directory owner.
Anyone have any ideas?
I could also reproduce this issue. Based on the video, it seems you want to grant the app permission to the B2C application. As a workaround, we can register a new normal application for the B2C tenant on the old Azure portal, as in the figure below:
Then we can use this app to call the Azure AD Graph REST API, and you can also see the required permission already set in the new portal, as in the figure below:
And for the original issue, I am also trying to report it internally.