Microsoft (Azure AD) Auth - Error

Support
1

I have…

  • [ X ] Checked the logs and have provided the logs if I found something suspicious there

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [ X ] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

Unable to connect using a custom tenant id for Microsoft (Azure AD)
Getting a unmanaged error with no more details

Environment

Windows Server 2019

  • [ ] Self hosted with docker
  • [ X ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version

Version: 4.3.0

Browser:

  • [ X ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

Screen(s):

After “Sign-in with Microsoft”

CMXPYRg.png1431×447 28.1 KB

Configuration

Error:
Message : An error was encountered while handling the remote login.
Trace:

at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler\u00601.HandleRequestAsync()\r\n
at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()\r\n

I’m running in debug logs level and have attached my logfile if needed.
Logifle: https://pastebin.com/raw/bABMgWJb

I guess it’s related to API permissions on Azure AD, if so, can you tell me what permissions are needed on user scope ?

Thanks in advance for help :grinning: !

2

I don’t know, sorry. Something in your browser logs? I am google Cloud user, not that experienced with Azure.

3

Nothing in my browser logs just a 500 on Squidex’s OIDC when response come back from Microsoft API.
I’ll try to changes some options like ID_Tokens and so on for testing purposes

4

After few hours of trying to changes options nothing seems to work…

I finally decided to clone the repository and I’ve added an override Task RemoteFailure (RemoteFailureContext context) on MicrosoftHandler for better understanding.

Now I can see that the underlying error is: “An error occurred when retrieving Microsoft user information (Forbidden). Please check if the authentication information is correct and the corresponding Microsoft Account API is enabled”.

I’m stuck at this point because the only scope requested that I can see is https://graph.microsoft.com/user.read and it’s already granted in API permissions …

Any thought?

5

Do you get an error code? There is a list: https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-aadsts-error-codes

6

No that’s the problem, no error code, only a message :unamused:

I’ve also tried to grant User.Read for Azure AD Graph with no success…

chrome_b1ffymjQIb
chrome_b1ffymjQIb.png1034×194 6.32 KB

7

And have you checked the Account API?

8

I am no azure user, sorry. I can only google it and check the resources, e.g. https://docs.microsoft.com/de-de/aspnet/core/security/authentication/azure-ad-b2c?view=aspnetcore-3.1#create-the-azure-active-directory-b2c-tenant

9

Account API means nothing in particular… It’s Microsoft Graph and permissions.
I’m done for today, I’ll try to investigate more tomorrow, thanks for your help, I’ll keep you informed if I’m getting this stuff work.

1 Like
10

Were you able to resolve this issue? Our team is experiencing the same error when trying to login with Azure AD.

11

I have only found this: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#register-a-web-application … not sure if it helps

12

Had to pause work on this, but finally found some time again.

The issue was, that I’ve always created a Single Page Application in Azure instead of a Web App. Don’t know why, but I’ve always assumed it to be the right choice.

Now, it works like a charm.

13

Perfect :slight_smile: … Yes, the difference is that there is identity-system in Squidex in between. So the user flow is

Frontend => Squidex Backend => Azure AD => Microsoft login and then back via redirects.