Error when trying to consent to the Azure VPN application
I am trying to set up a P2S VPN using Azure Active Directory authentication. I am following the steps described here: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant . In the section "Authorize the application", it is mentioned that we need to grant admin consent so that the Azure VPN application can sign in and read user profiles. I am logged in as Global Admin, but when I paste the required URL ( https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent ) I am redirected to the portal with the URL:

https://portal.azure.com/?error=access_denied&error_description=AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor

What am I doing incorrectly?
The above behavior was a code bug which was fixed by the Azure VPN and Azure AD Product Group teams, and below is the RCA (Root Cause Analysis) for the same:

Issue: When setting up a P2S VPN using Azure Active Directory authentication following the steps described in our public doc tutorial, and trying to grant admin consent to the Azure VPN application using a Global Admin account, the public URL redirects to "https://portal.azure.com/?error=access_denied&error_description=AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor" and does not give the prompt to accept the requested permissions.

Root Cause: Admin consent was failing for new customers because Azure VPN was trying to get access to Azure AD Graph, which is deprecated. Refer to: https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions?tabs=http%2Cupdatepermissions-azureadgraph-powershell . This impacted only new tenants who want to onboard to VPN, not existing customers. Some code was updated in the backend which broke the admin consent flow. The app access has now been changed to Microsoft Graph, and the newly added code was removed from the Azure VPN client app in the backend, which has fixed the issue.

Solution: Now, if you follow the documentation/guide "Configure Azure AD tenant and settings for P2S VPN connections: Azure AD authentication: OpenVPN - Azure VPN Gateway | Microsoft Learn", the public URL at Step 2 should work without any issues.
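As an added example (not part of the question or the answer above, and not Microsoft's code), the following Python builds the admin-consent URL from the question's parts with proper encoding and classifies the URL the browser lands on afterwards, separating a successful consent (an authorization code, or admin_consent=True, in the query string) from an AADSTS error like the one quoted. The client ID and the error redirect are taken from the question; the success redirect is a constructed sample.

```python
"""Build an Azure AD admin-consent URL and classify the consent redirect.

Added example; the helper names and the success sample are assumptions,
the client ID and the error redirect come from the question above.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
# Client ID of the Azure VPN enterprise application, as quoted in the question.
AZURE_VPN_CLIENT_ID = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
PORTAL_REDIRECT = "https://portal.azure.com"

_AADSTS_RE = re.compile(r"(AADSTS\d+)")


def build_admin_consent_url(client_id: str = AZURE_VPN_CLIENT_ID,
                            redirect_uri: str = PORTAL_REDIRECT,
                            nonce: str = "1234") -> str:
    """Return the admin-consent authorize URL used in the question.

    urlencode() percent-encodes redirect_uri, so ':' and '/' become %3A and
    %2F; that keeps the redirect target unambiguous if it ever carries its
    own query string.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "prompt": "admin_consent",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def classify_consent_redirect(url: str) -> dict:
    """Classify the URL reached after the consent prompt.

    Returns a dict with:
      status      - "consented" if a code or admin_consent=True came back,
                    "error" if Azure AD returned error/error_description,
                    "unknown" otherwise
      error       - the OAuth error value (e.g. "access_denied"), if any
      aadsts_code - the AADSTS identifier found in error_description, if any
      description - the decoded error_description text, if any
    """
    # parse_qs turns '+' into spaces and decodes %xx escapes for us.
    query = parse_qs(urlsplit(url).query)
    result = {"status": "unknown", "error": None,
              "aadsts_code": None, "description": None}
    consented = query.get("admin_consent", [""])[0].lower() == "true"
    if "code" in query or consented:
        result["status"] = "consented"
        return result
    if "error" in query:
        result["status"] = "error"
        result["error"] = query["error"][0]
        desc = query.get("error_description", [""])[0]
        result["description"] = desc
        match = _AADSTS_RE.search(desc)
        if match:
            result["aadsts_code"] = match.group(1)
    return result


# The redirect quoted in the question (an error), and a constructed success.
ERROR_REDIRECT = (
    "https://portal.azure.com/?error=access_denied&error_description="
    "AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'"
    "+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is"
    "+no+longer+available.+Contact+the+app+vendor"
)
SUCCESS_REDIRECT_SAMPLE = (  # constructed sample, not captured output
    "https://portal.azure.com/?code=EXAMPLE_CODE&admin_consent=True"
    "&tenant=00000000-0000-0000-0000-000000000000"
)

if __name__ == "__main__":
    print(build_admin_consent_url())
    for label, url in (("error", ERROR_REDIRECT), ("success", SUCCESS_REDIRECT_SAMPLE)):
        print(label, classify_consent_redirect(url))
```

Run it as a script to see the consent URL and both classifications; in practice you would paste the URL from the browser's address bar into classify_consent_redirect() to pull out the AADSTS code before searching the Azure AD error documentation for it.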