microsoft / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License

Posting back response to bot - Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. #6759

Open brijshah2709 opened 4 months ago

brijshah2709 commented 4 months ago

Github issues should be used for bugs and feature requests. Use Stack Overflow for general "how-to" questions.

Version

4.21.0

Describe the bug

When the bot is created with single-tenant config and a call is made to the following:

```csharp
// ssoConnectionName and cancellationToken come from the bot's configuration and the current turn.
var userTokenClient = turnContext.TurnState.Get<UserTokenClient>();
var signInResource = await userTokenClient.GetSignInResourceAsync(
    ssoConnectionName,
    turnContext.Activity as Activity,
    finalRedirect: null,
    cancellationToken).ConfigureAwait(false);
```

It throws the error: Failed to acquire token for client credentials. (AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 4d3115e2-773f-413d-ac57-9a69025d2e00 Correlation ID: 37810be3-b3dd-4f6a-9e87-5bab1e14d910 Timestamp: 2024-03-07 23:05:36Z)

To Reproduce

Create a bot with single-tenant config.

Make a call to GetSignInResourceAsync with an SSO connection and test this call on an external tenant, not on the same tenant where the bot is registered. The AAD app backed by the bot is also AzureADMyOrg.

Expected behavior

Should return a sign-in link.

Screenshots

Exception added above.

Additional context

The bot is created in the MSFT tenant and I am trying to test it on an external test tenant.
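As an added example (not code from this issue or from the SDK), here is one way to wrap the GetSignInResourceAsync call above so that a Conditional Access block is logged with the identifiers a tenant admin needs to find it in the AAD sign-in logs, instead of failing the whole turn; it assumes the bot already has an ILogger and its connection name, and the regex relies on the error text format quoted in this issue.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Connector.Authentication;
using Microsoft.Bot.Schema;
using Microsoft.Extensions.Logging;

// Added example helper (hypothetical name), not part of the Bot Framework SDK.
public static class SignInResourceHelper
{
    // Field layout as quoted in the issue text:
    // "AADSTS53003: ... Trace ID: <guid> Correlation ID: <guid> Timestamp: 2024-03-07 23:05:36Z"
    private static readonly Regex AadError = new Regex(
        @"(?<code>AADSTS\d+):.*?Trace ID:\s*(?<trace>[0-9a-f-]{36}).*?Correlation ID:\s*(?<corr>[0-9a-f-]{36}).*?Timestamp:\s*(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\dZ)",
        RegexOptions.Singleline | RegexOptions.IgnoreCase);

    // Returns the sign-in resource, or null when token issuance was blocked by Conditional Access.
    public static async Task<SignInResource> TryGetSignInResourceAsync(
        ITurnContext turnContext, string connectionName, ILogger logger, CancellationToken cancellationToken)
    {
        var userTokenClient = turnContext.TurnState.Get<UserTokenClient>();
        try
        {
            return await userTokenClient.GetSignInResourceAsync(
                connectionName, turnContext.Activity, finalRedirect: null, cancellationToken)
                .ConfigureAwait(false);
        }
        catch (Exception ex) when (ex.ToString().Contains("AADSTS53003"))
        {
            // ToString() includes inner exceptions, so the AAD text is found even when MSAL wraps it;
            // if the fields cannot be parsed the groups are empty and the raw exception is still logged.
            var m = AadError.Match(ex.ToString());
            logger.LogWarning(ex,
                "Token issuance blocked by Conditional Access. Code={Code} TraceId={Trace} CorrelationId={Corr} Timestamp={Ts} Tenant={Tenant}",
                m.Groups["code"].Value, m.Groups["trace"].Value, m.Groups["corr"].Value, m.Groups["ts"].Value,
                turnContext.Activity.Conversation?.TenantId);
            await turnContext.SendActivityAsync(
                MessageFactory.Text("Sign-in is currently blocked by your organization's access policy. Please contact your administrator."),
                cancellationToken).ConfigureAwait(false);
            return null;
        }
    }
}
```

The logged Trace ID and Correlation ID are what the tenant's administrator needs to locate the blocking policy in the sign-in logs of the tenant that refused the token.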

brijshah2709 commented 3 months ago

Cannot repro anymore; maybe it was a delay from the multi-tenant to single-tenant migration.

brijshah2709 commented 3 months ago

@ceciliaavila we are seeing this issue again. It is intermittent, but now it is happening on various flows when the service tries to post back a response to the bot.

From latest repro:

(AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: efe17f44-1a9c-487f-9db5-d906af054800 Correlation ID: c5de5c5f-1a54-4338-974b-c8cb9bd91133 Timestamp: 2024-03-19 00:50:09Z)

This happens on just the happy-path scenarios like ME search, LU and @mention commands. [Updated the title to reflect the same.]

sw-joelmut commented 2 months ago

Hi @brijshah2709,

We investigated this issue and found that it is related to how AAD has the Conditional Access policies configured. We found the following information that could be helpful for this case:

Additionally, we tried reproducing the issue using two different tenants, but we couldn't reproduce the error: both the Bot and the UserTokenClient.GetSignInResourceAsync method worked fine, with the Bot responding to messages and the method returning the URL with the sign-in code.

brijshah2709 commented 1 month ago

@sw-joelmut thank you for your response. I understand the issue is from CA, but how can I use claims from CA to populate the user to go through the auth challenge for successful token acquisition? This is coming from common bot SSO code, which is required to trigger SSO on the initial flow.