From our previous ask, we got to know how to create b2c tenant using ARM API. This is the reference: https://learn.microsoft.com/en-us/rest/api/activedirectory/b2c-tenants/create?tabs=HTTP#scopes
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AzureActiveDirectory/b2cDirectories/{resourceName}?api-version=2021-04-01
But when we tried this from our end it's not working. This failed with error "The subscription is not registered to use namespace 'Microsoft.AzureActiveDirectory' "
In order to check what's going wrong we tried to create b2c tenant from Portal. But there is no use, same error:
Error
How to fix this error and where to register namespace in Azure?
This error usually occurs if you have not registered this provider before creating B2C tenant: Microsoft.AzureActiveDirectory
You can check whether that provider is registered or not like this: Go to Azure Portal -> Subscriptions -> Your subscription -> Resource providers
I tried to reproduce the same in my environment and got below results:
After registering the provider, I ran the below ARM API call via Postman and got Status: 202 Accepted like below:
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AzureActiveDirectory/b2cDirectories/{b2ctenantdomain}?api-version=2021-04-01
{
"location": "United States",
"sku": {
"name": "Standard",
"tier": "A0"
},
"properties": {
"createTenantProperties": {
"displayName": "b2ctenantname",
"countryCode": "US"
}
}
}
Response:
To confirm that, I checked the same in Portal and B2C tenant is created successfully like below:
When I opened B2C tenant in new tab, it took me to below screen:
Related
I am trying to create a new user through the backend.
My backend is a spring-boot application Java-based.
The API call end with a JSON object and have the result key set to false, with no other information to understand why the user has not been created. And then, when I tried to refresh the Mesibo dashboard, I got an empty page, with errors in the browser console.
This the user I try to save in Mesibo.
{
"op": "useradd",
"token": "I put here my app token",
"user": {
"address": "newuser#email.com",
"name": "User Name",
"token": {
"appid": "com.fake.id"
}
}
}
The image shows what I see in the browser console when I try to access It.
mesibo browser console
It is important to note, that the account I use is not mine, I use the one my company gave me.
We are trying to implement our flow, so we are not in prod we are just testing APIs and others...
Thank you very much for your help!
Anas
PS: I created my own account on mesibo and got the same result!
Is there any method to add a android app to exiting firebase project programmatically and i need the google-services.json as result then i need to add sha key with that same app using node-js
online documentation not solve my problem or i don't understand how to do it from that documentation
Thankyou for your answer i flowed it and facing another issue
#admin and #Frank van Puffelen please check
when i try to create android it showing this error.
{ "error": { "code": 400, "message": "Request contains an invalid argument.", "status": "INVALID_ARGUMENT" } }
I send post request from live api test window
and in parent i set it as `projects/343202254462`
{ "displayName": "testing", "name": "te4sting", "packageName": "io.asdasd.fdsfdsf", "projectId": "324324324", "appId": "wdeqwe" }
There is a REST api, Firebase Management API, which lets you control the apps connected and other such admin work. Friendly note, make sure you restrict all client api keys from using this api!
REST Resource: v1beta1.projects.androidApps
create POST /v1beta1/{parent=projects/*}/androidApps
I try to deply SQL Server Logical server with PS and ARM. I can succesfully create logical server at portal with contributor rights, but cannot figure out what is wrong here.
I have here PowerShell ISE on Windows.
ARM template is copy and paste from https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-logical-server/
//CODE
Connect-AzAccount -Credential $Credential -Tenant $tenant -Subscription $subscription
#ARM Deployment
$templateFile = "C:\Azure\SQLServer\azuredeploy.json"
New-AzResourceGroupDeployment `
-Name SQLDeployment `
-ResourceGroupName my-rg `
-TemplateFile $templateFile
ERROR:
New-AzResourceGroupDeployment : 17.35.18 - Error: Code=InvalidTemplateDeployment; Message=The
template deployment failed with error: 'Authorization failed for template resource 'sql
vasvtmcp42o3wko/Microsoft.Authorization/11fd61df-2336-5b96-9b45-ffc7160df111' of type
'Microsoft.Storage/storageAccounts/providers/roleAssignments'. The client 'john.smith#mycompany.
com' with object id '1115f3de-834b-4d28-a48f-ecaad01e3111' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/1111111
11111111111111/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/sqlvasvtmcp42o3wko/providers/Microsoft.Authorization/roleAssignments/11111df
-2336-5b96-9b45-ffc7160df168'.'.
I can succesfully create logical server at portal with contributor rights, but cannot figure out what is wrong here.
Because the template you used will enable the Advanced data security for you, this will create a storage account and service principal for your sql server, then assign the service principal to the storage account as a Storage Blob Data Contributor role automatically.
To do this operation, your user account need to be the Owner or User Access Administrator in the resource group or subscription. Or you can also create a custom role which has Microsoft.Authorization/roleAssignments/write in its actions, then the role will also be able to do that.
So in conclusion, you have two options to fix the issue.
1.Navigate to the Resource group or Subscription in the portal -> Access control (IAM) -> Add -> add your user account as a role mentioned above e.g. Owner, then it will work fine. See details here.
2.When you deploy the template, specify the enableADS with false in the azuredeploy.parameters.json file. Then it will not enable the Advanced data security for you, and you will be able to create the sql server with the Contributor via the template.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"serverName": {
"value": "GEN-UNIQUE"
},
"administratorLogin": {
"value": "GEN-UNIQUE"
},
"administratorLoginPassword": {
"value": "GEN-PASSWORD"
},
"enableADS": {
"value": "false"
}
}
}
The error clearly states the account that is being used for the action doesn't have the proper role assignment to perform the action.
the client 'john.smith#mycompany. com' with object id '1115f3de-834b-4d28-a48f-ecaad01e3111' does not have permission to perform action 'Microsoft.Authorization/roleAssignments/write' at scope '/subscriptions/1111111 11111111111111
This means your next step should be validating what role assignment is assigned to that user, and then checking that the role does have the permission to perform Microsoft.Authorization/roleAssignments/write
I am working on a .net core app and have to integrate O365 security groups for roles assignment, does someone have sample code to share, will be very helpful.
I have already used Azure AD app registration concept for O365 authentication and its working perfectly. .Net core app is hosted on IIS, when accessed by typing in url in browser, it redirects users to login.microsoftonline.com, once authenticated, users then see dashboard part of .net core app.
Not so sure about how O365 groups can be used in .net core app for permissions management, so looking for some sample snippet, thanks in advance.
You can query graph api either as your app or impersonate the user, to read which groups the user is in and then use those Id to filter views or what ever you need to do.
you can use the "List memberOf"
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0
Hope it helps.
Office365 security groups can be used for permissions management in your app, by verifying if a user is a member of a security group. You can achieve that by using Microsoft Graph API as MohitVerma suggested.
First, define groups to roles mapping in your app (configuration file seems to be a good place for that). Each group has a unique id, which you can get using e.g. Office365 or Microsoft Graph and map to a custom role in your config.json file:
{
"AppRoles": [
"Admin": "d17a5f86-57f4-48f8-87a0-79761dc8e706",
"Manager": "9a6a616e-5637-4306-b1fe-bceeaa750873"
]
}
Then, after successful login to the app, call the Graph API to get all groups the user belongs to. You will get a list of groups, each containing id property:
GET https://graph.microsoft.com/v1.0/me/memberOf
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": [
{
"#odata.type": "#microsoft.graph.directoryRole",
"id": "43a63cc2-582b-4d81-a79d-1591f91d5558",
"displayName": "Company Administrator",
"roleTemplateId": "62e90394-69f5-4237-9190-012177145e10"
},
{
"#odata.type": "#microsoft.graph.group",
"id": "d17a5f86-57f4-48f8-87a0-79761dc8e706",
"createdDateTime": "2017-07-31T17:36:25Z",
"displayName": "Admins group",
"securityEnabled": true
}
]
}
You can use MS Graph SDK for .NET to make a request and to create a group objects form the response:
var userGroups = await graphServiceClient.Me.Groups.Request().GetAsync();
Finally, verify the id of each group with your custom roles, e.g.:
public string GetRole(IEnumerable<Group> userGroups, IConfiguration config)
{
foreach (var group in userGroups)
{
switch (group.id)
{
case config.GetSection("AppRoles:0"):
return "Admin";
case config.GetSection("AppRoles:1"):
return "Manager";
default:
return "Unknown";
}
}
}
Make sure to grant permissions for your app to access Microsoft Graph.
I am attempting to setup Authentication with ApiGility.
I have added a Login route, and when I access this route with no authentication in place I am expecting to receive:
{
"type": "http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
"title": "Forbidden",
"status": 403,
"detail": "Forbidden"
}
As I do on my other ApiGility app.
However when I attempt to access the end point it is readily available despite having set Authentication.
Is there something that can affect this?
Here are some screenshots of my settings:
End point for login:
Fields
Authorized methods
Login Method - just returns true for now
Authentication setup
I updated ApiGility via composer and it started to work.