FusionAuth

User Account Not Linked to IDP

Q&A
    thomas.wojeck
    last edited by 5 Mar 2024, 20:34

    Hello,

    My application uses the API to create user accounts and link the account to the registered IDP. I've noticed an issue where I have user accounts being created properly in FusionAuth, but the account is not being linked to the Active Directory account. When the user tries logging on, they get an error from Microsoft stating that the user needs admin approval.

    Do you know what this means? Is there a step we have to do at the Azure AD level?

    Thanks,

    Tom Wojeck

      dan @thomas.wojeck
      last edited by 5 Mar 2024, 22:00

      @thomas-wojeck When using the API to create an account and a link, the linking in FusionAuth only occurs within FusionAuth, not within the remote Azure AD.

      The easiest way to have the Azure AD account set up correctly is to use an OIDC identity provider and have the user log in to Azure AD first, and then have an account created in FusionAuth.

      If that won't work, then you need to make sure that the link data in FusionAuth matches the account data in Azure AD, including the identityProviderUserId and the token (as documented here: https://fusionauth.io/docs/apis/identity-providers/links#request ). I think that will work, but you'd need to test it.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

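The reply above makes a point that is easy to get wrong when creating links through the API: FusionAuth records the link locally, so the `identityProviderUserId` you send has to be exactly the value the OIDC identity provider will later present for that user, otherwise the login will not resolve to the linked account. The following Python is an added example, not FusionAuth's own code or anything posted in this thread. It builds a Link API request in the documented shape (`identityProviderLink` with `identityProviderId`, `identityProviderUserId`, `userId` and an optional `token`) and checks a proposed link against the claims of a constructed Azure AD id_token before anything is sent. It assumes the identity provider is configured to use the `sub` claim as its unique id (FusionAuth's default for OIDC providers); if your provider is set to a different claim, pass that name instead.

```python
import json
import urllib.request

# Constructed sample: decoded claims of an Azure AD id_token as the OIDC
# identity provider would present them after login. All values are made up.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "sub": "EXAMPLE-SUB-aBcDeFgHiJkLmNoPqRsTuVwXyZ",
    "oid": "11111111-2222-3333-4444-555555555555",
    "email": "tom@example.com",
    "name": "Tom Wojeck",
}


def identity_provider_user_id(claims, unique_id_claim="sub"):
    """Value FusionAuth will compare against identityProviderUserId at login.

    Assumption: the OIDC identity provider uses `sub` as its unique id claim,
    which is the FusionAuth default. Raises if the claim is absent so a
    misconfigured provider fails loudly instead of producing an empty link.
    """
    value = claims.get(unique_id_claim)
    if not value:
        raise ValueError(f"id_token has no '{unique_id_claim}' claim")
    return value


def build_link_body(identity_provider_id, user_id, claims,
                    raw_token=None, unique_id_claim="sub"):
    """Request body for POST /api/identity-provider/link.

    Field names follow the Link API docs linked in the thread. `token` is the
    provider-issued token to store alongside the link; it is optional here.
    """
    link = {
        "identityProviderId": identity_provider_id,
        "identityProviderUserId": identity_provider_user_id(claims, unique_id_claim),
        "userId": user_id,
        "displayName": claims.get("name", ""),
    }
    if raw_token:
        link["token"] = raw_token
    return {"identityProviderLink": link}


def check_link_consistency(link_body, claims, unique_id_claim="sub"):
    """Return a list of problems that would leave the account unlinked.

    The typical mistake is keying the link on email or object id when the
    provider will present `sub`; such a link exists in FusionAuth but never
    matches at login time.
    """
    problems = []
    link = link_body.get("identityProviderLink", {})
    expected = claims.get(unique_id_claim)
    got = link.get("identityProviderUserId")
    if not got:
        problems.append("identityProviderUserId is missing")
    elif got != expected:
        problems.append(
            f"identityProviderUserId {got!r} does not match id_token "
            f"'{unique_id_claim}' claim {expected!r}")
    for field in ("identityProviderId", "userId"):
        if not link.get(field):
            problems.append(f"{field} is missing")
    return problems


def build_link_request(base_url, api_key, link_body):
    """Prepare (but do not send) the HTTP request for the Link API.

    base_url and api_key are placeholders supplied by the caller; the request
    is returned so it can be inspected or sent with urllib.request.urlopen.
    """
    data = json.dumps(link_body).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/identity-provider/link",
        data=data,
        method="POST",
        headers={"Authorization": api_key, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Placeholder ids; real values come from your FusionAuth tenant.
    body = build_link_body("IDP-ID-PLACEHOLDER", "USER-ID-PLACEHOLDER",
                           SAMPLE_ID_TOKEN_CLAIMS)
    print(check_link_consistency(body, SAMPLE_ID_TOKEN_CLAIMS))   # []
    bad = {"identityProviderLink": {**body["identityProviderLink"],
                                    "identityProviderUserId": "tom@example.com"}}
    print(check_link_consistency(bad, SAMPLE_ID_TOKEN_CLAIMS))    # one mismatch
    req = build_link_request("https://fusionauth.example.com", "API-KEY-PLACEHOLDER", body)
    print(req.full_url, req.get_method())
```

Run the consistency check against a decoded id_token captured from the same provider configuration before creating links in bulk; a mismatch report here explains the "account created but not linked" symptom without waiting for a user to hit the login error.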
        thomas.wojeck @dan
        last edited by 5 Mar 2024, 22:17

        @dan Thanks for your quick reply. Part of my confusion might be that I don't fully understand the sequence of events when the linking occurs. I can attest to this:

        • We are using Azure AD's OIDC identity provider.

        • The user in question already has an active AD account that they've logged into for years.

        • This process has worked in the past and now mysteriously doesn't work.

        I'm wondering if something has changed on the Azure side that is preventing communication between Azure AD and FA.

          dan @thomas.wojeck
          last edited by 6 Mar 2024, 20:34

          @thomas-wojeck

          Have you turned on the debug logs and looked in the event log? That's what I'd start doing to troubleshoot.

          More here: https://fusionauth.io/docs/operate/troubleshooting/troubleshooting#enabling-debugging

          --
          FusionAuth - Auth for devs, built by devs.
          https://fusionauth.io
