Outlook client for Dynamic CRM cannot connect to CRM in Azure - azure

Hi: I have a Dynamic CRM server set up on an Azure VM. I configured the web address for the CRM to be accessible from outside the VM. When I log in via a browser I'm prompted for credentials to the VM and then everything connects fine. When I try to connect via Outlook I am not prompted for a user/pwd and the connection attempt errors out with the following message
"The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed."
Any help to the problem would be much appreciated!

Dynamics CRM hosted in Azure is not a supported configuration, this is probably the cause why the outlook client is not able to connect.

Related

Trying to sign-in Office Add-in via SSO with a guest Azure AD account from another Azure tenant

We are developing an Office Add-in, in an Azure VM hosted in our main Azure tenant #ourcompany.com.
The Azure AD App Registration is provisioned in the main Azure tenant.
The Users in the main tenant are licensed to Microsoft 365.
We also have an Azure development tenant #ourcompanydev.onmicrosoft.com with Users who do not have Microsoft 365 licenses.
These users have been added as external guest Users in the main Azure tenant.
When testing in Postman, all Users from both tenants can authenticate with Azure AD and access the Web App using token acquired via implicit OAuth2 flow.
However when singing into Office SSO with external guest Users, the process fails.
The following Office SSO attempts were made and their outcome
User
Microsoft 365 License
Outcome
user1#ourcompany.com
Yes
Success
user2#ourcompany.com
No
Success
user3#ourcompanydev.onmicrosoft.com
Yes
Failed
user4#ourcompanydev.onmicrosoft.com
No
Failed
The Failed error message is rather ambiguous, to suggest we have our <WebApplicationInfo> settings misconfigured but it is not, as the Success scenarios above prove
code: 13004
message: "Invalid resource Url specified in the manifest."
name: "Invalid application resource Url provided."
The error "Invalid resource Url specified in the manifest" if there is any domain mismatch.
AFAIK, the External users have domain (#ourcompanydev.onmicrosoft.com) that does not match the domain of the add-in (#ourcompany.com) so you are getting the error code 13004.
Check whether the manifest has been configured correctly.
Check whether the resource protocol is api or not.
Check whether you have included any port in the domain, if yes it should be same as add-in domain.
Try Validating your office add-in Manifest.
For more in detail, please refer below links:
Troubleshoot error messages for single sign-on - Office Add-ins | Microsoft Docs
validate-office-addin passes, Office.context.auth.getAccessTokenAsync fails with error 13004 by Rick-Kirkham

Microsoft Teams Desktop Personal app not working with SPFX and GraphApi

I added a Personal Tab in MS Teams which references a SharePoint Webart with on it an SPFx webpart using #microsoft/microsoft-graph-client.
In the MS Teams Web Client on TEST and PROD the page loads as expected, and the #microsoft/microsoft-graph-client calls work.
In the MS Teams Desktop client on TEST environment also work perfect.
However, in the MS Teams Desktop Client (on windows) on PROD environment the #microsoft/microsoft-graph-client does not work.
Looking in Fiddler, I can see the following happening (only on the dekstop client):
A call is made to https://o2fitcom.sharepoint.com/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%2758066c29-7a47-418b-9cb8-69adf68633b3%27&clientId=%2708e18876-6177-487e-b8b5-cf950c1e598c%27
with error result Failed to load resource: the server responded with a status of 403 ()
The call returns an HTTP 500 with message:
<m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
<m:code>-2147024891, System.UnauthorizedAccessException</m:code>
<m:message xml:lang="en-US">Attempted to perform an unauthorized operation.</m:message>
</m:error>
I already success make solution work on TEST but not in PROD, checked all the configuration and manifest are the same. All the configuration of permission in the SharePoint Online Client Extensibility Web Application Principal are granted.
Finally I have a solution that:
Delete the app SharePoint Online Client Extensibility Web Application Principal and SharePoint Online Client Extensibility Web Application Principal Helper
Wait few mins let the AAD create them again.
After that request permission from custom app.
Go to API access page to grand again the permission will automatically sync to "SharePoint Online Client Extensibility Web Application Principal".
Test again the app. Also deactivate the Limited-access user permission lockdown mode could be help. Now all my app work as expected.
Why?
Limited-access user permission lockdown mode could block your permission to request api.
Delete App in AAD to get the the token and all the configuration sync again.
The way to grand permission from API Access it correct not grant from AAD App.

How to authorize API Connections in Azure as different user using powershell when single sign on

We use Azure Logic Apps that are deployed from DEV to TEST to PROD using powershell scripts. Thoe Logic Apps use API connections.
For certain API connections we want to use a different Service User instead of my personal account. So if a Logic App sends an E-Mail it should send it as Service User and not myself. The special thing about API connections is, that Azure forces you to re-authenticate them after deployment by powershell script. So after each deployment you need to re-authorize API connections.
I successfully managed to authenticate using powershell script with the sample mentioned here: https://github.com/logicappsio/LogicAppConnectionAuth
However, it will always somehow authorize me on with my Windows account. I am not able to log in as someone else. When the Azure Logon Window appears and I enter the service users name, but it will then not ask me for the passwort, it will authorize the connection with my personal user right after entering a username.
How can I use Azure powershell commands to perform connection authorization as a different user?
I was hoping someone could point me into a better direction (google keywords, etc.) on how to authorize API connection as a different user.
I understand your question is about authorizing API connections with different user account or service accounts. The behavior you specified above is specifically for office 365 connection. Authorization mechanism differs in different set of connectors.
However, for using service accounts to authorize Office 365 API connections, we need to make sure that browser cache doesn't use the Windows/Azure logon credentials automatically.
You can clear the browser cache and do the authorization from a private browser.
If that doesn't help you, there is a hack that's explained in this blog.
https://techcommunity.microsoft.com/t5/integrations-on-azure/using-service-account-for-office-365-outlook-connector/ba-p/1978513
Let me know if you have any questions.
Haris

How to execute requests from backend deamon for graph.microsoft.com API endpoints that do not support application permissions?

It is more about how microsoft cloud API and azure application implementation details...
I would like to set up the backend deamon that would periodically get data from microsoft's online Office 365 Excel documents, and store it to database.
I've successfully went with authorisation part, for so called "client credentials flow" (RFC6749 describes it as "client credentials grant").
So I authenticate and get a valid token, without need for a user to interact. It goes with azure application that I set up on https://portal.azure.com, and that has permissions confirmed by admin. Now I'm able to execute requests to https://graph.microsoft.com like:
https://graph.microsoft.com/v1.0/users/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/drives
The problem is that does not solve requests that assumes calls with authenticated user and not application like below does not work:
"https://graph.microsoft.com/v1.0/me/drive/items/ZZZZZZZZZZZZZZZZZZZZZ/workbook/worksheets('test')/usedRange"

Active Directory Password Authentication for Azure SQL not working

I followed all the mentioned steps but couldn't get it to work with "Active Directory Password Authentication" for AD principal which is a contained user in my SampleDB. I get this error:
Cannot connect to sql01.database.windows.net.
ADDITIONAL INFORMATION:
Failed to authenticate the user user#customDomain.com in Active
Directory (Authentication=ActiveDirectoryPassword).
Error code 0xCAA20003; state 10
ID3242: The security token could not be authenticated or authorized.
(Microsoft SQL Server, Error: 0)
We are using Ping Federate as our federation provider.
To my surprise, "Active Directory Integrated Authentication" works for the same user. Do we need to open some firewalls or ports at our on-prem environment to make it work?
Please create a support case. ADAL.DLL had issues in the past with Ping Federate so the support team would be the best to look into it

Resources