Thursday, May 10, 2018

The user or administrator has not consented to use Azure Analysis Service Client

Happy today because spent too much time to find out the issue happened in our Azure Tenant. The issue is very simple but took more time to reach the location.

Background:
Our development team have registered a AAD app for automatic refresh of Azure Analysis Service model using Azure Function Apps
The App Registered successfully in AAD and added Azure Analysis Services API Read&Write All model permission (It is bit confusing as the permission text is  Read&Write All Models)
The function App was not refreshing the model as expected.
Then  in addition the AAD App url is updated as “https:// northeurope.asazure.windows.net” (Does anybody think any thing wrong here) by development team.
Suddenly all Azure Analysis Service authentication got broke in our tenant including production services.  Unfortunately this incident happened in a long weekend(4days off 😝)
A support ticket raised with Microsoft and Azure support team asked us to delete the newly registered AAD App, then all service got started working.
As expected a huge escalation by customer, all appreciation got in the past is wiped off.
Unfortunately our team did not get  a chance to interact with Microsoft Support team and no error details shared.

My Involvement:
I am beginner in Azure but a bit curios to analyze what went wrong and took the responsibility but did not aware of the  pain at that time.
Spent around a week time, created multiple scenarios and different combinations but finally ends with nothing. The error was not reproduced.
Posted in Microsoft technical forum, but public contributors replied “I am wrong” , “We will not address the resolved issue”
Then again digged futher and got  clue from developer that  AAD APP url is updated  as “https:// northeurope.asazure.windows.net”
Then narrowed the investigation towards that direction

Investigation:
Registered a new app in AAD
Added Azure Analysis Services API Read&Write All Model  permissions
Updated the AAD URL as “https:// northeurope.asazure.windows.net”
Prepared following PowerShell Script

Install-Module -Name Azure.AnalysisServices
Install-Module -Name SqlServer
$UserCredential = Get-Credential
Login-AzureRmAccount -Credential $UserCredential
$Rolloutenv = "northeurope.asazure.windows.net"
Add-AzureAnalysisServicesAccount -RolloutEnvironment $Rolloutenv -Credential $UserCredential

Tried connecting to Azure Analysis Services using common resource name as specified in the script
Got following error

Add-AzureAnalysisServicesAccount : AADSTS65001: The user or administrator has n
ot consented to use the application with ID 'cf710c6e-dfcc-4fa8-a093-d47294e44c
66' named 'Azure Analysis Services Client'. Send an interactive authorization r
equest for this user and resource.
Trace ID: 257d729a-680e-4bea-8b43-86ac839e2f00
Correlation ID: 257d729a-680e-4bea-8b43-86ac839e2f00
Timestamp: 2018-05-09 13:09:27Z
At line:3 char:1
+ Add-AzureAnalysisServicesAccount -RolloutEnvironment $Rolloutenv -Credential
$Us ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureAnalysisServicesAccoun
   t], AdalServiceException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.AnalysisServices.Datapl
   ane.AddAzureASAccountCommand


Understood that the AAD App Url wan the culprit which has stopped all authentication of Azure Analysis Services
When I checked the GUID in internet I got below post where GUID used a resource in the source code.

https://www.csharpcodi.com/vs2/3376/BusinessPlatformApps/Source/Test/Microsoft.Deployment.Tests.Actions/AzureTests/ServicePrincipalTests.cs/

The I was able to relate the GUID and Error massage.

Conclusion:
Admin consent error thrown when accessing Azure Analysis services by any application or source code in our tenant.
o Application requested for Azure Analysis Service Access in AAD
o ADD found a AAD APP with “https:// northeurope.asazure.windows.net” as application url.
o AAD redirect the request to AAD app created by development team
o But the AAD App was neither actually requested resource nor Azure Analysis Service API Read & Write All model permission consented
o As a response from AAD, “application is not consented”

Learning:
AAD is common  instance for a tenant. All development, QA and Production resources registered and maintained in same AAD.
So when we register a AAD app, we have to be more conscious and aware for consequences before giving permission to it.
Do not update AAD App url with any resource URL because it will create a huge impact.
Microsoft need to apply a additional validation on AAD app Url that “Common resource Url should not be allowed”

3 comments: