Posting back response to bot - Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. #6759
Comments
Cannot repro anymore; maybe it was a delay from the multi-tenant to single-tenant migration.
@ceciliaavila we are seeing this issue again. It is intermittent, but now it is happening on various flows when the service tries to post back a response to the bot. From the latest repro: (AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: efe17f44-1a9c-487f-9db5-d906af054800 Correlation ID: c5de5c5f-1a54-4338-974b-c8cb9bd91133 Timestamp: 2024-03-19 00:50:09Z) On just using happy-path scenarios like ME search, LU and @mentioned commands. [Updated title to reflect same]
Hi @brijshah2709, we investigated this issue and found that it is related to how the AAD Conditional Access policies are configured.
Additionally, we tried reproducing the issue using two different tenants, but we couldn't reproduce the error: both the Bot and the UserTokenClient.GetSignInResourceAsync method worked fine, the Bot responding to messages and the method returning the URL with the sign-in code.
@sw-joelmut thank you for your response. I understand the issue is from CA, but how can I use claims from CA to populate the user to go through the auth challenge for successful token acquisition? This is coming from the common bot SSO code which is required to trigger SSO on the initial flow.
This is old, but is this with Teams or on the MS Tenant?
@tracyboehrer yes, MSFT tenant.
Just when running locally, or on Azure?
@tracyboehrer just locally in VS.
This is specific to MS tenants. I have the same issue when using Single Tenant. Start your AzureVPN when running locally.
@tracyboehrer the same issue repros on the cloud service too; we have seen this flakiness in our production services too.
GitHub issues should be used for bugs and feature requests. Use Stack Overflow for general "how-to" questions.
Version
4.21.0
Describe the bug
When the bot is created with a single-tenant config and a call is made to the following
It throws the error: Failed to acquire token for client credentials. (AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 4d3115e2-773f-413d-ac57-9a69025d2e00 Correlation ID: 37810be3-b3dd-4f6a-9e87-5bab1e14d910 Timestamp: 2024-03-07 23:05:36Z)
To Reproduce
Create a bot with a single-tenant config.
Make a call to GetSignInResourceAsync with the SSO connection; test this call on an external tenant, not on the same tenant where the bot is registered. The AAD app backing the bot is also AzureADMyOrg.
Expected behavior
Should return the sign-in link.
Screenshots
Exception added above.
Additional context
The bot is created in the MSFT tenant and is being tested on an external test tenant.
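As an added example that is not part of this issue or of the Bot Framework SDK, the following hypothetical helper wraps the GetSignInResourceAsync call from the repro steps and, when it fails, pulls the AADSTS code, Trace ID and Correlation ID out of the exception text so the tenant admin can match the blocked request against the Conditional Access sign-in logs. The connection name, logger and the SignInResourceDiagnostics class are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Bot.Builder;
using Microsoft.Bot.Schema;
using Microsoft.Extensions.Logging;

// Hypothetical helper (not SDK code): wraps the call that fails in this report.
public static class SignInResourceDiagnostics
{
    // Matches the error format quoted in this issue:
    // "AADSTS53003: ... Trace ID: <guid> Correlation ID: <guid> ..."
    private static readonly Regex AadError = new Regex(
        @"(?<code>AADSTS\d+):.*?Trace ID:\s*(?<trace>[0-9a-fA-F-]+).*?Correlation ID:\s*(?<corr>[0-9a-fA-F-]+)",
        RegexOptions.Singleline);

    public static async Task<SignInResource> GetSignInResourceOrLogAsync(
        ITurnContext turnContext, string connectionName, ILogger logger, CancellationToken ct)
    {
        // The SDK places a UserTokenClient in TurnState for each turn.
        var tokenClient = turnContext.TurnState.Get<UserTokenClient>();
        try
        {
            return await tokenClient.GetSignInResourceAsync(
                connectionName, turnContext.Activity, finalRedirect: null, ct);
        }
        catch (Exception ex)
        {
            var m = AadError.Match(ex.ToString());
            if (m.Success)
            {
                // Log the identifiers an admin needs to find this request in the
                // Entra ID sign-in logs; AADSTS53003 means a Conditional Access
                // policy blocked token issuance for the bot's app registration.
                logger.LogError(ex,
                    "GetSignInResourceAsync failed with {Code} (TraceId={Trace}, CorrelationId={Corr})",
                    m.Groups["code"].Value, m.Groups["trace"].Value, m.Groups["corr"].Value);
            }
            throw; // keep the original failure for the caller
        }
    }
}
```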