When trying to create a storage account in azure from VS Code's Bash Terminal, I get the following error:
error retrieving default location: The client '' with object id '' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '' or the scope is invalid.
If access was recently granted, please refresh your credentials.
After successfully logging into Azure using az login, I still get the error.
The error means your logged user account/service principal as mentioned in the error does not have enough permission,
to solve the issue, navigate to your subscription in the azure portal -> add it with a role e.g. Contributor like below.
Note: To add the role, your account logged in the portal need to be the Owner or User Access Administrator of the subscription.
After some time past, I was able to run my bash scripts without issues. I ran AZ login again and changed to my subscription. I did all of this before, but I believe it worked this time because the previous session timed out. Previously when I logged into that session I didn't have the necessary permissions and logging in again without previously logging out did not refresh my permissions.
Related
When "User Assignment Required" is turned on for the application in Azure AD and the user is not directly assigned on in the group that is assigned, the logon process gets stuck at an Azure AD error message and won't return to the Angular code.
Is there any setting in MSAL that will allow for handling this error and displaying a "not logged on" type of screen that can provide instructions for how to get access?
This is the know issue.
This AADSTS50105 error means the user is not assigned to a role for the application when trying to sign into a SAML-based single sign-on configured app that has been integrated with Azure Active Directory.
When the silent signin sent to the login.microsoftonline.com endpoints, then AAD cookies is not being detected. And the cookies determined if the user is loggedin or not
Possible resolution: Some of the third parties disabled the cookies from which user can face this issue. You need to whitelist the login.microsoftonline.com endpoints in the browser extension.
Possible resolution: You can catch the error in callback and ask the user to login again and if the error occur you will ask the user to login again.
I want to use azure active directory as my authentication provider for my Spring boot application. Which seems to be quite easy as long as you've got either admin rights yourself or you know someone with admin rights who can give you permission for the tickbox "Directory.AccessAsUser.All". Unfortunatly I dont have that. I know due to other successful projetcs that azure itself gives the oppertunity to still act as an authentication provider even without given any permission to the API Call permission section.
When I start the Server and go on localhost:8080/home whilst tracking my network traffic I can see in the Autherization file the following scope: openid profile https://graph.microsoft.com/User.Read https://graph.microsoft.com/Directory.AccessAsUser.All
So My Idea of Handling this is to reducing the scope of the Authorization request spring is asking for, to meet the authorization scope which I allowed in azure. Which is all of them but the last one as mentioned before.
I tried to configure the scope in my application.propertie with the following: spring.security.oauth2.client.registration.azure.scope=openid
So what happens is after im trying to access my application online im redirected to the mircosoft login page. After putting in my details im getting this:
In order to be able to access resources in your organization, requires authorization that only an administrator can grant. Ask
an administrator to grant permission for this app so that you can use
the app.
Has anyone an Idea of how to handle this?
I'd be greatfull for any help!
I think you can only log in as an administrator, because you are using the SDK provided by Microsoft when you log in, so you cannot customize the scope of permissions in application.propertie.
When you log in to the application, it will require you to consent to all permissions. If you just log in as a user, you cannot consent to all permissions. So, at least in the login module, I think it cannot meet your requirements.
Usually we can customize the scope of permissions only when requesting an access token. For example, if you only need to read user permissions, you can set: scope: https://graph.microsoft.com/User.Read .
Login sample.
Ok, I found the Problem. In my application.property I had this line of code azure.activedirectory.user-group.allowed-groups=. That was reponsible for the bigger scope. After deleting it everything worked fine.
The goal is to have a service create a process which has the security context of a user whose password is not known.
I understand and accept the limitation that the new process will only be able to access local resources
I think I am close to a solution. Everything works fine so long as the user to be impersonated is in the local administrators group.
But if not I get an exception 0xc06d007e.
It seems the user to be impersonated lacks some permission or privilege that it has when it is in the administrators group.
But how can I find out what this missing right/permission/privilege is without by trial and error going through the thousands of permutations
get a token for the user to be impersonated
token = new WindowsIdentity("username#domain").Token
create a primary token
token2 = duplicatetokenex(token)
The process to be created is a simple console application and indeed I don't even need a console.
process_creation_flags.DETACHED_PROCESS
| process_creation_flags.CREATE_NO_WINDOW
| process_creation_flags.CREATE_NEW_PROCESS_GROUP
try to start the new process as the impersonated user
createprocessasuser(token2, "myapplication.exe" etc etc)`
As I say this works fine if username#domain is in the local admin group
otherwise I get exception 0xc06d007e I think when the new process is trying to start
As one of the steps towards creating the service, I was running the code as a console application and it was during that stage I was getting the exception mentioned above.
But I found that running the code as a service works fine!!
So I never found out why the user-to-be-impersonated (impersonatee?) needs to be in the local admin group when the impersonation is done from a console application.
I suspect it is something to do with sessions and / or desktops.
I have not found many discussions where the scenario is impersonating a user whose password you do not know. So I just want to re-assure anyone having problems that it is indeed possible and the main points are:
1) run the code as a service (with local system or a user with all the required privileges)
2) get the s4u token from windowsidentity (this will be an impersonation token if the call has the required privileges)
3) create a primary token from the impersonation token using duplicatetokenex
4) createprocessasuser using the token from 3
note the process will only have access to local resources
Without changing my code or configuration, now google is asking users to grant permission every time when a user is trying to authenticate to my App. Even though the user already grated access and the scope didn't change.
I don't get any errors and the login works fine is just that now the google dialog asking for permissions appears every time.
To initialise google I use gapi.auth2.init with the "https://www.googleapis.com/auth/plus.profile.emails.read" as scope.
Also to request for access I use auth2.grantOfflineAccess.
I also checked in my Google account for Apps that have access and the application is registered successfully in there.
Anyone else has seen this issue? Or does know if google changed something in the way they handle permissions?
I believe I am seeing similar behavior... that the authentication flow has begun asking the user to grant the app permissions to the scopes every time they sign in. Previously, it would only proceed from sign-in to grant permissions the first time the user signed into the app. I haven't changed the scopes requested nor the underlying code recently... but also hadn't used the app in awhile (months?)
I'm using the oAuth2 server-side authentication and grantOfflineAccess() outlined here .
Given that there are no implementation details posted, i can't tell if the fix I found will apply to your situation.
The correction I found... so that the authentication only asks the user to grant the first time they sign into the app was to explicitly specify the "prompt" attribute when calling getOfflineAccess().
var auth2 = gapi.auth2.getAuthInstance();
auth2.grantOfflineAccess({
prompt : 'select_account'
}
).then(signInCallback);
https://developers.google.com/identity/protocols/OAuth2WebServer#offline
Check Step 1 prompt parameter
I got the super admin privileges for to my Google Account.
I need to get the list of all the chrome devices through an API.
I did enable Google Admin SDK but still facing some issues.
I copied the exact python script from Python Quickstart for checking but still getting error as
"googleapiclient.errors.HttpError: https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&orderBy=email&alt=json&maxResults=10 returned "Insufficient Permission">"
When checked on Admin SDK API dashboard I can see 4xx errors for every call made from my python script.
When you run the sample you need to make sure that this step
The sample will attempt to open a new window or tab in your default browser. If this fails, copy the URL from the console and manually open it in your browser.
If you are not already logged into your Google account, you will be prompted to log in. If you are logged into multiple Google accounts, you will be asked to select one account to use for the authorization.
Is done from the Google account which has access to your admin account. The user you are logged in with now does not have access.
I managed to get Super Admin access of Google account and then grant access to my project for different scopes. The docs/ references are so confusing hence it took a while for me to figure it out. So under the admin console, we have to get into Security >> Advanced Settings >> Manage API Client Access(under Authentication) and then add the client name and the scopes(multiple scopes separated by commas) for which we need access. Client name is the client-id which we can get from the client-secretxxxxx.json file(downloaded while creating the oauth id).
NOTE :- You do NOT need super admin access it is just that I was new and the guy who gave me the initial access wasn't sure what has to be enabled across.
Also couldn't post as a comment due to the limitation of characters.