Develop Reference

What is causing the error "Device Certificate was not found for Cert Authorities" in an Azure AD Application?

I have a multi-tenant Azure AD application. It has been running fine for over a year. Let's say that the App is published by the "corp" Azure AD tenant. If I log into the app with an account from the "corp" tenant, the application works as expected. However, if I access the application with an account from a different tenant, I get an error saying
"Device Certificate was not found for Cert
Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net"
I found this article that looks very similar to the problem I am seeing. We recently enabled Conditional Access in the "corp" Azure AD tenant, but not specifically for this application. I tried updating ADAL to version 3.19.2 but the error persists.
The application does work in my dev environment with a test Azure AD. I think there is some sort of issue going on between ADAL on the Conditional Access Policy of my Corp AAD tenant. However, since there is no CA policy for this app in particular, I am not even sure why it would try to access a device cert to verify if the device was registered in AAD.
Error Details
Description:
An unhandled exception occurred during the execution of the current
web request. Please review the stack trace for more information about
the error and where it originated in the code.
Exception Details:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: Device
Certificate was not found for Cert
Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net
Full Stack Trace:
[AdalException: Device Certificate was not found for Cert Authorities:OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97,CN=MS-Organization-Access,DC=windows,DC=net]
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.DeviceAuthHelper.FindCertificateByCertAuthorities(IDictionary`2 challengeData, X509Certificate2Collection certCollection) +710
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.DeviceAuthHelper.FindCertificate(IDictionary`2 challengeData) +138
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.<CreateDeviceAuthChallengeResponseAsync>d__2.MoveNext() +144
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<HandleDeviceAuthChallengeAsync>d__25`1.MoveNext() +479
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<GetResponseAsync>d__22`1.MoveNext() +3220
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.<GetResponseAsync>d__21`1.MoveNext() +359
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<SendHttpMessageAsync>d__72.MoveNext() +401
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<SendTokenRequestAsync>d__69.MoveNext() +415
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<CheckAndAcquireTokenUsingBrokerAsync>d__59.MoveNext() +605
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.<RunAsync>d__57.MoveNext() +4005
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.<AcquireTokenCommonAsync>d__37.MoveNext() +451
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +68
Microsoft.IdentityModel.Clients.ActiveDirectory.<AcquireTokenAsync>d__0.MoveNext() +313
[AggregateException: One or more errors occurred.]
System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) +116
AvanadeExternalAccess.Utils.AzureADAuthHelper.GetAuthResult() +397
AvanadeExternalAccess.Utils.InvitationManager.GetUrl(Invitation Invite) +24
AvanadeExternalAccess.Controllers.HomeController.Index() +616
lambda_method(Closure , ControllerBase , Object[] ) +87
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +1180
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +1366
System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +40
System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +74
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +43
System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +72
System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +385
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +43
System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +30
System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +185
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +39
System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +29
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +70
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +52
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +36
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +39
System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +43
System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +70
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +39
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +649
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +213
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +131

That error only occurs for resources that are using Device Based Conditional in Azure A2. For example we have CA policies for Exchange Online and SharePoint Online, that for any location, the device must be either Compliant or Hybrid Azure-AD joined. However, this is where it gets complicated, any resource or application that is calling those services/applications where conditional access is applied, must also have the same or higher CA Policy to pass that header information to the resource you are accessing. That is in detail here.

This error could mean the user has conditional access enabled and requires a domain joined device. This scenario is not currently supported in ADAL at the moment. Guidance is to use only MFA and not require a domain joined device. ADAL does not have Windows 10 WAM certificate support, which would allow both domain joined devices and MFA for authentication. This is on the backlog. Vote for the issue here to help gauge impact and customer interest.

This error occurs because your VM is not joined to the Azure AD domain. If it was working before and then stopped working, it's because a new policy was implemented by your company.
I had a similar problem when running powershell scripts. I was trying to access AZ.KeyVault and Get-AzKeyVaultSecret. I also had issues when installing the On-Premises Data Gateway.
IMPORTANT: To execute the steps below, you must sign-in to the VM with an account that exists in the Azure AD, you may try using your personal account. If you are using a Service Account, it's most likely that the Service Account is not in the Azure AD.
To join the Azure AD Domain
Download Microsoft Workplace Join.
Install Workplace_x64.msi.
Open a Command Prompt (Run as Administrator), and type...
Type: cd "C:\Program Files\Microsoft Workplace Join"
Type: AutoWorkplace.exe /i
When prompted with
"This device is currently not joined to your organization's Azure AD domain.", click Join. If the VM is already joined "This device is currently Hybrid Azure AD joined to your organization's Azure AD domain for XXXXX", you can click Leave if you want to leave the domain.
Try again and it should work.
Cheers

Error: The bot's MSA appId or password is incorrect

Hi I am working in Bot framework in that I am facing the issue when I am testing the bot in local bot emulator after publishing the bot in to azure, and in the bot emulator I am providing the published url and Microsoft appid and Microsoft secret in bot emulator. When I am connect to azure, it’s show the issue like below.
Command failed: 4294967295 System.AggregateException: One or more errors occurred. ---> System.Exception: Couldn't acquire lock, is another instance running at Squirrel.SingleGlobalInstance..ctor(String key, TimeSpan timeOut) at Squirrel.UpdateManager.<acquireUpdateLock>b__32_0() at System.Threading.Tasks.Task`1.InnerInvoke() at System.Threading.Tasks.Task.Execute() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Squirrel.UpdateManager.<CheckForUpdate>d__7.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Squirrel.Update.Program.<CheckForUpdate>d__8.MoveNext() --- End of inner exception stack trace --- at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions) at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) at System.Threading.Tasks.Task`1.get_Result() at Squirrel.Update.Program.executeCommandLine(String[] args) at Squirrel.Update.Program.main(String[] args) at Squirrel.Update.Program.Main(String[] args) ---> (Inner Exception #0) System.Exception: Couldn't acquire lock, is another instance running at Squirrel.SingleGlobalInstance..ctor(String key, TimeSpan timeOut) at Squirrel.UpdateManager.<acquireUpdateLock>b__32_0() at System.Threading.Tasks.Task`1.InnerInvoke() at System.Threading.Tasks.Task.Execute() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Squirrel.UpdateManager.<CheckForUpdate>d__7.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Squirrel.Update.Program.<CheckForUpdate>d__8.MoveNext()<--- {}
POST 401 [conversationUpdate]
POST 401 [conversationUpdate]
Error: The bot's MSA appId or password is incorrect.
Edit your bot's MSA info
POST 401 [conversationUpdate]
Error: The bot's MSA appId or password is incorrect.
Edit your bot's MSA info
I removed the App Id and password and tried to run it locally then it’s working properly.
I researched around the internet and could not find any solutions that solves my problem. Please help.
Thanks in Advance

you can try using http://localhost:3979/api/Messages in your bot emulator but do not enter any kind of id and password and also remove it from your web.config
like this shown in below picture:
And hit ctrl+f5 and then try. It will start working on your local environment.
For remote debugging you need to use the ngork.
do let me know in case you need more clarification.

I solved the same issue with following way:
When the supported account types is set to single tenant, if you use a personal subscription instead of a Microsoft account, the Emulator would issue the error: The bot's Microsoft App ID or Microsoft App Password is incorrect..
Go AD Application registration : Select Authentication -> Supported Account Type -> Accounts in any organizational directory ( Any Azure AD Directory - Multitenant )
Check AD registration to see if the supported account types is set to Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts.

Apparently, the emulator allows to test local bots only and won't work with published/hosted bots. For published, i am testing on Azure on directly through the "Test in Web Chat" feature

What's the Issuer name of service bus in LOB Setting

I'm new to Azure Biztalk Service. While creating SQL LOB in Azure BizTalk Adapter Service (localhost:8080),
I got the below errors.
Service Bus in Azure now has only SAS, What's the Issuer name of service bus in LOB Setting? I used SAS account and got the below security token error.
500
Code: '13'
Message: 'Error occurred while trying to bring up the relay service. Error Message: 'The request was aborted: The request was canceled.
Server Error in '/elainedev_orderproce~_e1ccffe4ff14482ba3578aece913d975' Application.
The request was aborted: The request was canceled.
Description:
An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details:
System.Net.WebException: The request was aborted: The request was canceled.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[WebException: The request was aborted: The request was canceled.]
System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) +334
System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult) +21
Microsoft.ServiceBus.TokenRequestAsyncResult.<GetAsyncSteps>b__4(TokenRequestAsyncResult thisPtr, IAsyncResult r) +25
Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.EnumerateSteps(CurrentThreadType state) +881
[SecurityTokenException: The token provider was unable to provide a security token while accessing 'https://elainedev-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'The request was aborted: The request was canceled.'.]
Microsoft.ServiceBus.Common.AsyncResult.End(IAsyncResult result) +774
Microsoft.ServiceBus.RelayedOnewayTcpListenerClient.Connect(TimeSpan timeout) +425
Microsoft.ServiceBus.RelayedOnewayTcpClient.EnsureConnected(TimeSpan timeout, Boolean isRetry) +589
Microsoft.ServiceBus.RelayedOnewayTcpClient.OnOpen(TimeSpan timeout) +12
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +307
Microsoft.ServiceBus.RelayedOnewayTcpListener.OnOpen(TimeSpan timeout) +15
Microsoft.ServiceBus.Channels.RefcountedCommunicationObject.Open(TimeSpan timeout) +435
Microsoft.ServiceBus.RelayedOnewayChannelListener.OnOpen(TimeSpan timeout) +117
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +307
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +73
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +307
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +307
Microsoft.ServiceBus.RelayedSocketListener.Open(TimeSpan timeout) +15
Microsoft.ServiceBus.Channels.BufferedConnectionListener.Open(TimeSpan timeout) +23
Microsoft.ServiceBus.SocketConnectionTransportManager.OnOpen(TimeSpan timeout) +584
Microsoft.ServiceBus.Channels.TransportManager.Open(TimeSpan timeout, TransportChannelListener channelListener) +572
Microsoft.ServiceBus.Channels.TransportManagerContainer.Open(TimeSpan timeout, SelectTransportManagersCallback selectTransportManagerCallback) +210
Microsoft.ServiceBus.Channels.TransportChannelListener.OnOpen(TimeSpan timeout) +104
Microsoft.ServiceBus.Channels.ConnectionOrientedTransportChannelListener.OnOpen(TimeSpan timeout) +63
Microsoft.ServiceBus.SocketConnectionChannelListener`2.OnOpen(TimeSpan timeout) +63
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +307
Microsoft.ServiceBus.Channels.LayeredChannelListener`1.OnOpen(TimeSpan timeout) +81
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +307
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +73
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +307
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +307
System.ServiceModel.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity) +130
System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity) +740
[ServiceActivationException: The service '/elainedev_orderproce~_e1ccffe4ff14482ba3578aece913d975/RuntimeService.svc' cannot be activated due to an exception during compilation. The exception message is: The token provider was unable to provide a security token while accessing 'https://elainedev-sb.accesscontrol.windows.net/WRAPv0.9/'. Token provider returned message: 'The request was aborted: The request was canceled.'..]
System.Runtime.AsyncResult.End(IAsyncResult result) +466
System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity) +100
System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +241
System.ServiceModel.Activation.ServiceHttpModule.EndProcessRequest(IAsyncResult ar) +39
System.Web.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar) +166
Version Information:
 Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.57.0'.'

You can still use ACS authentication for Service Bus if you create the Service Bus namespace using Powershell. See https://msdn.microsoft.com/en-us/library/azure/dn170478.aspx.

Solution:
Go to Azure PowerShell
PS C:\> Get-AzurePublishSettingsFile
PS C:\> Import-AzurePublishSettingsFile "C:\mine.publishsettings"
PS C:\> Get-AzureSubscription
PS C:\> Select-AzureSubscription "Visual Studio Ultimate with MSDN"
PS C:\> New-AzureSBNamespace -Name elainedev1 -Location "East Asia" -CreateACSNamespace $true -NamespaceType Messaging
Notice it's only used to create a new service bus namespace, cannot create ACS account for existing service bus.

AdalServiceException: AADSTS50001 when provisioning files on site collections

I am writing an app that is using Windows Azure AD to authenticate to SharePoint Online.
I'm trying to provision some files from the app to an existent site collection on the SharePoint tenant.
This works with the default site collection located on [subdomain].sharepoint.com but when I'm trying to provision files on a non default site collection,i.e. [subdomain].sharepoint.com/mysite the code throws this exception:
[WebException: The remote server returned an error: (400) Bad Request.]
System.Net.HttpWebRequest.GetResponse() +6540964
Microsoft.IdentityModel.Clients.ActiveDirectory.<GetResponseSyncOrAsync>d__2.MoveNext() +382
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
Microsoft.IdentityModel.Clients.ActiveDirectory.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext() +414
[AdalServiceException: AADSTS50001: Resource 'https://[subdomain].sharepoint.com/sites/mysite' is not registered for the account.
Trace ID: f9d32123-4a42-4890-bf5d-7e979083ed18
Correlation ID: 71a6d021-270d-4974-8bd6-b17fb06aab9d
Timestamp: 2014-12-19 11:21:30Z]
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask(Task`1 task) +89
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenByRefreshToken(String refreshToken, ClientCredential clientCredential, String resource) +59
...Authorization.Azure.TokenHelper.GetContext(String refreshToken, String site) in d:\...\Authorization\Azure\TokenHelper.cs:30
...Authorization.AuthorizationManager.GetClientContextFromAzureCode(String code, String site) in d:\..\Authorization\AuthorizationManager.cs:57
...Pages.Install.btnInstall_Click(Object sender, EventArgs e) in d:\..\Pages\Install.aspx.cs:65
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +9628114
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +103
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +35
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1724
I checked App permission in AD and it has permissions to write on all site collections. Is there something wrong with my configuration or should I try a different approach?

We had the same issue here. In our C# app we use HttpClient to hit the SharePoint REST API to read items from a list. During development, we had set up a list under Team Site. The URL we used to hit the API looked a bit like this:
https://mycompany.sharepoint.com/_api/web/lists/getbytitle('MyList')/items
In the App.config we set up a ServiceResourceId parameter. This was used as the resource parameter when calling the AcquireToken() method of Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext. Importantly, we also used this as our base URL for API calls.
When we tried to move over to a production scenario, the list in question sat within a custom site - not the team site. We could log into a browser and hit the URL like this and see results being returned:
https://mycompanylive.sharepoint.com/MySiteName/_api/web/lists/getbytitle('MyList')/items
We had changed the ServiceResourceId to https://mycompanylive.sharepoint.com/MySiteName/ which no longer allowed us to sign in and threw the exception you mention. The fix was to have a config parameter with the base service URL which is used when authentication then another parameter used as the base URL when calling the API. In the example I mentioned, it looks like this:
<!-- Pass this to AcquireToken() during authentication. This should be the root of your SharePoint instance. -->
<add key="ServiceResourceLoginId" value="https://mycompanylive.sharepoint.com/"/>
<!-- The base URI when using HttpClient to call the API. -->
<add key="APIBaseURI" value="https://mycompanylive.sharepoint.com/MySiteName/"/>

Certificate Store Access denied

I'm receiving a System.Security.Cryptography.CryptographicException Access is denied. when trying to create media service task or job. The app is running on an azure website instance. Everything works locally. Look like the app is unable to write to the certificate store. I have tried elevating the trust level for the app to full with no effect.
System.Security.Cryptography.CryptographicException: Access is denied.
at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
at Microsoft.WindowsAzure.MediaServices.Client.EncryptionUtils.SaveCertificateToStore(X509Certificate2 certToStore)
at Microsoft.WindowsAzure.MediaServices.Client.BaseContentKeyCollection.GetCertificateForProtectionKeyId(DataServiceContext dataContext, String protectionKeyId)
at Microsoft.WindowsAzure.MediaServices.Client.BaseContentKeyCollection.GetCertificateToEncryptContentKey(DataServiceContext dataContext, ContentKeyType contentKeyType)
at Microsoft.WindowsAzure.MediaServices.Client.JobData.ProtectTaskConfiguration(TaskData taskData, X509Certificate2& certToUse)
at Microsoft.WindowsAzure.MediaServices.Client.JobData.Submit()
at MediaServices.Encoding.Encode_video_h264(IAsset asset)
at Business.Background_tasks.Kickoff_encoding(IAsset asset, Guid id)
at Routing.Controllers.BlobsController.UploadBlock(Int32 id)
at lambda_method(Closure , ControllerBase , Object[] )
at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters)
at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass15.<InvokeActionMethodWithFilters>b__12()
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation)
at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass15.<>c__DisplayClass17.<InvokeActionMethodWithFilters>b__14()
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
at System.Web.Mvc.Controller.ExecuteCore()
at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext)
at System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext)
at System.Web.Mvc.MvcHandler.<>c__DisplayClass6.<>c__DisplayClassb.<BeginProcessRequest>b__5()
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass1.<MakeVoidDelegate>b__0()
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
at System.Web.Mvc.MvcHandler.<>c__DisplayClasse.<EndProcessRequest>b__d()
at System.Web.Mvc.SecurityUtil.<GetCallInAppTrustThunk>b__0(Action f)
at System.Web.Mvc.SecurityUtil.ProcessInApplicationTrust(Action action)
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Edit
I have moved the application to a VM and still receive the same exception
Edit
Final solution found here http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/67216e79-c259-4685-95d0-3a09bab5c0c5/
When running on IIS7 - you can specify to load the user profile of the App Pool. This gives you access to the per user store of the app pool account.

This is what you would expect from Windows Azure Web Sites. You're running in a shared environment together with other Web Sites and for security reasons there are a many things you cannot do.
If you want full control of the machine where your web application is hosted (like full access to the certificate store, making changes in the registry, ...) you should deploy your application to a Web Role.