microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

Moodle 4.1: Verify Setup failed (Could not check reply url) #2334

Open AntonT76 opened 1 year ago

AntonT76 commented 1 year ago

Hello, we did an update from Moodle 3.9 to Moodle 4.1 and also to the latest o365-Plugin Set (local_o365, 4.1.1 (2022112805)). After the update we changed Authorization Endpoint and Token Endpoint

from https://login.microsoftonline.com/your_tenant_id/oauth2/authorize https://login.microsoftonline.com/your_tenant_id/oauth2/token

to https://login.microsoftonline.com/oauth2/authorize https://login.microsoftonline.com/oauth2/token (Probably the change of the links is not absolutely necessary)

This step requires Admin Consent, which was done successfully. But after doing step 3/3 (Verify Setup: Update Azure-AD Setup) we got the following error message: "Could not check reply url."

We did the following steps which are described in https://github.com/microsoft/o365-moodle/issues/1092

DELETE FROM mdl_config_plugins WHERE plugin = 'local_o365' AND name IN ('apptokens', 'systemtokens');
DELETE FROM mdl_config_plugins WHERE plugin = 'local_o365' AND name = 'azuresetupresult';

and a new Admin Consent, but the error message still exists. We do not have any problems with login of users or user synchronisation. But the error message is confusing. The problem still exists only on one Moodle platform. On other platforms (same version) the problem doesn't exist - but on these platforms we didn't change the endpoint links.

Maybe it is related to the change of the link?

br Anton

AntonT76 commented 1 year ago

One more addition: today we got following E-Mail from our Moodle:

"Action required: invalid Azure app secret found The Azure app secret used in your Moodle and Microsoft 365 integration seems to be invalid. This can either be caused by the secret expired, or it has been deleted. Please review the secret to ensure the integration works as expected."

The login is possible, health check is ok and user sync is ok. br, Anton

weilai-irl commented 1 year ago

Hi @AntonT76

Could you verify the endpoints please. Normally the endpoints are in the form of https://login.microsoftonline.com/[common|GUID of tenant|name of tenant]/oauth2/[authorize|token]. The values you provided don't seem right to me.

Regards, Lai

AntonT76 commented 1 year ago

Hi @weilai-irl

I have checked the endpoints and they do not contain the GUID of tenant. I will change the endpoint links and give you feedback.

br, Anton

AntonT76 commented 1 year ago

Hi @weilai-irl

I have changed the endpoints and did a new "Provide Admin Consent". Login is possible but I still get the email I already described above.

Should I delete the entries in mdl_config_plugins again?

DELETE FROM mdl_config_plugins WHERE plugin = 'local_o365' AND name IN ('apptokens', 'systemtokens');
DELETE FROM mdl_config_plugins WHERE plugin = 'local_o365' AND name = 'azuresetupresult';

Or do you have another idea?

thanks, br, Anton

weilai-irl commented 1 year ago

Hi @AntonT76

The email is triggered from a new scheduled task "Notify site admin about Azure app secret expiry" (\local_o365\task\notifysecretexpiry). By default it runs once daily at 3am; it tries to get the expiry date of the secret of the Azure app used for the integration, and notifies the site admin if it has already expired, or is due to expire within 4 weeks. The notification that you received was about an already expired secret, rather than an expiring one.

The notification is sent out in the following cases:

Could you paste the output of a task run please, as it may contain hints on where exactly the notification was triggered.

Regards, Lai

AntonT76 commented 1 year ago

Dear @weilai-irl

attached you can find the log file of the running task:

Execute scheduled task: Notify site admin about Azure app secret expiry (local_o365\task\notifysecretexpiry)
... started 03:00:06. Current memory use 26.2 MB.
Failed to get secrets
... used 10 dbqueries
... used 1.5067789554596 seconds
Scheduled task complete: Notify site admin about Azure app secret expiry (local_o365\task\notifysecretexpiry)

Regarding the expiry date of our secrets: the key was generated a few years ago. I think at that time, there were no such short expiry dates as there are now. Our secret therefore does not expire until the year 2299.

best regards, Anton

weilai-irl commented 3 months ago

Hi @AntonT76

Sorry for the long delay in reply.

The message "Failed to get secrets" suggests the Graph API call that tried to get the information about the secrets didn't get the expected response. Assuming the application token is still valid, e.g. all other integrations are working, this is likely related to a missing permission. The Graph API used in this feature is https://learn.microsoft.com/en-us/graph/api/application-list?view=graph-rest-beta&tabs=http, and the application permissions required are any of the following: Application.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All

Please check the permissions of the Azure app and confirm if the app has any of these, and admin consent has been given.

Regards, Lai
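To make the two points in Lai's replies concrete (the permission check behind "Failed to get secrets", and the "expired or expiring within 4 weeks" rule of the notifysecretexpiry task), here is an added diagnostic example. It is not code from the o365-moodle plugin, and it is written in Python rather than the plugin's PHP. It assumes you already hold an app-only Graph access token for the integration and a response from the applications list endpoint Lai links; both are replaced here by constructed samples, and the token's claims are only parsed, not verified.

```python
"""Diagnostics for the two failure modes discussed in the thread.

1. Does the app-only token carry one of the application permissions that
   GET /applications accepts?  (Constructed sample tokens below.)
2. Apply the task's 'expired or expiring within 4 weeks' rule to the
   passwordCredentials of a (constructed) applications-list response.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

# Application permissions named in the thread as sufficient for GET /applications.
REQUIRED_APP_PERMISSIONS = {
    "Application.Read.All",
    "Application.ReadWrite.OwnedBy",
    "Application.ReadWrite.All",
    "Directory.Read.All",
}

# Warning window used by the scheduled task, as described in the thread.
WARN_WINDOW = timedelta(weeks=4)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url (used only to build sample tokens)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(jwt: str) -> set:
    """Return the 'roles' claim of an app-only token.

    The payload is parsed only to inspect claims; the signature is NOT checked,
    so this diagnoses a token you already hold rather than authenticating one.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def has_required_permission(jwt: str) -> bool:
    """True if the token carries at least one sufficient application permission."""
    return bool(token_roles(jwt) & REQUIRED_APP_PERMISSIONS)


def parse_graph_datetime(value: str) -> datetime:
    """Parse Graph's UTC timestamps; fractional seconds (up to 7 digits) are dropped."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify_secrets(applications: list, now: datetime) -> dict:
    """Map each secret's keyId to 'expired', 'expiring' (within 4 weeks) or 'ok'."""
    result = {}
    for app in applications:
        for cred in app.get("passwordCredentials", []):
            end = parse_graph_datetime(cred["endDateTime"])
            if end <= now:
                status = "expired"
            elif end - now <= WARN_WINDOW:
                status = "expiring"
            else:
                status = "ok"
            result[cred["keyId"]] = status
    return result


def _sample_token(roles: list) -> str:
    """Build an unsigned, constructed token with the given roles claim."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": "https://graph.microsoft.com", "roles": roles}).encode())
    return f"{header}.{payload}.constructed-signature"


# Constructed samples: one token with a sufficient permission, one with only a
# permission that lets user sync work but not the applications list.
SAMPLE_TOKEN_OK = _sample_token(["Application.Read.All"])
SAMPLE_TOKEN_MISSING = _sample_token(["User.Read.All"])

# Constructed stand-in for the passwordCredentials part of a GET /applications response.
SAMPLE_APPLICATIONS = [
    {
        "displayName": "moodle-integration (constructed)",
        "passwordCredentials": [
            {"keyId": "long-lived", "endDateTime": "2299-12-31T23:59:59.0000000Z"},
            {"keyId": "expiring-soon", "endDateTime": "2024-06-20T00:00:00Z"},
            {"keyId": "already-expired", "endDateTime": "2024-05-01T00:00:00Z"},
        ],
    }
]
SAMPLE_NOW = datetime(2024, 6, 1, 3, 0, tzinfo=timezone.utc)  # the task's 3am run

if __name__ == "__main__":
    print("token ok:", has_required_permission(SAMPLE_TOKEN_OK))
    print("token missing:", has_required_permission(SAMPLE_TOKEN_MISSING))
    print(classify_secrets(SAMPLE_APPLICATIONS, SAMPLE_NOW))
```

If the token's roles claim contains none of the four permissions, the applications call fails regardless of how many times admin consent is re-granted; consent only covers permissions that are actually assigned to the app registration. The long-lived 2299 secret from the thread classifies as "ok", so a notification for such a secret points at the call failing, not at the secret itself.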

AntonT76 commented 3 months ago

Hi @weilai-irl , thank you for your hint. We have checked the settings, all permissions were set correctly. We also ran "Provide Admin Consent" again. However, the error message still remains.

br, Anton

weilai-irl commented 1 week ago

Hi @AntonT76

Sorry for not getting back to you sooner. We just had the busiest season ever in the last while.

I suppose the only way to resolve this would be to have a quick call, as I can't think of any other reason why this would happen. Please find my email in my profile and email me privately to arrange a call.

Regards, Lai