We are facing issue to login Azure portal with account "**admin#hclazureersmts.onmicrosoft.com".Please look in to this and help us.
Erroor issue
We are trying to log in Azure portal.
We tried to clear cache and check on all browsers.
We have built a provisioning with google SDK API to create and update employees in google workspace.
We are using a service user without a role and authentication using one of the admin users.
There is an issue, when the admin account we are using is set with COMPLETE API Privileges and in the user payload we are sending “suspended”: true we are getting an error back from google “403 “Not Authorized to access this resource/api” “.
If we change the admin account to SUPER ADMIN its working correctly and we are not getting an error.
We have tried cloning the Super Admin permissions, and set the admin account with the cloned permission yet again we are getting the same error.
Can anyone assist with understanding why its happening or how to overcome this issue?
I have an azure web app with nothing but .HTML and .CSS files - there is no code of any kind.
Azure AD authentication is enabled.
I am able to visit the site URL, get redirected for authentication and I get in just fine.
Everyone else gets sent to this page after login:
https://myurl.com/.auth/login/aad/callback
and they get a 401 error on the browser:
You do not have permission to view this directory or page.
Why is it working for me, and not everyone else who authenticates?
Is there somewhere I need to tell Azure Web Apps that I want all the files to be available to any authenticated user?
This issue may caused by that the AD application for your Web App has not been configured correctly. I did a test in my lab and found this solution:
Solution:
Go to Azure Portal > Your Web Application > Authentication/Authorization > Azure Active Directory > Manage Application > Required permissions >
Delete other permissions except Windows Azure Active Directory > Ensure the DELEGRATED PERMISSIONS Sign in and read user profile has been enabled and the REQUIRES ADMIN is NO:
Also, Ensure the App ID URI and the Home page URL are all the URL of the Web app
Additional, if your configuration still cannot work, you can delete the Azure AD application and follow this steps to recreate a new one. It will work perfectly.
Please let me know if it helps!
Found the answer to this, posting here to help others.
When you setup "App Service Authentication" with Azure using the "Express" option, an "App Registration" is created in Azure Active Directory.
When this happens a Client secret is automagically created on the Azure AD Object and then inserted into the Azure App service
It seems that something happened along the way in my website, where this was set correctly initially, but then changed - I'm sure it was my own doing.
The symptoms of this are a bit interesting.
Any account that worked prior to the change of the App Registration continued to work.
Any account that hadn't yet signed in, failed.
This is why one of my accounts worked and the rest did not.
The solution was fairly simple, I clicked on the app service in azure, the on the Azure AD line, then in the "Azure Active Directory Settings" blade, set the "management mode" to "off" hit ok,
and saved in the blade to the left, then refreshed the browser.
Next I went into Azure AD and deleted the app registration for that app, (I did this so I could re-use the app registration name)
Here is a screenshot of that screen, it's under the active directory category, and not part of your web apps settings. find your app registration, click it and then delete.
Next I went back to the Azure App service (web app) and Re-configured Azure AD Auth using the "express" settings.
Hope this helps someone!
Is it possible to achieve Azure Active Directory authentication without going to browser window? I will have username and password via the mobile app login interface.
I need to achieve below scenario:
Use open mobile application (ios/android)
Enter Azure AD username and password to app login screen - e.g. user#tenant.onmicrosoft.com & password
I pass those information to .net web service - which need to call some Azure AD api to validate user credential before proceed to perform other business logic/make database calls
Any recommendation? I DON'T want user to redirect to any login window/page as this will not be good user experience.
I have already checked few different articles but not satisfactory response yet.
Thank you for your time.
I believe below link is helpful.
http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/
I am trying to have Azure federation in one of my MVC application, but ending up having this error
Sorry, but we're having trouble signing you in.
Account 'soandso#microsoft.com' is not configured to sign-in to this application.
Sign-out and sign-in with another account.
Additional technical information:
Trace ID: b94e380f-8234-4221-a59d-6efb5e644c83
Timestamp: 2014-06-25 08:35:00Z
ACS50001: ACS50001: Relying party with identifier 'http://testsmb.azurewebsites.net/testsmb' was not found
Not sure where I am doing wrong. Any help would be highly appreciated. I tried doing googling but nothing helps.
Vinod
Did you try running the browser in in-private mode? It looks like you are signing in automatically to the microsoft.com directory, whereas you want to use a test directory for your development.
Azure AD does not issue a token to an application if the application hasn't been installed in the directory. The installation of the application can happen in two modes: Administrator consent and User only consent. With administrator consent, the application can sign-in any user in the organization, however with user only consent, the application can sign-in only that specific user. This help topic (msdn.microsoft.com/en-us/library/azure/dn151789.aspx) explains how to get consent in the 'Add Sign-Up Capabilities to the Application' section.