macpak

Reputation: 1301

Error when trying to consent Azure VPN application

I am trying to setup a p2s VPN using Azure Active Directory authentication. I am following the steps described here https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant. In the section Authorize the application, it's mentioned that we need to grant admin consent, so that Azure VPN application can sign in and read user profiles. I am logged in as GlobalAdmin, but when I paste the required URL (https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent) I am redirected to the portal with url:

https://portal.azure.com/?error=access_denied&error_description=AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor.

What am I doing incorrectly?

Upvotes: 0

Views: 759

Answers (1)

Gitarani Sharma

Reputation: 905

The above behavior was a code bug which was fixed by the Azure VPN and Azure AD Product Groups team, and below is the RCA (Root Cause Analysis) for the same:

Issue: When setting up a P2S VPN using Azure Active Directory authentication following the steps described in our public doc tutorial and trying to grant admin consent to the Azure VPN application using GlobalAdmin account, the public URL redirects to "https://portal.azure.com/?error=access_denied&error_description=AADSTS650054:+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor" and doesn't give the prompt to accept the requested permissions.

Root Cause: Admin Consent was failing for new customers because Azure VPN was trying to get access to Azure AD Graph, which is deprecated. Refer to https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-configure-permissions?tabs=http%2Cupdatepermissions-azureadgraph-powershell for details. This impacted only new tenants who want to onboard to VPN and not existing customers. Some code was updated in the backend which broke the admin consent flow. The app access has been changed to Microsoft Graph now, and the newly added code was removed from the Azure VPN client app in the backend, which has fixed the issue.

Solution: Now if you follow the documentation/guide Configure Azure AD tenant and settings for P2S VPN connections: Azure AD authentication: OpenVPN - Azure VPN Gateway | Microsoft Learn, the public URL at Step 2 should work without any issues.

Upvotes: 1
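A small diagnostic, added here as an example and not part of either post: it parses the failed-consent redirect URL quoted in the question for its AADSTS code, and scans an app registration manifest's requiredResourceAccess for permissions on the deprecated Azure AD Graph resource, which is the root cause the answer names. The manifest excerpt is a constructed sample; the two resource app IDs are the well-known first-party values for Azure AD Graph and Microsoft Graph.

```python
"""Diagnostics for the admin-consent failure above (added example, not part of the
original question or answer): extract the AADSTS code from the consent redirect URL
and scan an app manifest's requiredResourceAccess for deprecated Azure AD Graph
permissions. The manifest is a constructed sample; app IDs are well-known values."""
import json
import re
from urllib.parse import parse_qs, urlparse

AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"  # deprecated resource
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Redirect URL quoted in the question.
SAMPLE_REDIRECT = (
    "https://portal.azure.com/?error=access_denied&error_description=AADSTS650054:"
    "+The+application+'api://41b23e61-6c1e-4545-b367-cd054e0ed4b4/api'+asked+for"
    "+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer"
    "+available.+Contact+the+app+vendor."
)
# Constructed manifest excerpt: one Azure AD Graph entry, one Microsoft Graph entry.
SAMPLE_MANIFEST = json.dumps({"requiredResourceAccess": [
    {"resourceAppId": AZURE_AD_GRAPH_APP_ID,
     "resourceAccess": [{"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope"}]},
    {"resourceAppId": MICROSOFT_GRAPH_APP_ID,
     "resourceAccess": [{"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]},
]})

def parse_consent_error(redirect_url: str) -> dict:
    """Return {'error', 'code', 'description'} from a failed consent redirect,
    or {} when the URL carries no error parameter (parse_qs decodes '+' and %xx)."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" not in qs:
        return {}
    desc = qs.get("error_description", [""])[0]
    m = re.match(r"(AADSTS\d+):\s*(.*)", desc, re.DOTALL)
    return {"error": qs["error"][0],
            "code": m.group(1) if m else "",
            "description": m.group(2) if m else desc}

def find_deprecated_graph_access(manifest_json: str) -> list:
    """Return the permission IDs the manifest requests from Azure AD Graph;
    an empty list means no deprecated Azure AD Graph permission is requested."""
    hits = []
    for entry in json.loads(manifest_json).get("requiredResourceAccess", []):
        if entry.get("resourceAppId", "").lower() == AZURE_AD_GRAPH_APP_ID:
            hits.extend(a["id"] for a in entry.get("resourceAccess", []))
    return hits

if __name__ == "__main__":
    print(parse_consent_error(SAMPLE_REDIRECT)["code"], find_deprecated_graph_access(SAMPLE_MANIFEST))
```

On the sample inputs the run reports AADSTS650054 and the single Azure AD Graph permission ID; an app whose manifest returns an empty list here already targets Microsoft Graph only.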
