I have a team set up in VSTS and I am trying to upgrade certain team members who need access to the test suite functionality. I have procured several paid enterprise level accounts that show as available. However, when I attempt to change someone's access level from basic to enterprise I get the following error:
vs1720077: Subscription could not be validated.
I have the top level account so I am not sure why I am not able to upgrade these users.
Just as Daniel commented, you must link your work ID. For troubleshooting:
Make sure in the https://msdn.microsoft.com portal you have actually linked your work ID. You still need to explicably do this
even if your MSA and Work ID use the same email address e.g.
user#domain.com. Using the same email address for both IDs can get
confusing, so I would recommend considering you setup your MSA email
addresses to not clash with your work ID.
When you login to VSO MAKE SURE YOU USE THE WORK ID LOGIN LINK (LHS OF DIALOG UNDER VSO LOGO) TO LOGIN WITH A WORK ID AND NOT THE
MAIN LIVEID FIELDS. I can’t stress this enough, especially if you
use the same email address for both the MSA and work account
If you still get issues with picking up the MSDN subscription
. In VSO the admin should set the user to be a basic user
. In https://msdn.microsoft.com the user should make sure they did not make any typo's when linking the work account ID
. The user should sign out of VSO and back in using their work ID,
MAKE SURE THEYUSE THE CORRECT WORK ID LOGIN DIALOG. They should see the features available to a basic user
. The VSO admin should change the role assignment in VSO to be MSDN
eligible and it should flip over without a problem. There seems to be
no need to logout and back in again.
Source Link: Why can’t I assign a VSO user as having ‘eligible MSDN’
using an AAD work account?
Also take a look at this similar issue: Lost capability when msdn.microsoft.com was forced to my.visualstudio.com link and VSTS Validation
Related
I'm new to Umbraco and I configured it to use Active Directory for login following the official documentation (https://github.com/umbraco/UmbracoDocs/blob/master/Reference/Security/index.md#authenticating-with-active-directory-credentials). The behavior is a bit odd.
Before I configured the AD integration, I was able to to login to Umbraco with the email/password defined upon installation. After the integration, I could login with the same email but with my AD password so I guess that the integration kind of work...
However, now, I'd like some other people to login on the site via their AD credential, however, I have no idea how to achieve that. If I invite user, it creates an account with his email but he has to define a password, so it's not AD integrated. Same thing occurs if I try to create a new user.
So at the end of the day, I have no idea how to integrate reliably AD with Umbraco. Does anyone already achieve this and can give me pointers?
I'm running Umbraco 7.10.2.
You need to first create a User account in Umbraco so that you can assign the necessary permissions etc. This is a standard Umbraco User and needs to correspond to the AD username. I'm not sure though that the Umbraco User needs a designated password though; it's possible you can just let Umbraco auto-generate the password and they will be able to log in with the AD credentials.
To fully integrate Umbraco with AD in the way you're expecting would require some extra code on your part to query AD and pull in the users, auto-generate and link them to a corresponding Umbraco User with an auto-generated password. It's doable, just will take some creative coding on your part.
Update:
If you look in the Umbraco Log after attempting to log in as an Active Diretory user without a corresponding Umbraco User you will most probably find an error with the following message:
The user <UserName> does not exist locally and currently the ActiveDirectoryBackOfficeUserPasswordChecker doesn't support auto-linking, see http://issues.umbraco.org/issue/U4-10181
The referenced Issue has more details available: http://issues.umbraco.org/issue/U4-10181
TFSConfig Identities listed all TFS accounts and all but one matched Windows.
How do I fix the lone user account where the Match is False?
While this may not be relevant, I add it to the post in case it provides any additional clues. I tried to reapply the user in the Application Tier Console Users list and it failed. The log stated the account is also an orphaned SQL Server Login. I assume that makes sense if the SID is mismatched, though.
Since you have reapply the user in the Application Tire Console Users list. Changes you make to local or Active Directory groups do not get reflected in TFS immediately.
It may be a identity synchronization issue. You must wait for the next identity synchronization with Windows before the properties of accounts that you do some account change will be updated. This requirement includes changes from group to user, user to group, and domain account to local account.
You could also force TFS to sync, details please refer this blog. After this run the TFSConfig Identities again.
I was told by one of the engineers at Microsoft that in order to display the jobtitle field, using users method in REST, I need an admin permission. I would appreciate if someone can answer exactly what steps the domain administrator needs to take in order to give user.read.all permission to all users in the domain that will run the graph query. I would appreciate if anyone can provide detailed step by step instruction.
For user.read.all, you will need to get administrative consent from the organization before a regular user can sign-in to your application.
To do this, you'll first need to have them go through the “Admin Consent” workflow. This workflow requires an administrator but once complete any users of your application will have “admin consent” to the restricted scope.
For example, you would normally you would then authenticate users by redirecting them to
https://login.microsoftonline.com/common/oauth2/authorize?<your params>.
Since this scope requires an Admin however, you fist need to obtain consent by first having an Admin authenticate by redirecting them to
https://login.microsoftonline.com/common/adminconsent?<yours params>.
Once an Admin grants consent, normal users will be able to use OAUTH to authenticate.
Dan's link took care of the problem.
In the link the below sample link was the answer. Instead of the word "common", I have replaced it with the tenant ID as shown below:
https://login.microsoftonline.com/{tenant id from azure ad}/adminconsent?
client_id={application client id}
&state={can be anything. I used the same as the redirect url}
&redirect_uri={URL that exactly appears in the app application portal}
So I'm trying to connect an mvc app to AAD B2C, and retrieve the current users groups, so I can add them to their roles. Unfortunately, I am unable to successfully query the graph.
Insufficient privileges error when trying to access Azure Graph APIs
The link above is essentially the situation I'm in, save that I'm connecting to a B2C directory. As near as I can tell, I don't have a way to specify privileges as that questions answer suggested. There is a section for 'Keys' but the keys it generates are really quite different than the keys that regular AD apps generate.
When I do try to use the key, I just get the insufficient privileges error.
I also tried locating my app in the main, regular AD, and adding keys and ALL permissions, but I also got the same error (and there doesn't appear to be any way that I can see to determine if I even got closer)
To add to the confusion, there are different ways to get to the registered "applications" in the Azure portal. I can go in through the B2C settings, or through the regular AD settings. In the B2C side of things, I can generate keys (but as I said, they're quite different from the keys generated on the AD side), but I cannot do annything with Privileges... no option exists. on the AD side, I actually see two apps for my 1 B2C app... it looks like there's one which has the same ID as the B2C app (but using that key and privileges does nothing), and theres another, which also doesn't appear to have any useful qualities that I've figured out.
I'm out of ideas. What else can I try?
edit
I've done some more experimenting, and found that if I use an incorrect ID or Secret, I get appropriate error messages. So, by this I assume that I am "Authenticating" correctly. The problem seems to be that, as the error message indicates, my Key does not have sufficient permissions.
To that end, I've added every single available permission under both "Windows Azure Active Directory" and "Microsoft Graph" ... No improvement, I still fail to have the required privileges. I guess I'll add ALL the available permissions, and see if that seems to help any.
-- Nope, there are NO remmaining privileges to add, but I still get the insufficient Privileges error message.
Additionally, making the login-user an AD administrator, doesn't make any difference.
You're likely missing a so called admin consent in your flow. Basically, its not enough to grant permissions (those which are marked "Requires admin") using the portal, but also a user with admin rights should consent that grant. The tricky thing is that this consent isn't shown automatically when an admin user signs in (like it happens with regular user consent). You have to add a prompt=admin_consent parameter to the url of the page where you enter credentials, press enter, and then login. In this case you will see the admin consent, asking if you want to grant the permissions.
You can read more about admin consent here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent.
I also discuss this problem here: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console/issues/38#issuecomment-264664883
I am using the new OAuthWebSecurity wrapper for DotNetOpenAuth to allow users to log in to an MVC4 application with their Microsoft Account (aka Windows Live ID).
I have registered the microsoft client:
OAuthWebSecurity.RegisterMicrosoftClient(clientId: "...", clientSecret: "...");
It is all working, and I love the simplicity of it. But how do I refine what it's doing?
After selecting to log in with their Microsoft Account, the user is taken to a screen asking them to log in:
When they log in, I want them to be able to check the "keep me signed in" box.
Microsoft then asks for them to OK my access:
But I don't actually want that much access. All I want is their name and email address. And maybe their picture. I certainly don't need or want access to their contacts and friends. This is going to scare off my users.
Where can I pass parameters to OAuthWebSecurity or DotNetOpenAuth to control this?
So the user clicks yes and all is ok. However, when they leave and come back to my site - the "keep me signed in" option should have been honored. It isn't. Instead, they see this:
I don't understand the message that says:
Because you're accessing sensitive info, you need to verify your password.
What sensitive info? The contacts/friends I didn't want to begin with? Or something else?
How can I get around these two issues to make my application more user-friendly?
You need to pass the scopes you want, you can just use wl.signin which will sign users into your application if they are already signed in to live without asking for the credentials again.
Check http://msdn.microsoft.com/en-us/library/live/hh243646.aspx