FAQ / Troubleshooting¶
First steps¶
If something isn't quite right, these kubectl commands may be of help in diagnosing and reporting errors.
To get a summary of the status of your Azure AD client:
For additional details:
Unassigned Pre-Authorized Apps¶
Example
You might see the following status message when running `kubectl describe azureapp <app>`:

```text
Status:
  ...
  Pre Authorized Apps:
    ...
    Unassigned:
      Access Policy Rule:
        Application:  <other-application>
        Cluster:      <cluster>
        Namespace:    <namespace>
      Reason:  WARNING: Application '<cluster>:<namespace>:<other-application>' was not found in the Azure AD tenant (<tenant>) and will _NOT_ be pre-authorized.
    Unassigned Count:  1
```
Solution / Answer
- Ensure that the application you're attempting to pre-authorize exists in Azure AD. Run `kubectl get azureapp <other-application>` and check that the `Synchronized` field is not empty.
- If you added the application to your access policy before it existed in Azure AD, try to resynchronize your own application: `kubectl annotate azureapp <my-application> azure.nais.io/resync=true`
- If all else fails, ask an adult in the #nais channel on Slack.
"Application Alice is not assigned to a role for the application Bob"¶
Example
An application may receive the following `400 Bad Request` response error when requesting a token from Azure AD:

```json
{
  "error": "invalid_grant",
  "error_description": "AADSTS501051: Application '<client ID>'(<cluster>:<namespace>:<alice>) is not assigned to a role for the application 'api://<cluster>.<namespace>.<bob>'(<cluster>:<namespace>:<bob>)",
  ...
}
```
Or the other variant:
Solution / Answer
- Ensure that the scope value follows the correct format: `api://<cluster>.<namespace>.<app-name>/.default`
- Ensure that Bob's access policy includes Alice.
- Run `kubectl get azureapp bob` to check the current count of assigned and unassigned applications for Bob.
- Run `kubectl get azureapp bob -o json | jq '.status.preAuthorizedApps'` to check the detailed statuses for all of Bob's desired pre-authorized applications.
- If Bob added Alice to its access policy before Alice existed in Azure AD, try to resynchronize Bob: `kubectl annotate azureapp bob azure.nais.io/resync=true`
- If all else fails, ask an adult in the #nais channel on Slack.
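The two checks above (the scope format and the `preAuthorizedApps` status of the API application) can be done in one pass over the `kubectl get azureapp bob -o json` output. The following is an added example, not code from the nais project or this page: it embeds a constructed sample of `.status.preAuthorizedApps` whose key names are reconstructed from the `kubectl describe` output shown under "Unassigned Pre-Authorized Apps" (the `assigned` list and `assignedCount` field are assumed to mirror the `unassigned` ones; the cluster, namespace and tenant names are invented), validates a scope string against `api://<cluster>.<namespace>.<app-name>/.default`, and reports whether the calling application is assigned, unassigned (with the reason from the status), or missing from the access policy entirely.

```python
import json
import re

# Constructed sample of `kubectl get azureapp bob -o json | jq '.status.preAuthorizedApps'`.
# Key names are reconstructed from the `kubectl describe azureapp` output in this FAQ;
# "assigned"/"assignedCount" are an assumption, as are the cluster/namespace/tenant names.
SAMPLE_PRE_AUTHORIZED_APPS = json.dumps({
    "assigned": [
        {"accessPolicyRule": {"application": "carol", "cluster": "dev-gcp", "namespace": "team-a"}},
    ],
    "assignedCount": 1,
    "unassigned": [
        {
            "accessPolicyRule": {"application": "alice", "cluster": "dev-gcp", "namespace": "team-a"},
            "reason": "WARNING: Application 'dev-gcp:team-a:alice' was not found in the Azure AD "
                      "tenant (example-tenant) and will _NOT_ be pre-authorized.",
        },
    ],
    "unassignedCount": 1,
})

# Expected scope format from this FAQ: api://<cluster>.<namespace>.<app-name>/.default
SCOPE_RE = re.compile(
    r"^api://(?P<cluster>[a-z0-9-]+)\.(?P<namespace>[a-z0-9-]+)\.(?P<app>[a-z0-9-]+)/\.default$"
)


def check_scope(scope):
    """Return (cluster, namespace, app) if `scope` has the expected format, else None."""
    m = SCOPE_RE.match(scope)
    return m.groups() if m else None


def rule_key(rule):
    """Render an accessPolicyRule as the <cluster>:<namespace>:<application> form used in the status."""
    return f"{rule['cluster']}:{rule['namespace']}:{rule['application']}"


def diagnose(pre_authorized_apps_json, caller_scope, caller):
    """Explain why `caller` (cluster:namespace:app) may get AADSTS501051 when requesting `caller_scope`.

    Returns a list of human-readable findings, one per problem detected.
    """
    findings = []

    if check_scope(caller_scope) is None:
        findings.append(
            f"scope '{caller_scope}' does not match api://<cluster>.<namespace>.<app-name>/.default"
        )

    status = json.loads(pre_authorized_apps_json)
    assigned = {rule_key(e["accessPolicyRule"]) for e in status.get("assigned", [])}
    unassigned = {rule_key(e["accessPolicyRule"]): e.get("reason", "")
                  for e in status.get("unassigned", [])}

    if caller in assigned:
        findings.append(f"{caller} is assigned; the access policy is not the cause")
    elif caller in unassigned:
        # The Reason field carries the operator's own explanation (e.g. app not found in tenant).
        findings.append(f"{caller} is in the access policy but unassigned: {unassigned[caller]}")
        findings.append("resync the API application: kubectl annotate azureapp <app> azure.nais.io/resync=true")
    else:
        findings.append(f"{caller} is not in the API application's access policy at all")

    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_PRE_AUTHORIZED_APPS, "api://dev-gcp.team-a.bob/.default", "dev-gcp:team-a:alice"):
        print(line)
```

To run it against a live cluster, replace `SAMPLE_PRE_AUTHORIZED_APPS` with the output of `kubectl get azureapp bob -o json | jq '.status.preAuthorizedApps'` and pass the scope string your application actually sends in the token request; a stray character in the scope (such as a trailing `>`) is caught before the status is consulted.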
"The signed in user is blocked because they are not a direct member of a group with access"¶
Example
An application may receive the following `400 Bad Request` response error when requesting a token from Azure AD:

```json
{
  "error": "invalid_grant",
  "error_description": "AADSTS50105: Your administrator has configured the application <cluster>:<namespace>:<alice> ('<client id>') to block users unless they are specifically granted ('assigned') access to the application. The signed in user '{EmailHidden}' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application",
  ...
}
```
Solution / Answer
- Ensure that the Alice application has configured user access.
- Ensure that the given user is a direct member of one of the configured groups; as the error message states, membership through a nested group is not sufficient.
- If all else fails, ask an adult in the #nais channel on Slack.
"Selected user account does not exist in tenant 'some-tenant' and cannot access the application 'some-client-id' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."¶
Problem
A user may receive the above message from Azure AD when attempting to log in.
Solution / Answer
- Ensure that the user logs in with an account that belongs to your application's tenant.
- If all else fails, ask an adult in the #nais channel on Slack.
Last update: 2023-07-03
Created: 2021-07-08