I am getting a "Requests from this IP are not allowed" when trying to signin/signup to Entra ID for external providers

Srinath Nanduri 5 Reputation points
2024-05-27T02:42:10.6966667+00:00

I am trying to follow the tutorial at https://learn.microsoft.com/en-us/entra/external-id/customers/tutorial-mobile-app-maui-sign-in-sign-out. I have created the UserFlows, but when running the app I get "Requests from this IP are not allowed". How do I fix that? The URL where this issue happens is https://login.microsoftonline.com/extservice/cpim?dc=ests-pub-wus2-az1-test1

[Screenshot 2024-05-26 at 10.39.30 PM.png]

Tags: .NET MAUI, Microsoft Entra ID

2 answers

  1. James Hamil 22,891 Reputation points Microsoft Employee
    2024-05-28T19:58:22.39+00:00

    Hi @Srinath Nanduri , this indicates that the IP address from which the request is being made is not allowed to access the resource. This could be due to a number of reasons, such as a firewall blocking the IP address or the resource being protected by an access control list (ACL).

    In the context of the tutorial you are following, it's possible that the IP address from which you are making the request is not included in the list of allowed IP addresses for the UserFlow. To fix this, you can try adding the IP address to the list of allowed IP addresses for the UserFlow.

    To do this, follow these steps:

    1. Go to the Azure portal and navigate to the UserFlow that you created.
    2. Click on the "Properties" tab.
    3. Under "IP address restrictions", click on "Add".
    4. Enter the IP address that you want to allow access from.
    5. Click on "Save" to save the changes.

    Once you have added the IP address to the list of allowed IP addresses, try running the app again and see if the issue is resolved. If you are still having issues, you may need to check if there are any other restrictions in place that could be blocking the request.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James


  2. Jason Keimig 0 Reputation points
    2024-06-06T15:52:42.58+00:00

    I'm seeing this issue as well with a web-based Entra External ID-based setup, when trying to use Google as a sign-in option. The "Requests from this IP are not allowed" error appears to be just a catch-all message... the actual error is hidden.

    A couple of things I've found:

    • My user auth flow errors at the exact same POST request to https://login.microsoftonline.com/extservice/cpim?dc=ests-pub-wus2-az1-test1 with the same error message.
    • Looking at the payload of the POST, we can see the actual error:

          property           value
          error              redirect_uri_mismatch
          error_description  AADB2C90006: The redirect URI 'https://{tenant_id}.ciamlogin.com/{tenant_id}/federation/oauth2iefpassthrough' provided in the request is not registered for the client id '4829629c-4ae8-42a5-9def-bd28fbfd6992'.

    • Note that client id 4829629c-4ae8-42a5-9def-bd28fbfd6992 is not the client id of the app registered to my flow. In fact, I found a post from a couple of years ago that referenced this same client id in conjunction with trying to add Google as an auth provider, so I assume it is some internal Entra association w/Google.

    Looking at the previous call that ultimately generated this error: https://login.microsoftonline.com/tfp/{tenant_id}/B2X_1_SignInOnlyUserFlowWM/oauth2/v2.0/authorize?scope=..

          query param    value
          scope          openid offline_access
          response_type  code
          client_id      4829629c-4ae8-42a5-9def-bd28fbfd6992
          response_mode  form_post
          domain_hint    google.com
          redirect_uri   https://{tenant_id}.ciamlogin.com/{tenant_id}/federation/oauth2iefpassthrough
          ..various..    ..various..

    We can see this is the offending call using some internal client_id whose list of valid_redirect_uri URLs cannot be modified.

    The interesting thing here is that it used to work when Google auth was initially set up. After 12-24 hours, however, this issue surfaced and I can no longer try to sign in with Google.

    Any help on getting a reliable Google auth set up for Entra External ID usage?
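The two captures in the answer above, decoded, as an added diagnostic example (not code from the original post, from Microsoft, or from the tutorial): it parses the authorize request URL and the form_post error body, pulls out the AADB2C error code, and checks whether the client_id the request used is the one you registered, which is the check that tells you whether the redirect URI mismatch is in a registration you can fix yourself. The URL and body are reconstructed from the values listed in the answer (the "..various.." parameters are omitted and the {tenant_id} placeholder is kept as-is); MY_APP_CLIENT_ID is a hypothetical placeholder for your own app registration.

```python
"""Surface the real OAuth error hidden behind a generic sign-in failure.

Added diagnostic example (not from the original post): given the captured
authorize request URL and the form_post body the identity service sent back,
decode both and report the underlying error, the client_id the request
actually used, and whether it matches the app registration you own.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the authorize request observed in the thread. Only the
# parameters listed there are reproduced; "..various.." is left out.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/tfp/{tenant_id}/B2X_1_SignInOnlyUserFlowWM"
    "/oauth2/v2.0/authorize?scope=openid+offline_access&response_type=code"
    "&client_id=4829629c-4ae8-42a5-9def-bd28fbfd6992&response_mode=form_post"
    "&domain_hint=google.com"
    "&redirect_uri=https%3A%2F%2F%7Btenant_id%7D.ciamlogin.com%2F%7Btenant_id%7D"
    "%2Ffederation%2Foauth2iefpassthrough"
)

# Constructed sample: the form_post body carrying the real error from the thread.
ERROR_FORM_BODY = (
    "error=redirect_uri_mismatch"
    "&error_description=AADB2C90006%3A+The+redirect+URI+"
    "%27https%3A%2F%2F%7Btenant_id%7D.ciamlogin.com%2F%7Btenant_id%7D"
    "%2Ffederation%2Foauth2iefpassthrough%27"
    "+provided+in+the+request+is+not+registered+for+the+client+id+"
    "%274829629c-4ae8-42a5-9def-bd28fbfd6992%27."
)

# Hypothetical placeholder: the client id of the app registration you actually own.
MY_APP_CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def parse_authorize_request(url: str) -> dict:
    """Return the authorize request's query parameters as a flat dict (first value each)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def parse_error_body(body: str) -> dict:
    """Return the error / error_description fields of a form_post error response."""
    fields = {key: values[0] for key, values in parse_qs(body, keep_blank_values=True).items()}
    return {"error": fields.get("error"), "error_description": fields.get("error_description")}


def aadb2c_code(description: Optional[str]) -> Optional[str]:
    """Extract the AADB2C9xxxx code that prefixes the description, if present."""
    if description and description.startswith("AADB2C") and ":" in description:
        return description.split(":", 1)[0]
    return None


def diagnose(url: str, body: str, my_client_id: str) -> dict:
    """Correlate the request with the error so the root cause is visible at a glance."""
    request = parse_authorize_request(url)
    error = parse_error_body(body)
    return {
        "error": error["error"],
        "code": aadb2c_code(error["error_description"]),
        "client_id": request.get("client_id"),
        "redirect_uri": request.get("redirect_uri"),
        "domain_hint": request.get("domain_hint"),
        # False here means the registration that rejected the redirect URI is not
        # one you can edit in your own tenant, so adjusting your app will not help.
        "client_id_is_mine": request.get("client_id") == my_client_id,
    }


if __name__ == "__main__":
    for key, value in diagnose(AUTHORIZE_URL, ERROR_FORM_BODY, MY_APP_CLIENT_ID).items():
        print(f"{key:18} {value}")
```

Run it against your own HAR or proxy capture by swapping in the captured URL and body; the `client_id_is_mine` flag is the quick way to tell a misconfigured redirect URI on your registration from a failure inside a registration you do not control.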