# FAQ / Troubleshooting

This page lists common problems and solutions when authenticating with Azure AD.
## Missing Application Access Policy

Your application (named `A` in the examples below) attempts to consume another application (named `B`).

When requesting a token from Azure AD, your application may receive a `400 Bad Request` with an `invalid_grant` error response and the following message:

```
AADSTS501051: Application '<client ID>' (<cluster>:<namespace>:<A>) is not assigned to a role for the application 'api://<cluster>.<namespace>.<B>' (<cluster>:<namespace>:<B>)
```

Or the other variant:

```
AADSTS65001: The user or administrator has not consented to use the application with ID '<client ID>' named '<cluster>:<namespace>:<A>'. Send an interactive authorization request for this user and resource.
```

### Solution / Answer

- Ensure that the `scope` value in your application's request follows the correct format: `api://<cluster>.<namespace>.<application>/.default`
- Ensure that application `B`'s access policy includes application `A`.
- If all else fails, request assistance in the `#nais` channel on Slack.
## Missing User Access Policy

When attempting to sign in or perform the on-behalf-of flow, an application may receive a `400 Bad Request` with an `invalid_grant` error response and the following message:

```
AADSTS50105: Your administrator has configured the application <cluster>:<namespace>:<A> ('<client id>') to block users unless they are specifically granted ('assigned') access to the application. The signed in user '{EmailHidden}' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application
```

### Solution / Answer

- Ensure that application `A` has configured user access.
- Ensure that the given user is a direct member of any configured group.
- If all else fails, request assistance in the `#nais` channel on Slack.
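As an added example (not part of the nais documentation or its code), the following Python helper checks a requested scope against the `api://<cluster>.<namespace>.<application>/.default` format from the first section and maps the AADSTS codes quoted in the two sections above to the remediation steps they give. The client ID, cluster, namespace and application names in the sample response are constructed placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# Scope format given on this page: api://<cluster>.<namespace>.<application>/.default
# Assumption: each component consists of letters, digits or hyphens (no dots or slashes).
SCOPE_RE = re.compile(r"^api://[A-Za-z0-9-]+\.[A-Za-z0-9-]+\.[A-Za-z0-9-]+/\.default$")

# AADSTS codes quoted on this page, mapped to the page's own remediation steps.
HINTS: Dict[str, str] = {
    "AADSTS501051": "check the scope format and that B's access policy includes A",
    "AADSTS65001": "check the scope format and that B's access policy includes A",
    "AADSTS50105": "check A's user access config and the user's group membership",
}


def scope_is_valid(scope: str) -> bool:
    """True if the scope matches api://<cluster>.<namespace>.<application>/.default."""
    return SCOPE_RE.fullmatch(scope) is not None


def classify_error(response: dict) -> Optional[Tuple[str, str]]:
    """Return (AADSTS code, hint) for an invalid_grant token response, else None."""
    if response.get("error") != "invalid_grant":
        return None
    match = re.search(r"\bAADSTS\d+\b", response.get("error_description", ""))
    if match is None:
        return None
    code = match.group(0)
    return code, HINTS.get(code, "code not covered on this page; ask in #nais")


# Constructed sample token-endpoint response mimicking the AADSTS501051 message
# quoted above; the client ID, cluster, namespace and app names are placeholders.
SAMPLE_RESPONSE = {
    "error": "invalid_grant",
    "error_description": (
        "AADSTS501051: Application '00000000-0000-0000-0000-000000000000' "
        "(cluster1:ns1:app-a) is not assigned to a role for the application "
        "'api://cluster1.ns1.app-b' (cluster1:ns1:app-b)"
    ),
}

if __name__ == "__main__":
    print(scope_is_valid("api://cluster1.ns1.app-b/.default"))   # True
    print(scope_is_valid("api://cluster1.ns1.app-b/.default>"))  # False: stray '>'
    print(classify_error(SAMPLE_RESPONSE))
```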
## Tenant Mismatch for Signed-in User

While attempting to log in, you may receive the following error message from Azure AD:

```
Selected user account does not exist in tenant 'some-tenant' and cannot access the application '<client-id>' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
```

### Solution / Answer

- Ensure that the user uses an account that matches your application's tenant when logging in.
- If all else fails, request assistance in the `#nais` channel on Slack.
Created: 2021-07-08