Used Zammad version: 6.1.0-1697105813.b8ceb098.bookworm
Used Zammad installation type: package
Operating system: Debian
Browser + version: Firefox 118
I have installed a brand new instance of Zammad on a brand new server. The application works fine with local users and passwords. I have then set up the login integration with Office 365 / Microsoft.
When I try to log in through Microsoft, I get the following error page:
422: The change you wanted was rejected. Message from microsoft_office365: invalid_request
In /var/log/zammad/production.log, I see the following messages:
E, [2023-10-12T15:55:32.445369#6443-64640] ERROR -- : Message from microsoft_office365: invalid_request (Exceptions::UnprocessableEntity)
app/controllers/sessions_controller.rb:138:in `failure_omniauth'
app/controllers/application_controller/has_download.rb:17:in `block (4 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:16:in `block (3 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:15:in `block (2 levels) in <module:HasDownload>'
app/controllers/application_controller/handles_transitions.rb:16:in `handle_transaction'
I double-checked the application id and so on, and everything is according to the documentation.
I made progress here, by selecting Multitenant instead of Single tenant in Azure:
Who can use this application or access this API?
Accounts in this organizational directory only (mycorp only - Single tenant)
Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
Supported account types:
Please note that Zammad only supports these account types (App dependent):
Accounts in this organizational directory only (Default Directory only - Single tenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
I am new to all this, but “Single tenant” sounds more like what I need, since I want only the users directly maintained by “mycorp” to be able to log in to Zammad.
Never mind, I had actually overlooked that it is required to enter the tenant ID even for a single tenant configuration. I expected it to be implicit, but it is not.
So the actual solution was to copy & paste the tenant ID from Azure into the “App tenant ID” field in Zammad.
Still, I think the documentation could be a bit more verbose about the single/multi tenant configurations, and what fields are relevant in which case, especially for people with no or little experience with the topic.
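The single/multi tenant interaction described above, as an added example that is not part of the original thread and is not Zammad's code: a Ruby pre-flight check that maps the Azure account type and the "App tenant ID" value to the Microsoft authorize endpoint and to who can sign in, including the multitenant case the thread only touches on. The function names are hypothetical, the tenant ID is a constructed placeholder, and the fallback to the shared "common" endpoint for an empty tenant ID is an assumption.

```ruby
# Added example, not Zammad code. All tenant values below are constructed.
AUTHORITY = 'https://login.microsoftonline.com'
SHARED_TENANTS = %w[common organizations consumers].freeze
GUID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Assumption: an empty "App tenant ID" makes the client use the shared
# "common" endpoint instead of a tenant-specific one.
def effective_tenant(app_tenant_id)
  tenant = app_tenant_id.to_s.strip
  tenant.empty? ? 'common' : tenant
end

def authorize_endpoint(app_tenant_id)
  "#{AUTHORITY}/#{effective_tenant(app_tenant_id)}/oauth2/v2.0/authorize"
end

# account_type is the "Supported account types" choice in the Azure app
# registration: :single_tenant or :multitenant.
def check_tenant_config(account_type, app_tenant_id)
  tenant = effective_tenant(app_tenant_id)
  shared = SHARED_TENANTS.include?(tenant)
  audience =
    if !shared && !tenant.match?(GUID) && !tenant.include?('.')
      :malformed_tenant   # neither a GUID nor a domain name
    elsif account_type == :single_tenant && shared
      :rejected           # single-tenant apps need their own tenant in the URL
    elsif shared
      :beyond_own_tenant  # sign-in is not limited to the own directory
    else
      :own_tenant_only    # sign-in limited to the named directory
    end
  { endpoint: authorize_endpoint(app_tenant_id), audience: audience }
end

if __FILE__ == $PROGRAM_NAME
  placeholder = '00000000-0000-0000-0000-000000000000' # constructed tenant ID
  [[:single_tenant, ''], [:multitenant, ''], [:single_tenant, placeholder]].each do |type, id|
    result = check_tenant_config(type, id)
    puts format('%-14s tenant=%-38s %-18s %s', type, id.inspect, result[:audience], result[:endpoint])
  end
end
```

Switching the registration to Multitenant with the tenant field left empty makes the sign-in work, but the result is `:beyond_own_tenant`; keeping Single tenant and entering the tenant ID gives `:own_tenant_only`.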
You could create a pull request on the admin-documentation to reflect and give back to the community, if you believe that the documentation is not explicit enough at certain points.
Please keep in mind that this is a free community without any guarantee of timely responses. If you require commercial grade support and responses, consider getting a support contract. This helps you in case you have issues with mission critical environments. No obligation to do so of course!