Microsoft (Azure AD) Auth - Error

I have…

  • [ X ] Checked the logs and have provided the logs if I found something suspicious there

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [ X ] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

Unable to connect using a custom tenant id for Microsoft (Azure AD).
Getting an unmanaged error with no more details.

Environment

Windows Server 2019

  • [ ] Self hosted with docker
  • [ X ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version

Version: 4.3.0

Browser:

  • [ X ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

Screen(s):

After “Sign-in with Microsoft”

Configuration

Error:
Message : An error was encountered while handling the remote login.
Trace:

at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync()

I’m running at debug log level and have attached my logfile if needed.
Logfile: https://pastebin.com/raw/bABMgWJb

I guess it’s related to API permissions on Azure AD; if so, can you tell me what permissions are needed on user scope?

Thanks in advance for help :grinning: !

I don’t know, sorry. Something in your browser logs? I am a Google Cloud user, not that experienced with Azure.

Nothing in my browser logs, just a 500 on Squidex’s OIDC when the response comes back from the Microsoft API.
I’ll try to change some options like ID_Tokens and so on for testing purposes.

After a few hours of trying to change options, nothing seems to work…

I finally decided to clone the repository and I’ve added an override Task RemoteFailure (RemoteFailureContext context) on MicrosoftHandler for better understanding.

Now I can see that the underlying error is: “An error occurred when retrieving Microsoft user information (Forbidden). Please check if the authentication information is correct and the corresponding Microsoft Account API is enabled”.

I’m stuck at this point because the only scope requested that I can see is https://graph.microsoft.com/user.read and it’s already granted in API permissions …

Any thought?
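The diagnostic step described above (hooking the remote-failure path so the real reason behind “An error was encountered while handling the remote login” reaches the server log) can be done without modifying the handler itself, through the events ASP.NET Core already exposes. The following is an added example, not Squidex’s code and not the poster’s patch: a plain ASP.NET Core 3.1 Startup fragment that registers a Microsoft sign-in scheme against a single Azure AD tenant and logs the underlying exception chain in OnRemoteFailure. The configuration keys (Microsoft:TenantId, Microsoft:ClientId, Microsoft:ClientSecret), the scheme name and the /error/login-failed path are assumptions.

```csharp
// Added example (not Squidex's code): surface the real cause of a failed
// Microsoft (Azure AD) remote login in the server log instead of a bare 500.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    private readonly IConfiguration configuration;

    public Startup(IConfiguration configuration)
    {
        this.configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed configuration keys; the tenant id value is a placeholder.
        var tenantId = configuration["Microsoft:TenantId"] ?? "<your-tenant-id>";

        services.AddAuthentication()
            .AddMicrosoftAccount("Microsoft", options =>
            {
                options.ClientId = configuration["Microsoft:ClientId"];
                options.ClientSecret = configuration["Microsoft:ClientSecret"];

                // Tenant-specific v2.0 endpoints instead of the default "common" ones.
                options.AuthorizationEndpoint =
                    $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize";
                options.TokenEndpoint =
                    $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";

                // The default scope is https://graph.microsoft.com/user.read; after the
                // token exchange the handler calls options.UserInformationEndpoint
                // (Microsoft Graph /me). A 403 there is what produces the
                // "retrieving Microsoft user information (Forbidden)" exception.

                options.Events.OnRemoteFailure = context =>
                {
                    var logger = context.HttpContext.RequestServices
                        .GetRequiredService<ILogger<Startup>>();

                    // context.Failure is the exception thrown inside the handler
                    // (for example the HttpRequestException from the Graph call).
                    // The generic "An error was encountered while handling the
                    // remote login" wrapper is only thrown when nothing handles
                    // this event, so walk the chain here to log the real cause.
                    for (var ex = context.Failure; ex != null; ex = ex.InnerException)
                    {
                        logger.LogError("Remote login failed: {Type}: {Message}",
                            ex.GetType().Name, ex.Message);
                    }

                    // Show the user a generic page; details stay in the server log.
                    context.Response.Redirect("/error/login-failed"); // assumed path
                    context.HandleResponse();
                    return Task.CompletedTask;
                };
            });
    }
}
```

Once this is in place the log line shows the status code returned by Microsoft Graph together with the endpoint that was called, which is the piece of information the unmanaged error hides; the user only ever sees the generic error page.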

Do you get an error code? There is a list: https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-aadsts-error-codes

No that’s the problem, no error code, only a message :unamused:

I’ve also tried to grant User.Read for Azure AD Graph with no success…

And have you checked the Account API?

I am no azure user, sorry. I can only google it and check the resources, e.g. https://docs.microsoft.com/de-de/aspnet/core/security/authentication/azure-ad-b2c?view=aspnetcore-3.1#create-the-azure-active-directory-b2c-tenant

Account API means nothing in particular… It’s Microsoft Graph and permissions.
I’m done for today, I’ll try to investigate more tomorrow. Thanks for your help, I’ll keep you informed if I get this stuff to work.
