How to get the user count for Azure AD Enterprise Application

PowerShell header

Have you ever tried to find out the number of users of an enterprise application in your Office 365 tenant? For apps with under 100 users it’s easy – just open Azure AD and check the user count. For more popular apps, it’s a lot more difficult, as Azure AD just shows “100+”. However, with some PowerShell magic, we can dig out the real user count!

Problem

When you have an “Enterprise Application” in your Azure AD, you can quite easily access its properties from the Azure Portal. However, if you want to find out the number of users using the app, that’s not as straightforward.

Continue reading

Fixing issue “AADSTS70005” by enabling the implicit authentication flow for your Azure AD app

Azure Active Directory (Azure AD)

While either developing or just trying to use an application that authenticates against Azure AD, you might get an error message that contains error code “AADSTS70005“. This means that you’re trying to use implicit authentication flow, but it isn’t allowed for your app. If you have access to the Azure AD you’re authentication against, it’s easy to fix! See more below…

Reason

You might get an error, somewhat like this:

AADSTS70005: response_type 'token' is not supported for the application Trace ID: <Guid_1> Correlation ID: <Guid_2> Timestamp...

This is returned by your Azure AD instance, as it doesn’t allow the use of implicit OAuth2 authentication flow for the application id you’re using.

Solution: Enable the Implicit Authentication Flow

Okay, luckily the fix is going to be easy. You can resolve the issue by enabling the implicit authentication flow for OAuth2. There’s actually no switch in GUI for this – you’ll have to edit the manifest of your registered Azure AD application yourself. Follow these steps: Continue reading

How to fix AADSTS50011: Reply address did not match because of case sensitivity.

AADSTS50011: The reply address ... does not match the reply addresses configured for the application.

So, you got an error with a code AADSTS50011? It’s just Azure AD’s authentication acting up because of invalid reply address! here’s a bunch of different reasons that lead to this error. This post describes the variant where the URL’s case sensitivity differns from what’s configured. For me, the most typical scenario where I run into this error is accessing the app from SharePoint.

Problem

So, you’re getting an error somewhat like this:

AADSTS50011: The reply address <...> does not match the reply addresses configured for the application: '<guid>'. More details: Reply address did not match because of case sensitivity.

This is another variation of the good old “AADSTS50011: The reply address does not match the reply addresses configured“-error.

I recently encountered this new version of the error. Normally, you don’t get any extra details – the “More details:” -section will just say “not available” or some such. But I guess a lot of people have been struggling with the case-sensitivity of the URLs (I wonder who thought that was a good idea?), and Microsoft has opted to provide this, slightly improved version of the classical reply-url error.

Continue reading

How to fix AADSTS50011: The reply address does not match the reply addresses configured… error

AADSTS50011: The reply address ... does not match the reply addresses configured for the application.

So, you got an error with a code AADSTS50011? That’s ok – it’s just Azure AD’s authentication acting up because of invalid reply URLs! Since there might be a couple of different reasons for this error, this post also describes a couple of different solutions, that might help you overcome the issues.

Error

So, you’re getting an error somewhat like this:

AADSTS50011: The reply address ... does not match the reply addresses configured for the application.

AADSTS50011: The reply address … does not match the reply addresses configured for the application.

But why? Did you mess something up? Well, if you’re the person who configured the app you’re trying to use, you probably did! Although Microsoft might still be the one to blame for that. Continue reading

How to fix AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.

SOLVE ALL THE ERRORS!

Have you run into the cryptical “AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.” error? I have. This post will tell you how to fix it.

How to fix AADSTS50059?

I encountered this error while trying to reload a page with some JavaScript that authenticates against Graph API. It completely blocks the functionality, as it redirects the user to login page. Luckily, at least in my case, this was easily fixed! Your error might look something like this:

Request Id: <guid>
Correlation Id: <guid>
Timestamp: 2018-04-27T20:58:36Z
Message: AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials.

Okay – so the error claims Azure AD fails to recognize your tenant, as the request or provided credentials didn’t provide that. But is that even true?  Continue reading

Solving error “AADSTS90013: Invalid input received from the user”

AADSTS90013: Invalid input received from the user. (header thumbnail)

I stumbled upon a customer, that complained about some pages in their intranet throwing weird errors with authentication. Those pages seemed to have one thing in common – there was a Yammer embed (or a SharePoint script webpart with Yammer embed script in it, to be precise) there. The error code they got was “AADSTS90013: Invalid input received from the user”.

Below, you can see an example of the error screen.

AADSTS90013: Invalid input received from the user.

AADSTS90013: Invalid input received from the user.

Okay – this is going to be extremely specific, and probably won’t solve the issue for all of you out there! But this is what worked for this customer: Continue reading

How to form links to Planner tasks

Office 365 Planner logo

Office 365 Planner is a neat tool for task management. However, when you, for whatever use case, need to form urls that point you towards a single task (or a bucket, or a plan for that matter), you might run into trouble with how the url is formed. Custom domains actually make it a bit complicated, but luckily there’s a workaround!

Description of the issue

If you have multiple domains in your Azure AD, your Planner might end up using your custom domain in its urls. However, if you need to develop some multi-tenant code, that works with any tenant and whatever weird custom domains, you’d have to actually either create another user-supplied property (for the custom domain), or develop some creative extra code to fetch the domains from somewhere… Since the Graph API for Planner certainly does NOT return that!

No worries – you don’t actually need to develop any complicated or smart code. It’s actually WAY easier than that!  Continue reading

Call to sites Graph API requires “owner” permissions for site collection regardless of app permissions

Okay – yet another weird issue, and a hacky workaround. I was developing an app that was calling a SharePoint site through Graph API, using jQuery $.ajax call (developed in TypeScript), and ran into surprising 401 errors. I did find a workaround, but am also working on an actual fix.

Description

To get SharePoint site ID, which is needed when accessing SharePoint lists, the calls seemed to fail for my test accounts. Everything was working fine for my developer account, which was a global admin, so the first thing I was suspecting was of course permissions…

The first offending test account was a Group member, and a restricted reader in the site collection I was trying to access via Graph. The account was also a contributor on the root site of the tenant. And all of my accounts were licensed with E3/E5.

I knew that this part of the code was supposed to get a site id for a certain SharePoint site collection with a call to Graph API, similar to this one:

https://graph.microsoft.com/v1.0/sites/<tenant>.sharepoint.com:/sites/<site>/

It worked for my developer account, but just wouldn’t work for the test accounts! This is the error I got: Continue reading

4 ways to fix error AADSTS65001 (The user or administrator has not consented to use the application)

Azure AD Login error

Fixing issues with Azure AD authentication for Enterprise applications can be tricky. This article contains multiple different fixes to an issue, where granting admin consent has somehow failed. Not all of the different solutions will work for all situations, though! That’s why I included a couple of different options to try… 🙂

Why do you even get issues with Admin Consent (like AADSTS65001)?

Imagine this: You’re trying to add or use an app, but the requires such permissions from your tenant, that only an administrator can grant. Typically to add this kind of an app, you’ll have to be a global administrator.

This is when an admin consent is required for the usage of the app – and if that hasn’t been granted, you’ll get errors about administrators not having consented to the use of the app you’re accessing.

Additionally, just to make the investigation just a bit more complicated, if it’s an enterprise application, it could also be in an invalid state after someone tried adding the app without sufficient permissions.

I’ve been investigating a lot of these issues in relation to organizations using a mobile app, which the customer has been deploying as an enterprise application. Most of the things should apply for web-based apps or console programs or whatever else you’re deploying, too – especially if they’re enterprise applications in Azure AD!

The whole error might look something like this: Continue reading

How to use the Azure AD associated with your SharePoint Online

Azure Active Directory (Azure AD)

With the usual configuration of Office 365 and Azure, there might be multiple Azure AD (AAD) instances associated with your subscription. When creating registrations to whatever SharePoint-related apps that you might be using, if you create the registration to the wrong Azure AD, it can’t access the data in your SharePoint. Or at least without further configurations, it probably won’t get any data from your Office Graph API or whatever else you might want to use. 

How to find the instance of Azure AD associated with your SharePoint Online

It’s simple, luckily!  Continue reading