-
Notifications
You must be signed in to change notification settings - Fork 484
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Posting back response to bot - Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. #6759
Comments
Can not repro anymore, maybe it was delay from multi-tenant to single tenant migration. |
@ceciliaavila we are seeing this issue again. It is intermittent but now it is happening on various flows when service try to post back response to the bot. From latest repro: (AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: efe17f44-1a9c-487f-9db5-d906af054800 Correlation ID: c5de5c5f-1a54-4338-974b-c8cb9bd91133 Timestamp: 2024-03-19 00:50:09Z) On just using happy path scenarios like ME search, LU and at motioned commands. [Updated title to reflect same] |
Hi @brijshah2709, We investigated about this issue and found that it is related to how the AAD have the Conditional Access policies configured.
Additionally, we tried reproducing the issue by using two different tenants, but we couldn't reproduce the error, both Bot and UserTokenClient.GetSignInResourceAsync method worked fine, the Bot responding to messages, and the method returning the URL with the sign in code. |
@sw-joelmut thank you for your response. I understand the issue is from CA but how can I use claims from CA to populate user to go through auth challenge for successful token acquisition? this is coming from common bot SSO code which is required to trigger SSO on initial flow |
This is old, but is this with Teams or on the MS Tenant? |
@tracyboehrer yes, MSFT tenant. |
Just when running locally, or on Azure? |
@tracyboehrer just locally in VS |
This is specific to MS tenants. I have the same issue when using Single Tenant. Start your AzureVPN when running locally. |
@tracyboehrer the same issue repro on cloud service too, we have seen this flakiness in our production services too. |
Github issues should be used for bugs and feature requests. Use Stack Overflow for general "how-to" questions.
Version
4.21.0
Describe the bug
When bot is created with single tenant config and call is made to following
It throws error Failed to acquire token for client credentials. (AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 4d3115e2-773f-413d-ac57-9a69025d2e00 Correlation ID: 37810be3-b3dd-4f6a-9e87-5bab1e14d910 Timestamp: 2024-03-07 23:05:36Z)
To Reproduce
Create a bot with single tenant config
Make a call to GetSignInResourceAsync with SSO connection, test this call on external tenant not on the same tenant where bot is registered. The AAD app backed by BOT is also
AzureADMyOrg
Expected behavior
Should return sign in link
Screenshots
Exception added above
Additional context
Bot is created in MSFT tenant and trying to test on external test tenant.
The text was updated successfully, but these errors were encountered: