AADSTS50105 error message is unreadable for end users — UX improvement suggestion
1. What’s wrong with the current error message a. It’s written for administrators, not users The message exposes: Internal system names (AADSTS50105) GUIDs (aaaabbbb-cccc-dddd-eeee-ffff01234567) Identity provider jargon (“direct member of a group with access”) None of this helps the person who sees the error decide what to do next. b. The actual problem is buried in a wall of text The real issue is simply: You don’t have permission to access this app. Instead, the message forces users to: Read a long paragraph Decode domain-specific language Guess which part matters Cognitively, this is high effort for low payoff. c. “Contact your administrator” is vague and unhelpful Users ask: Which administrator? IT? Security? App owner? Their manager? What should they say? Without context, users either: Ignore the error Forward screenshots randomly Open the wrong support ticket d. Error codes without guidance increase support load AADSTS50105 may be meaningful internally, but: Users don’t know whether to Google it Support teams receive unclear tickets (“it doesn’t work”) This paradoxically raises support cost instead of lowering it. 2. What a better error message should do A good error message answers four questions in order: What happened? Why did it happen (in plain language)? What can the user do next? Who specifically can help? And it does so in under 30 seconds of reading time. 3. Example of a much better error message You don’t have access to [APPLICATION] Your account (email address removed for privacy reasons) isn’t currently authorized to use [APPLICATION]. This usually means: You haven’t been added to the required security group, or Access hasn’t been requested or approved yet. What to do next If you believe you should have access, contact IT Service Desk or your [APPLICATION] owner and request access. Helpful details to include in your request Application name: [APPLICATION] Your email: email address removed for privacy reasons Error reference: Access not assigned (Error ID: AADSTS50105 — for IT use) 4. Optional but high-impact improvement: Add a “Request Access” button or link One-click takes users to: ServiceNow / Jira / internal form Auto-populates app name and user email Administrators configure support link when configuring the applicationRequest to enable preview feature - Face Check with CAP
Dear Microsoft, I am on a business premium plan for my home test tenant. I cannot raise ticket nor do I have an account manager. I know this is in private preview. I would like my tenant to be enabled to test this new Verified ID feature to have "Face Check" in CAP as one of the Grant conditions. tenant id: bc85b508-0107-4472-a49c-fc8cefd4f0d7 Thank you.
Disable MFA for User with certain admin roles
Hello all, we have a user with sharepoint administrator role and a self build application support manager role (the suer is allowed to create apps in Azure). We are now at a point where this user has to register an app for our helpdesk tool, but we have to remove the MFA for the registration. We excluded the user from the "MFA is mandatory for all users"-policy, the "MFA is mandatory for admins"-policy and set his MFA in the MFA-per-user setting on disabled. We have no other policy that enforces MFA for this user. Wenn we try to log in with the user (under http://www.office.com), we still get the request to register MFA Authenticator. I am aware that MS enforced MFA for admins, when they try to log in into the admin portals. Does this also apply for sharepoint admins? Does anyone have an idea, where the MFA request for this user could come from. Any help is appreciated. Cheers, Erik
GSA client exclamation mark, Forwarding policy dosen't exist in registry
Good day, Have difficult time getting Entra Private Access working. Entra portal --------------- GSA > Dashboard > Device Status says : 0 have the Global Secure Access Client installed: 0.0% The client pc is entra joined and is compliant, the client user has Entra ID Suite Trail license assigned. Traffic forwarding > Private access is enabled, have Quick Access application configured for SMB access. User and group assigments is set to a group where the user resides. Microsoft traffic profile and Internet access profile = disabled (as for now i just want to make the Private acces profile working) Enterprise applications = 1 active Connectors are online with status active. Client PC ------ Event log of client pc says the understated: Error occurred while requesting a new forwarding profile: The SSL connection could not be established, see inner exception.. Request Parameters: Microsoft Entra Device ID: 61ma02-9453-1277-98gz-hkdhksa3d0, Correlation vector: kdfhkshfkashdJ.0, APS URL: https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0. The client will continue working with the existing forwarding profile. GSA Advanced diagnostics: Username : empty Tenant ID : empty Forwarding profile ID: empty Client version 2.8.45.0 Health check = is green till Policy server is reachable, after that exclamation mark. https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0 if i try the above url in the browser then i get invalid request, this means that the client is able to reach the server, which means network or DNS issues are unlikely and the The SSL handshake is successful, and the certificate is valid. Need guidance as to understand why the client is not able to retreive profiles, i am using windows 11. Tried with disabling firewall too. Thanks!
Access Package Approval automation with our Servicedesk ticketing tool
Hi Team, I am trying to automate all the access package approvals to be logged in our Service desk ticketing tool. Example: When a user requests access, once an approval request triggers from Microsoft it should also log a ticket in our ticketing tool. If the request got approved, the ticket should log this information & automatically gets closed. Our ticketing tool dev team is working on it however, they are stuck in the middle & looking to extract the necessary webhook information required for triggering actions from the Azure solution. Any input or guidance regarding webhook information supported by the Azure solution would be greatly appreciated and would assist us in progressing with the discussed requirements accordingly. Looking forward for your help to achieve this. Thanks, GarimaRegistered App > Grant Permission to OneDrive?
Hello everyone, I'm trying to connect an automation platform (N8N) to our OneDrive. What I did: registered an app create a secret for it gave n8n the client id and secret value gave the app various api permissions (i.e. files.readwrite.all) created an app role (users & apps) added myself as an owner Error I'm running into: "Forbidden - perhaps check your credentials? You do not have access to create this personal site or you do not have a valid license." I know that I have all the needed permissions, because in another automation platform which is more hands-off (Make.com), everything works fine. Unfortunately, I need it in N8N, which requires more setup. My question: What permissions do I need to give the registered app? Did I miss a step in the grand scheme of things? Thanks a lot in advance!! TomSCIM provisioning - custom app authentication
Hi, in the documentation for https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication, two methods are given: 1) a "long-lived token" (i.e. a secret key that has to be pasted in-clear by the admin) 2) "Microsoft Entra bearer token" - similar to other services (e.g. callbacks for MS Teams bots), Microsoft sign the outgoing calls, and the app being provisioned can validate them against Microsoft's public keys To me, option (2) is by far the best - each message is signed individually, there is no manual handling of secrets etc. As said in the documentation - "Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token." - great! So why on earth does it then say "The token generated by the Microsoft Entra ID should only be used for testing. It shouldn't be used in production environments." ? Why not? The whole system of Entra bearer tokens is only for test? And production should go back to secret keys, with all the problems they have? It doesn't seem right.. What am I missing here?
Microsoft Entra Internet Access Location Awareness
Hi all, I'm currently evaluating Microsoft Entra Private and Internet Access (with good result until now). By default, the agent is started meaning that all Internet traffic goes to MS Edge. Is it possible to disable (automatically) the agent based on the location of the computer ? Example, if the device is connected to the corporate network, the service needs to be disabled... Another question, does it detect captive portal in case the device is connected to a "kiosk" network ? And finally (for Private Access), is it plan to support LDAP traffic over UDP and more generally UDP ?? Regards, HA
Create a new user in Power App through register/log-in function
Hi. I am trying to implement the log-in function in Power App. The user should be able to create their own account through Power App and log-in again next time since their log-in data will be saved in a database. In this case, I am using Microsoft Entra ID as my database. This is my code of the "Submit" button in my Power App: MicrosoftEntraID.CreateUser(EnableAccountToggle.Value;EMailTextInput.Text; PasswortTextInput.Text). I dont know what is wrong with my code, because when I try to create a new user account from Power App, the data of the new user does not show on my Microsoft Entra ID. I have already connected my app to the Microsoft Entra ID connector. I have not changed anything at all in my Microsoft Entra ID since having an account for it. Do I have to create a group or something in my Microsoft Entra ID? I really appreciate your advice! You can also recommend other data management tools to me or tell me what your experience with them.New Blog | Microsoft Entra Private Access: An Identity-Centric Zero Trust Network Access Solution
On July 11, 2023, we introduced Microsoft’s identity-centric security service edge (SSE) solution and two new services: Microsoft Entra Private Access and Microsoft Entra Internet Access, which are now in public preview. In this blog, we take a deeper look into Microsoft. Entra Private Access. Read the full blog here: Microsoft Entra Private Access: An Identity-Centric Zero Trust Network Access Solution - Microsoft Community Hub
