I receive a 401 auth error: "Manage claim is required for this operation" upon executing the following statement:
if (namespaceManager.QueueExists(QueueName))
{
namespaceManager.DeleteQueue(QueueName);
}
I know this question is old and but wanted to add in my findings since the behavior confused me quite a bit. Hopefully this helps someone looking at this in the future.
You need a Manage claim in order to be able to do TopicExists/QueueExists kind of operations. If the topic or queue doesn't exist you can get away with no exceptions even without a Manage claim which was strange to me.
As of WindowsAzure.ServiceBus v3.4.1.
After verifying my connection string, I simply Regenerated my primary key for my access policy on the Azure Mgmt. Portal. I used the new key and was able to successfully auth.
Your original key could be generated without Manage option, which would result in manage operation failure.
Go into the access control (IAM tab) and give your user the following roles:
Azure Service Bus Data Receiver
Azure Service Bus Data Sender
Related
Currently, I am trying to run a trigger on a Logic App on Microsoft Azure, but every time I try, I receive an InvalidAuthorizationTokenTenant error. Let me explain.
So I have a Virtual Machine on Microsoft Azure called StaticReportingVM that runs a service automatically when it is turned on. I am trying to automate the process of turning the machine on and off using a Logic App called startVM. The logic design is below: it has a recurrence task that checks the time of year it is (the task should run at the beginning of every month), it tells the machine to turn on, and notifies me through my personal email whether or not the task has succeeded.
startVM design
startVM parameters
The parameters are correct for my machine and my subscription. However, every time I run the trigger, I get the following error:
{
"error": {
"code": "InvalidAuthenticationTokenTenant",
"message": "The access token is from the wrong issuer 'https://sts.windows.net/xxxxxxx-xxxxxxx-xxxxxxx/'. It must match the tenant 'https://sts.windows.net/yyyyy-yyyyy-yyyyyy/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/yyyyy-yyyyy-yyyyyy' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
}
Note that xxxxx-xxxxx-xxxxx is different from yyyyy-yyyyy-yyyyy and the two yyyyy-yyyyy-yyyyys are the same. (Not sure if this helps answer my question but I just want to cover more bases!)
Below is a (poorly edited) image of the connections I have set for the Logic App to work, where the email above is the email registered with my Azure account and the Office 365 email is my personal email to notify me of whether or not the trigger has worked.
startVM connections
I have a few questions about this: why am I getting an InvalidAuthenticationTokenTenant error even though I only am using the one subscription? Is it possible I have multiple tenants under this account and if so how can I delete those tenants? How can I bypass the error and get the logic app working?
P.S. This is my first stackoverflow question so I'm sorry if I am missing any critical details! Any and all feedback is appreciated.
• The way you are trying to trigger a logic app on Microsoft Azure VM for starting a recurrence task and notify you through the personal email address is incorrect. You should create a managed identity for the logic app through which the trigger is configured. Once configured, then assign a new role to the logic app’s managed identity through the VM’s IAM (Identity and Access Management) blade. Once done, then update the ‘Start the Virtual Machine’ task in the logic app to connect using the managed identity created for the logic app.
In this way, your issue should get resolved and you should not receive any error regarding the ‘Tenant token authentication’. Also, you are getting this error because, when you are configuring the ‘StartVM parameters’, the tenant ID is not asked in it, rather only ‘subscription ID’ is asked and the ‘resourceGroup’ is asked. Thus, due to which, if you have atleast ‘Contributor’ role access in more than one tenant linked to each other, then the default tenant ID and the tenant in which your VM us deployed will be different and hence the conflicting error faced regarding it.
• Please find the below snapshot of the configuration for including the managed identity in your logic app design: -
Thus, once you give managed identity of a VM as the connection in the logic app ‘Start VM’ action, the logic app ‘Start VM’ trigger will use the managed identity’s assigned role to the VM as authorization to start the VM and hence the tenant token issue will get resolved.
For more information and clarification on this, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/azure-functions/start-stop-vms/deploy#enable-multiple-subscriptions
I've been using Azure API Management recently, and I would like to know if there is a way to detect the sign up process performed from the included Developer Portal.
Basically I need to be able to get the user unique id, to be able to map data stored in a database.
Is configuring Delegation the only way to capture this event?
Try to enable the Resource Logs, it includes the userId.
Reference - https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor#resource-logs
I'm trying to use the Computer Vision API from Microsoft's Cognitive Services. However, my keys don't seem to be working. I created an account using the free trial of that API and got the two keys from it. Trying to use the key with the ProjectOxford.Vision SDK always yields:
Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription.
I tried the API console, however I get the same error with my key in the Ocp-Apim-Subscription-Key field. I tried both keys and neither of them work. I even got the free version of Face API and tried its console, but encountered the same issue with its keys. I even tried different datacenters, but they all seem to return the same error.
This would need to be some problem with the key then right? This can't be a problem with my C# code, since the console doesn't work either. And since it's failing in the API console, there's nothing more I can do to rule out any other possibilities is there? I'm not sure what else I can do to debug this. I'd like to regenerate my keys (I saw a tutorial video which showed an older UI of getting the API keys and they used to have a "regenerate" link) but I don't see a way of doing that anymore.
I only just made the account and registered for the APIs, so there's no way I'd be over quota. Is there something else I need to do to enable these keys or something?
I managed to skirt around the issue of 'Access Denied' by performing the following actions:
I created a free Azure account
I set up an instance of the Cognitive Services Api (this generated a pair of new keys for me to use)
Utilizing the new key, I had to use the following link:
https://westus.api.cognitive.microsoft.com/vision/v1.0/ocr
Instead of
https://westus.api.cognitive.microsoft.com/vision/v1.0/recognizeText
(I obtained this link from the Cognitive Services Test Dashboard).
Look at the request pattern on the test dashboard and you should be able to tell how to use the api.
Even when #Xuan Hu response states correctly to the solution, I scratched my head some time trying to figure out how to change the end point. Here are my 2 cents:
Go to portal.azure.com, in the dashboard of your subscription to the Cognitive Services > General Information > End Point take note of the URL. You need it.
Find in the code of your VisionAPI samples where the VisionServiceClient is instantiated:
VisionServiceClient VisionServiceCliente = new VisionServiceClient(SubscriptionKey);
and change including the URL that you found in Azure:
VisionServiceClient VisionServiceCliente = new VisionServiceClient(SubscriptionKey, StringOfMyURLTakedFromPortal);
That worked for me.
If you are using the free trial keys got from azure.microsoft.com. You need to change the API endpoint region to westcentralus. The previous default region is westus and I think that is the reason of the invalid key problem.
FYI, there is a blog post that covers all of the 401 Access Denied scenarios, including this one regarding the free API keys and region specific API endpoint. Adding it here for folks in the future who find this SO post - https://blogs.msdn.microsoft.com/kwill/2017/05/17/http-401-access-denied-when-calling-azure-cognitive-services-apis/.
Using the incorrect regional endpoint
Most of the Cognitive Services APIs are region specific, which means that during API account creation you select which region you want to create the account in. These APIs have region specific endpoints such as westus.api.cognitive.microsoft.com or eastus2.api.cognitive.microsoft.com, and an API key for an account created in one region will only work using the endpoint for that specific region. This means that if you create an API account in West US you will not be able to call the eastus2.api.cognitive.microsoft.com API endpoint.
You can verify the region and endpoint in the Azure management portal.
Trial API Keys
The free trial API keys have 30 day expiration dates, and the same restrictions for region and version. If you are using the trial keys you can go to https://azure.microsoft.com/en-us/try/cognitive-services/my-apis/ to manage your API keys (if you are not already logged in then just click one of the ‘Create’ buttons and you can go through the wizard to login and see your existing API keys), and you will also see the expiration date and endpoint.
One thing to remember if using Postman to get the results is to use GET and put your keys in the Header.
Recently I no longer been able to generate application keys in WAAD...(or to be more specific I can generate the key but I never get to see the value)
and after save I receive unauthorized access error...
I am a directory co-administrator - The key does appear to save, as after a page refresh there is an extra entry into the keys table. Currently only the directory full administrator can see the value but now no-longer co-admins.
The above issues also happens when making modifications to "permissions to other applications", azure reports unauthorized but the changes I make are again committed.
I have ruled out different browsers, have tired IE, and Chrome.
Help much appreciated.
co administrator is a subscription role not an Azure AD role.
In order to perform this you should have admin privileges in the Azure AD on which you're trying to create the keys.
What is the Azure AD role you're currently in ?
The issue was...
"Users may give applications permission to access their data" was set to "No"
Changing this back to "Yes" then allowed me to generate and see the key values.
I'm having troubles debugging "upgrade" of my offer in Azure Store. I've "purchased" the offering, then I click "Upgrade", select a more expensive plan and click the "Proceed" arrow I see the following error message:
We cannot provide a billing estimate at this time. Please try again later. If this error persists, contact support with the following information.
(Subscription could not be found for the provided subscription id (DM - ActivityId={GuidHere}
On my service side I see that there's a GET to /storebase/subscriptions/sub-id-here/cloudservices/service-name-here to which my service returns an XML reply together with HTTP 200.
That's all the data I have.
How do I find why the upgrade process fails?
The answer is there's no way to actually debug something because there's no way to access Azure Store logs and no way to find what happens behind the scene when the user goes from one Azure Store purchase step to another. All the developer can do is contact support.