I created a Twins instance and got a basic example up and running. A few days go by and I launch the Twins Explorer from my dashboard in Azure Portal. The Single Sign on lets me sign on using my Microsoft Account and upon logging in it states:
Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application '856....' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
How can I resolve this?
Successful Login After Host Popup with No Changes
As of the writing of this message, and after previous failed attempts, the Twins Dashboard (no settings changed mind you), on the last attempt the Enter Host popup was preseented to me. I was allowed to re-add my host and it worked.
Related
I am trying to understand the basic logics for receiving GMail emails with Google OAuth. I see this document Authorizing Your App with Gmail
Now I follow the instructions in Setting Up POP3 Importing with OAuth via Google to setup POP3 with Google OAuth.
I login one Google account(Account1) and then in Google Cloud, create the Google App and OAuth Client ID.
Then I start connect to GMail account(Account2) with the web application(WHMCS). When connecting, it asks me to choose an account that create the app, so I choose Account1. But get the following error:
Error 403: access_denied
The developer hasn’t given you access to this app.
Thus I am a bit confused. Since Account1 is used to create the app and OAuth Client ID, it should be able to access the app when I choose Account1, but the app will not be able to access the data in Account2. Or does the App in the error message means Gmail, not the app I created in Google Cloud?
Should I use Account2 to create the app for receiving emails in Account2? If yes, then for each Gmail account, should I create a separate app accordingly?
Update
Now I try to do as follows:
Use Account3(The admin of Google Workspace) to create the Cloud Project, Consent Window, Client ID, etc.
Then when connecting from WHMCS on our domain datanumen.com, it asks me to choose the account, I choose Account3, and then see a new window as below:
I then select "Allow" button, but then see the following error:
Connection unsuccessful. Please close this window and try again.
Update
I try several times. And find the first time will be successful. I forget enable POP3 in my Gmail account. After enabling it, everything is fine.
I am a bit confused as to what you are trying to do here.
You created a project on Google cloud console and created client id and client secret for the authorization of your project.
All this does is create a project that will be allowed to use Oauth2 to request authorization of a user to access their data.
If I understand what WHMCS is trying to do. Its going to let you use your client id and client secret to request access of a user to access their data.
So when it asks you to authorize a user this is the user whos data you want access to. That user must be added as a test user over on Google cloud console for the project that you created.
The project you create on google cloud console is still in the testing phase. Each user you want to allow to test your application must be added as a test user. Other wise only the owner of the project can test the applicaiton.
To fix this issue for me was this simple:
Go to https://console.developers.google.com/
open the project in question.
Click "OAuth consent screen" on the left.
Under "Test users" there is a button called "+ ADD USERS"
Type the email of the account you will be testing with, press enter, then click save.
It should work now
It seems like they updated this recently because last year I did not have to do this.
workspace
The issue you may be having is that if you created this project on a workspace account then i suspect only workspace domain users are going to be able to authorize it. It cant be authorized by someone on the standard google domain. So try with a workspace domain user. The same may go the other way I have never tried tbh. I tend to keep workspace within its domain.
If in Azure portal, I set Enterprise applications > Properties > User assignment required? to No, then authentication works as expected. However, if I turned it on, users get error Application needs permission to access resources in your organization that only an admin can grant. I understand that I need to add an API permission to my app, but what is it?
Interestingly, if a user has signed in into the app before, then they are not affected when turning the option on. Only users who have never use it are affected
Edit: To clarify, I already have App roles created. Users without app roles can't sign in, as expected. Users WITH app roles who sign in for the first time after the the option turned to Yes get the above error
Finally, I reproduce your issue with the request URL below, the scope also could be another one, e.g. https://storage.azure.com/.default, which has been added in the API permissions of the AD App.
https://login.microsoftonline.com/<tenant0id>/oauth2/v2.0/authorize?
client_id=xxxxxxx
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://management.azure.com/.default
&state=12345
If the User assignment required is set to Yes, I notice it will not promote the user to consent the permissions. (e.g. user_impersonation in the Azure Service Management API.)
To fix the issue, we need the admin consent to the App, just navigate to the API permissions, click the Grant the admin consent for xxx button, then it will work fine.
we are using Microsoft Graph API for uploading files for business and personal accounts.
After the account logs in, we ask for some permissions, but we don't add the once needed for OneDrive. After the user explicitly requests to upload a file we send another request for an AccessToken including all scopes until now + files.readwrite.all. This was working perfectly until (maybe) a month ago. Now it works for business accounts, but not for personal accounts.
Steps that we do:
Redirect the user to login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=...&redirect_uri=https%3A%2F%2Fmywebsite.com%2Fsignin-microsoft&response_type=code%20id_token&scope=openid%20offline_access%20profile%20email%20mail.readwrite%20mail.send%20contacts.readwrite%20calendars.readwrite%20people.read%20user.read%20files.readwrite.all&response_mode=form_post&nonce=636656...&state=CfDJ8MLMcPchE...
The user selects their account (whit which they are already signed in)
They get redirected to https://login.live.com/oauth20_authorize.srf with the following sreen:
The permissions are not added for our application and we don't get any error.
Here is also the response from the error page:
Error Info
"/pp1600/oauth20_authorize.srf?client_id=9d3c...&scope=openid+offline_access+profile+email+mail.readwrite+mail.send+contacts.readwrite+calendars.readwrite+people.read+user.read+files.readwrite.all&redirect_uri=https%3a%2f%2fmywebsite.com%2fsignin-microsoft&response_type=code+id_token&state=CfD...&response_mode=form_post&nonce=636...&x-client-Ver=5.2.0&display=host&uaid=521...&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&username=pesho..."
loginserverprotocolhandler(846)
HR=0x80041018
Method string:GET
URL:"/pp1600/oauth20_authorize.srf"
Query string:"code=5"
Server protocol:HTTP/1.1
Update: after a couple of tries i actually managed to grant access to one of my accounts for the OneDrive integration. Not really sure what changed. I was just logging in and out with different Outlook accounts in Outlook and in our app. After that, i tried the same process with a different account and it failed again. Every time I was trying this I was logged with the same account on both places.
One more thing that I noticed is that before the consent was for all permissions and now the consent screen showed request only for the files permission.
So I'm trying to connect an mvc app to AAD B2C, and retrieve the current users groups, so I can add them to their roles. Unfortunately, I am unable to successfully query the graph.
Insufficient privileges error when trying to access Azure Graph APIs
The link above is essentially the situation I'm in, save that I'm connecting to a B2C directory. As near as I can tell, I don't have a way to specify privileges as that questions answer suggested. There is a section for 'Keys' but the keys it generates are really quite different than the keys that regular AD apps generate.
When I do try to use the key, I just get the insufficient privileges error.
I also tried locating my app in the main, regular AD, and adding keys and ALL permissions, but I also got the same error (and there doesn't appear to be any way that I can see to determine if I even got closer)
To add to the confusion, there are different ways to get to the registered "applications" in the Azure portal. I can go in through the B2C settings, or through the regular AD settings. In the B2C side of things, I can generate keys (but as I said, they're quite different from the keys generated on the AD side), but I cannot do annything with Privileges... no option exists. on the AD side, I actually see two apps for my 1 B2C app... it looks like there's one which has the same ID as the B2C app (but using that key and privileges does nothing), and theres another, which also doesn't appear to have any useful qualities that I've figured out.
I'm out of ideas. What else can I try?
edit
I've done some more experimenting, and found that if I use an incorrect ID or Secret, I get appropriate error messages. So, by this I assume that I am "Authenticating" correctly. The problem seems to be that, as the error message indicates, my Key does not have sufficient permissions.
To that end, I've added every single available permission under both "Windows Azure Active Directory" and "Microsoft Graph" ... No improvement, I still fail to have the required privileges. I guess I'll add ALL the available permissions, and see if that seems to help any.
-- Nope, there are NO remmaining privileges to add, but I still get the insufficient Privileges error message.
Additionally, making the login-user an AD administrator, doesn't make any difference.
You're likely missing a so called admin consent in your flow. Basically, its not enough to grant permissions (those which are marked "Requires admin") using the portal, but also a user with admin rights should consent that grant. The tricky thing is that this consent isn't shown automatically when an admin user signs in (like it happens with regular user consent). You have to add a prompt=admin_consent parameter to the url of the page where you enter credentials, press enter, and then login. In this case you will see the admin consent, asking if you want to grant the permissions.
You can read more about admin consent here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent.
I also discuss this problem here: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console/issues/38#issuecomment-264664883
I have a build service setup within TFS and I have a special AD user set as the user to run the service. When I enter the credentials for that user within the TFS Admin Console, everything works fine. For some reason, after so long (not sure how long yet) the Build Service stops running. When I look into the issue, it is because the password is blank. Any ideas why this would be getting cleared out? If I put the password back in, everything will work fine until is clears out again.
Is the account a member of the local administrators group? There could be a group policy within AD that removes Log on as Service rights from such accounts on restart. See this for an example