I am getting a "Requests from this IP are not allowed" when trying to signin/signup to Entra ID for external providers

Question

I am trying to follow the tutorial in the link https://video2.skills-academy.com/en-us/entra/external-id/customers/tutorial-mobile-app-maui-sign-in-sign-out ... I have created the UserFlows ., but when running the app , I get a "Requests from this IP are not allowed" .. How do I fix that ? The url link where this issue happens is at " https://login.microsoftonline.com/extservice/cpim?dc=ests-pub-wus2-az1-test1 " Screenshot 2024-05-26 at 10.39.30 PM.png

Answer

Hi @Srinath Nanduri , this indicates that the IP address from which the request is being made is not allowed to access the resource. This could be due to a number of reasons, such as a firewall blocking the IP address or the resource being protected by an access control list (ACL).

In the context of the tutorial you are following, it's possible that the IP address from which you are making the request is not included in the list of allowed IP addresses for the UserFlow. To fix this, you can try adding the IP address to the list of allowed IP addresses for the UserFlow.

To do this, follow these steps:

Go to the Azure portal and navigate to the UserFlow that you created.
Click on the "Properties" tab.
Under "IP address restrictions", click on "Add".
Enter the IP address that you want to allow access from.
Click on "Save" to save the changes.

Once you have added the IP address to the list of allowed IP addresses, try running the app again and see if the issue is resolved. If you are still having issues, you may need to check if there are any other restrictions in place that could be blocking the request.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Answer

I'm seeing this issue as well with a web-based Entra External ID-based setup, when trying to use Google as a sign-in option. The "Requests from this IP are not allowed" error appears to be just a catch-all message... the actual error is hidden.

A couple of things I've found:

My user auth flow errors at the exact same POST request to: https://login.microsoftonline.com/extservice/cpim?dc=ests-pub-wus2-az1-test1 with the same error message
Looking at the payload of the POST, we can see the actual error:

property	value
error	redirect_uri_mismatch
error_description	AADB2C90006: The redirect URI 'https://{tenant_id}.ciamlogin.com/{tenant_id}/federation/oauth2iefpassthrough' provided in the request is not registered for the client id '4829629c-4ae8-42a5-9def-bd28fbfd6992'.

Note that client id 4829629c-4ae8-42a5-9def-bd28fbfd6992 is not the client id of the app registered to my flow. In fact, I found a post from a couple of years ago that referenced this same client id in conjunction with trying to add Google as an auth provider, so I assume it is some internal Entra association w/Google.

Looking at the previous call that ultimately generated this error: https://login.microsoftonline.com/tfp/{tenant_id}/B2X_1_SignInOnlyUserFlowWM/oauth2/v2.0/authorize?scope=..

query param	value
`scope`	openid offline_access
`response_type`	code
`client_id`	4829629c-4ae8-42a5-9def-bd28fbfd6992
`response_mode`	form_post
`domain_hint`	google.com
`redirect_uri`	https://{tenant_id}.ciamlogin.com/{tenant_id}/federation/oauth2iefpassthrough
..various..	..various..

We can see this is the offending call using some internal client_id whose list of valid_redirect_uri URLs cannot be modified.

The interesting thing here is that it used to work when Google auth with initially set up. After 12-24hrs however, this issue surfaced and I can no longer try to sign in to Google.

Any help on getting a reliable Google Auth set up for Entra External Id usage?

Share via

I am getting a "Requests from this IP are not allowed" when trying to signin/signup to Entra ID for external providers

2 answers