On Thursday 27 June, I started to see errors with the Graph SDK in a number of our web apps where it was throwing a Microsoft.Graph.AGS.Contracts.ClaimsChallengeRequiredException error. No changes were made to either application, so this was an error that started Thursday morning.
The web apps were using a client credential flow with a single tenant application registration. I could replicate the issue across a number of subscriptions in the same tenant, but not in another tenant where the web apps continued to work using a client credential flow.
There have not been any internal network or conditional access policy changes, and I could not see anything in the logs. I raised a ticket with Microsoft, who confirmed that they couldn't see anything either.
I'm using Node v16.16.0 and microsoft-graph-client v3.0.4 (also tested v3.0.7, got the same error). To mitigate this, I expedited an internal roadmap item and moved them from client credential to managed identity which fixed the issue.
However, I have discovered a fix for what appears to be a Graph CAE issue with the client credential flow which can be traced to this query from a couple years ago (https://github.com/Azure/azure-cli/issues/24684) and involved adding the following AZURE_IDENTITY_DISABLE_CP1=1 environment variable to the settings in the Web App service. When I did this, the web app sprang back into life again.
I'm hoping someone can advise on a couple queries please:
Why did I only start seeing this on Thursday when this issue seemingly has been around for a couple years?
Will it likely affect the managed identity flow in the same way?
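For diagnosing the error described in the post, the following added example (not part of the original post or of any Microsoft SDK) decodes a CAE claims challenge from a 401 response header so you can log what the service is asking for. It assumes the response behind the exception carries the `WWW-Authenticate` claims challenge format Microsoft documents for CAE (`error="insufficient_claims"` with a base64-encoded `claims` value); the function names and the sample header are constructed for illustration.

```javascript
// Added example: decode a CAE claims challenge from a WWW-Authenticate header.
// parseClaimsChallenge and describeChallenge are hypothetical helper names.

// Returns { error, authorizationUri, claims } or null when no claims challenge is present.
function parseClaimsChallenge(wwwAuthenticate) {
  if (typeof wwwAuthenticate !== "string" || !/^\s*Bearer\b/i.test(wwwAuthenticate)) {
    return null;
  }
  // Collect key="value" auth-params (realm, authorization_uri, error, claims).
  const params = {};
  for (const [, key, value] of wwwAuthenticate.matchAll(/([A-Za-z_]+)\s*=\s*"([^"]*)"/g)) {
    params[key.toLowerCase()] = value;
  }
  if (params.error !== "insufficient_claims" || !params.claims) {
    return null;
  }
  try {
    // Buffer decodes base64 and base64url, with or without padding.
    const claims = JSON.parse(Buffer.from(params.claims, "base64").toString("utf8"));
    return { error: params.error, authorizationUri: params.authorization_uri || null, claims };
  } catch {
    return null; // claims value was not valid base64-encoded JSON
  }
}

// One-line summary suitable for an application log.
function describeChallenge(header) {
  const challenge = parseClaimsChallenge(header);
  if (!challenge) return "no claims challenge";
  const nbf = challenge.claims.access_token && challenge.claims.access_token.nbf;
  return nbf
    ? `requested nbf: ${new Date(Number(nbf.value) * 1000).toISOString()}`
    : `claims challenge: ${JSON.stringify(challenge.claims)}`;
}

// Constructed sample header (not captured from a real tenant).
const sampleClaims = { access_token: { nbf: { essential: true, value: "1719446400" } } };
const sampleHeader =
  'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", ' +
  `error="insufficient_claims", claims="${Buffer.from(JSON.stringify(sampleClaims)).toString("base64")}"`;

console.log(describeChallenge(sampleHeader));
```

Logging this summary next to the failing Graph call records whether a failure was a claims challenge or an ordinary authorization error.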