Couldn't register application in Azure Active Directory from HCI Admin Center

SAKTHIMURUGAN ARUMUGAM 66 Reputation points
2021-10-05T17:10:51.21+00:00

Hello,

We are trying to register to Azure from Admin Center (registration of the HCI cluster is completed and we can view it in the Azure portal), following https://learn.microsoft.com/en-us/azure-stack/hci/manage/register-windows-admin-center, and are on step 4, to create a new application registration. When we click the 'Connect' option, we get the error below:

"
Notification details
Error
Couldn't register application in Azure Active Directory

Message
Couldn't register application 'WindowsAdminCenter-https://localhost:6516' in Azure Active Directory. Error: Response status code does not indicate success: 400 (BadRequest)."

Also, the browser settings are updated to allow popup windows and the trusted URLs have been added (https://login.microsoftonline.com, https://login.live.com and https://localhost:6516).

Also, on the Azure portal, my ID has (GlobalAdmin, Application Admin and Cloud) admin credentials.

Also, please let us know if we are missing any permission and what the correct steps to follow are. I'm running the Admin Center on the MGMT01 node as documented in the doc.

Can you help us?

Azure Stack HCI

8 answers

  1. kumar kaushal 176 Reputation points
    2021-10-10T22:14:04.94+00:00

    My issue has been fixed. The steps that I followed to resolve the issue are below:

    1) First I went to Azure Active Directory and created a new App registration named Windows Admin Center.
    2) Then I followed the steps illustrated in the below article:

    https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-integration

    "The Azure AD app created is used for all points of Azure integration in Windows Admin Center, including Azure AD authentication to the gateway. Windows Admin Center automatically configures the permissions needed to create and manage Azure resources on your behalf:

    Azure Active Directory Graph
        Directory.AccessAsUser.All
        User.Read
    Azure Service Management
        user_impersonation

    Manual Azure AD app configuration

    If you wish to configure an Azure AD app manually, rather than using the Azure AD app created automatically by Windows Admin Center during the gateway registration process, you must do the following.

    Grant the Azure AD app the required API permissions listed above. You can do so by navigating to your Azure AD app in the Azure portal. Go to the Azure portal > Azure Active Directory > App registrations > select your Azure AD app you wish to use. Then go to the API permissions tab and add the API permissions listed above.

    Add the Windows Admin Center gateway URL to the reply URLs (also known as the redirect URIs). Navigate to your Azure AD app, then go to Manifest. Find the "replyUrlsWithType" key in the manifest. Within the key, add an object containing two keys: "url" and "type". The "url" key should have a value of the Windows Admin Center gateway URL, appending a wildcard at the end. The "type" key should have a value of "Web". For example:

    "replyUrlsWithType": [
        {
            "url": "http://localhost:6516/*",
            "type": "Web"
        }
    ],

    After that I made sure that "oauth2AllowImplicitFlow": true, and that the ID tokens checkbox is enabled.

    1 person found this answer helpful.
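
Added example, not part of the answer above or of Microsoft's documentation: a Python check that reads an exported app manifest and reports which of the settings listed in the answer are missing. The function names, the sample manifest and the mapping of the "ID tokens" checkbox to `oauth2AllowIdTokenImplicitFlow` are assumptions of this example; the URL comparison includes the scheme, so an `http://` reply URL does not count as a match for an `https://` gateway.

```python
import json
from urllib.parse import urlsplit

# Resource application IDs of the two APIs named in the quoted documentation.
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"
AZURE_SERVICE_MGMT = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

def origin(url):
    """Return (scheme, host, port) so scheme and port mismatches are caught."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def check_manifest(manifest, gateway_url):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    web_urls = [r.get("url", "") for r in manifest.get("replyUrlsWithType", [])
                if r.get("type") == "Web"]
    matching = [u for u in web_urls if origin(u) == origin(gateway_url)]
    if not matching:
        findings.append(f"no Web reply URL for gateway {gateway_url}")
    elif not any(urlsplit(u).path == "/*" for u in matching):
        findings.append("gateway reply URL lacks the trailing /* wildcard")
    for flag in ("oauth2AllowImplicitFlow", "oauth2AllowIdTokenImplicitFlow"):
        if manifest.get(flag) is not True:
            findings.append(f"{flag} is not true")
    present = {r.get("resourceAppId")
               for r in manifest.get("requiredResourceAccess", [])}
    for name, app_id in (("Azure Active Directory Graph", AAD_GRAPH),
                         ("Azure Service Management", AZURE_SERVICE_MGMT)):
        if app_id not in present:
            findings.append(f"no permissions requested for {name}")
    return findings

# Constructed sample manifest, trimmed to the keys checked above.
SAMPLE = json.loads("""
{
  "oauth2AllowImplicitFlow": true,
  "oauth2AllowIdTokenImplicitFlow": false,
  "replyUrlsWithType": [{"url": "http://localhost:6516/*", "type": "Web"}],
  "requiredResourceAccess": [
    {"resourceAppId": "00000002-0000-0000-c000-000000000000", "resourceAccess": []}
  ]
}
""")

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE, "https://localhost:6516"):
        print("FINDING:", finding)
```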

  2. Trent Helms - MSFT 2,541 Reputation points Microsoft Employee
    2021-10-05T18:23:37.1+00:00

    Hi @SAKTHIMURUGAN ARUMUGAM ,

    Do you have a firewall or proxy between Windows Admin Center and the Internet? I have seen the outbound connection attempts get blocked by these types of devices to cause this issue. If so, you may need to configure the proxy within Windows Admin Center or configure the firewall/proxy with certain URLs bypassed. More information on these can be found here - https://learn.microsoft.com/en-us/azure-stack/hci/manage/configure-firewalls

    Hope this helps!
    Trent


  3. SAKTHIMURUGAN ARUMUGAM 66 Reputation points
    2021-10-06T09:45:42.52+00:00

    We are trying to set up HCI in the Azure nested virtualization model (created a Windows 2019 VM, installed Hyper-V, and created 4 node VMs for the HCI deployment). Installed WAC on the management node (MGMT01) and trying to register with Azure. We did turn off the firewall on the MGMT (management node) and HCIHost machines. Still the same problem.

    Please refer to the attached errors.

    Also, we don't have any proxy in this setup as it's all running in the Azure infra. Also, can you please help with where (on which node) I should apply the instructions mentioned at https://learn.microsoft.com/en-us/azure-stack/hci/manage/configure-firewalls
    [Attachments: 138058-wac-azure-registrationerror.png, 138059-wac-azure-registration.png]


  4. Trent Helms - MSFT 2,541 Reputation points Microsoft Employee
    2021-10-06T13:07:45.703+00:00

    Hi @SAKTHIMURUGAN ARUMUGAM ,

    The first thing that comes to mind is ensuring the application has the right permissions. As a global admin, WAC should be able to do this for you automatically, but you could try manually configuring the application first, then selecting 'Use existing' from the above screen instead of 'Create new'. The permissions and steps for manually configuring the app can be found here - https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-integration.

    I see that you have opened a support case with this question as well. If the above doesn't work, our support team will be glad to help dig into this error further with you.

    Hope this helps!
    Trent


  5. MattMcSpirit-MSFT 561 Reputation points
    2021-10-06T15:00:02.207+00:00

    Also, can you confirm that MGMT01 can actively connect to the internet? With the Azure Eval Guide, there shouldn't be any internet connectivity/proxy issues, and assuming your AAD user has all the necessary permissions, you should be good to proceed.

