[Azure AD] Custom extension feature

Author: yoelhor

articles/active-directory/develop/custom-extension-troubleshoot.md

@@ -0,0 +1,186 @@
+---
+title: Troubleshoot a custom claims provider
+titleSuffix: Microsoft identity platform
+description: Troubleshoot and monitor your custom claims provider API.  Learn how to use logging and Azure AD sign-in logs to find errors and issues in your custom claims provider API.
+services: active-directory
+author: yoelhor
+manager: CelesteDG
+
+ms.service: active-directory
+ms.subservice: develop
+ms.topic: how-to
+ms.workload: identity
+ms.date: 03/06/2023
+ms.author: ryanwi
+ms.custom: aaddev
+ms.reviewer: JasSuri
+#Customer intent: As an application developer, I want to find errors and issues in my custom claims provider API.
+---
+
+# Troubleshoot your custom claims provider API (preview)
+
+Authentication events and [custom claims providers](custom-claims-provider-overview.md) allow you to customize the Azure Active Directory (Azure AD) authentication experience by integrating with external systems.  For example, you can create a custom claims provider API and configure an [OpenID Connect app](./custom-extension-get-started.md) or [SAML app](custom-extension-configure-saml-app.md) to receive tokens with claims from an external store.
+
+## Error behavior
+
+When an API call fails, the error behavior is as follows:
+
+- For OpenId Connect apps - Azure AD redirects the user back to the client application with an error. A token isn't minted.
+- For SAML apps -  Azure AD shows the user an error screen in the authentication experience. The user isn't redirected back to the client application.
+
+The error code sent back to the application or the user is generic. To troubleshoot, check the [sign-in logs](#azure-ad-sign-in-logs) for the [error codes](#error-codes-reference).
+
+## Logging
+
+In order to troubleshoot issues with your custom claims provider REST API endpoint, the REST API must handle logging. Azure Functions and other API-development platforms provide in-depth logging solutions. Use those solutions to get detailed information on your APIs behavior and troubleshoot your API logic.
+
+## Azure AD sign-in logs
+
+You can also use [Azure AD sign-in logs](/azure/active-directory/reports-monitoring/concept-sign-ins) in addition to your REST API logs, and hosting environment diagnostics solutions. Using Azure AD sign-in logs, you can find errors, which may affect the users' sign-ins. The Azure AD sign-in logs provide  information about the HTTP status, error code, execution duration, and number of retries that occurred the API was called by Azure AD.
+
+Azure AD sign-in logs also integrate with [Azure Monitor](/azure/azure-monitor/). You can set up alerts and monitoring, visualize the data, and integrate with security information and event management (SIEM)  tools. For example, you can set up notifications if the number of errors exceed a certain threshold that you choose.
+
+To access the Azure AD sign-in logs:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. In the **Enterprise apps** experience for your given application, select on the **Sign-in** logs tab.
+1. Select the latest sign-in log.
+1. For more details, select the **Authentication Events** tab. Information related to the custom extension REST API call is displayed, including any [error codes](#error-codes-reference).
+
+    :::image type="content" source="media/custom-extension-troubleshoot/authentication-events.png" alt-text="Screenshot that shows the authentication events information." :::
+
+## Error codes reference
+
+Use the following table to diagnose an error code.
+
+|Error code |Error name |Description |
+|----|----|----|
+|1003000 | EventHandlerUnexpectedError | There was an unexpected error when processing an event handler.|
+|1003001 | CustomExtenstionUnexpectedError | There was an unexpected error while calling a custom extension API.|
+|1003002 | CustomExtensionInvalidHTTPStatus | The custom extension API returned an invalid error code. Check that the API returns an accepted status code defined for that custom extension type.|
+|1003003 | CustomExtensionInvalidResponseBody | There was a problem parsing the custom extension's response body. Check that the API response body is in an acceptable schema for that custom extension type.|
+|1003004 | CustomExtenstionThrottlingError | There are too many custom extension requests. This exception is thrown for custom extension API calls when throttling limits are reached.|
+|1003005 | CustomExtensionTimedOut | The custom extension didn't respond within the allowed timeout. Check that your API is responding within the configured timeout for the custom extension. It can also indicate that the access token is invalid. Follow the steps to [call your REST API directly](#call-your-rest-api-directly). |
+|1003006 | CustomExtensionInvalidResponseContentType | The custom extension's response content-type isn't 'application/json'.|
+|1003007 | CustomExtensionInvalidResponseEventType | The custom extension API didn't respond with the same eventType that it was called for.|
+|1003008 | CustomExtensionInvalidResponseApiSchemaVersion | The custom extension API didn't respond with the same apiSchemaVersion that it was called for.|
+|1003009 | CustomExtensionNoResponse | The custom extension API response body was null when that wasn't expected.|
+|1003010 | CustomExtensionInvalidNumberOfActions | The custom extension API response included a different number of actions than those supported for that custom extension type.|
+|1003011 | CustomExtensionNotFound | The custom extension associated with an event listener couldn't be found.|
+|1003012 | CustomExtensionInvalidActionType | The custom extension returned an invalid action type defined for that custom extension type.|
+|1003014 | IntermediateAccessTokenFQDNValidationFailed | ResourceId should be in the format of "api://{fully qualified domain name}/{appid}|
+|1003015 | IntermediateAccessTokenFQDNValidationFailed | The fully qualified domain name in resourceId should match that of the targetUrl|
+|1003016 | PrincipalNotFoundWithIdSpecified | The appId of the resourceId should correspond to a real service principal in the tenant.|
+|1003019 | PrincipalNotFoundWithIdSpecified | The resourceId isn't found in the IdentifierUris property of the app or is disabled.|
+|1003021 | CustomExtensionPermissionNotGrantedToServicePrincipal | The service principal doesn't have admin consent for the Microsoft Graph CustomAuthenticationExtensions.Receive.Payload app role (also known as application permission) which is required for the app to receive custom authentication extension HTTP requests.|
+|1003017 | PrincipalNotFoundWithIdSpecified | The Azure Active Directory Authentication Extensions service principal not found in tenant|
+|1003018 | InvalidResourceServicePrincipalDisabled | The Azure Active Directory Authentication Extensions service principal is disabled in this tenant|
+|1003022 | CustomExtensionMsGraphServicePrincipalNotFoundOrDisabled | The MS Graph service principal isn't found or is disabled in this tenant.|
+
+## Call your REST API directly
+
+Your REST API is protected by Azure AD access token. You can test your API by obtaining an access token with the [application registration](custom-extension-get-started.md#22-grant-admin-consent-and-copy-the-ids) associated with the custom extensions. After you acquire an access token, pass it the HTTP `Authorization` header. To obtain an access token, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) with your Azure administrator account.
+1. Select **Azure Active Directory** > **App registrations**.
+1. Select the *Azure Functions authentication events API* app registration [you created previously](custom-extension-get-started.md#step-2-register-a-custom-extension). 
+1. Copy the [application ID](custom-extension-get-started.md#22-grant-admin-consent-and-copy-the-ids).
+1. If you haven't created an app secret, follow these steps:
+    1. Select **Certificates & secrets** > **Client secrets** > **New client secret**.
+    1. Add a description for your client secret.
+    1. Select an expiration for the secret or specify a custom lifetime.
+    1. Select **Add**.
+    1. Record the **secret's value** for use in your client application code. This secret value is never displayed again after you leave this page.
+1. From the menu, select **Expose an API** and copy the value of the **Application ID URI**. For example, `api://contoso.azurewebsites.net/11111111-0000-0000-0000-000000000000`.
+1. Open Postman and create a new HTTP query.
+1. Change the **HTTP method** to `POST`.
+1. Enter the following URL. Replace the `{tenantID}` with your tenant ID.
+
+    ```http
+    https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token
+    ```
+
+1. Under the **Body**, select **form-data** and add the following keys:
+
+    |Key  |Value  |
+    |---------|---------|
+    |`grant_type`| `client_credentials`|
+    |`client_id`| The **Client ID** of your application.|
+    |`client_secret`|The **Client Secret** of your application.|
+    |`scope`| The **Application ID URI** of your application, then add `.default`. For example, `api://contoso.azurewebsites.net/11111111-0000-0000-0000-000000000000/.default`|
+
+1. Run the HTTP query and copy the `access_token` into the <https://jwt.ms> web app.
+1. Compare the `iss` with the issuer name you [configured in your API](custom-extension-get-started.md#step-5-protect-your-azure-function).
+1. Compare the `aud` with the client ID you [configured in your API](custom-extension-get-started.md#step-5-protect-your-azure-function).
+
+To test your API directly from the Postman, follow these steps:
+
+1. In your REST API, disable the `appid` or `azp` [claim validation](custom-extension-overview.md#protect-your-rest-api). Check out how to [edit the function API](custom-extension-get-started.md#12-edit-the-function) you created earlier.
+1. In Postman, create new HTTP request
+1. Set the **HTTP method** to `POST`
+1. In the **Body**, select **Raw** and then select **JSON**.
+1. Pase the following JSON that imitates the request Azure AD sends to your REST API.
+
+    ```json
+    {
+        "type": "microsoft.graph.authenticationEvent.tokenIssuanceStart",
+        "source": "/tenants/<Your tenant GUID>/applications/<Your Test Application App Id>",
+        "data": {
+            "@odata.type": "microsoft.graph.onTokenIssuanceStartCalloutData",
+            "tenantId": "<Your tenant GUID>",
+            "authenticationEventListenerId": "<GUID>",
+            "customAuthenticationExtensionId": "<Your custom extension ID>",
+            "authenticationContext": {
+                "correlationId": "fcef74ef-29ea-42ca-b150-8f45c8f31ee6",
+                "client": {
+                    "ip": "127.0.0.1",
+                    "locale": "en-us",
+                    "market": "en-us"
+                },
+                "protocol": "OAUTH2.0",
+                "clientServicePrincipal": {
+                    "id": "<Your Test Applications servicePrincipal objectId>",
+                    "appId": "<Your Test Application App Id>",
+                    "appDisplayName": "My Test application",
+                    "displayName": "My Test application"
+                },
+                "resourceServicePrincipal": {
+                    "id": "<Your Test Applications servicePrincipal objectId>",
+                    "appId": "<Your Test Application App Id>",
+                    "appDisplayName": "My Test application",
+                    "displayName": "My Test application"
+                },
+                "user": {
+                    "createdDateTime": "2016-03-01T15:23:40Z",
+                    "displayName": "John Smith",
+                    "givenName": "John",
+                    "id": "90847c2a-e29d-4d2f-9f54-c5b4d3f26471",
+                    "mail": "[email protected]",
+                    "preferredLanguage": "en-us",
+                    "surname": "Smith",
+                    "userPrincipalName": "[email protected]",
+                    "userType": "Member"
+                }
+            }
+        }
+    }
+    ```
+
+1. Select **Authorization** and then select **Bearer token**.
+1. Paste the access token you received from Azure AD, and run the query.
+
+
+## Common performance improvements
+
+One of the most common issues is that your custom claims provider API doesn't respond within the two-seconds timeout. If your REST API doesn't respond in subsequent retries, then the authentication fails and the token won't be issued. To improve the performance of your REST  API, follow the below suggestions:
+
+1. If your API accesses any downstream APIs, cache the access token used to call these APIs, so a new token doesn't have to be acquired on every execution.
+1. Performance issues will often be in a downstream service. Add logging, which records the process time to call to any downstream services. 
+1. If you use a cloud provider to host your API, use a hosting plan that keeps the API always "warm". For Azure Functions, it can be either [the Premium plan or Dedicated plan](../../azure-functions/functions-scale.md).
+1. [Run automated integration tests](test-automate-integration-testing.md) for your authentications. You can also use Postman or other tools to test just your API performance.
+
+## Next steps
+
+- Learn how to [create and register a custom claims provider](custom-extension-get-started.md) with a sample Open ID Connect application.
+- If you already have a custom claims provider registered, you can configure a [SAML application](custom-extension-configure-saml-app.md) to receive tokens with claims sourced from an external store.
+- Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.