I was trying to setup Azure Application Proxy so that it could I could publish my onprem Exchange OWA access through it and I was running into problems. Every time I tried to create the AAP on-premise application it would error and not create it. The error was not descriptive; it just said "Failed to create on premises application". This status would go into the notification but there was not more info.
I messed around and determined that it didn't like the External URL that I was using. If I used a different External URL it would work. Just not the one I wanted to use. I was confused as I did not think I was using that URL anywhere.
After repeatedly clicking "Add" (and failing) a bunch of times, with the External URL I wanted, I checked the notifications and one of them had a hyperlink that provided a little more info as to what was going on:
{"errorCode":"Request_BadRequest","localizedErrorDetails":{"errorDetail":"A conflicting object with one or more of the specified property values is present in the directory."},"operationResults":null,"timeStampUtc":"","clientRequestId":"","internalTransactionId":"","tenantId":"","userObjectId":"","exceptionType":"AADGraphException"}
This provided a little more insight. I didn't think I had anything using that URL though.
Since this looked to be directory related, I checked the Azure Active Directory Audit Logs. Under there I was seeing Update Service Principal Failure and Update Application Failure.
So I decided to search Azure AD's Service Principal Names for the URL that I was trying to use and sure enough, that URL was registered. I removed that SPN and I was then able to add the Azure Application Proxy app with the External URL I wanted. Turns out that when I was setting up SPNs for Hybrid Modern Authentication (HMA) I added an SPN that I didn't mean to.
If you're having a similar issue and you want to search your SPNs here is the PowerShell to do so:
First connect:
Connect-AzureAD
If you want to see all the data in a grid view:
Get-AzureADServicePrincipal | select * | Out-GridView
If you want to get a list of SPNs with the corresponding ObjectId and DisplayName:
Get-AzureADServicePrincipal | select -Property ObjectID, DisplayName -ExpandProperty ServicePrincipalNames | select @{Name='SPN';Expression={$_}}, ObjectID, DisplayName
You can then search this output for the URL you're looking for or you can search the SPNs with the following and return only the SPNs you're looking for:
Get-AzureADServicePrincipal | select -Property ObjectID, DisplayName -ExpandProperty ServicePrincipalNames | select @{Name='SPN';Expression={$_}}, ObjectID, DisplayName | where SPN -Like '*mail*'
No comments:
Post a Comment