
Error when trying to consent Azure VPN application

I am trying to set up a P2S VPN using Azure Active Directory authentication. I am following the steps described here: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant. In the section "Authorize the application", it's mentioned that we need to grant admin consent, so that the Azure VPN application can sign in and read user profiles. I am logged in as GlobalAdmin, but when I paste the required URL ( https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent ) I am redirected to the portal with this URL:

https://portal.azure.com/?error=access_denied&error_description=AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor

What am I doing incorrectly?

The above behavior was a code bug which was fixed by the Azure VPN and Azure AD Product Groups team, and below is the RCA (Root Cause Analysis) for the same:

Issue: When setting up a P2S VPN using Azure Active Directory authentication following the steps described in our public doc tutorial and trying to grant admin consent to the Azure VPN application using GlobalAdmin account, the public URL redirects to "https://portal.azure.com/?error=access_denied&error_description=AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor" and doesn't give the prompt to accept the requested permissions.

Root Cause: Admin Consent was failing for new customers as Azure VPN was trying to get access to Azure AD Graph and this is deprecated. Refer: https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions?tabs=http%2Cupdatepermissions-azureadgraph-powershell

This impacted only new Tenants who want to onboard to VPN and not existing customers. Some code was updated in the backend which broke the admin consent flow. The app access has been changed to Microsoft Graph now and the newly added code was removed from the Azure VPN client app from the backend which has fixed the issue.

Solution: Now if you follow the documentation/guide "Configure Azure AD tenant and settings for P2S VPN connections: Azure AD authentication: OpenVPN - Azure VPN Gateway | Microsoft Learn", the public URL at Step 2 should work without any issues.
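
An added example, not part of the original answer and not Microsoft's code: a Python sketch that decodes the consent redirect quoted in the question and flags application-manifest permissions that still target the deprecated Azure AD Graph resource named in the root cause. The function names are hypothetical, and the manifest fragment with its permission ids is constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Well-known resource appId of Azure AD Graph (deprecated); same in every tenant.
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"

def parse_consent_redirect(url):
    """Return (error, AADSTS code, description) from a consent redirect, or None."""
    qs = parse_qs(urlsplit(url).query)
    if "error" not in qs:
        return None  # no error parameter: the redirect carries ?code=... instead
    desc = qs.get("error_description", [""])[0]
    m = re.match(r"(AADSTS\d+):\s*(.*)", desc, re.S)
    code, text = (m.group(1), m.group(2)) if m else (None, desc)
    return qs["error"][0], code, text

def deprecated_graph_permissions(manifest):
    """List (permission id, type) entries that target Azure AD Graph."""
    hits = []
    for res in manifest.get("requiredResourceAccess", []):
        if res.get("resourceAppId", "").lower() == AAD_GRAPH:
            hits += [(a["id"], a["type"]) for a in res.get("resourceAccess", [])]
    return hits

# Redirect URL as quoted in the question.
REDIRECT = ("https://portal.azure.com/?error=access_denied&error_description="
            "AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'"
            "+asked+for+permissions+to+access+a+resource+that+has+been+removed"
            "+or+is+no+longer+available.+Contact+the+app+vendor")

# Constructed manifest fragment; the permission ids are placeholders.
# The second entry targets Microsoft Graph (00000003-...), which is not flagged.
MANIFEST = json.loads("""{
  "requiredResourceAccess": [
    {"resourceAppId": "00000002-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"}]}
  ]
}""")

if __name__ == "__main__":
    print(parse_consent_redirect(REDIRECT))
    print(deprecated_graph_permissions(MANIFEST))
```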
