Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License

Issue setting up auth functionality manually #1453

Open codevladdo opened 5 months ago

codevladdo commented 5 months ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Any log messages given by the failure

SUCCESS: Your application was packaged for Azure in 18 seconds.
Checking if authentication should be setup...
Loading azd .env file from current environment...
AZURE_USE_AUTHENTICATION is set, proceeding with authentication setup...
Creating Python virtual environment "scripts/.venv"...
Installing dependencies from "requirements.txt" into virtual environment (in quiet mode)...
Setting up authentication...
Checking if application 48427c9d-99a........... exists
Application already exists, not creating new one
Traceback (most recent call last):
  File "/workspaces/azure-search-openai-demo/./scripts/auth_init.py", line 209, in <module>
    asyncio.run(main())
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/workspaces/azure-search-openai-demo/./scripts/auth_init.py", line 184, in main
    server_object_id, server_appid, = await create_or_update_application_with_secret(
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/workspaces/azure-search-openai-demo/./scripts/auth_init.py", line 64, in create_or_update_application_with_secret
    await update_application(auth_headers, object_id, app_payload)
  File "/workspaces/azure-search-openai-demo/scripts/auth_common.py", line 32, in update_application
    raise Exception(response_json)
Exception: {'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'date': '2024-03-20T21:42:30', 'request-id': '45d0a377..............', 'client-request-id': '45d0a...............'}}}

ERROR: failed running pre hooks: 'preprovision' hook failed with exit code: '1', Path: './scripts/auth_init.sh'. : exit code: 1

ERROR: error executing step command 'provision': failed running pre hooks: 'preprovision' hook failed with exit code: '1', Path: './scripts/auth_init.sh'. : exit code: 1

Expected/desired behavior

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

azd version?

run azd version and copy paste here.

Versions

Mention any other details that might be useful

I'm trying to set up the auth functionality, but don't have access / permissions to Azure AD for my organization. I had somebody with permissions configure the two apps as outlined in the loginAndAclSetup.md file. I then set the environment variables with the app IDs on my end but get the error outlined above.

Any thoughts what might be causing this /how to solve?

Thanks in advance!


Thanks! We'll be in touch soon.

TaylorN15 commented 5 months ago

> Exception: {'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'date': '2024-03-20T21:42:30', 'request-id': '45d0a377..............', 'client-request-id': '45d0a...............'}}}

It seems you don't have the permissions required to create the App Registration and Service Principal required for the authentication setup.

codevladdo commented 5 months ago

Yep - I see the permission error, I guess I'm wondering what is the minimum permission I'd need to get this working. Can these apps be set up by an administrator manually?

TaylorN15 commented 5 months ago

> Yep - I see the permission error, I guess I'm wondering what is the minimum permission I'd need to get this working. Can these apps be set up by an administrator manually?

Yes, there are instructions here.

As for permissions required, you will require an Entra role, like Application Administrator.

codevladdo commented 5 months ago

Thanks, just wanted to make sure: Is there a way to create the apps separately by an administrator and run the authentication functionality on my script? I can't have Application Administrator for my organization, what would be the workaround?

TaylorN15 commented 5 months ago

> Thanks, just wanted to make sure: Is there a way to create the apps separately by an administrator and run the authentication functionality on my script? I can't have Application Administrator for my organization, what would be the workaround?

Not easily. You would have to make some code changes in both the front and back end. If you can’t get the application registration created then perhaps you could continue without the authentication component?

Just to clarify, you don't need Application Administrator etc. Someone else can create the applications and service principals and just provide the client IDs and secrets to you.

codevladdo commented 5 months ago

Yep - that's what they did and I was running into the above error. Took a slightly different approach:

Set up authentication with my administrator by going to the App Service, and having them create the app via that wizard. That effectively added a login page for the application. However, does this mean that the blob storage resource is also secure? I'm taking a look at it, it says it is accessible through public domain. Any thoughts here would be helpful. Sorry if this is a noob question.

TaylorN15 commented 5 months ago

By default the storage account is public, as in accessible to the internet. But it still requires a key or SAS to access the blobs.

Unfortunately, this really isn’t the place to get technical support, sorry.
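The distinction TaylorN15 draws above (reachable from the internet versus readable without a key or SAS) can be checked from the storage account's exported configuration rather than guessed from the "public" label in the portal. The following is an added example, not code from the azure-search-openai-demo repository: it evaluates the ARM properties `allowBlobPublicAccess`, `networkAcls.defaultAction` and each container's `publicAccess` (real property names on `Microsoft.Storage/storageAccounts` and its `blobServices/containers` child resources) and reports which of three exposure levels the account is in. The account and container JSON embedded below is constructed for the demonstration; in practice you would feed it the output of `az storage account show` and the container list.

```python
"""Classify blob exposure of a storage account from its ARM properties.

Added example for the thread above; not part of the sample project.
Runs offline on the constructed JSON at the bottom of the file.
"""
from typing import Dict, List

# Exposure levels, from least to most exposed.
NETWORK_RESTRICTED = "network-restricted"          # default network rule is Deny
AUTH_REQUIRED = "internet-reachable-auth-required"  # reachable, but key/SAS/RBAC needed
ANONYMOUS_READABLE = "anonymous-readable"           # at least one container readable with no credential


def blob_exposure(account: Dict, containers: List[Dict]) -> Dict:
    """Return {'level': ..., 'anonymous_containers': [...]} for one storage account.

    account:    dict shaped like the Microsoft.Storage/storageAccounts resource
    containers: list of dicts shaped like blobServices/containers resources
    """
    props = account.get("properties", {})
    # Account-level switch. Older accounts defaulted this to true, so a missing
    # value is treated conservatively as "anonymous access could be enabled".
    anon_switch = bool(props.get("allowBlobPublicAccess", True))
    default_action = props.get("networkAcls", {}).get("defaultAction", "Allow")
    network_open = str(default_action).lower() == "allow"

    # A container is anonymously readable only when the account switch is on
    # AND the container's own publicAccess is Blob or Container (not None/null).
    anonymous = []
    for c in containers:
        level = c.get("properties", {}).get("publicAccess")
        if anon_switch and level is not None and str(level).lower() != "none":
            anonymous.append(c["name"])

    if not network_open:
        level = NETWORK_RESTRICTED
    elif anonymous:
        level = ANONYMOUS_READABLE
    else:
        level = AUTH_REQUIRED
    return {"level": level, "anonymous_containers": sorted(anonymous)}


# --- constructed sample input (not real resources) -------------------------
SAMPLE_ACCOUNT = {
    "name": "stexample",  # constructed name
    "properties": {
        "allowBlobPublicAccess": True,
        "networkAcls": {"defaultAction": "Allow"},
    },
}
SAMPLE_CONTAINERS = [
    {"name": "content", "properties": {"publicAccess": "Blob"}},
    {"name": "private", "properties": {"publicAccess": "None"}},
]


def hardened(account: Dict) -> Dict:
    """Return a copy of the account with the anonymous-access switch turned off,
    which is the single change that moves the sample above out of the
    anonymous-readable level regardless of per-container settings."""
    fixed = {**account, "properties": {**account.get("properties", {})}}
    fixed["properties"]["allowBlobPublicAccess"] = False
    return fixed


if __name__ == "__main__":
    print("as configured:", blob_exposure(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS))
    print("after fix:    ", blob_exposure(hardened(SAMPLE_ACCOUNT), SAMPLE_CONTAINERS))
```

The point of the three levels is that "accessible through public domain" in the portal corresponds to `internet-reachable-auth-required`, which is what the reply above describes; only the `anonymous-readable` level means blobs can be fetched without a key, SAS or RBAC grant, and `allowBlobPublicAccess: false` at the account level closes that regardless of how individual containers are set.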