Specific users no longer able to use SSO - 403 forbidden error message

James Earl 0 Reputation points
2024-01-17T11:00:40.26+00:00

We have two separate instances of the exact same issue. We have built two bespoke applications for two different companies. Each of the applications uses Microsoft Graph and Azure for SSO.

Both of these were set up years ago and have been working without issue.

In the last two months one user for each of the companies can now no longer sign into the application with SSO. The sign in is successful but when trying to get their profile, we get a 403 forbidden error from graph and access is denied. Everyone else at both companies can log in without issue.

Nothing has been changed for either of the user accounts prior to the issue occurring.

Has anyone else experienced something similar?

Tags: Microsoft Graph, Microsoft Entra ID

1 answer

  1. Shashank Kumar Srivastava 0 Reputation points Student Ambassador
     2024-01-17T11:11:43.7166667+00:00

     **Review User Permissions:**
     - Meticulously examine the affected users' permissions in both Azure AD and the application itself.
     - Ensure they have the necessary permissions to access their profiles.
     - Verify if any conditional access policies or security restrictions might be blocking access.
     - Compare their permissions with those of users who can access successfully.

     **Check Admin Consent:**
     - Confirm that administrator consent has been granted for the application to access user profiles.
     - If consent hasn't been granted or has expired, re-grant consent for the application.

     **Inspect Token Permissions:**
     - Analyze the access tokens being used for the affected users.
     - Ensure they contain the correct scopes for accessing user profiles.
     - Use tools like the Microsoft Graph Explorer or Postman to test token validity.

     **Verify Audience Claims:**
     - Ensure the audience claims (aud) in the access tokens match the Microsoft Graph API endpoints being called.
     - Mismatches can lead to 403 errors.

     **Test with Graph Explorer:**
     - Use the Graph Explorer (https://developer.microsoft.com/graph/graph-explorer) to try accessing the affected users' profiles with their access tokens.
     - This can help isolate whether the issue is with the application or with the Graph API itself.

     **Review Recent Changes:**
     - Scrutinize any recent changes to Azure AD policies, conditional access rules, or application configurations that might have inadvertently impacted access.

     **Engage Microsoft Support:**
     - If none of the above steps resolve the issue, engage Microsoft support for further assistance.
     - They have access to more detailed logs and diagnostic tools to pinpoint the root cause.

     **Additional Considerations:**
     - **Conditional Access Policies:** Double-check for any conditional access policies that might be affecting specific users or devices.
     - **Azure AD Security Defaults:** If enabled, ensure the application is explicitly allowed to bypass security defaults.
     - **Application Permissions:** Verify that the application has the necessary permissions to access user profiles in Microsoft Graph.
     - **Recent Updates:** Review any recent updates to Microsoft Graph or Azure AD that might have introduced changes related to permissions or access control.

     **Seek Community Insights:**
     - Share your experiences in relevant forums or communities for further assistance and potential workarounds from other developers.

     @James Earl

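The token checks listed in the answer above (scopes, the `aud` claim, expiry, and comparing the affected user's token with a working user's) can be scripted so the comparison is repeatable. The script below is an added example and is not code from the question, the answer, or Microsoft. It decodes JWT claims without verifying the signature, which is acceptable for inspecting tokens you already hold while debugging but must never be used for an authorization decision. The two sample tokens, the placeholder tenant and object ids, and the `api://contoso-bespoke-app` audience are constructed for the demo.

```python
"""Offline triage of Microsoft Graph access tokens.

Decodes JWT claims WITHOUT verifying the signature. That is fine for
inspecting tokens you already hold during debugging, but it must never be
used to make an authorization decision.
"""
import base64
import json
import time

# Both forms identify Microsoft Graph as the audience of an Entra ID token.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Claims that legitimately differ between two users or two sign-ins and
# therefore add noise when comparing a failing token with a working one.
NOISE_CLAIMS = frozenset({
    "exp", "iat", "nbf", "uti", "rh", "aio", "oid", "sub", "name", "upn",
    "unique_name", "preferred_username", "puid", "ipaddr", "xms_st",
})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(token: str, required_scopes=("User.Read",), now=None) -> list:
    """Explain why Graph might refuse this token: wrong audience, expired,
    or missing the delegated scope (scp) / app role (roles) the call needs."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"aud is {aud!r}, not Microsoft Graph: token was issued for another resource")
    exp = claims.get("exp")
    if exp is not None and exp < now:
        findings.append("token is expired (exp is in the past)")
    # Delegated permissions arrive in 'scp' (space separated); app-only
    # permissions arrive in 'roles' (a list). Either satisfies the check.
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    missing = [s for s in required_scopes if s not in granted]
    if missing:
        findings.append(f"missing permission(s): {', '.join(missing)}; check consent for the app")
    return findings


def diff_claims(working_token: str, failing_token: str) -> dict:
    """Claims that differ between a working user's token and the affected
    user's token, with per-user and per-session noise removed."""
    good, bad = decode_claims(working_token), decode_claims(failing_token)
    keys = (set(good) | set(bad)) - NOISE_CLAIMS
    return {k: (good.get(k), bad.get(k)) for k in sorted(keys) if good.get(k) != bad.get(k)}


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned token used only so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample tokens. Tenant and object ids are placeholders, and
# "api://contoso-bespoke-app" is an assumed custom-API audience.
NOW = 1705499000  # fixed clock so the expiry check is deterministic
_COMMON = {"iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
           "tid": "00000000-0000-0000-0000-000000000000", "iat": NOW - 600, "exp": NOW + 3000}
GOOD_TOKEN = make_unsigned_token({**_COMMON, "aud": "https://graph.microsoft.com",
                                  "oid": "11111111-1111-1111-1111-111111111111",
                                  "scp": "User.Read openid profile email"})
BAD_TOKEN = make_unsigned_token({**_COMMON, "aud": "api://contoso-bespoke-app",
                                 "oid": "22222222-2222-2222-2222-222222222222",
                                 "scp": "access_as_user"})

if __name__ == "__main__":
    for label, tok in (("working user", GOOD_TOKEN), ("affected user", BAD_TOKEN)):
        print(label, diagnose_graph_token(tok, now=NOW) or ["no token-level problem found"])
    print("differing claims:", diff_claims(GOOD_TOKEN, BAD_TOKEN))
```

Paste a real token from the application's logs or from the browser's network tab in place of the constructed ones. One caveat when reading the result: a token minted for the wrong audience is normally rejected by Graph with a 401 rather than a 403, so if `aud` and `scp` both look right and Graph still answers 403, the decision is being made on the Graph side and the remaining leads are consent and the policies applied to that user, not the token format.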
