I try to give new users in our domain access to our VSTS. We have MSDN enterprise subscriptions via MPN. The subscription is assigned and visible for the user if he logs in my.visualstudio.com with his work account. If the user tries to access the VSTS at [ourprojects].visualstudio.com he gets “VSTS login fails with 401 not authorized – [user] has multiple accounts associated with it. Your work or school account does not have access to [ourprojects].visualstudio.com, but your personal account does have access. “.
Signing in with the personal account as suggested by the error message leads to another error: “This Microsoft account does not exist.” This is correct. The account in charge is definitely a work account in Microsoft Azure Active Directory. So the first error message is somehow strange and leads into the wrong direction.
Our domain accounts are synchronized with Azure Active Directory (AAD). I can see the new users both in our domain and AAD. The user can login into my.visualstudio.com with his work account. So sync with Windows Server AD and AAD looks working correctly. MSDN assignment works, too.
Loggin into my.visualstudio.com redirects to the login page of our domain. thsi is corect and works fine. But this redirect does not take place loggin into VSTS.
For other older accounts in our domain VSTS access with work account works completely fine. Has anybody experienced similar problems?
Finally I talked to Microsoft support. It turned out that this VSTS account is not backed by Azure Active Directory. It has to be converted to do so.
To check if a Azure DevOps/VSTS account is backed by AAD, you can look in the settings page ("gears"->Settings) of Azure DevOps at the very bottom.
Related
We are doing Office 365 with asp.net mvc , in this example working fine for local system,(we are using VS2015), when i publish to azure web application its successfully published.
After open the URL click the Email button go to login page and enter the credentials its successfully logged and redirect to mail page now it showing some error message, but local working fine everything.
Please let me know anything required after publish.
Oops you've reached an error!
We weren't able to process the action you requested. This was caused by an exception in the below table:
Exception Cause Action
AdalException This exception is thrown when either you have a stale O365 access token that can cause authentication errors, or you attempted to access a resource that you don't have permissions to access.
You'll may need to refresh the access token. Try signing out and signing back in to the app again, or refreshing the session Click here.
Make sure the app is configured with the correct service permissions in the Services Manager menu. If any of these permissions are not configured, or configured incorrectly, some parts of the app may throw an error. For example Right click the project, select Connected Service..., and ensure the following permissions are set for this app:
(Calendar) – Have full access to users’ calendar and Read users' calendar
(Contacts) – Have full access to users’ contacts and Read users' contacts
(Mail) - Send mail as a user, Read and write access to users' mail, and Read users' mail
(Users and Groups) – Enable sign-on and read users’ profiles.
Thanks,
hemanth
I am using the following project: https://github.com/OfficeDev/O365-ASPNETMVC-Start
I set the configurations as requested in the documentation but I am receiving an error after sign in.
Cause Action
AdalException This exception is thrown when either you have a stale O365 access token that can cause authentication errors, or you attempted to access a resource that you don't have permissions to access.
Make sure the app is configured with the correct service permissions in the Services Manager menu. If any of these permissions are not configured, or configured incorrectly, some parts of the app may throw an error. For example Right click the project, select Connected Service..., and ensure the following permissions are set for this app:
(Calendar) – Have full access to users’ calendar and Read users' calendar
(Contacts) – Have full access to users’ contacts and Read users' contacts
(Mail) - Send mail as a user, Read and write access to users' mail, and Read users' mail
(Users and Groups) – Enable sign-on and read users’ profiles.
The permissions are set correctly:
How can I solve this problem?
You are missing the Send permission under the Mail API.
I fixed the problem...I was logging with the developers account without an assigned license. You have to create a new user and ensure that it has the Microsoft Office 365 Developer set as Assigned license.
If not this error would occur:
When making a request as an account that does not have a mailbox, you must specify the mailbox primary SMTP address for any distinguished folder Ids.
I want to get started with the Office365 Unified API , so I decided to register a new web app to our azure directory.
In the section: "permissions to other applications" , I select Office365 unified API(preview)
I only get set delegated permission (I don't have all admin powers in our tenant), so I choose the ones I need (user profiles, sign-in , the exact number does not matter).
When I save the configuration I get the message
Could not update the configuration for app ""
Information tells me:
Unauthorized. You do not have sufficient permissions to access this resource.
The strange is , that when I log out and return to the application in the Azure Portal, I do see those modification in the configuration ?!
Finally when I try to call the REST endpoint (with valid Accesstoken etc..) I get this message:
{"error":"invalid_grant","error_description":"AADSTS65001: No permission to access user information is configured for 'f1299649-ea20-4cf6-9cd6-afb69d9b5760' application, or it is expired or revoked.\r\nTrace ID: 69ab1a6c-eeda-4351-8e1e-2b774c19a5a0\r\nCorrelation ID: 968a962e-d851-48bb-ad6f-3f05ea7b8efe\r\nTimestamp: 2015-06-18 20:12:15Z","error_codes":[65001],"timestamp":"2015-06-18 20:12:15Z","trace_id":"69ab1a6c-eeda-4351-8e1e-2b774c19a5a0","correlation_id":"968a962e-d851-48bb-ad6f-3f05ea7b8efe","submit_url":null,"context":null}
So maybe the Azure Portal UI is right the first time and those permissions where never stored with the app ?
the application details in https://portal.office.com/myapps tell me this:
Permissions
This app works with data in your documents. It will be able to:
Read directory data
Sign you in and read your profile
Read all users'basic profiles
Access the directory as you
Read directory data
Sign-in as you and read your profile
What would be the next step to take to get this to work ?
What is your app trying to do (in terms of access to users, groups etc)?
Access the directory as you is a permission that requires admin consent. The portal unfortunately has a bug that it appears as though you have the permission, but that's not true. That's because there are 2 elements here - configuring the permissions your app needs which drives the consent experience AND the consent grant. The portal (under the covers) tries to consent the app for the permissions it requires within the developer tenant. A non-admin in this case has permissions to update the app configuration, but not to consent for those permissions in their tenant.
Hope this helps,
It is impossible to set permissions to Office 365 Unified API for your application even if you are tenant administrator due to error. I have tried it. Remember that whole Unified API is in Preview mode so there will definitely be other errors.
I need to build an app with Office 365 API and tried several examples provided here: https://msdn.microsoft.com/en-us/office/office365/howto/starter-projects-and-code-samples.
I manage to login to tha app with a user from within my own Azure Active Directory, e.g. user.name#tenant.onmicrosoft.com.
But, whenever I use another Office 365 account from another domain e.g. user#pivabo.be I get this error:
AADSTS50020: User account 'user#pivabo.be' from external identity provider 'https://sts.windows.net/908b6c6d-f582-461d-9e73-88a4e48f5d88/' is not supported for application 'df1a02fd-f096-46df-9b5a-5cf1b0f9ef6d'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.
The defined application in Azure is set to Multi-tenant!!
I also tried to add the foreign users to my AAD but everytime I get the message "This Microsoft account does not exist"
EXCEPT: I also made a hotmail account which I was able to add to my AAD and with this account logging in to the app was succesfull. But, without adding it to my AAD I get the above error message.
Any help would be welcome.
Make sure you are using "https://login.microsoftonline.com/common/..." and not "https://login.microsoftonline.com/[your tenant name]" when forming authorization link.
I am late to the party, but what it fixed for me was that I had to use "common" as tenantId.
I've 2 distinct webapp:
a CRM webapp which show customer resume to office users
a portal webapp for customer users
my CRM webapp use a combination of LDAPManager and InMemoryManager with a BasicAuthenticationFilter and BasicAuthenticationEntryPoint
my portal use a classic JDBC Manager with a standard UsernamePasswordAuthenticationFilter
Now, I need access transparently to my portal from my CRM webapp.
For example, I work in office on the CRM webapp. A customer call me and ask explanations about what is mentionned in Portal.
I would be possible for office user to access Portal as a customer from a http link in the CRM customer account page.
So I would bypass my LoginUrlAuthenticationEntryPoint and access directly to the customer account.
EDIT after Michael help, I realize that I need to keep a trace of which CRM user access to which portal account :
My questions are :
- should I use PreAuthenticatedManager or RunAsManager?
- do I need declare a 2nd EntryPoint?
- what about AuthenticationFilters?
- Is to possible to recover a user BASIC authenticated from my CRM webapp in my new portal AbstractPreAuthenticatedProcessingFilter ?
I have the following assumption / conclusion from your explanation:
1) The CRM user repository and the portal user repository have different users
2) CRM users should not know portal users passwords
I do not think you need to use RunAsManager.
(When you use RunAsManager it mean you first authenticate as a CRM user in the portal and then replace the authentication by a portal user authentication. I do not think you can authenticate a CRM user against the portal user repository.)
I suggest to create your own “AuthenticateAs” functionality: when a CRM user press on a link in a CRM page of a portal user it will be authenticated in the portal as a portal user without providing a password.
How it works?
1) When a CRM user presses a link the parameter with an encrypted portal user name is added to URL.
2) When the request with an encrypted portal user name access to the portal application, a new created PreAuthenticatedProcessingFilter decrypt the user name and authenticate the user
That’s it :)
Couple of comments:
1) Please use AES-258 algorithm to encrypt / decrypt the user name
2) Please ensure that the key for encrypt / decrypt can not be accessed by HTTTP
3) You can extend AbstractPreAuthenticatedProcessingFilter for your
PreAuthenticatedProcessingFilter
4) I strongly suggest to create two roles in the portal application: USER_WRITE_ROLE and USER_READ_ROLE. When a CRM user access using “AuthenticateAs” authentication - it should get USER_READ_ROLE. When a portal user access using regular authentication - it should get USER_ WRITE_ROLE.
5) You should think how a CRM user will perform the logout for a portal user (otherwise he always will work on the first user). The simplest way I can think about it - PreAuthenticatedProcessingFilter should process each request (even it authenticated) and if it contains the parameter with the user name to clean the portal user session and to perform the new authentication.
Please tell me what you think about the suggestion and tell me if you need any additional clarifications.
Best regards,
Michael
P.S. Added after the question was edited.
The simplest way to track CRM users on the portal is to add the additional encrypted parameter to the URL with the CRM user name