Azure multi-tenant application token issuing error - azure

I am trying to create a multi-tenant openidconnect based application using instructions from azure-sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
AADSTS50000: There was an error issuing a token.
AADSTS65005: The application needs access to a service that your organization EXTERNALTENANT has not subscribed to.
Please contact your Administrator to review the configuration of your service subscriptions.
I am the admin, where should I update the configuration for this?
Is it possible to avoid this error with a consent prompt? Are there any other options?

The error message indicates that the tenant which the account you were trying to log in with belongs to has no subscription for the resource/permission you have configured on the Azure portal.
For example, if you register an application which requests Office 365 SharePoint Online like the figure below, then others who try to sign in to the application without a subscription to Office 365 would get the error message above.
To fix this issue, please ensure the customers have the sufficient subscription for the permission you have granted to the application.

Related

Logic app connection error with Microsoft Teams

I have code which sends resource health alerts to Microsoft Teams from Azure using a Logic app. Here I'm not able to authenticate Teams in the Logic app.
Please check your account info and/or permissions and try again. Details: Requested API is not supported. Please check the path. More diagnostic information: x-ms-client-request-id is '91A7CF58-4784-4107-8E48-FFE2DB45DC37'.
Below is the screenshot of the error I'm facing.
Looks like what you are using is a guest account.
I tried using a guest account and even enabling guest to send messages, I get the same error:
I don't think the connector manages to resolve the Teams organisation when you use a guest account.
Once I use an account from the same Teams domain it works:
It may be a better idea to try a managed identity: https://learn.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity?tabs=consumption
or ask your sysadmin to create a service account on the same Teams Azure AD.

Azure AD error while parsing OAuth2 callback: invalid_client

I have an application registered in Azure AD using https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
When trying to log in to my app to connect to Microsoft Login, I am getting an invalid client error. In the logs I saw the following error.
error=invalid_client&error_description="AADSTS650052 The app needs access to a service (https://aks-aad-server.azure.com) that your organization xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions"
Note: I have a Microsoft Office 365 standard subscription plan.
AADSTS650052 The app needs access to a service (https://aks-aad-server.azure.com) that your organization xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions
To resolve the above error, please check the below workarounds:
While registering the application in Azure AD, check the supported account type you have selected. If you selected "single tenant" you can't log in to your application from a different tenant. To access your application from a different tenant, update the supported account type to "multi-tenant". To know how to do that in detail, refer to this link:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant
After registering the application, navigate to Expose an API, set the App ID URI and add the required scopes such as read, user impersonation etc.
Add the Client ID of your application to the knownClientApplications parameter in the Manifest.
Your admin needs to accept the consent prompt to access this application; use the below URL, updating the client_id parameter with your application's client ID:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code
When your admin has granted those permissions, you can log in to your application successfully.
Reference:
https://learn.microsoft.com/en-us/answers/questions/28697/invalid-client-aadsts650052-the-app-needs-access-t.html
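An added example (not code from the original posts or from the Azure sample): it builds the prompt=admin_consent authorization URL from the answer above, adding a redirect_uri and a state value so the callback can be tied back to the request, and triages the AADSTS code in an error redirect such as the invalid_client log line in the question. The client ID, redirect URI and state are constructed placeholders, and the hint table covers only the AADSTS codes quoted on this page.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# v1 authorize endpoint for the "common" (multi-tenant) tenant used in the answers.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/authorize"

# Remediation hints keyed by AADSTS code, taken from the answers on this page.
AADSTS_HINTS = {
    "50000": "token issuance failed; check the resources the app requests",
    "65005": "signing-in tenant has no subscription for a requested resource",
    "650052": "signing-in tenant has not subscribed to or enabled a requested service",
    "700016": "app is not registered or consented in the tenant the request went to",
    "90093": "signed-in user cannot consent; an admin of that tenant must consent",
}

def build_admin_consent_url(client_id, redirect_uri, state=None):
    """prompt=admin_consent URL from the answer above, plus redirect_uri and a
    random state (generated if not supplied) so the callback can be matched
    to the request that started it."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "prompt": "admin_consent",
              "state": state or secrets.token_urlsafe(16)}
    return AUTHORIZE_URL + "?" + urlencode(params)

def triage_callback(callback_url, expected_state=None):
    """Parse the redirect Azure AD sent back. Returns None when it carries no
    error; otherwise the OAuth2 error, the AADSTS code in error_description
    and the hint from this page (None if unmapped). Raises ValueError when the
    echoed state does not match expected_state."""
    qs = parse_qs(urlsplit(callback_url).query)
    if expected_state is not None and qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    if "error" not in qs:
        return None
    description = qs.get("error_description", [""])[0].strip('"')
    match = re.search(r"AADSTS(\d+)", description)
    code = match.group(1) if match else None
    return {"error": qs["error"][0], "code": code, "hint": AADSTS_HINTS.get(code)}

# Constructed sample callback, modelled on the invalid_client log line quoted above.
SAMPLE_CALLBACK = "http://localhost:8080/?" + urlencode({
    "error": "invalid_client",
    "error_description": "AADSTS650052 The app needs access to a service "
                         "(https://aks-aad-server.azure.com) that your organization "
                         "has not subscribed to or enabled.",
    "state": "constructed-state",
})
```

Calling `triage_callback(SAMPLE_CALLBACK, expected_state="constructed-state")` returns the 650052 code with its hint; a callback whose state differs from the one you issued is rejected before its error is interpreted.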
Found the wrong scope in the oauth2-proxy configuration, which was sending an incorrect request to Azure; after updating the scope to the correct one the issue is resolved.

How to add Azure AD Application using application identifier

I am having difficulty logging in to a Microsoft site using my Azure AD (Work) account.
After successfully authenticating, I get the error:
AADSTS700016: Application with identifier '3075c070-b4d6-4bba-88c3-bcc51c74a2f4' was not found in the directory '{my-directory}'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
I have gone into my Azure AD tenant and searched for an application with that Id so I can add it, but it returns no results.
I am able to authenticate if I use an account that has a Microsoft Account, however, when I get to the Microsoft page, I get an error saying I need to log in using the same email account that the account was registered under.
Unfortunately, the work account I need to use does not have an associated Microsoft Account.
I think a solution to this would be to add the Application into my tenant, but not sure how to find the application with ID only.
I am afraid that you cannot add the application into your tenant manually. When you successfully log in to this application, this application will exist in your tenant under Enterprise applications.
But it seems that this application only allows Microsoft account to login.

How do I register an app in client's active directory using my multi tenant app in microsoft azure?

I have registered a multi-tenant app in my Azure subscription. Using this app, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his Active Directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error.
Unfortunately, you cannot use a guest user to log in to Azure AD Graph Explorer for now.
I came across the same issue as yours a long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice Page and the Azure Team will see it. I will also upvote it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory whose UPN ends with .onmicrosoft.com
Solution 2: Try to use other tools to get an access token with a guest user (this account also needs to be an admin of that directory), such as Postman. Then you can use Postman to call the Azure AD Graph API. You can refer to this blog to use the Azure AD Graph API with Postman.
Hope this helps!

AADSTS90093:Calling principal cannot consent due to lack of permissions in Azure Active directory

We have a requirement to integrate the web application with Azure Active Directory multi-tenant authentication. We have changed the endpoint URL to "https://login.microsoftonline.com/common". We tried to log in to our application with our work email id. We got the following error.
Additional technical information:
Correlation ID: 72ec287c-XXXX-XXXX-XXXX-4bf49d167541
Timestamp: 2017-04-07 09:48:57Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.
We have found that we missed some permissions for our application in AD. Could anyone please help us with what kind of permissions need to be provided?
Thanks in advance.
The error is saying that the user who is logging in cannot give consent for the app. When you log in from a tenant where the app is not yet consented, you must be an AAD admin.
This error indicates that the users are not able to give consent to the app.
There are two permission levels in Azure AD development: one requires the administrator's consent and the other doesn't.
If the app you were using was developed by your organization, you also can grant the permission via the Azure portal when it is registered, like the figure below:
If the app was developed by another organization, please ensure the app also provides a way (maybe a separate button) to grant the consent for the organization. Then you can notify the administrator to grant the permission for the whole organization. For more detail about admin consent, you can refer to this document.
