Following the accidental deletion of Azure resources, our Azure SQL server (hosting the Synapse SQL Pool database) has been successfully restored. So far, so good. We got back all data and security objects (users, roles, permissions); however, some users experience issues with access to the database and get 18456 (login failed for user '<token-identified principal>') or 10060 (network related or instance-specific) SQL errors. Moreover, when trying to re-establish the user (by removing and adding it again) with 'create user [xyz] from external provider', we get the following error:
Principal 'xyz' could not be resolved. Error message: 'AADSTS500133: Assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token. Current time: 2021-08-02T12:22:23.8369779Z, expiry time of assertion 2021-08-02T09:09:57.0000000Z.'
This happens when logged in with the original (created prior to the incident) Azure Active Directory admin account. Assigning the admin to another AAD account enables us to create new users from external provider, but we would like to know what has actually happened and why we are getting this token-related error with the initial admin account. The error code reference doesn't help much. Would appreciate some hints.
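The AADSTS500133 text above is just Azure AD comparing the assertion's validity window (nbf/exp claims) against the current time. The following is an added diagnostic, not code from the original question or from Microsoft: it decodes the claims of an access token (without verifying the signature) and reproduces that time-window check on a constructed sample token carrying the timestamps quoted in the error. The audience value and the one-hour token lifetime are assumptions.

```python
import base64
import json
from datetime import datetime, timezone


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    # Read the payload only; the signature is NOT verified. This is a
    # diagnostic for the time-window check, not an authentication decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_time_window(claims: dict, now: datetime) -> dict:
    # Reproduce the AADSTS500133 condition: the assertion is usable only
    # from 'nbf' (falling back to 'iat') up to 'exp', all in UTC epoch seconds.
    nbf = datetime.fromtimestamp(claims.get("nbf", claims.get("iat", 0)), timezone.utc)
    exp = datetime.fromtimestamp(claims["exp"], timezone.utc)
    if now < nbf:
        status = "not yet valid"
    elif now >= exp:
        status = "expired"
    else:
        status = "valid"
    return {
        "status": status,
        "current_time": now.isoformat(),
        "expiry_time": exp.isoformat(),
        "seconds_past_expiry": int((now - exp).total_seconds()),
    }


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample: payload with the timestamps from the error message and
    # a dummy signature segment, just so the parser sees three parts.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.x"


# Times quoted in the AADSTS500133 error (fractional seconds dropped)
EXPIRY = datetime(2021, 8, 2, 9, 9, 57, tzinfo=timezone.utc)
CURRENT = datetime(2021, 8, 2, 12, 22, 23, tzinfo=timezone.utc)
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://database.windows.net/",  # assumed audience for Azure SQL
    "iat": int(EXPIRY.timestamp()) - 3600,   # assumed one-hour lifetime
    "nbf": int(EXPIRY.timestamp()) - 3600,
    "exp": int(EXPIRY.timestamp()),
})

if __name__ == "__main__":
    print(check_time_window(decode_claims(SAMPLE_TOKEN), CURRENT))
```

Running it reports the sample token as expired by 3 h 12 m 26 s, which matches the gap between the two timestamps in the error; a cached token that old is a sign the client session needs to re-authenticate rather than a problem with the restored database principals.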
InvalidAssertion - Assertion is invalid because of various reasons: the token issuer doesn't match the API version; not within its valid time range; expired; malformed; refresh token in the assertion is not a primary refresh token.