Bug 50739 - [O365] Setup wizard can currently not be completed
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Office 365
UCS 4.4
Other Linux
: P5 normal
: UCS 4.4-3-errata
Assigned To: Erik Damrose
Sönke Schwardt-Krummrich
Depends on:
Blocks:
Reported: 2020-01-24 16:27 CET by Erik Damrose
Modified: 2020-09-03 11:47 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020012221000513, 2020012921000742, 2020020521000722
Bug group (optional):
Max CVSS v3 score:


Attachments
Screenshot of authorization page (36.65 KB, image/png)
2020-01-24 16:27 CET, Erik Damrose
Patch to use a shared secret for o365 app setup (1.07 KB, patch)
2020-02-10 10:03 CET, Erik Damrose

Description Erik Damrose univentionstaff 2020-01-24 16:27:25 CET
Created attachment 10283 [details]
Screenshot of authorization page

One step in the O365 Setup wizard is to explicitly confirm the permissions requested by the app. This is done at the Azure web interface and requires a user logged into the Azure portal with permissions to authorize the app permissions.

The browser should be redirected to the reply URL given to the Azure App setup in an earlier step, e.g. https://FQDN/univention/command/office365/authorize. However, the browser never gets redirected (I inspected the browser network requests), but the Azure authorization form reappears, see example screenshot.

The o365 connector never gets the required information on how to start the synchronization, which would be in the POST request to the reply URL. Initialization of a new connection cannot be completed.
Comment 1 Erik Damrose univentionstaff 2020-01-24 16:52:47 CET
Maybe additional permissions have to be set in Azure or given to the admin user; the Azure logs show the following error when trying to authorize the app.

Sign-in error code:
65001

Failure reason:
Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.
Comment 2 Christina Scheinig univentionstaff 2020-01-29 15:58:07 CET
Reported again
Comment 3 Ingo Steuwer univentionstaff 2020-01-30 11:57:55 CET
This is sort of an "API change" by Microsoft. I suggest any user who faces this issue to open a support ticket at Microsoft.
Comment 4 Ingo Steuwer univentionstaff 2020-02-06 14:21:37 CET
see also https://help.univention.com/t/14258
Comment 5 Erik Damrose univentionstaff 2020-02-07 14:42:05 CET
We received a report from one customer that the setup of an Azure AD connection could be completed successfully today. We could verify this internally; we could also set up a new connection in our test environment. Users currently facing this issue are encouraged to try it in their environment as well. We are waiting for an official response from Microsoft before considering this issue as resolved.
Comment 6 Erik Damrose univentionstaff 2020-02-10 10:00:56 CET
Microsoft support confirmed that an issue with granting permissions when setting up Azure apps has been resolved. The issue is considered resolved. If there are still issues, please contact Univention support.
Comment 7 Erik Damrose univentionstaff 2020-02-10 10:03:14 CET
Created attachment 10291 [details]
Patch to use a shared secret for o365 app setup

The attached patch was a first step to complete the app setup with a shared secret instead of a certificate. This would need more cleanup of deprecated functions. In addition, the wizard would have to be adapted.
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2020-02-13 18:14:57 CET
Issue has been fixed by Microsoft. Nothing to do on our side.
→ VERIFIED