AveryScott-8750 asked ·

User assignment required off with common tenant gives error AADSTS50105

We have an Enterprise application configured in Azure Active Directory with "User assignment required" turned off (screenshot attached for reference: 74032--azure-enterprise-props.jpg).
We want Microsoft users to be able to authenticate with it using the 'common' tenant. But some users are getting the error code AADSTS50105 when they try to authenticate.

Is there something we need to adjust to allow for all users to authenticate with our app using the 'common' tenant? Or is there something users need to adjust within their own tenants to authenticate?

azure-ad-authentication · azure-ad-enterpriseapps

Hi @AveryScott-8750 · When User assignment required is set to No, this error should not occur. Could you please share the Request ID and Timestamp that you get along with the error? I will try to track that in order to identify the issue in our backend logs.

AveryScott-8750 replied to amanpreetsingh-msft ·

Hi,

Here are the Trace and Correlation IDs as well as the time stamp:

Trace ID: e5783048-bf01-4232-bc81-a2eb38680d00
Correlation ID: b93c608c-e641-4e77-96bb-e63c33a7dd60
Timestamp: 2021-02-09 23:29:23

AveryScott-8750 replied to amanpreetsingh-msft ·

Hi,
I was just following up to see if there was anything else you might need from me to help diagnose the issue?
Or if you'd made any progress?

Thanks!

AveryScott-8750 replied to amanpreetsingh-msft ·

Hi,
I was just following up again to see if there was anything else you might need from me to help diagnose the issue?
Or if you'd made any progress?

Thanks!


Hi @AveryScott-8750 · Sorry for the delay in response. I missed your comments on this thread. Kindly use the tagging functionality so that the person the comment is intended for gets an email notification.
I tried to track the Request and Correlation ID, but unfortunately the logs are retained only for 30 days as per GDPR guidelines. Could you please reproduce the issue once again and share the latest Request and Correlation ID along with the timestamp?


1 Answer

amanpreetsingh-msft answered ·

Hi @AveryScott-8750 · Thank you for sharing required information.

I tracked the details in our backend database. Please find my findings below:

  • The application is a multi-tenant app published at reliancenetwork.

  • User Assignment Required is set to NO in the publisher tenant.

  • When this application was accessed and consented by a user of your tenant, a service principal corresponding to this application was registered in your tenant.

  • In the service principal properties, User Assignment Required is set to YES in your tenant. This is why a user who is not assigned a role to the application in your tenant ends up with the AADSTS50105 error when accessing the application.

Looking at the screenshot that you have provided, I suspect the portal is not reflecting the correct settings. I would suggest you use the PowerShell cmdlets below:

To see the setting:
Run Get-AzureADServicePrincipal -ObjectId object_id_of_service_principal | fl app* and make sure AppRoleAssignmentRequired is set to False in the output.

If the value is True, run Set-AzureADServicePrincipal -ObjectId object_id_of_service_principal -AppRoleAssignmentRequired $false to set it to False.

Note: You need to use a Global Admin or Application Admin account to run the above cmdlets.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
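The check-and-fix procedure from the answer above, as an added script (not part of the original answer or the AzureAD module). It locates the service principal in the consuming tenant by its AppId, which is identical in every tenant, rather than by an ObjectId, which differs per tenant, and reports the current AppRoleAssignmentRequired value and existing assignments before changing anything. It assumes the AzureAD module is installed and Connect-AzureAD has already been run as a Global Administrator or Application Administrator; the -AppId value is supplied by the caller.

```powershell
# Added example, not from the original answer. Finds the service principal of a
# multi-tenant app in the *current* (consuming) tenant by AppId and reports or
# fixes the AppRoleAssignmentRequired setting behind AADSTS50105.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppId,        # the app's Application (client) ID; same in every tenant
    [switch]$Fix           # only change the setting when explicitly requested
)

# Azure AD Graph OData filter on appId returns at most one SP per tenant.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"

if (-not $sp) {
    # No service principal means nobody in this tenant has consented yet, so the
    # AADSTS50105 error cannot be coming from this tenant's assignment setting.
    $tenantId = (Get-AzureADTenantDetail).ObjectId
    Write-Warning "No service principal for appId $AppId in tenant $tenantId"
    return
}

# Same fields the answer asks for (fl app*), plus the ObjectId to reuse in cmdlets.
$sp | Format-List ObjectId, AppDisplayName, AppId, AppOwnerTenantId, AppRoleAssignmentRequired

if ($sp.AppRoleAssignmentRequired) {
    # Show who is already assigned so the admin can choose between relaxing the
    # control for the whole tenant and simply assigning the affected users.
    $assigned = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
    Write-Host "AppRoleAssignmentRequired is True; $($assigned.Count) principal(s) currently assigned."
    if ($Fix) {
        Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $false
        Write-Host "AppRoleAssignmentRequired set to False on $($sp.ObjectId)."
    } else {
        Write-Host "Re-run with -Fix to set AppRoleAssignmentRequired to False, or assign the users instead."
    }
} else {
    Write-Host "AppRoleAssignmentRequired is already False; AADSTS50105 has another cause."
}
```

Run it once without -Fix to confirm the diagnosis matches the answer's findings before changing the tenant-wide setting.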


Hi @amanpreetsingh-msft

Our IT guy got this error:

PS C:\Windows\system32> Get-AzureADServicePrincipal -ObjectId 24298ad1-4fb5-4406-8b9b-72736edcf933 | fl app*
Get-AzureADServicePrincipal : Error occurred while executing GetServicePrincipal
Code: Request_ResourceNotFound
Message: Resource '24298ad1-4fb5-4406-8b9b-72736edcf933' does not exist or one of its queried reference-property objects are not present.
RequestId: 882cdcfb-7aec-4daa-be4e-e0ef0b0c8915
DateTimeStamp: Thu, 08 Apr 2021 20:01:10 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADServicePrincipal -ObjectId 24298ad1-4fb5-4406-8b9b-72736ed ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADServicePrincipal], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetServicePrincipal


Hi @AveryScott-8750 · The objectID 24298ad1-4fb5-4406-8b9b-72736edcf933 was from my lab tenant; I have updated my answer above. You need to find the "ExchangeSyncAuth" app under Azure AD > Enterprise Applications and use its object ID in the cmdlet.

AveryScott-8750 replied to amanpreetsingh-msft ·

Hi @amanpreetsingh-msft

Our IT got this response from the cmdlet:

PS C:\Windows\system32> Get-AzureADServicePrincipal -ObjectId aa000428-9318-4408-9d8d-75ab5ecf9fed | fl app*

AppDisplayName : ExchangeSyncAuth
AppId : {Our App ID}
AppOwnerTenantId : {Our Tenant ID}
AppRoleAssignmentRequired : False
AppRoles : {}

Do you have any other suggestions or ideas about what could be happening?

Thanks!
