Latest Discussions
Trying to create token with scope https://cnt-prod.loadtesting.azure.com
Hello. I have created a web app and updated its permissions within Azure App registration to be able to access Graph and Azure Management (user impersonation). Using Microsoft.Identity.Web I am able to add a downstream API and make a successful call to it:

    response = await downstreamApi.GetForUserAsync<HttpResponseMessage>(
        "Azure Management",
        options => { options.RelativePath = relativePath; });

    if (response?.IsSuccessStatusCode ?? false)
    {
        string responseData = await response.Content.ReadAsStringAsync();
    }

However, when I try to create a token with a different scope, for example:

    var token = await tokenAcquisition.GetAccessTokenForUserAsync(
        new[] { "https://cnt-prod.loadtesting.azure.com/.default" });

the general error I get is that my app is trying to access a resource it's not allowed to. However, I can't find this resource at all to give it access (within App Registration and API permissions). With Azure Load Testing, I have learned there is a resource plane and a data plane. The resource plane requires management.azure.com, but access to the data plane requires https://cnt-prod.loadtesting.azure.com/.default (from the tests I have done in PowerShell). Anyone else come across this similar issue? Any assistance is greatly appreciated. Thank you

Satbir-B, Feb 19, 2025, Occasional Reader. 21 Views, 0 likes, 1 Comment

Resolving AADB2C90205 error during immediate sign-in with new Azure B2C App Registration
We are developing a multi-tenant application where users can request new business tenants through the main domain by specifying a subdomain for each. We use Graph API to automate the creation of specific App Registrations in Azure AD B2C for each tenant's subdomain. After the App Registration is created, attempting an immediate sign-in with Azure B2C results in a failure with the following error:

    https://webuilduat.b2clogin.com/webuilduat.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/token 400 (Bad Request)
    "AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation."

This error persists until about 30 minutes post-creation, after which sign-in functions normally. We ensure that all required scopes are correctly configured in the App Registration. This delay leads us to suspect issues with resource propagation. What causes the AADB2C90205 error specifically when attempting immediate sign-ins post-App Registration creation? Are there known strategies to mitigate this delay or expedite the propagation process so that authentication becomes promptly available after creating a new App Registration? Your insights on this would be greatly appreciated, as they could significantly improve our application's user experience by reducing wait times for new tenant setups.

egidiotorresi, Feb 13, 2025, Copper Contributor. 590 Views, 0 likes, 1 Comment

Best practice for managing client Id and secret when developing Azure Web app
Hi all. I don't know where the best place to ask this is, but I'm developing an integration with Azure for SharePoint access via Graph API and it's not entirely clear to me what the best practice is on who holds the Enterprise App client ID and secret token used by the 3rd-party application that an admin grants consent to. If you've done a bunch of direct backend integrations, you typically manually create the Enterprise App and add a token, then hand the generated app ID, client ID and token to the integration application to direct you through the consent URI step. At that point it's up to you to manage the app's token, which can expire. My understanding is that when you seek to develop an official MS Gallery App, it's the developer/vendor that sets up their own Azure Entra and manages their application's access to Graph. When an admin that uses your application wants to integrate it with Azure for whatever it does, they would pick the Gallery App, and everything related to Graph access is handled by the vendor/developers. I believe this is separate because the vendor/developer may want to manage their own SaaS service install separately from the customer/admin, and I believe Microsoft can also revoke the vendor/developer's account/tokens if they're being malicious. The admin can control what the app accesses in their Azure via access permissions and, of course, by removing the app. Is this a best practice? Where can I find guidance on who and where the secret is managed? Please remember this is related to the developer of a Gallery App, not a direct integration. I understand the direct integration; it's not how I believe a Gallery App is supposed to work exactly.

c_mckenzie, Feb 10, 2025, Copper Contributor. 376 Views, 0 likes, 1 Comment

AzureAD RefreshToken Lifetime fixed instead of Expiration sliding window
When requesting an access_token for an app on AzureAD, I get an AccessToken as well as a RefreshToken. The Refresh token has a specific Lifetime (Expiration) configured via Conditional Access Policy of 8 hours. Now, within these 8 hours you can try to renew the accessToken, which will expire, if default settings are used, in 1 hour. Then the new RefreshToken is again valid for 8 hours. And if the refreshToken is always used within these 8 hours, the access will be there forever, from my view. I see no limiting factor here, such as a fixed Expiration, even if the refresh token is used very frequently, for example. Docs are not really describing this use case. Happy to get any hint and support on this. Thanks a lot.

mbs-systems, Feb 09, 2025, Copper Contributor. 302 Views, 0 likes, 1 Comment

Azure App Service Flask Deployment issues with Error "didn't respond to HTTP pings on port: 8000"
Hello Everyone, I am deploying the Flask web app with Immersive Reader and I am trying to deploy it as a ZIP file; I tried with Visual Studio Code too, following the steps mentioned at the link below:

    https://learn.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=flask%2Cwindows%2Cazure-cli%2Czip-deploy%2Cdeploy-instructions-azportal%2Cterminal-bash%2Cdeploy-instructions-zip-azcli

So, I have gone through each step mentioned there and applied it, and it is showing me the below result. I have gone through the diagnostic resources, but didn't find any solution for the following error in the logs.

Inkey_Solutions, Jan 26, 2025, Brass Contributor. 243 Views, 1 like, 1 Comment

Persistent volume with Azure Files on AKS
Based on our document, when we need to statically create a persistent volume with Azure Files integration, we need to create a Kubernetes Secret to store the storage account name and access key, and assign the secret in the PV YAML file:

    https://learn.microsoft.com/en-us/azure/aks/azure-csi-files-storage-provision#create-a-kubernetes-secret

However, this mechanism allows other people who have read permission on the AKS cluster to easily read the Kubernetes secret and get the storage account key. Our customer has a concern about this and wants to know if there is another mechanism that can prevent this risk (for example, needing to fetch the account key from Key Vault first, not directly putting the storage account key into a Kubernetes secret).

355 Views, 0 likes, 2 Comments

Running WordPress from a Subfolder in Azure App Service - Not Working
I'm running into an issue with my Azure App Service deployment. I have a primary PHP site running smoothly from the root directory, but I'm having trouble getting a WordPress blog to work from a subfolder (e.g., https://mydomain.com/blog). Despite ensuring that all WordPress files are correctly placed in the site/wwwroot/mysite/blog directory, accessing https://mydomain.com/blog results in a "Not Found" error. Here are a few details about my setup:

- The primary site is a custom PHP application.
- The application is running on Linux.
- The WordPress files are located in site/wwwroot/mysite/blog.
- I've verified that the subfolder and its contents are accessible via FTP.
- The main site and the blog use the same databases.
- I have set WORDPRESS_MULTISITE_CONVERT = true and WORDPRESS_MULTISITE_TYPE = subdirectory in the Environment Variables.

The .htaccess file looks like this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /blog/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /blog/index.php [L]
    </IfModule>
    # END WordPress

Has anyone encountered a similar issue or have any insights on how to successfully run a WordPress site from a subfolder in Azure App Service? Any tips or configuration changes that I might be missing would be greatly appreciated!

rehaan007, Jan 16, 2025, Copper Contributor. 348 Views, 0 likes, 1 Comment

Azure Logic App - Scheduler is delayed but needs to run on a certain time
I have a workflow which should run every day at 6am, but on several days it is delayed up to 4 hours or sometimes more. And it is not that the workflow is triggered at 6am and was on hold for 4 hours; it is that the trigger itself was fired late. I have an Azure Logic App in Standard tier. Currently I have 10 workflows deployed, some of them with Blob triggers, some of them with schedulers. At least one of the workflows has a very high consumption load. These high loads are usually between midnight and 1am. I am aware that a workflow which has a huge number of parallel instances could affect other workflows. But is there a way to make sure that the scheduler is triggered at the right time? Is there an option that a certain workflow could be prioritized? The config of my scheduler is as follows:

    {
      "type": "Recurrence",
      "recurrence": {
        "interval": 1,
        "frequency": "Day",
        "timeZone": "W. Europe Standard Time",
        "schedule": {
          "hours": [ "6" ],
          "minutes": [ 0 ]
        },
        "startTime": "2024-10-07T06:00:00Z"
      }
    }

In the trigger history I can see that the scheduler was "fired" too late:

LStrike, Jan 08, 2025, Copper Contributor. 83 Views, 0 likes, 1 Comment

Authentication deadlock
I got a Microsoft 365 developer account and a sandbox as well. Many months ago it asked me to configure 2FA, which I did using the Microsoft Authenticator app on Android. I also had other 2FA set up on the same device for some work accounts. Later, somehow my sandbox account got deleted or overwritten in the Authenticator app on my phone. I haven't been able to log in to my Office 365 sandbox ever since. Every flow I try asks me to use the Authenticator application. But the problem is that access to Authenticator for 2FA was lost due to an app error. Our company's IT department said they can't do anything about it. I tried to delete the profile, but when I created it Microsoft gave back the same sandbox which was already not working. My employer spends a good deal of money on Microsoft and it's very upsetting to get such treatment from Microsoft. This account is needed for my office work. Help appreciated.

Naeem-M, Jan 06, 2025, Copper Contributor. 60 Views, 0 likes, 2 Comments

SalesForce SSO
The production Salesforce instance has SAML configured, has been active for years, and everything continues to work as desired. New instance of Salesforce; data will be migrating over soon. I set up another SAML application in Azure for SSO to the new instance, and everything looks to be correct. When I hit SSO for the new instance of SF, it fails with a default "something went wrong with SSO" blah, blah from SF, with no errors or correlation ID. Azure sign-in logs show the correct timestamp and a status of success. I'm thinking the hand-off has been successful, so SF should be happy. On the SF side there are no login attempts at all; it's like nothing even tried to auth. Salesforce support has been helpful, but the ticket remains open. Looking for ideas: how do I capture where the hand-off is failing, and how do I fix this?

pmarsh508, Dec 31, 2024, Copper Contributor. 27 Views, 0 likes, 1 Comment
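An added example for the Salesforce SSO post above; it is not from the thread, from Microsoft or from Salesforce. A success entry in the Entra sign-in log only records that the IdP issued a SAML assertion; whether the SP accepts it depends on the values inside the response, so the place to look is the SAMLResponse form field in the browser's POST to the Salesforce login URL (captured from the Network tab or a SAML tracer extension). The script below base64-decodes such a captured value, pulls out the fields an SP validates (status, issuer, audience, destination, recipient, NameID, validity window) and compares them with what the new instance is configured to expect. The embedded response, the tenant ID and the Salesforce URLs are constructed placeholders, and the sample is unsigned; a real one carries a Signature element and the SP also checks that.

```python
"""Decode a captured SAMLResponse and compare it with the SP's expectations.

Added example, not from the thread. SAMPLE_XML is a constructed, unsigned
response with placeholder tenant ID and Salesforce URLs.
"""
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: placeholder tenant ID and Salesforce URLs.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-12-31T10:00:00Z"
    Destination="https://example.my.salesforce.com/?so=00Dxx0000001">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-12-31T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-12-31T10:05:00Z"
            Recipient="https://example.my.salesforce.com/?so=00Dxx0000001"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-12-31T09:55:00Z" NotOnOrAfter="2024-12-31T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually POSTs: the base64 form of the XML above.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def _text(el):
    return el.text.strip() if el is not None and el.text else None


def decode_saml_response(b64_response: str) -> dict:
    """Base64-decode a SAMLResponse form value and extract the fields an SP validates."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    fields = {
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "issuer": _text(root.find("saml:Issuer", NS)),
        # An EncryptedAssertion must be decrypted with the SP key before these fields exist.
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": None, "name_id_format": None, "recipient": None,
        "audience": None, "not_before": None, "not_on_or_after": None,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        cond = assertion.find("saml:Conditions", NS)
        fields.update(
            name_id=_text(name_id),
            name_id_format=name_id.get("Format") if name_id is not None else None,
            recipient=scd.get("Recipient") if scd is not None else None,
            audience=_text(assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)),
            not_before=cond.get("NotBefore") if cond is not None else None,
            not_on_or_after=cond.get("NotOnOrAfter") if cond is not None else None,
        )
    return fields


def check_against_sp(fields: dict, expected_audience: str, expected_acs: str) -> list:
    """Return the mismatches between the decoded response and the SP's Entity ID / ACS URL."""
    problems = []
    if fields["status"] != SUCCESS:
        problems.append(f"status is {fields['status']}")
    if fields["encrypted"]:
        problems.append("assertion is encrypted; decrypt it with the SP key before checking")
    if fields["audience"] != expected_audience:
        problems.append(f"audience {fields['audience']!r} != SP entity ID {expected_audience!r}")
    for name in ("destination", "recipient"):
        if fields[name] != expected_acs:
            problems.append(f"{name} {fields[name]!r} != ACS URL {expected_acs!r}")
    if not fields["name_id"]:
        problems.append("no NameID in assertion")
    return problems


if __name__ == "__main__":
    decoded = decode_saml_response(SAMPLE_SAMLRESPONSE)
    for key, value in decoded.items():
        print(f"{key:15} {value}")
    # Entity ID and ACS URL of the instance the assertion was meant for (placeholders).
    print(check_against_sp(decoded, "https://saml.salesforce.com",
                           "https://example.my.salesforce.com/?so=00Dxx0000001"))
```

To use it on a real capture, paste the SAMLResponse value in place of SAMPLE_SAMLRESPONSE and pass the Entity ID and Login URL shown on the new instance's Single Sign-On Settings page. Audience and Recipient are the values most often wrong when a second SAML app is cloned from a working one, and a mismatch there is rejected by the SP before any login attempt is recorded, which matches a success in Entra and nothing on the Salesforce side.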