Happy today, because I finally tracked down an issue in our Azure tenant after spending far too long on it. The root cause is very simple, but reaching it took a lot of time.
Background:
• Our development team registered an AAD app to automatically refresh an Azure Analysis Services model from an Azure Function App.
• The app registered successfully in AAD and was granted the Azure Analysis Services API permission "Read and Write All Models" (the permission text itself is a bit confusing).
• The Function App still did not refresh the model as expected.
• The development team then changed the AAD app's App ID URI (the "application URL" in the portal) to "https://northeurope.asazure.windows.net". Does anybody spot what is wrong here?
• Suddenly all Azure Analysis Services authentication in our tenant broke, including production services. Unfortunately this happened over a long weekend (4 days off 😝).
• A support ticket was raised with Microsoft; the Azure support team asked us to delete the newly registered AAD app, and all services started working again.
• As expected, a huge escalation from the customer; all the appreciation earned in the past was wiped out.
• Unfortunately our team did not get a chance to interact with the Microsoft support team directly, and no error details were shared.
My Involvement:
• I am a beginner in Azure but was curious to analyze what went wrong, so I took responsibility for it, not aware of the pain that lay ahead.
• I spent around a week creating multiple scenarios and combinations, but ended with nothing: the error did not reproduce.
• I posted in the Microsoft technical forum, but public contributors replied that I was wrong and that they would not address an already resolved issue.
• Digging further, I got a clue from a developer: the AAD app's App ID URI had been updated to "https://northeurope.asazure.windows.net".
• I then narrowed the investigation in that direction.
Investigation:
• Registered a new app in AAD.
• Added the Azure Analysis Services API "Read and Write All Models" permission.
• Updated the app's App ID URI to "https://northeurope.asazure.windows.net".
• Prepared the following PowerShell script:
# One-time setup: Azure.AnalysisServices provides Add-AzureAnalysisServicesAccount
Install-Module -Name Azure.AnalysisServices
Install-Module -Name SqlServer
# Interactive username/password; the same credential is used for both sign-ins below
$UserCredential = Get-Credential
# Login-AzureRmAccount is the AzureRM alias for Connect-AzureRmAccount
Login-AzureRmAccount -Credential $UserCredential
# Regional Azure Analysis Services endpoint: the "common resource" every AAS server in North Europe sits behind
$Rolloutenv = "northeurope.asazure.windows.net"
# Requests a token for the AAS resource; this is the call that fails in the affected tenant
Add-AzureAnalysisServicesAccount -RolloutEnvironment $Rolloutenv -Credential $UserCredential
• Tried connecting to Azure Analysis Services through the shared regional endpoint (the "common resource" name) specified in the script.
• Got the following error:
Add-AzureAnalysisServicesAccount : AADSTS65001: The user or administrator has not consented to use the application with ID 'cf710c6e-dfcc-4fa8-a093-d47294e44c66' named 'Azure Analysis Services Client'. Send an interactive authorization request for this user and resource.
Trace ID: 257d729a-680e-4bea-8b43-86ac839e2f00
Correlation ID: 257d729a-680e-4bea-8b43-86ac839e2f00
Timestamp: 2018-05-09 13:09:27Z
At line:3 char:1
+ Add-AzureAnalysisServicesAccount -RolloutEnvironment $Rolloutenv -Credential $Us ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzureAnalysisServicesAccount], AdalServiceException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.AnalysisServices.Dataplane.AddAzureASAccountCommand
• This confirmed that the App ID URI was the culprit that stopped all authentication to Azure Analysis Services.
• Searching the internet for the client GUID from the error turned up the post below, where the same GUID is used as a resource in source code:
https://www.csharpcodi.com/vs2/3376/BusinessPlatformApps/Source/Test/Microsoft.Deployment.Tests.Actions/AzureTests/ServicePrincipalTests.cs/
• With that I was able to relate the GUID to the error message: it is the client application AAD names "Azure Analysis Services Client", the one that every tool authenticating to Azure Analysis Services signs in as.
Conclusion:
• An admin-consent error was thrown whenever any application or piece of code in our tenant tried to authenticate to Azure Analysis Services:
o The client requested a token for the Azure Analysis Services resource "https://northeurope.asazure.windows.net" from AAD.
o AAD resolves a resource URI by looking it up among the App ID URIs registered in the tenant, and found the development team's app registered with exactly that URI.
o AAD therefore treated the development team's app as the requested resource instead of the real Azure Analysis Services service.
o That app was neither the resource actually requested nor one the "Azure Analysis Services Client" had been consented to use; the "Read and Write All Models" permission granted to the app does not help, because that is a permission the app holds on AAS, not a consent for clients to call the app.
o So AAD responded that the application is not consented (AADSTS65001).
Learning:
• AAD is a single instance per tenant: development, QA and production resources are all registered and maintained in the same directory, so a misconfigured test app can take down production.
• So when registering an AAD app, be conscious of the consequences before granting it permissions or changing its identifiers.
• Never set an AAD app's App ID URI to the URI of an existing resource (especially a Microsoft service endpoint): it hijacks every token request for that resource in the tenant and has a huge impact.
• Microsoft should add validation on the App ID URI so that well-known resource URIs cannot be claimed by customer apps.
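As an added example (not part of the original post or of any Microsoft tooling), the following PowerShell script audits a tenant for the exact misconfiguration described above: app registrations whose App ID URI collides with an Azure Analysis Services regional endpoint. With -Remediate it replaces the colliding URI with one under a domain the tenant owns. It uses the AzureAD module cmdlets Connect-AzureAD, Get-AzureADApplication and Set-AzureADApplication; the placeholder domain contoso.onmicrosoft.com and the name aas-refresh are assumptions to be replaced with your own.

```powershell
# Added example: audit (and optionally fix) App ID URI collisions with Azure Analysis Services.
# Requires the AzureAD module and an account that can read (and, for -Remediate, write) app registrations.
param(
    [switch]$Remediate,
    # Assumption: 'contoso.onmicrosoft.com' stands in for a verified domain of your tenant.
    [string]$SafeUriPrefix = 'https://contoso.onmicrosoft.com/aas-refresh'
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

# Any host under *.asazure.windows.net is an Azure Analysis Services resource URI;
# no customer app registration should ever claim it as its App ID URI.
$aasPattern = '^https://[a-z0-9-]+\.asazure\.windows\.net/?$'

$collisions = @(Get-AzureADApplication -All $true | ForEach-Object {
    $bad = @($_.IdentifierUris | Where-Object { $_ -match $aasPattern })
    if ($bad.Count -gt 0) {
        [pscustomobject]@{
            DisplayName   = $_.DisplayName
            AppId         = $_.AppId
            ObjectId      = $_.ObjectId
            CollidingUris = ($bad -join ', ')
            OtherUris     = @($_.IdentifierUris | Where-Object { $_ -notmatch $aasPattern })
        }
    }
})

if ($collisions.Count -eq 0) {
    Write-Host 'No app registration claims an *.asazure.windows.net App ID URI.'
    return
}

Write-Warning "Found $($collisions.Count) app registration(s) hijacking the Azure Analysis Services resource URI:"
$collisions | Format-Table DisplayName, AppId, CollidingUris -AutoSize

if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to replace the colliding URI(s) with a tenant-owned identifier.'
    return
}

foreach ($app in $collisions) {
    # Keep any legitimate identifier URIs and swap the AAS one for a unique, tenant-owned URI.
    $safeUri = "$SafeUriPrefix/$($app.AppId)"
    $newUris = @($app.OtherUris) + $safeUri
    Set-AzureADApplication -ObjectId $app.ObjectId -IdentifierUris $newUris
    Write-Host "Replaced App ID URI on '$($app.DisplayName)' ($($app.AppId)) with $safeUri"
}
```

Run it once without -Remediate to see what would change; after the fix, the Add-AzureAnalysisServicesAccount call from the investigation script should succeed again because AAD once more resolves "https://northeurope.asazure.windows.net" to the real service rather than to a tenant app. The same IdentifierUris property is available through the newer Microsoft Graph PowerShell cmdlet Get-MgApplication if the AzureAD module is not available.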