Merge pull request #7987 from MicrosoftDocs/main

Auto push to live 2025-01-07 02:00:02

Author: Deland-Han

support/entra/entra-id/app-integration/404-not-found-error-manage-objects-microsoft-graph.md

@@ -0,0 +1,29 @@
+---
+title: 404 Error When Managing Objects Using Microsoft Graph
+description: Provides a solution to a 404 error when you try to manage a Microsoft Entra object that was just created using Microsoft Graph.
+ms.date: 01/07/2025
+ms.reviewer: kakapans, v-weizhu
+ms.service: entra-id
+ms.custom: sap:Problem with querying or provisioning resources
+---
+# 404 error when managing objects using Microsoft Graph
+
+This article provides a solution to a 404 (object not found) error that occurs when you try to manage a Microsoft Entra object that was just created using Microsoft Graph.
+
+## Symptoms
+
+Suppose you create an object, such as a user, group, or application, in Microsoft Entra ID using Microsoft Graph. When trying to manage the object, such as getting, updating, or patching it, shortly after its creation, you receive a 404 (object not found) error. 
+
+## Cause
+
+The [Microsoft Entra ID architecture](/entra/architecture/architecture) ensures that all data is replicated across geographically distributed data centers. This issue occurs due to a replication delay in propagating the newly created object across all data centers. This replication process might take several minutes to complete.
+
+As shown in the following diagram, when your application makes a request via Microsoft Graph to create a user in Microsoft Entra ID, the service begins the replication process and returns an object for that user, which includes the user's ID and other relevant data used in your request. If your application immediately tries to update this user, it might connect to a replica that hasn't yet been updated with the new user object. So, you receive a 404 error because the user isn't found on that replica.
+
+ :::image type="content" source="media/404-not-found-error-manage-objects-microsoft-graph/404-not-found-error-diagram.png" alt-text="Diagram that explains the cause of the 404 error." border="false":::
+
+## Solution
+
+To resolve this issue, wait some time and retry the update request. If the 404 error still occurs after retrying, double your waiting time and try again. By allowing sufficient time for replication, you can prevent this error from happening again.
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/app-integration/media/404-not-found-error-manage-objects-microsoft-graph/404-not-found-error-diagram.png

@@ -0,0 +1,132 @@
+---
+title: Resolving nonce validation errors in ASP.NET MVC with OpenID Connect
+description: This article provides solutions to the common nonce validation errors that are encountered in ASP.NET MVC apps by using OpenID Connect middleware.
+ms.date: 01/02/2025
+ms.author: bachoang
+ms.service: entra-id
+ms.custom: sap:Developing or Registering apps with Microsoft identity platform
+---
+
+# "ValidationContext.Nonce is null" errors in ASP.NET MVC apps
+
+This article provides solutions to the common nonce validation errors that you might encounter in ASP.NET MVC apps by using OpenID Connect (OIDC)  middleware.
+
+## Common error messages
+
+Depending on the version of Open Web Interface for .NET (OWIN) that you use, you might receive one of the following error messages:
+
+- IDX21323: RequireNonce is '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you do not need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false.
+
+- IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you do not need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to false.
+
+## Understanding nonce cookies
+
+The ASP.NET OIDC middleware uses a nonce cookie to prevent [replay attacks](/dotnet/framework/wcf/feature-details/replay-attacks). The app throws the exception if it can't find the nonce cookie in the authenticated request. Cookies are domain-based. This means that if the cookies are set for a specific domain, all subsequent requests to that domain will include the cookies until they expire or are deleted.
+
+The following Fiddler traces describe how these cookies are set and used in a working flow:
+
+- In Frame 116, the browser sends a request to the OIDC app that's protected by Microsoft Entra ID. After receiving the request, the app detects that it isn't authenticated. It then redirects the request to Microsoft Entra ID (`login.microsoftonline.com`) for authentication. Additionally, the app sets the `OpenIdConnect.nonce` cookie in the "302" redirect response.
+
+    :::image type="content" source="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-start-auth.png" alt-text="Screenshot of Frame 116 in Fiddler Trace." lightbox="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-start-auth.png":::
+
+- After successful authentication (Frame 120-228), Microsoft Entra ID redirects the request back to the web app (Frame 229) together with the authenticated ID token. The nonce cookie that was previously set for this domain is also included in the POST request. The OIDC middleware validates the authenticated token and the nonce cookie before it continues to load the page (through another redirect). At this point, the nonce cookie's purpose is finished, and the app invalidates it by setting the expiration attribute to expire.
+
+    :::image type="content" source="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-after-auth.png" alt-text="Screenshot of Fiddler Trace Frames related to authentication." lightbox="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-after-auth.png":::
+
+## Solution
+
+### Cause 1: Multiple domains are used for the same website
+
+The browser originally navigates to the app on Domain A (Frame 9), and the nonce cookie is set for this domain. Later, Microsoft Entra ID sends the authenticated token to Domain B (Frame 91). Because the redirection to Domain B doesn't include the nonce cookie, the web app throws the `validationContext.Nonce is null` error.
+
+:::image type="content" source="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-multiple-domains.png" alt-text="Screenshot of Fiddler Trace Frames related to Cause 1." lightbox="media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-multiple-domains.png":::
+
+### Solution 1
+
+To resolve this issue, follow these steps:
+
+1. Redirect the request back to the same domain that was originally used after authentication. To control where Azure AD sent the authenticated request back to the app, set the `OpenIdConnectAuthentications.RedirectUri` property in the `ConfigureAuth` method.
+
+1. Configure the redirect URI (reply URL) in App Registration. Otherwise you might receive the following error: AADSTS50011: The reply URL that's specified in the request doesn't  match the reply URLs that Azure configured for the app. For more information, see [Error AADSTS50011 with OpenID authentication](error-code-aadsts50011-redirect-uri-mismatch.md).
+
+### Cause 2: Missing SameSite attributes
+
+Because of the [SameSite cookie security updates](/azure/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser?tabs=dotnet), all cookies that are involved in the authentication process (including Nonce cookies) should contain the following attributes:
+
+- SameSite=None
+- Secure
+
+For more information, see [SameSite cookies and the Open Web Interface for .NET](/aspnet/samesite/owin-samesite).
+
+![Screenshot of missing SameSite attributes Fiddler trace.](./media//troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-misisng-samesite.png)
+
+### Solution 2
+
+To make sure that both the required attributes are included, follow these steps:
+
+1. Use the HTTPS protocol to navigate to the web app.
+1. Update .NET Framework and NuGet packages:
+    - For .NET Framework apps: Upgrade .NET Framework to version 4.7.2+ and relevant NuGet packages (Microsoft.Owin.Security.OpenIdConnect, Microsoft.Owin) to version 4.1.0+.
+    - For .NET Core apps:
+        - Version 2._x_ apps should use .NET Core 2.1+.
+        - Version 3._x_ apps should use .NET Core 3.1+.
+
+Example configuration code for Startup.Auth.cs:
+
+```csharp
+using System.Configuration;
+using Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Cookies;
+using Microsoft.Owin.Security.OpenIdConnect;
+using System.Threading.Tasks;
+using Microsoft.Owin.Security.Notifications;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+
+namespace NetWebAppOIDC2
+{
+    public partial class Startup
+    {
+        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
+        private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
+        private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
+        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
+        private static string authority = aadInstance + tenantId;
+
+        public void ConfigureAuth(IAppBuilder app)
+        {
+            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
+
+            app.UseCookieAuthentication(new CookieAuthenticationOptions());
+            app.UseOpenIdConnectAuthentication(
+                new OpenIdConnectAuthenticationOptions
+                {
+                    ClientId = clientId,
+                    Authority = authority,
+                    PostLogoutRedirectUri = postLogoutRedirectUri,
+                    RedirectUri = "https://localhost:44313",
+                    
+                    Notifications = new OpenIdConnectAuthenticationNotifications
+                    {
+                        AuthenticationFailed = OnAuthenticationFailed
+                    }
+
+                    // Don't use SystemwebCookieManager class here to override the default CookieManager because that seems to negate the SameSite cookie attribute that's being set.
+                    // CookieManager = new SystemWebCookieManager()
+
+                });
+        }
+
+        private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
+        {
+            context.HandleResponse();
+            context.Response.Redirect("/?errormessage=" + context.Exception.Message);
+            return Task.FromResult(0);
+        }
+    }
+}
+```
+
+[!INCLUDE [Third-party disclaimer](../../../includes/third-party-disclaimer.md)]
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/app-integration/media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-after-auth.png

@@ -98,6 +98,8 @@
         href: app-integration/troubleshoot-oidc-http-infinite-redirection.md
       - name: User redirected to incorrect reply URL or localhost
         href: app-integration/reply-url-redirected-to-localhost.md
+      - name: Nonce is null error in ASP.NET MVC with OpenID Connect
+        href: app-integration/troubleshoot-validation-context-nonce-null-mvc.md
 
 - name: Business To Consumer (B2C) Tenants
   items:
@@ -238,6 +240,8 @@
      href: app-integration/graph-api-error-handling-invoke-restmethod.md
    - name: Troubleshoot Authorization RequestDenied error
      href: app-integration/troubleshoot-authorization-requestdenied-graph-api.md
+   - name: 404 error when managing objects
+     href: app-integration/404-not-found-error-manage-objects-microsoft-graph.md
 - name: Microsoft Entra User Provisioning and Synchronization
   items:
   - name: User Sign-in or password Problems
@@ -374,3 +378,4 @@
       href: user-prov-sync/exclude-user-primary-group.md
     - name: Yellow exclamation mark in Office 2013
       href: user-prov-sync/yellow-exclamation-mark-office2013.md
+

support/entra/entra-id/app-integration/media/troubleshoot-validation-context-nonce-null-mvc/fiddler-trace-misisng-samesite.png

@@ -1,7 +1,7 @@
 ---
 title: How to clean up inherited access
 description: Introduces how to remove inherited access to records when the cascade configuration of a table changes in Microsoft Dataverse.
-ms.date: 09/08/2023
+ms.date: 01/07/2025
 author: paulliew
 ms.author: paulliew
 ms.reviewer: jdaly
@@ -114,7 +114,7 @@ OData-Version: 4.0
 
 ---
 
-The `CreateAsyncJobToRevokeInheritedAccess` action creates a new asynchronous job named `RevokeInheritedAccess`. You can monitor the success of this job. For more information, see [monitoring system jobs](/power-platform/admin/manage-dataverse-auditing#monitoring-system-jobs) or [managing system jobs with code](/power-apps/developer/data-platform/asynchronous-service#managing-system-jobs).
+The `CreateAsyncJobToRevokeInheritedAccess` action creates a new asynchronous job named `RevokeInheritedAccess`. You can monitor the success of this job, but there isn't any way to preview the records that will be affected. For more information, see [monitoring system jobs](/power-platform/admin/manage-dataverse-auditing#monitoring-system-jobs) or [managing system jobs with code](/power-apps/developer/data-platform/asynchronous-service#managing-system-jobs).
 
 ### Reset inherited access