Merge pull request #8866 from MicrosoftDocs/main

Auto push to live 2025-05-06 02:31:38

Author: Deland-Han

support/entra/entra-id/app-integration/error-code-aadsts7500514-supported-type-saml-response-not-found.md

@@ -0,0 +1,109 @@
+---
+title: AADSTS7500514 - A Supported Type of SAML Response was not Found with PingFederate
+description: Describes error code `AADSTS7500514` that's returned if a federated account tries to authenticate by using Microsoft Entra ID.
+ms.date: 04/17/2025
+ms.author: bachoang
+ms.service: entra-id
+ms.custom: sap:Issues Signing In to Applications, has-azure-ad-ps-ref
+keywords: AADSTS50020
+---
+
+# AADSTS7500514 - A supported type of SAML response was not found with PingFederate
+
+This article helps you troubleshoot error code `AADSTS7500514` that's returned if a PingFederate federated account tries to authenticate by using Microsoft Entra ID (formerly Azure Active Directory).
+
+## Symptoms
+
+When a federated account tries to authenticate by using Microsoft Entra ID from a Microsoft Authentication Library (MSAL)-based or Active Directory Authentication Library (ADAL)-based application, the sign-in fails. The following error message is displayed:
+
+```output
+{
+     error: "invalid_request",
+     error_description: "AADSTS7500514: A supported type of SAML response was not found. The supported response types are 'Response' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol') or 'Assertion' (in XML namespace 'urn:oasis:names:tc:SAML:2.0:assertion').
+     ....
+     error_uri: "https://login.microsoftonline.com/error?code=7500514"
+}
+```
+
+The error typically occurs in the following environment:
+
+- A federated account that uses [PingFederate](https://www.pingidentity.com/) as the identity provider.  
+- The identity provider is configured to issue a SAML 1.1 token by using the WS-Trust protocol.
+- The application uses one of the following APIs for authentication:
+    - MSAL `AcquireTokenByUserNamePassword` method.  
+    - ADAL `AcquireToken`(string resource, string clientId, UserCredential userCredential) method.  
+    - Any PowerShell module that uses these MSAL or ADAL methods.
+
+## Cause
+
+Because [ADAL is now deprecated](/entra/identity/monitoring-health/recommendation-migrate-from-adal-to-msal), this article focuses on the MSAL.
+
+This issue occurs if the SAML response from PingFederate doesn't contain the SAML version or uses a format that MSAL can't recognize. Typically, this situation is caused by a misconfiguration on the PingFederate side for Microsoft Entra ID.
+
+### Root cause analysis: SAML token version detection
+
+When MASL authenticates a federated account, it determines whether the account is a managed account or a federated account.
+
+For managed accounts, MSAL uses the [Resource Owner Password Credentials grant flow](/entra/identity-platform/v2-oauth-ropc). For federated accounts, it uses the [SAML Assertion Grant flow](/azure/active-directory/develop/v2-saml-bearer-assertion).
+
+The SAML Assertion Grant flow has two steps:
+
+- The client application authenticates to the federated identity provider to obtain a SAML token.  
+- The client uses the obtained SAML token to get an OAuth 2.0 JWT token from Microsoft Entra ID.
+
+The authentication error typically occurs in step 1, in which the client application has to parse the SAML response from the identity provider to determine the version of the SAML token. MSAL looks for the following attributes in the identity provider's SAML response:
+
+- `saml:Assertion` 
+- `TokenType`
+
+The following is an example AD FS SAML response from the `/UserNameMixed` endpoint:
+
+- `saml:Assertion`: major version = 1, minor version = 1  
+- `TokenType`: `urn:oasis:names:tc:SAML:1.0:assertion`
+
+:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/adfs-saml-response.png" alt-text="Screenshot of ADFS SAML Response." lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/adfs-saml-response.png":::
+
+Example of a PingFederate SAML response (SAML Assertion Grant flow step 1):
+
+:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png" alt-text="Screenshot of PingFederate SAML Response for SAML Assertion Grant flow step 1." lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png":::
+
+When you compare these responses, you find that PingFederate returns a different TokenType value (`http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1`) for the same SAML 1.1 token. However, MSAL doesn't support any TokenType value other than `urn:oasis:names:tc:SAML:1.0:assertion`.
+
+If the identity provider returns a different or unexpected value in the SAML response, MSAL might incorrectly interpret the token as SAML 2.0. In this case, it uses the corresponding `grant_type` value during step 2 of the SAML Assertion Grant flow.
+
+Example of the request sent from MSAL application by using PingFederate (SAML Assertion Grant flow step 2):
+
+:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png" alt-text="Screenshot of request sent from MSAL application with PingFederate in SAML Assertion Grant flow step 2." lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png":::
+
+Example of the request that's sent from the MSAL application by using AD FS:
+
+:::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png" alt-text="Screenshot of request sent from MSAL application by using AD FS in SAML Assertion Grant flow step 2." lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png":::
+
+In this step, the value of the `grant_type` parameter must align with the actual version of the SAML token. One of the following values is used by the MSAL application:
+
+- urn:ietf:params:oauth:grant-type:saml2-bearer - for SAML 2.0 tokens
+- urn:ietf:params:oauth:grant-type:saml1_1-bearer - for SAML 1.1 tokens
+
+In the PingFederate example, MSAL uses the `saml2-bearer` as the `grant_type` based on its misinterpretation of the SAML version. This causes a version mismatch between the `grant_type` parameter and the SAML token that's included in the assertion that causes the authentication error.
+
+## Solution
+
+To resolve this issue, make sure that PingFederate is configured to align with Microsoft Entra ID requirements. For step-by-step instructions, review the following articles:
+
+- [Creating a connection to Microsoft Entra ID](https://docs.pingidentity.com/integrations/azure/azure_ad_and_office_365_integration_guide/pf_azuread_office365_integration_creating_a_connection_to_azure_active_directory.html).
+
+    During Microsoft Entra ID connection setup, pay special attention to the settings in the following steps:
+
+    1. Configure the connection protocols.
+    2. On the **Connection Template** tab, select **Do not use a template for this connection**, and then select **Next**.
+    3. On the **Connection Type** tab, select **Browser SSO Profiles**.
+    4. In the Protocol list, select **WS-Federation**.
+    5. In the **WS-Federation Token Type** list, select **SAML 1.1**.
+    6. If you want to support active federation, select the **WS-Trust STS** checkbox.
+
+- [Configuring WS-Trust STS](https://docs.pingidentity.com/integrations/azure/azure_ad_and_office_365_integration_guide/pf_azuread_office365_integration_configuring_ws_trust_sts.html)
+
+    When you configure WS-Trust STS, make sure that you select **SAML 1.1 for Office 365** as the Default Token Type.
+
+[!INCLUDE [Third-party disclaimer](../../../includes/third-party-disclaimer.md)]
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/app-integration/media/error-code-aadsts7500514-supported-type-saml-response-not-found/adfs-saml-response.png

@@ -81,6 +81,9 @@
         href: app-integration/send-notification-details.md
   - name: Troubleshoot sign-in to apps
     items:
+      - name: AADSTS7500514 - A supported type of SAML response was not found
+        href: app-integration/error-code-aadsts7500514-supported-type-saml-response-not-found.md
+      - name: Error AADSTS220501 - Unable to download Certificate Revocation List
       - name: Error code AADSTS50173 - The provided grant has expired due to it being revoked
         href: app-integration/error-code-aadsts50173-grant-expired-revoked.md
       - name: Error AADSTS220501 - Unable to download Certificate Revocation List
@@ -280,6 +283,8 @@
      href: app-integration/graph-api-error-handling-invoke-restmethod.md
    - name: Troubleshoot Authorization RequestDenied error
      href: app-integration/troubleshoot-authorization-requestdenied-graph-api.md
+   - name: 403 error when adding a user to a group
+     href: users-groups-entra-apis/authorization-requestdenied-403-error-add-user-group.md
    - name: 404 error when managing objects
      href: app-integration/404-not-found-error-manage-objects-microsoft-graph.md
    - name: Use managed identities to call Graph APIs in VB.Net and C#

support/entra/entra-id/app-integration/media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-2.png

@@ -0,0 +1,111 @@
+---
+title: Troubleshoot Error 403 When Adding a User to a Group By Using Microsoft Graph API
+description: Provides solutions for the 403 Authorization_RequestDenied error that occurs when you add a user to a group by using Microsoft Graph API.
+ms.date: 04/21/2025
+ms.service: entra-id
+ms.author: bachoang
+ms.custom: sap:Getting access denied errors (Authorization)
+---
+
+# Troubleshoot 403 error when adding a user to a group by using Microsoft Graph API
+
+This article provides guidance for troubleshooting a "403 Authorization_RequestDenied" error that occurs when you try to add a user to a group by using the Microsoft Graph API.
+
+## Symptoms
+
+When you try to add a user to a group by using Microsoft Graph API, you receive the following "403" error message:
+
+```output
+{
+"error": {
+"code": "Authorization_RequestDenied",
+"message": "Insufficient privileges to complete the operation.",
+"innerError": {
+"date": "2024-05-07T15:39:39",
+"request-id": "aa324f0f-b4a3-4af6-9c4f-996e195xxxx",
+"client-request-id": "aa324f0f-b4a3-4af6-9c4f-996e1959074e"
+}
+}
+}
+```
+
+## Cause
+
+This issue occurs if the group that you tried to add the user to can't be managed by Microsoft Graph. Microsoft Graph supports only Microsoft 365 groups and Security groups.
+
+## Solution
+
+### Step 1: Check the group type
+
+Make sure that the group you trying to modify is supported by Microsoft Graph.
+
+1. In Microsoft Graph, the group type can be determined by the settings of its `groupTypes`, `mailEnabled`, and `securityEnabled` properties. Use the [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) to check the group's attributes:
+
+    ```http
+    https://graph.microsoft.com/v1.0/groups/<Group Object ID>?$select=displayName,groupTypes,mailEnabled,securityEnable
+    ```
+
+    Example response:
+
+    ```output
+        {
+         "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(displayName,groupTypes,mailEnabled,securityEnabled)/$entity",
+        "displayName": "Test group A",
+        "groupTypes": [],
+        "mailEnabled": true,
+        "securityEnabled": false
+        }
+    
+   ```
+
+2. Review the following table to verify that the group type is supported by Microsoft Graph API. In the example response, the "Test group A" group is a Distribution group that can't be supported by Microsoft Graph. For more information, see [Working with groups in Microsoft Graph](/graph/api/resources/groups-overview).
+
+    | Type |groupTypes | mailEnabled | securityEnabled | Can be managed by using Microsoft Graph APIs |
+    |--|--|--|--|--|
+    | [Microsoft 365 groups](/graph/api/resources/groups-overview#microsoft-365-groups) | `["Unified"]` | `true` | `true` or `false` | Yes |
+    | [Security groups](/graph/api/resources/groups-overview#security-groups-and-mail-enabled-security-groups) | `[]` | `false` | `true` | Yes |
+    | [Mail-enabled security groups](/graph/api/resources/groups-overview#security-groups-and-mail-enabled-security-groups) | `[]` | `true` | `true` | No; read-only through Microsoft Graph |
+    | Distribution groups | `[]` | `true` | `false` | No; read-only through Microsoft Graph |
+
+    > [!NOTE]
+    > - Group type can't be changed after creation. For more information, see [Edit group settings](/entra/fundamentals/how-to-manage-groups#edit-group-settings).
+    > - The membership of a dynamic group (**groupTypes** contains "DynamicMembership") can't be managed through Microsoft Graph.
+
+### Step 2: Verify required permissions
+
+Different group member types require specific permissions. For user-type membership, make sure that the application or account that performs the operation has the `GroupMember.ReadWrite.All` permission.
+
+For detailed permission requirements, see [Add members documentation](/graph/api/group-post-members).
+
+### Step 3: Check whether the group is a role-assignable group
+
+1. Role-assignable groups require extra permissions to manage their members. You can verify that the group is role-assignable by using Azure portal or Microsoft Graph Explorer:
+
+    **Azure portal**
+    
+    1. In the [Azure portal](https://portal.azure.com), go to **Microsoft Entra ID**, select **Groups**, and then select **All groups**.
+    1. Locate the target group, select **Properties**, and then check whether **Microsoft Entra role can be assigned to the group** is set to **Yes**.
+     
+    **Microsoft Graph Explorer**
+    
+    To check the `isAssignableToRoles` value, run the following request:
+    
+    ```http
+    GET https://graph.microsoft.com/v1.0/groups/<group object="" id="">?$select=displayName,groupTypes,mailEnabled,securityEnabled,isAssignableToRole
+    ```
+    Example response:
+
+    ```output
+     {
+         "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(displayName,groupTypes,mailEnabled,securityEnabled,isAssignableToRole)/$entity",
+        "displayName": "Test group B",
+        "groupTypes": [],
+        "mailEnabled": false,
+        "securityEnabled": true,
+        "isAssignableToRole": true
+        }
+    ```
+  
+2. If the group is role-assignable, you need the `RoleManagement.ReadWrite.Directory` permission in addition to `GroupMember.ReadWrite.All`. For more information, see [Add members documentation](/graph/api/group-post-members).
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/app-integration/media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png

@@ -1,7 +1,7 @@
 ---
 title: Active Directory domain join troubleshooting guidance
 description: Provides guidance to troubleshoot domain join issues.
-ms.date: 01/15/2025
+ms.date: 05/06/2025
 manager: dcscontentpm
 audience: itpro
 ms.topic: troubleshooting
@@ -51,41 +51,17 @@ The following table lists the ports required to be open between the client compu
 
 ## Common issues and solutions
 
-### Error code 0x569
-
-For more information, see [Error code 0x569: The user has not been granted the requested logon type at this computer](error-0x569-not-granted-logon-type.md).
-
-### Error code 0x6BF or 0xC002001C
-
-For more information, see [Status code 0x6bf or 0xc002001c: The remote procedure call failed and did not execute](status-code-0x6bf-0xc002001c.md).
-
-### Error code 0x6D9
-
-See [Domain join error 0x6D9 "There are no more endpoints available from the endpoint mapper"](./domain-join-error-0x6d9-there-are-no-more-endpoints-available-from-the-endpoint-mapper.md) for troubleshooting guide.
-
-### Error code 0xa8b
-
-For more information, see [Error code 0xa8b: An attempt to resolve the DNS name of a DC in the domain being joined has failed](error-0xa8b-resolve-dns-fail.md).
-
-### Error code 0x40
-
-For more information, see [Domain join error 0x40 "The specified network name is no longer available"](domain-join-error-0x40-the-specified-network-name-is-no-longer-available.md).
-
-### Error code 0x54b
-
-For more information, see [Domain join error code 0x54b](error-code-0x54b.md).
-
-### Error code 0x0000232A
-
-See [Domain join error code 0x0000232A](error-code-0x0000232a.md) for troubleshooting guide.
-
-### Error code 0x3a
-
-For more information, see [Status code 0x3a: The specified server cannot perform the requested operation](status-code-0x3a-server-not-perform-operation.md).
-
-### Error code 0x216d
-
-For more information, see [Status code 0x216d: Your computer could not be joined to the domain](status-code-0x216d-not-joined-domain.md).
+|Domain join error code|Cause|Related article|
+|---|---|---|
+|0x569|This error occurs because the domain join user account lacks the **Access this computer from the network** user right at the domain controller (DC) servicing the domain join operation.|[Troubleshooting error code 0x569: The user has not been granted the requested logon type at this computer](error-0x569-not-granted-logon-type.md) |
+|0x6BF or 0xC002001C|This error occurs when a network device (router, firewall, or virtual private network (VPN) device) rejects network packets between the client being joined and the domain controller (DC).|[Troubleshooting status code 0x6bf or 0xc002001c: The remote procedure call failed and did not execute](status-code-0x6bf-0xc002001c.md) |
+|0x6D9|This error occurs when network connectivity is blocked between the joining client and the Domain Controller (DC).|[Troubleshooting error code 0x6D9 "There are no more endpoints available from the endpoint mapper"](./domain-join-error-0x6d9-there-are-no-more-endpoints-available-from-the-endpoint-mapper.md) |
+|0xa8b|This error occurs when you join a workgroup computer to a domain.|[Troubleshooting error code 0xa8b: An attempt to resolve the DNS name of a DC in the domain being joined has failed](error-0xa8b-resolve-dns-fail.md) |
+|0x40|The issue is related to getting Kerberos Tickets for a Server Message Block (SMB) session.|[Troubleshooting error code 0x40 "The specified network name is no longer available"](domain-join-error-0x40-the-specified-network-name-is-no-longer-available.md) |
+|0x54b|This error occurs because the specified domain can't be contacted, pointing to issues locating domain controllers (DCs).|[Troubleshooting error code 0x54b](error-code-0x54b.md) |
+|0x0000232A|This error indicates that the Domain Name System (DNS) name can't be resolved.|[Troubleshooting error code 0x0000232A](error-code-0x0000232a.md) |
+|0x3a|This error occurs when the client computer lacks reliable network connectivity on Transmission Control Protocol (TCP) 389 port between the client computer and the domain controller (DC).|[Troubleshooting status code 0x3a: The specified server cannot perform the requested operation](status-code-0x3a-server-not-perform-operation.md) |
+|0x216d|This error occurs when the user account has exceeded the limit of 10 computers that can be joined to the domain, or when a Group Policy restricts users from joining computers to the domain.|[Troubleshooting status code 0x216d: Your computer could not be joined to the domain](status-code-0x216d-not-joined-domain.md) |
 
 ### Other errors that occur when you join Windows-based computers to a domain