Login with AzureAD Account sync instantly goes in "Error" state

Hi

Please see this video about my problem: https://youtu.be/atxOfCJBKRE

To recap in words, when I sign in with my personal AzureAD account to Edge Dev and Canary (newest builds 78.0.262.0/78.0.267.0), it instantly goes into Error state.

I have tried on 3 different PCs. 2 of them were newly installed Win10 1903 setups, logged in directly with the AzureAD credentials.

So it's not a PC problem, because as the video shows I have two other profiles, which are both set up with AzureAD account sync.

EDIT: It hasn't worked in previous builds either.

88 Replies

Same situation here. Same build, same user experience, same error. Just like before the update.

@Elliot Kirk Hi, sorry for the mention, but this still isn't working with the latest dev update. Can you assist, or mention someone who can help?

Regards Lars Mortensen

I got the same behavior. It seems to come from my firewall with SSL inspection.

I asked for URL exceptions with the feedback button but I haven't gotten any answer yet.

When I whitelisted a lot of Microsoft URLs (especially links to Azure), everything was looking better.

We need an online dashboard to see which data is saved (date of last sync) and to be able to clear it as well.

I think that a personal Microsoft account has a dashboard.

@Shaecky

Good path. I tested on my "guest" network that does not have SSL inspection turned on but still does layer 7 inspection. Same issue; however, I used the hotspot on my cell phone and it stayed logged in. I have asked my FW team to look at layer 7 inspection to see if it is being blocked due to an unknown protocol or other unusual traffic. Will let you know.

Hey

It’s not a FW problem for me. I can log in and synchronise fine with my Admin account to my Office 365 tenant and with my work Office 365 account.
So I am having an issue like you. I can sync with a Hotmail account. I can sync with an ID for a "test" tenant but cannot sync with an ID from my primary tenant.

Hi

Just thinking, you who have the same issue, is your account either an AD synced account, or an old AD synced account converted to cloud only?

Because I have just created a new in-cloud user in my tenant without a license, but with the same domain as my own domain, and it works. (My own account is sourced from AD Sync, but has been converted to In-Cloud)

So it's not tenant nor domain specific, it must be the specific user object, in my case at least, so just wondered if the "history" of the account could be the culprit.

Regards Lars

@nOrphf my account is a synced account from on-prem AD. Both accounts (dev tenant and prod tenant) are sourced from the same AD but with a different anchor attribute. We are no longer actively syncing the dev tenant account. I took a look at the log file located at AppData\Local\Microsoft\Edge Beta\User Data\Profile 6\Sync Data\mip\logs\mip_sdk.miplog and a couple of things stand out.

As part of the tenant setup we had to change the UPN of our users. I originally set up sync with my old UPN (userid@olddomain.com), and now my UPN is userid@newdomain.com. When I look at the logs I can see an Owner attribute that still references my old UPN even though it shows authenticated as userid@newdomain.

Info 2019-10-07 16:36:19.279 usage_restrictions_client.cpp:137 msedge (78904) "Owner: userid@olddomain" mip::UsageRestrictionsClient::GetRestResponseFromHttpResponse 108172

 

Sending HTTP request: ID: MIP-1, Type: POST, Url: https://api.aadrm.com/my/v2/enduserlicenses?userEmail=userid@newdomain.com, Body Size: 9573, Headers['Accept'] = 'application/json', Headers['Content-Type'] = 'application/json', Headers['Authorization'] = 'SCRUBBED', Headers['Accept-Language'] = 'en-US', Headers['x-ms-rms-request-id'] = '41fa4384-9ccd-4386-8894-00007db44834;83975697-6773-41da-b544-0000b5a3d59a', Headers['x-ms-rms-platform-id'] = 'AppName=Microsoft Edge;AppVersion=78.0.276.14;DevicePlatform=WindowsStore;SDKVersion=4.2;UniqueId=ecd6b820-32c2-49b6-98a6-444530e5a77a;OsName=win;OsVersion=10-0-18362;MipVersion=1.3.181;'" mip::SendHttp 108172



 

Another interesting entry in the log is this:
Adding OAuth2 challenge to cache. Domain: api.aadrm.com TenantId: 'XXXXXXXXX-b782-4f44-b0b5-XXXXXXXXXXXX' Challenge: 'Bearer resource=""https://aadrm.com"", realm=""e2ba673a-b782-4f44-b0b5-XXXXXXXXXXXXXXX"", authorization=""https://login.windows.net/XXXXXXX-b782-4f44-b0b5-XXXXXXXXXXX/oauth2/authorize""'" mip::AuthInfoStore::AddChallenge 108172

The reason this is interesting is that when I look at another user who is able to sync, the request from his log is missing the tenant ID info.
Adding OAuth2 challenge to cache. Domain: api.aadrm.com TenantId: '' Challenge: 'Bearer resource=""https://aadrm.com"", realm="""", authorization=""https://login.windows.net/common/oauth2/authorize""'" mip::AuthInfoStore::AddChallenge 6884
The successful response in the log is this:
Info 2019-10-08 08:47:38.448 publish_client.cpp:85 msedge (10780) "Publish response (custom)" mip::PublishClient::GetRestResponseFromHttpResponse 6884
Info 2019-10-08 08:47:38.448 publish_client.cpp:86 msedge (10780) "Id: 00000000-0000-0000-0000-000000000000" mip::PublishClient::GetRestResponseFromHttpResponse 6884

The failed response is this:
Info 2019-10-07 16:36:19.279 usage_restrictions_client.cpp:132 msedge (78904) "Received a usage restrictions response:" mip::UsageRestrictionsClient::GetRestResponseFromHttpResponse 108172
Info 2019-10-07 16:36:19.279 usage_restrictions_client.cpp:133 msedge (78904) "AccessStatus: AccessDenied" mip::UsageRestrictionsClient::GetRestResponseFromHttpResponse 108172
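
Added example, not part of the original post and not code from Edge or the MIP SDK: a small Python triage script for the fields compared in the post above (the Owner value versus the userEmail in the request, the TenantId in the cached OAuth2 challenge, and AccessStatus). The sample lines are constructed, and treating the trailing number on each line as a correlation key is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the mip_sdk.miplog lines quoted in the post;
# the addresses and tenant GUID are placeholders, not values from the thread.
SAMPLE_LOG = r'''
Sending HTTP request: ID: MIP-1, Type: POST, Url: https://api.aadrm.com/my/v2/enduserlicenses?userEmail=user@new.example, Body Size: 9573" mip::SendHttp 108172
Adding OAuth2 challenge to cache. Domain: api.aadrm.com TenantId: '11111111-2222-3333-4444-555555555555' Challenge: 'Bearer resource=""https://aadrm.com""'" mip::AuthInfoStore::AddChallenge 108172
Info 2019-10-07 16:36:19.279 usage_restrictions_client.cpp:133 msedge (78904) "AccessStatus: AccessDenied" mip::UsageRestrictionsClient::GetRestResponseFromHttpResponse 108172
Info 2019-10-07 16:36:19.279 usage_restrictions_client.cpp:137 msedge (78904) "Owner: user@old.example" mip::UsageRestrictionsClient::GetRestResponseFromHttpResponse 108172
Adding OAuth2 challenge to cache. Domain: api.aadrm.com TenantId: '' Challenge: 'Bearer resource=""https://aadrm.com""'" mip::AuthInfoStore::AddChallenge 6884
Info 2019-10-08 08:47:38.448 publish_client.cpp:85 msedge (10780) "Publish response (custom)" mip::PublishClient::GetRestResponseFromHttpResponse 6884
'''

PATTERNS = {
    "owner": re.compile(r'"Owner: ([^"]+)"'),
    "requested_upn": re.compile(r'userEmail=([^,&\s"]+)'),
    "tenant_id": re.compile(r"TenantId: '([^']*)'"),
    "access_status": re.compile(r'"AccessStatus: (\w+)"'),
}
# Assumption: the number that ends each line ties related entries together.
TRAILER = re.compile(r"\s(\d+)\s*$")

def summarize(log_text):
    """Collect the fields of interest per trailing correlation number."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        tail = TRAILER.search(line)
        if not tail:
            continue
        fields = sessions[tail.group(1)]
        for name, pattern in PATTERNS.items():
            hit = pattern.search(line)
            if hit:
                fields[name] = hit.group(1)
    return dict(sessions)

def findings(sessions):
    """Flag the three conditions the post contrasts between the two users."""
    report = {}
    for key, s in sessions.items():
        flags = []
        if s.get("access_status") == "AccessDenied":
            flags.append("access_denied")
        owner, upn = s.get("owner"), s.get("requested_upn")
        if owner and upn and owner.lower() != upn.lower():
            flags.append("owner_upn_mismatch")
        if s.get("tenant_id"):  # empty for the user whose sync works
            flags.append("tenant_specific_challenge")
        report[key] = flags
    return report
```

Reading the real file into `summarize()` and passing the result to `findings()` gives one list of flags per correlation number, which makes it easy to compare a failing profile with a working one.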

@jasonsch69 @Elliot_Kirk 

@jasonsch69 Sorry that you're experiencing issues with browsing data sync. Could you share the video repro with me so that we can help better debug? 

 

Also adding @akhator to help.

@Avi Vaid how do I share a video with you without showing everyone in the world what my ID is?

Hi @Avi Vaid and @akhator

This video shows what's happening.

https://youtu.be/caAp3QVVN-g

I also send this problem to you every 2-3 days through the feedback system, so you constantly get fresh logs to look through.

 

Regards Lars

Is there anywhere in Azure AD the "Sync Store", or whatever it should be called, or is this not visible to the user/admin at all?
Could there be any settings in Azure AD which could give the above issues?
Did you check the log file at AppData\Local\Microsoft\Edge Beta\User Data\(current profile)\Sync Data\mip\logs\mip_sdk.miplog?

@jasonsch69 

Everything after \Sync Data doesn't exist. The message for me has changed to "Couldn’t connect to the sync server. Retrying…"

Make sure you are looking under the active profile directory; it may be "user data\default" or may be "user data\profile 1" or any other profile #.
I get the "couldn't connect to server" with the Canary build.

Hi @jasonsch69 

 

In the log files, I see the error: "Authorization has been denied for this request."

(I'm testing with Canary builds, so my path is Edge SxS instead of Edge Beta)

 

Regards