Testing the Deployment

In this step you will retrieve an access token and make an API call to test that the app was correctly deployed to your environment. In the test you will leverage the APIs directly, for example by using a client like Postman, or any HTTP client. The test assumes that you have registered the Yubico FIDO Pre-reg Test Client as described in Registering Apps.

To retrieve an access token, do the following:

1. Go to the previously created Yubico FIDO Pre-reg Test Client.
2. From your client, make an API call using the following request:
   • Method: POST
   • URL: https://login.microsoftonline.com/{your azure tenant domain}/oauth2/v2.0/token
   • Header: Content-Type - application/x-www-form-urlencoded
   • Body:
     • grant_type: client_credentials
     • client_id: Client ID created for the Yubico FIDO Pre-reg Test Client.
     • client_secret: Client secret from when you created the test client.
     • scope: api://fido-connector-api.{verified domain name}/.default
3. Send the request.
4. From the response, copy the access_token value.

To call the API, do the following:

1. From your client, make an API call using the following request:
   • Method: GET
   • URL: https://{url of your container app}/v1/status. For base URL, copy the Application URL from your Container App.
   • Header:
     • Authorization - Bearer {access_token from previous step} Example: Bearer eyJ0…
     • Content-Type - application/json
2. From this API call you should receive a 200 status code, with a response payload that outlines the different environment configurations that were made during setup of the components. Double-check these responses to ensure that they are correct.

Troubleshooting

The following provides basic troubleshooting steps for common deployment issues.

Where to Start?

1. What is the error message that you are getting?
2. Verify the environment variables and key vault values:
   1. Key Vault Administrator is required to view key vault entries.
   2. Verify secrets entries for the YubiEnterprise API. Must be a valid token retrieved from the YubiEnterprise Console, see Generating API Tokens.
3. Review response message from the Credential API Container App.
4. Check Container App Logs.
5. Verify Environment Variables.
6. Verify Azure Key Vault values.

Verifying Shipment Status in Storage Browser

1. Log in to the Azure portal.
2. Go to the Resource Group.
3. Go to Storage Account > Storage Browser > Tables.
4. Click the fprshipments table.
5. Find the desired shipment by shipmentId.
6. Verify that the state of the shipment is complete. A shipmentId status that is not updated to “complete” will continue to retry. Once you investigate and resolve the issue, the status can be manually updated to “complete”.
7. If a shipmentId has encountered an error during processing, it will be recorded in the fprshipments table fields error_kind and error_message.
8. Once you have investigated and resolved the issue, the shipment will be reprocessed during the next scheduled run to “complete” status. Alternatively, the status can be manually updated to “complete” if the cause of the error cannot be resolved.

Note

The shipment status and processing error recorded in the fprshipments table can also be obtained by calling the API as described in Get Shipment Request Status. You can find more details to understand the error in Checking FIDO Connector Logs.

Verifying Delivery Status of YubiKey PIN

By default Yubico FIDO Pre-reg is configured to send emails to the end user’s manager. If the manager relationship for the end user is not set up, or the manager does not have an email address configured, the PIN delivery will fail.

To verify that the PIN delivery was successful, do the following:

1. Log in to the Azure portal.
2. Go to Resource Group > Logic App.
3. In the left menu, click Development tools > Run history.
4. Verify that you have a record with Status “Succeeded”.
5. If the status is “Succeeded”:
   1. Open the history record.
   2. Select the connector for “HTTP - Get User Manager Details”.
   3. In the Parameters tab of the Outputs section, verify that Body has a field for the “mail” attribute populated with the email address of the end user’s manager.
6. If the status is “Failed”:
   1. Open the history record.
   2. Review which connector had an error and investigate the details of the error by clicking the connector.

Verifying YubiKey Registration in Microsoft Entra ID

1. Log in to the Microsoft Entra admin center.
2. Go to Users > All users.
3. Search for the desired User.
4. Go to Authentication method.
5. Verify that the new YubiKey is listed.

Checking Microsoft Entra ID Audit Log History

1. Log in to the Microsoft Entra admin center.
2. Go to Users > All users.
3. Search for the desired User.
4. Go to Audit logs.
5. Filter the Activity column for each of the following:
   1. “Get passkey creation options”.
   2. “Admin registered security info”.
   3. “User registered security info”.
6. Check if any of the events indicate that an error occurred.

Note

If an error related to Microsoft Entra ID is encountered by the FIDO Connector App, the error_message in the fprshipments table, or error entry in FIDO Connector App logs, will contain a client-request-id which is related to the “Correlation ID” in Microsoft Entra ID Audit Logs.

Checking FIDO Connector Logs

1. Log in to the Azure portal.

2. Go to the Resource Group where the FIDO Connector App is deployed.

3. Select the Container App.

4. Select Monitoring > Logs.

5. Within the open tab, if not already selected, in the drop-down, change from “Simple mode” to “KQL mode” (using Kusto Query Language).

6. Paste a KQL query similar to the following to begin identifying errors and timeframes to investigate:

   ContainerAppConsoleLogs_CL
   | where Log_s contains "WARN" or Log_s contains "ERROR" or Log_s contains "Fail"
   | project TimeGenerated, ContainerName_s, Log_s