Quantcast
Channel: Azure Active Directory forum
Viewing all 16000 articles
Browse latest View live

Why Azure Information Protection Client Requires Global Admin's Login Details?

August 30, 2018, 1:35 am
$
0
0

Hi,

I am learning Azure Information Protection. I am following the quick tutorial at https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-quick-start-tutorial .

In step 3, after installing the client, the tutorial says “If you are prompted to enter your user name and password, enter the details for your global administrator account.”. But I think that is not in the correct logic. The global administrator is the manager of the whole company. While each employee in the company should install Client in their own computer. Therefore, the client should NOT know the password of the global administrator account. Otherwise, each employee will become global administrator and the information protection is meaningless.

Thanks for any advice on my opinion.

Search

We need to migrate over 5-7 ADs to 1, and thinking about having that just running AAD, no DC on-prem

August 29, 2018, 5:14 pm
$
0
0

we use AAD Connect now, but the plan is to migrate 5-7 different ADs to one new. And the main question for that, can we just use AAD plan 1 or 2, or must we still have Domain Controllers on-prem? Would be nice to not have to :)

We also need the ability to connect on-prem server 2016 directly to AAD, and later on also other services such as Atlassian, firewalls, AP, things that we want to use AAD as a directory server.

Thanks, have a great day

Azure AD Connect with SQL Database Guideline

September 2, 2018, 9:24 pm
$
0
0

I have Azure AD Connect server which is pointing to backend SQL for storing the database. My question - Is it recommended to use a SQL instance which is already having other databases or to use a new SQL instance always? Article is saying 

 It is not supported to share a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync.

are they suggesting not to share a SQL instance with other sync services or they are saying always use a new SQL instance.

In my case-  I am using SQL instance where other DBs are also present and i didn't find any issues but need to know the recommended solution.

Can Excel do ad b2c authentication?

September 3, 2018, 2:56 am
$
0
0
I know and tested Excel doing normal azure AD authentication when accessing odata.
 
But can Excel do AD B2C authentication? 

Authorization has been denied for this request -- Microsoft Graph API, Microsoft Booking API

September 3, 2018, 5:32 am
$
0
0

I have a simple ASP.Net web application consist of .aspx web from hosted on azure as cloud service. In my application there is no user login.
I want to connect with Microsoft Graph API and and to use Microsoft Bookings API to get the BookingBusiness collection on my home page load without user login. I am currently debugging my web app on my desktop using Azure emulator.
I have the ofiice 365 premium account access assoiciated with my microsoft account (v-sheeal@microsoft.com) and I had created a Booking business using my v- alias through Booking tools (https://outlook.office.com/owa/?path=/bookings).
I registered an app in AAD in the same tenant with all required permission and provided the Cliend Id and secret in the code to get the access token. I am using Client credentials Grant flow to get the access token and try to invoke the booking API.I am able to get the access token, but when the code try to get the the list of booking businesses it is giving below exception.

DataServiceClientException: {
  "error": {
    "code": "",
    "message": "Authorization has been denied for this request.",
    "innerError": {
      "request-id": "d0ac6470-9aae-4cc2-9bf3-ac83e700fd6a",
      "date": "2018-09-03T08:38:29"
    }
  }
}

The code and registered app setting details are in below screen shot.


        private static async Task<AuthenticationResult> AcquireToken()
        {
            var tenant = "microsoft.onmicrosoft.com"; //"yourtenant.onmicrosoft.com";
            var resource = "https://graph.microsoft.com/";
            var instance = "https://login.microsoftonline.com/";
            var clientID = "7389d0b8-1611-4ef9-a01f-eba4c59a6427";
            var secret = "mxbPBS10|[#!mangJHQF791";
            var authority = $"{instance}{tenant}";
            var authContext = new AuthenticationContext(authority);
            var credentials = new ClientCredential(clientID, secret);           

            var authResult = await authContext.AcquireTokenAsync(resource, credentials);
            
            return authResult;
        }


        protected void MSBooking()
        {               
            var authenticationContext = new AuthenticationContext(GraphService.DefaultAadInstance, TokenCache.DefaultShared);
            var authenticationResult =  AcquireToken().Result;

                      
	    var graphService = new GraphService(
            GraphService.ServiceRoot,
            () => authenticationResult.CreateAuthorizationHeader());

           // Get the list of booking businesses that the logged on user can see.
            
            var bookingBusinesses = graphService.BookingBusinesses; ----- this line throwing an exception "Authorization has                                been denied for this request."
        }

GraphService.cs

// ---------------------------------------------------------------------------
// <copyright file="GraphService.cs" company="Microsoft">
//     Copyright (c) Microsoft Corporation.  All rights reserved.
// </copyright>
// ---------------------------------------------------------------------------

namespace Microsoft.Bookings.Client
{
    using System;
    using System.Net;

    using Microsoft.OData;
    using Microsoft.OData.Client;

    public partial class GraphService
    {
        /// <summary>
        /// The resource identifier for the Graph API.
        /// </summary>
        public const string ResourceId = "https://graph.microsoft.com/";

        /// <summary>
        /// The default AAD instance to use when authenticating.
        /// </summary>
        public const string DefaultAadInstance = "https://login.microsoftonline.com/common/";

        /// <summary>
        /// The default v1 service root
        /// </summary>
        public static readonly Uri ServiceRoot = new Uri("https://graph.microsoft.com/beta/");

        /// <summary>
        /// Initializes a new instance of the <see cref="BookingsContainer"/> class.
        /// </summary>
        /// <param name="serviceRoot">The service root.</param>
        /// <param name="getAuthenticationHeader">A delegate that returns the authentication header to use in each request.</param>
        public GraphService(Uri serviceRoot, Func<string> getAuthenticationHeader)
            : this(serviceRoot)
        {
            this.BuildingRequest += (s, e) => e.Headers.Add("Authorization", getAuthenticationHeader());
        }

        /// <summary>
        /// Gets or sets the odata.maxpagesize preference header.
        /// </summary>
        /// <remarks>
        /// Using the Prefer header we can control the resulting page size of certain operations,
        /// in particular of GET bookingBusinesses(id)/appointments and bookingBusinesses(id)/customers.
        /// </remarks>
        public int? MaxPageSize
        {
            get;
            set;
        } = null;

        /// <summary>
        /// Gets or sets the odata.continue-on-error preference header.
        /// </summary>
        /// <remarks>
        /// Using the Prefer header we can control if batch operations stop or continue on error.
        /// </remarks>
        public bool ContinueOnError
        {
            get;
            set;
        }

        /// <summary>
        /// Gets or sets the web proxy to use when sending requests.
        /// </summary>
        public IWebProxy WebProxy
        {
            get;
            set;
        }

        partial void OnContextCreated()
        {
            // Default to send only the properties that were set on a data object
            this.EntityParameterSendOption = EntityParameterSendOption.SendOnlySetProperties;

            // Allows new results to override cached results, if the object is not changed.
            this.MergeOption = MergeOption.PreserveChanges;

            if (this.BaseUri.AbsoluteUri[this.BaseUri.AbsoluteUri.Length - 1] != '/')
            {
                throw new ArgumentException("BaseUri must end with '/'");
            }

            this.BuildingRequest += (s, e) => e.Headers.Add("client-request-id", Guid.NewGuid().ToString());

            this.SendingRequest2 += (s, e) =>
                {
                    var requestMessage = e.RequestMessage as HttpWebRequestMessage;
                    if (requestMessage != null)
                    {
                        var preferenceHeader = new ODataRequestOnHttpWebRequest(requestMessage.HttpWebRequest).PreferHeader();
                        preferenceHeader.MaxPageSize = this.MaxPageSize;
                        preferenceHeader.ContinueOnError = this.ContinueOnError;

                        requestMessage.HttpWebRequest.Proxy = this.WebProxy;
                    }
                };
        }
    }
}

Azure group writeback permission-issue

September 3, 2018, 6:11 am
$
0
0

Hi,

I'm currently trying to get group-writeback working. Although we do have a subscription for Azure AD Premium and I've used the script from https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74 to configure the advanced permissions, I'm still seeing permission-issue-errors in Synchronization Service Manager. I've also checked the permissions using the script and the steps described here:

https://blogs.technet.microsoft.com/dkegg/2018/01/30/testing-aad-connect-write-back-permissions-on-an-ou/

Trying to further narrow down the cause of this issue, I remembered that it seemed impossible to explicitly specify an OU for group-writeback when I ran the AzureADConnect-Wizard, as the field was not editable / greyed out. Therefore, I've manually set the OU-value using Powershell:

$gs = Get-ADSyncGlobalSettings
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.GroupWriteBack.Container", String, SynchronizationGlobal, $null, $null, $null
$p.Value = "OU=Office365-Cloudgroups,DC=learnship,DC=net"
$gs.Parameters.Remove($p.Name)
$gs.Parameters.Add($p)
Set-ADSyncGlobalSettings -GlobalSettings $gs
..which seems to have worked so far:
$a = Get-ADSyncGlobalSettings
$a.parameters | where {$_.Name -eq "Microsoft.GroupWriteBack.Container"}



Name                   : Microsoft.GroupWriteBack.Container
InputType              : String
Scope                  : SynchronizationGlobal
Description            :
RegexValidationPattern :
DefaultValue           :
Value                  : OU=Office365-Cloudgroups,DC=xyz,DC=net
Extensible             : False
PageNumber             : 0
Intrinsic              : False
DataType               : String

However, the permission errors still persists :-( How can I find further details / debug this?



Azure B2C AD password reset wording

August 30, 2018, 7:59 am
$
0
0

Hi we have azure portal with yourselves and have custom B2C AD login, but would like the password reset policy wording (strong) to be displayed to the user

Minimum 8 characters and maximum 64 characters in length 3 of 4 character classes - uppercase, lowercase, number, symbol

is this possible?

http://accesscontrol.windows.net is down

September 3, 2018, 2:13 am
$
0
0

We have a few namespaces live onhttp://accesscontrol.windows.net  for authentication. This entire domain seems to be removed from the DNS servers / is seemingly down already while it is supposed to be going down in November 2018.

You can see an example when you visit https://start.mijnhva.nland click the login with Microsoft or login with Google button.

Please fix this!


Search

AD FS with Azure AD Domain Services

September 3, 2018, 8:49 am
$
0
0

Hello,

I'am trying to implement Azure AD Domain Services but I find two doubts:

- Is it possible tom implement +1 Azure AD Domain Services in the same tenant?

- If I have AD Federation Services (on-premise), is it possible to implement Azure AD DS? Is it necessary syncr passwords?

thanks!


Azure Web-App Permissions through azure-powershell

August 28, 2018, 5:20 am
$
0
0 

Is it possible through azure-powershell to check all the permissions available to an Azure App?

For e.g- Get-AzureRmRoleDefinition <role_name> for fetching all the permissions attached to a role

Inaddition, can we add graph api permissions to a custom RBAC roles. If yes, any relevant link will be more helpful.

Query tenant ID in PowerShell

August 28, 2018, 5:13 am
$
0
0
I have created an additional Azure AD in my subscription.  How do I retrieve the tenant ID **using PowerShell** so I can now run automation against that directory using PowerShell. 

Corey Hynes


Odata + Azure authentication

August 28, 2018, 6:34 am
$
0
0
Does anyone know of a readily available sample/example of oData service which uses the Azure authentication?

ie. one that requires to go through the Excel's "Organizational account" authentication.

permissions

August 27, 2018, 3:16 pm
$
0
0

Hello, i have problem with application. My admin grant permissions to securityevents. but in graph explorer i am unable to call this methods. appID:493c1ca9-xxxx-xxxx-xxxxx-1eae574b6007 Can you please check please? Thank you

n permissions for graphAPI is allow to usehttp://SecurityEvents.Read .All but when i try to use it in https://developer.microsoft.com/en-us/graph/graph-explorer#  there is still prohibited with anton.xxxxx@xxxxx.com Need admin approval Graph explorer Graph explorer needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.


Azure ZD

August 29, 2018, 6:26 am

How to handle 401 error when using Azure App Authentication

August 16, 2018, 10:43 am
$
0
0

Hi!

I'm using Azure App Authentication with Azure Active Directory as the provider. I have it set to Allow Anonymous Requests and the site pushes the user to /.auth/login/aad when authentication is required. This works flawlessly UNLESS the user has a valid Microsoft login but it's not assigned to my AD App (basically authenticated but not authorized). In that case they land at /.auth/login/aad/callback and get the ugly text message below:

{"code":401,"message":"An error of type 'access_denied' occurred during the login process: 'AADSTS50105: The signed in user is not assigned to a role for the application '18b35087-4aa1-453d-8770-89e52942ce59'.\u000d\u000aTrace ID: e690c46c-f61c-49ca-8ba8-9bed3e2b2800\u000d\u000aCorrelation ID: 23160c20-d9cf-4f0e-8678-57cbbcb3a5db\u000d\u000aTimestamp: 2018-08-16 17:27:22Z'"}

So my question is, how do I prevent this ugly message? I do set post_login_redirect_uri when calling /.auth/login/aad to tell the provider where to return the user once authenticated. Shouldn't it return them there? Or is there another parameter I can set to tell the provider where to return a user who isn't authorized?

I know I could set User Assignment Required in the AD App settings to No and then everyone would just get passed on through and then my code could do the authorization... but I like the security of AD doing it. I just want more control over what happens if authorization fails.

- Ron

Search

Keep having to reinstall Azure AD Connect every month or so

August 28, 2018, 10:51 am
$
0
0

I installed AD Connect on a brand new instance of Windows Server 2016 Standard and everything worked well for a while and then I started getting an email every day from Microsoft saying "Unhealthy identity synchronization...".

I checked the server and fount the service "Microsoft Azure AD Sync" in a stopped state. I tried to start it but when I did, I got an error saying: "Windows could not start the Microsoft Azure AD Sync service on Local Computer. Error 1053: The service did not respond to the start or control request in a timely fashion." I tried rebooting the server, checking the service account it uses and nothing seemed out of the ordinary. The service accounts password was set to never expire so it couldn't be this.

I tried all sorts of things but finally resorted to uninstalling AD Connect, having to delete some registry items, then reinstall. IT WORKS AGAIN! or at least I thought.

Anywhere between a week to a month later, it fails again and I'm back to square one. This has happened 4-5 times now. Any ideas what could cause this?

OWA via Azure App proxy - SPN - Multiple connectors possible?

August 28, 2018, 1:38 am
$
0
0
Exchange 2016, Hybrid joined, however not ready to migrate mailbox for several months at least.

Prior to then I will be migrating off RSA SecurId to MFA for my 2FA solution and was hoping therefore to publish OWA using Azure Application Proxy with AAD authentication and MFA.

Central to publishing OWA and getting KCD working appears to be setting the SPN for the internal OWA on the computer account hosting the AAP connector, e.g. setspn -s http/owa.domain.local ConnectorComputer

But of course we cant have two identical SPN ... right? ... so I'm therefore limited to one connector for this Enterprise app, e.g. I can't:
setspn -s http/owa.domain.local ConnectorComputer1
setspn -s http/owa.domain.local ConnectorComputer2

Am I right?

How do people build resilience in to publishing this way or is there a better way to do this? 

The only solution I can think off is to publish two Enterprise apps, a primary and a backup.

Hope above makes sense?

Thanks,

Aengus


Using ADFS to provide Kerberos token for WAP and backend system

September 4, 2018, 1:14 am
$
0
0

Greetings experts!

We have SharePoint on-prem using Kerberos and want to enable external users to connect to our system through WAP.

We like to avoid exposing our SharePoint directly to the outside network (pass-through) and not connect WAP with our internal AD domain (Kerberos delegation).

What are our remaining options?

Is ADFS capable of passing a Kerberos token? (it's on the internal network side)

Br,

Tom

Unable to verify domain (add custom domain)

September 4, 2018, 1:58 am
$
0
0
 Site: https://azure.microsoft.com/en-us/resources/knowledge-center/technical-chat/

2018-09-04 12:27 AM PDT
Transcript ID: q86p5vJMmtSHQvDX1b6pq0K66j13ik6B
Your recent chat with David
You 
Hello 
U there? 
 
David
;Hello! This is David from Azure Technical Chat. Happy to help you today
 
You
Hey David.
I have added a custom domain to my Azure Free Trial Subscription
the custom domain name is globalrescue.com
I have added the TXT record in DNS and also verified that the DNS propogation is complete
however when i verify the domain i get:
Unable to verify domain name. Ensure you have added the record above at the registrar 'globalrescue.com', and try again in a little while.
 
David
ok let me take a look
 
You
TXT with value MS=ms59830286
is added to public dns server and i have used several online dns propogation tools to verify that the same is published throughout
for example: https://dnschecker.org/#TXT/globalrescue.com/MS=ms59830286 

shows that record is published on all severs in its list
 
David
When was the domain created/added?
 
You
Its been two days now
 
David
ok thanks for that
 
You
usually it takes less than 15- 20 mins
I have added many domains in the past
but this one wont validate
Directory is grpl2018outlook.onmicrosoft.com
subscription id is b26575a7-02b3-4e97-86b7-6d4011a9cb3b
 
David
Can you tell me where this message about unable to verify domain main is showing?
 
You
I go to portal.azure.com
 
David
Im looking at the site now, looks good.
 
You
Then go to Azure Active Directory
Then to Add Custom Domains
I the custom domains list i see globalrescue.com as unverified
i click on GlobalRescue.com and click verify
and then this error is displayed
uploaded file: https://olark-file-uploads.s3.us-west-1.amazonaws.com/processed/513cab62-f513-4366-b7ed-82d5dd10e69e.png 

uploaded file: https://olark-file-uploads.s3.us-west-1.amazonaws.com/processed/e47592e8-1d22-487e-8f69-64de5cc5d120.png 

 
David
Perfect thanks for that
 
You
welcome
 
David
Did you use godaddy for this?
 
You
no. This domain is from Network Solutions and DNS is also hosted by Network Solutions
Used the Network Solutions site to create the TXT record
 
David
Is it possible to verify on the network solution site as well, you can do this on GoDaddy which is why I asked about it previously?
 
You
on the netsol site all we can do is add dns records
which i have done
 
David
Did you follow this guide https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain#troubleshooting 

 
You
and the dns records are published correctly
 
David
ok perfect
 
You
Yes, we are Microsoft Partners. I have added many domains for many customers and have never come across this issue
usually domains verify within minutes some take a few hours but this one wont complete its verificaiton and we cannot continue wiht POC until the domain is verified
 
David
Can you try the command on this page and let me know what it comes back with please
https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddomainverificationdnsrecord?view=azureadps-2.0 

 
You
ok.
give me a sec
 
David
just to rule out a couple of things also, i know its basic but just to check anyway, was www added in Azure or the Records of TXT on network solutions and can you try a different browser or clear your cache just to rule that out also
 
You
PS Azure:\> Get-AzureADDomainVerificationDnsRecord cmdlet Get-AzureADDomainVerificationDnsRecord at command pipeline position 1 Supply values for the following parameters: Name: globalrescue.com Get-AzureADDomainVerificationDnsRecord : Error occurred while executing GetDomainVerificationDnsRecord Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed At line:1 char:1 + Get-AzureADDomainVerificationDnsRecord+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-AzureADDomainVerificationDnsRecord], ApiException + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetDomainVerificationDnsRecord\
 
David
Did you used powershell in Admin mode?
 
You
used cloud shell
its already in admin mode
used powershell in azure portal
 
David
Just to confrim did you use -Name?
ok perfect
thansk for that
 
You
to run the command
yes used the -name switch
command i typed is as follows:
Get-AzureADDomainVerificationDnsRecord -name globalrescue.com
 
David
ok thats correct.
O I ve just read that a user had a similar issue and on the txt record they removed the @ and could then verify, can you try that please
http://gerryhampsoncm.blogspot.com/2015/03/could-not-verify-domain-in-azure.html 

 
You
I first added with @ and it did not work then i deleted doamin and re-added in Azure then created record without @ and it still wont verify
 
David
ok thanks for trying that
 
You
wait i am trying to run the command a different way
 
David
no problem
 
You
nope
still getting same rror
 
David
hmm ok, again thanks for trying.
 
You
Get-AzureADDomainVerificationDnsRecord : Error occurred while executing GetDomainVerificationDnsRecord Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed At line:1 char:1 + Get-AzureADDomainVerificationDnsRecord + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-AzureADDomainVerificationDnsRecord], ApiException + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetDomainVerificationDnsRecord
article says to give read / wrtite permissons to direcotry
let me try this
wai
wait
 
David
That sounds promising
 
You
please wait i am trying
 
David
No problem
 
You
almost there
Nope
i tired my partner account which has owner rights on subscription
but got sam eresult
PS Azure:\> Get-AzureADDomainVerificationDnsRecord -Name globalrescue.com Get-AzureADDomainVerificationDnsRecord : Error occurred while executing GetDomainVerificationDnsRecord Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed At line:1 char:1 + Get-AzureADDomainVerificationDnsRecord -Name globalrescue.com + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (:) [Get-AzureADDomainVerificationDnsRecord], ApiException + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetDomainVerificationDnsRecord
lastly i can try azure power shell on my pc
wait
in admin mode
 
David
That was my next suggestion!!
 
You
Installing Azure Powershell as i had older versoin
 
David
perfect
 
You
installed
connecting to azure subscription
connected
Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. PS C:\WINDOWS\system32> Connect-AzureRmAccount Account : grpl2018@outlook.com SubscriptionName : Free Trial SubscriptionId : b26575a7-02b3-4e97-86b7-6d4011a9cb3b TenantId : 673db1a0-9530-46cc-b16a-6496aa84810b Environment : AzureCloud
 
David
excellent
Did the commandGet-AzureADDomainVerificationDnsRecord -name globalrescue.com return anything in the local powershell?
Any update?
I understand if you had to step away from your computer. Unfortunately, I will need to close this chat. Please re-open it if you would like to continue our discussion!
 
You
I am here
 
Ewelina
Hello, this is Ewelina from Azure Portal Chat. What can I help with today?
 
You
I am guessing that David is not there any more
its ok just wanted to update him on the progress
 
Ewelina
yes, he is not available at the moment.
he will be able to see our conversation later on.
so did you manage to connect?
 
You
well
same error even with local powershell
in admin mode
uploaded file: https://olark-file-uploads.s3.us-west-1.amazonaws.com/processed/9f30ec12-4d2f-46b6-a1ff-cdef83a4f662.png 

I have shared screenshot of error with local powershell in admin mode
uploaded file: https://olark-file-uploads.s3.us-west-1.amazonaws.com/processed/58e5feaa-82ae-43ee-97f8-4de73c95b2ed.png 

add the above is the error in online cloud shell
i am trying with different user (local shell)
as the error says user not found
 
Ewelina
ok, so in that case, we would like this to be checked by our engineering team. As at this point, this seems to in depth to troubleshoot over the chat. Can you please post this issue on this forum and provide me with the link to your post so I can escalate this to our experts team: aka.ms/azadMSDNforumq
I will also send them the full transcript of your conversations so they can see all the steps you have completed and all the screenshots
 
You
smae
ok i will send them details

Join over 10,000 companies who rely on Olark Live Chat to chat directly with customers. 
Olark Live Chat 



Wrong redirection after delegated permission user consent

August 22, 2018, 12:07 am
$
0
0

Hi,

I originally posted on SO here so will be brief and somewhat reword because I understood some things better since yesterday.

I have a registered Azure AD app, with "Sign in and read user profile" delegated permission granted for both "Windows Azure Active Directory" and "Microsoft Graph" APIs. Indeed I have an API entry point that returns the JWT access token so guess the "Microsoft Graph" API should be granted too.

The problem lies here: when a new user logs in by calling my API app, he's redirected to microsoftonline.com to login, but after he acknowledges consent for app to "sign in and read user profile" the redirection is incorrect. Instead of redirecting to the originally called url, http://localhost/my-api-entry-point, it gets redirected to the previous url in the authentication flow, http://localhost/signin-oidc, that displays the following error message:

OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.

How can I remedy to this please? Thank you very much.

Viewing all 16000 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>