
Signup Error: AADB2C90068: The provided application with ID 'xxx' is not valid against this service. #272

Open
jhofer opened this issue May 28, 2024 · 9 comments
Labels
bug Something isn't working needs research or confirmation This issue needs more research and documentation before being accepted.

Comments

@jhofer

jhofer commented May 28, 2024

Describe the bug
After successfully deploying the application I'm not able to sign up or log in.
I checked the app registrations and they are created correctly in the Azure B2C tenant.

To Reproduce
Steps to reproduce the behavior:

0. Fork the repo.
1. Fresh deployment of all components, using this script:

```bash
#!/usr/bin/env bash
echo "Start of setup.sh"
# get script directory
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

# run each component's setup.sh and run.sh in turn, asking before each one
echo
read -p "run Saas.IdentityProvider" -n 1 -r CONTINUE_SCRIPT
if [[ $CONTINUE_SCRIPT =~ ^[Yy]$ ]]; then
    targetDir="${SCRIPT_DIR}/src/Saas.Identity/Saas.IdentityProvider/deployment"
    echo "dir ${targetDir}"
    cd "$targetDir" || exit 1
    # run setup script
    ./setup.sh
    ./run.sh
fi

echo
read -p "run Saas.Permissions" -n 1 -r CONTINUE_SCRIPT
if [[ $CONTINUE_SCRIPT =~ ^[Yy]$ ]]; then
    targetDir="${SCRIPT_DIR}/src/Saas.Identity/Saas.Permissions/deployment"
    echo "dir ${targetDir}"
    cd "$targetDir" || exit 1
    # run setup script
    ./setup.sh
    ./run.sh
fi

echo
read -p "run Saas.Admin" -n 1 -r CONTINUE_SCRIPT
if [[ $CONTINUE_SCRIPT =~ ^[Yy]$ ]]; then
    targetDir="${SCRIPT_DIR}/src/Saas.Admin/deployment"
    echo "dir ${targetDir}"
    cd "$targetDir" || exit 1
    # run setup script
    ./setup.sh
    ./run.sh
fi

echo
read -p "run Saas.SignupAdministration" -n 1 -r CONTINUE_SCRIPT
if [[ $CONTINUE_SCRIPT =~ ^[Yy]$ ]]; then
    targetDir="${SCRIPT_DIR}/src/Saas.SignupAdministration/deployment"
    echo "dir ${targetDir}"
    cd "$targetDir" || exit 1
    # run setup script
    ./setup.sh
    ./run.sh
fi

echo
read -p "run Saas.Application" -n 1 -r CONTINUE_SCRIPT
if [[ $CONTINUE_SCRIPT =~ ^[Yy]$ ]]; then
    targetDir="${SCRIPT_DIR}/src/Saas.Application/deployment"
    echo "dir ${targetDir}"
    cd "$targetDir" || exit 1
    # run setup script
    ./setup.sh
    ./run.sh
fi
```

2. Commit and deploy the gitworkflow changes.
3. Run all gitworkflows.
4. Open the signupadmin or saas-app webapp.
5. Click on Sign Up / Sign In ==> Error

Expected behavior

  • User should be able to sign up or log in.


Desktop (please complete the following information):

  • OS: Windows
  • Browser: Edge
@jhofer jhofer added the bug Something isn't working label May 28, 2024
@stuckydev

stuckydev commented May 28, 2024

Have you tried using a browser where no Microsoft Account is currently logged in? I encounter this issue in various applications as I have to use multiple accounts from different companies. One time, I also had to remove the account from the Windows-added company accounts in system settings... otherwise an app always chose the wrong Microsoft Account.

@jhofer
Author

jhofer commented May 31, 2024

I tried it with an incognito window without success.

@1iveowl 1iveowl added the needs research or confirmation This issue needs more research and documentation before being accepted. label Jun 6, 2024
@lookitskris

lookitskris commented Jul 22, 2024

I've hit this exact same issue today - fresh install of everything.

The ID mentioned as part of the error does not match the ID of the app registration created as part of the deploy process in the Azure portal (or indeed any ID of any resource that exists as part of the SDK).

Some research seems to suggest the app registration is at fault; there are some replies here that may be helpful?

I also noticed that in the latest commit a bunch of values have been changed from 'azureAdInstance' to 'azureAdB2CInstanceURL'. Could it now be looking for a B2C app registration, but that does not exist because the Bicep code hasn't been updated to create the app registration using B2C instead of regular AD?

@1iveowl
Collaborator

1iveowl commented Jul 22, 2024

@lookitskris I agree that it might be the last commit from PR #270 that introduced this regression.

I’m away at the moment and won’t be back before later in August. The last commit only changed four lines of code across four files, so what I would maybe do is try to roll back those four changes manually by editing the files by hand, and then try to re-run the installation from a blank slate. Thanks.

@lookitskris

lookitskris commented Jul 23, 2024

@1iveowl I think I have found the issue (or at least part of it).

It appears as though the app registrations the template creates are for the older Azure AD and not B2C? Or perhaps it is B2C but it's missing something?

Here, for example, are the supported account type options for the admin-api registration the template generates (screenshot omitted):

It's missing the newer, third option which reads "Accounts in any organisational directory or any identity provider. Choose this option to authenticate with Azure AD B2C".

This uses accessTokenAcceptedVersion, which should be set to 2, and signInAudience, which should be set to AzureADandPersonalMicrosoftAccount.

You can't manually modify the registrations created by the template by inserting these values into the manifest, unfortunately.

I don't know the guts of the SDK well enough to try and update this, but if you have any pointers on where to start I'll have a go.

@blinka

blinka commented Aug 10, 2024

I can confirm: I had the same issue after a clean new deploy, but after I made these changes within the manifests directly in the Azure portal, both the login and signup flows started to work.

@lookitskris

lookitskris commented Aug 10, 2024

@blinka are you able to say here what specific changes you made on which registration? When I tried to do it, it wouldn't let me save the changes, so I wouldn't mind comparing with you to check I'm doing the right thing.

@blinka

blinka commented Aug 10, 2024

These apps might have different names if you changed the prefix etc. in config before deploy.
I might have changed/modified too many places, but this was working for my tests.

These app registrations:

  • permissions-api
  • saas-app
  • admin-api
  • asdk-usr-sp-pq5a
  • signupadmin-app

Steps to Modify the Application Manifest
Access the application manifest in the Azure Portal:

1. Navigate to the Azure Portal at https://portal.azure.com.
2. Switch to your Azure AD B2C directory.
3. Go to Azure AD B2C and select Applications.
4. Choose the application you want to modify.
5. Under Manage, select Manifest.

I modified these properties to these values:

"signInAudience": "AzureADandPersonalMicrosoftAccount",

Under the API section:

"acceptMappedClaims": true,
"requestedAccessTokenVersion": 2,

Then the "Save" command was enabled for me. I saved, and directly after that I was able to both sign up and sign in, view the admin section of my account and also view the "route" page on the web app.
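A triage helper for the fix described in this thread, as an added example (not code from the issue, the SDK, or any of the commenters): it pulls the application ID out of an AADB2C90068 message, checks whether that ID belongs to any registration in the tenant, and reports which of the manifest values blinka lists are still unset on each registration. It reads the Graph-format `api.requestedAccessTokenVersion` key blinka used and falls back to the legacy `accessTokenAcceptedVersion` key lookitskris mentioned; the manifests and the error message below are constructed sample data, and a real run would feed it the exported manifest JSON of each B2C app registration.

```python
import re

# Manifest values blinka reports setting on each B2C app registration.
EXPECTED_AUDIENCE = "AzureADandPersonalMicrosoftAccount"
EXPECTED_TOKEN_VERSION = 2


def check_manifest(manifest):
    """Return findings for one registration manifest (empty list = OK). Reads the
    Graph-format api.requestedAccessTokenVersion, else legacy accessTokenAcceptedVersion."""
    name = manifest.get("displayName", "<unnamed>")
    api = manifest.get("api") or {}
    findings = []
    audience = manifest.get("signInAudience")
    if audience != EXPECTED_AUDIENCE:
        findings.append(f"{name}: signInAudience={audience!r}, expected {EXPECTED_AUDIENCE!r}")
    version = api.get("requestedAccessTokenVersion", manifest.get("accessTokenAcceptedVersion"))
    if version != EXPECTED_TOKEN_VERSION:
        findings.append(f"{name}: requestedAccessTokenVersion={version!r}, expected {EXPECTED_TOKEN_VERSION}")
    if api.get("acceptMappedClaims") is not True:
        findings.append(f"{name}: acceptMappedClaims is not true")
    return findings


def app_id_from_error(message):
    """Pull the application ID out of an AADB2C90068 message, or None if absent."""
    match = re.search(r"application with ID '([^']+)'", message)
    return match.group(1) if match else None


def triage(error_message, manifests):
    """Cross-check the ID in the error against the tenant's registrations and run
    the manifest checks on each; returns a dict summarising both."""
    bad_id = app_id_from_error(error_message)
    known_ids = {m.get("appId") for m in manifests}
    return {
        "error_app_id": bad_id,
        "id_is_registered": bad_id in known_ids,
        "findings": {m.get("displayName", "<unnamed>"): check_manifest(m) for m in manifests},
    }


# Constructed sample data: one registration still on v1 defaults, one already fixed.
SAMPLE_MANIFESTS = [
    {"displayName": "admin-api", "appId": "11111111-1111-1111-1111-111111111111",
     "signInAudience": "AzureADMyOrg",
     "api": {"acceptMappedClaims": None, "requestedAccessTokenVersion": None}},
    {"displayName": "saas-app", "appId": "22222222-2222-2222-2222-222222222222",
     "signInAudience": EXPECTED_AUDIENCE,
     "api": {"acceptMappedClaims": True, "requestedAccessTokenVersion": 2}},
]
SAMPLE_ERROR = ("AADB2C90068: The provided application with ID "
                "'33333333-3333-3333-3333-333333333333' is not valid against this service.")
```

Running `triage(SAMPLE_ERROR, SAMPLE_MANIFESTS)` reports that the ID in the error matches no registration (the symptom lookitskris saw) and lists all three missing values on admin-api while saas-app comes back clean.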

@lookitskris

@blinka lovely, thanks for that - working for me now too.

The mistake I made was trying to modify the app registration manifests in "Entra ID" and not "Azure AD B2C", just in case that catches anybody else out.
