This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 21%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERR%3C/text%3E%3C/svg%3E)
Hi,
I have a .Net core web app where on a button click I an building a publicclientauthorizationbuilder and using interactive login with extra scopes to concent.
This works locally as redirect to local host on the app builder works fine but when deployed to azure app service this fails as the random port selected by the interactive login is not listening . And in the web app I can not enable port listeners as its not available.
Code:
Any ideas how to get this working .
Bacically I am trying to build a we all that gets user concent on multiple scopes in azure.
Error:
ErrorCode: http_listener_error
Microsoft.Identity.Client.MsalClientException: An HttpListenerException occurred while listening on http://localhost:49960/ for the system browser to complete the login. Possible cause and mitigation: the app is unable to listen on the specified URL; run 'netsh http add iplisten 127.0.0.1' from the Admin command prompt.
---> System.Net.HttpListenerException (5): Access is denied.
This is the code piece that is getting concent from user for multiple scopes.
publicClientApp = PublicClientApplicationBuilder.Create(clientId)
.WithRedirectUri(redirectUrl)
.Build();
return await publicClientApp
.AcquireTokenInteractive(scopes)
.WithExtraScopesToConsent(extraResourceScopesToConsent)
.WithAuthority($"https://login.microsoftonline.com/organizations")
.WithExtraHttpHeaders(he)
.ExecuteAsync();
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 63%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIJ%3C/text%3E%3C/svg%3E)
I am experiencing the same issue. I think it might have something to do with the UserInteractive property of the Environment being "false".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 33%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
I am experiencing the same problem. Could they solve the problem?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
When you config the reply urls in azure ad, you must include the port in the url. If you use more than one port, you must make a reply url for each port. Only the domain localhost allows wildcard ports.
Thanks for the feedback. I have port 80 set for redirect and also in Aad aap. The port is being taken randomly by the msal interactive login. And those ports are not listening on Azure app service and there is no way to enable that as we do not have control on that.
I am experiencing the exact same issue - am thinking it might have something to do with the "Environment.UserInteractive == false"?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
If the authentication worked locally but is throwing this error now that it is published to Azure, it is likely that you need to update your application code to connect it to Azure. The error message you shared is coming from the your application and not from Azure AD.
Steps to resolve this issue:
ClientID is added in the Application settings of the deployed AppIf the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.
@Marilee Turscak-MSFT thanks for the info. Indeed this is not Aad issue but app service issue. When deployed to app service as the error indicates , the listener is prohibited from accessing ports and I can not open them. The Interactive login page is not opening while running from Azure but opens when running locally.
@Marilee Turscak-MSFT also the sample in the link is just signing . However my case is to ask for concent for multiple scopes from the user for which I amusing the public client builder and using acquire token interactive . This step launch a new browser page where user signins and is presented with the app concent for all scopes I have defined in the code. This Web page launch is working locally but not in azure.