Authentication issues when trying to register new app in Azure Active Directory - azure

I want to access the Outlook API with a Python application. I followed this guide but quickly ran into authentication issues. I tried it with my existing private Microsoft account and with a newly created account, but ran into authentication issues quickly. Whenever I try to do anything in the portal, I get this message:
Already checked in with the general Microsoft support. They directed me towards Azure support, but I can't reach anybody there.

I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the Microsoft personal account is not added as an external/guest user to an Azure AD tenant.
To resolve the error, contact the Global admin to invite the account as a guest user like below:
Once the admin invites, you will get an email notification to accept the invitation like below:
After accepting the invite, the Personal Microsoft account will be added to the tenant successfully like below:
And now you will be able to access the Azure Portal without any issue and you can also create your own tenant to have admin access.
If still the issue persists, try the below:
Sign out from the active session and sign in again in an incognito window or a different browser.
Clear the browser cache and cookies and try again.
Confirm whether the admin has set any external user settings that are restricting access:
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory

When looking into the Build Python apps with Microsoft Graph tutorial that you followed, one of the prerequisites mentioned signing up for the Microsoft 365 Developer Program to get a free Microsoft 365 subscription. After you sign up, you'll need to use the Microsoft 365 developer sandbox credentials in order to continue following the tutorial without having to leverage your own Azure AD tenant or subscription (pay-as-you-go).
Build Python apps with Microsoft Graph:
Join the Microsoft 365 Developer Program
Deploy the Developer Sandbox
Using the Microsoft 365 Developer subscription info you'll be able to log in to the Azure Portal or the Azure Active Directory admin center.
Note: You can navigate to your developer tenant using https://aad.portal.azure.com/<<SandboxTenantName>>.onmicrosoft.com, or, when prompted to sign in, use your sandbox's admin account.
If you only signed up for a new personal Microsoft account (Outlook), you'll notice that once you sign into the Azure AD Admin Center, your Outlook.com user isn't associated with any Azure tenants, and you'll run into the authentication issue error message that you referenced, so you'll have to create your own Azure AD tenant by signing up for an Azure Free Trial or Pay-as-you-go.
I hope this helps!

Related

How do I add an initial User to a new Tenant in the Azure Portal?

I am trying to set up a new Web Application in Visual Studio using Microsoft authentication.
I have created a new Tenant in portal.azure.com. My issue is, every page I visit in the Azure Portal, including my profile, I receive a 403 error.
The only function I am able to perform is creating a new App Registration.
When I try to authenticate in the Web Application, I receive the error "Selected user account does not exist in tenant".
I am confused with how to add the account that created the Tenant to it without the required permissions.
Does anybody know how I can go about resolving this issue?
TIA.
The error means that the logged-in email address you are trying to use is not yet added to your new tenant. Please make sure that the work email address is added to that tenant, if it is not the admin.
If you have added the account to the tenant or you are the admin yourself, please refresh and try again.
Sign out and clear all cookies.
Try using a Microsoft Edge InPrivate/Incognito browser, check that you are signing into the correct tenant, switch the tenant and try to access the app.
If you have the same account matching your personal account, try to change it and add it as a Microsoft account.
Try to log in with the common endpoint https://login.microsoftonline.com/common if it is a personal account and the app is multi-tenant.
If the above doesn't solve the issue, see this document, which lists several causes, to find yours.
References:
azure active directory - Selected user account does not exist in tenant 'UserVoice, Inc.' - Stack Overflow
azure - Microsoft Graph Identity Java - Selected user account does not exist in tenant 'Microsoft Services' - Stack Overflow
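The answer above tells you to check which tenant you are actually signing into. One concrete way to do that while debugging is to look at the claims in the id_token the application received: `tid` is the issuing tenant and `idp` names the identity provider (`live.com` for a personal Microsoft account, which is exactly what the AADSTS50020 text quoted elsewhere on this page reports). The Python below is an added example and not code from any post on this page; the tenant ID, the token contents and the signature are constructed for the demo, and the decoder deliberately skips signature verification, so it is a diagnostic aid only, never an authorization check.

```python
import base64
import json

# Well-known tenant ID of the consumer directory that issues tokens for
# personal Microsoft accounts (outlook.com, live.com, ...).
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Assumed (placeholder) tenant ID of the organisation whose app registration fails.
EXPECTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unverified_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT checking its signature.

    Enough to see which tenant and identity provider issued a token while
    debugging a sign-in failure; never use it to make an access decision.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def diagnose_tenant_mismatch(id_token: str, expected_tenant_id: str) -> list:
    """List reasons the token's subject cannot sign in to expected_tenant_id.

    Mirrors the two facts AADSTS50020 reports: the account's identity
    provider and the tenant the account does (not) belong to.
    """
    claims = unverified_claims(id_token)
    findings = []
    tid = claims.get("tid")
    # 'idp' is only emitted when the authenticating provider differs from
    # the issuing tenant (guests, personal accounts); fall back to 'iss'.
    idp = claims.get("idp", claims.get("iss"))
    if tid != expected_tenant_id:
        findings.append(f"token issued by tenant {tid!r}, app expects {expected_tenant_id!r}")
    if tid == MSA_TENANT_ID or idp == "live.com":
        findings.append(
            "subject is a personal Microsoft account (live.com): invite it as a "
            "guest in the tenant, or sign in through a v2.0 common/consumers authority"
        )
    return findings


def make_demo_token(claims: dict) -> str:
    """Build an UNSIGNED demo JWT (constructed input, not a real Azure AD token)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "demo"}
    encoded = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    return ".".join(encoded) + ".not-a-real-signature"


# Constructed sample: a personal account that signed in through the
# consumer tenant instead of the organisation's tenant.
PERSONAL_ACCOUNT_TOKEN = make_demo_token({
    "iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0",
    "tid": MSA_TENANT_ID,
    "idp": "live.com",
    "preferred_username": "someone@outlook.com",
    "aud": "00000000-0000-0000-0000-000000000001",
})

# Constructed sample: a member of the expected tenant.
WORK_ACCOUNT_TOKEN = make_demo_token({
    "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT_ID}/v2.0",
    "tid": EXPECTED_TENANT_ID,
    "preferred_username": "someone@contoso.onmicrosoft.com",
    "aud": "00000000-0000-0000-0000-000000000001",
})

if __name__ == "__main__":
    for label, token in (("personal", PERSONAL_ACCOUNT_TOKEN), ("work", WORK_ACCOUNT_TOKEN)):
        print(label, diagnose_tenant_mismatch(token, EXPECTED_TENANT_ID) or ["no mismatch"])
```

Run it against the real id_token your app logged (the Azure portal's own diagnostics show the same `tid`/`idp` facts in the error text) and the output tells you whether the fix is a guest invitation, a different authority, or simply signing in with the right account.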

Lost access to application when user was deleted

We deleted an "unused" user in our Azure AD, deleting both the MS account and removing him from the AD. Now, a few days into the 60-day deletion process (of the MS account), we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is nowhere to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue, but the user is a global admin again:
Additional information from the call to get a token: Extension: Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25 14:44:18Z
We've also tried logging in with multiple other global admins but no-one can access that page or find the application using the id it has. Is there something to be done maybe using Powershell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made in the Azure portal app registration:
In the new experience, if your personal Microsoft account is also in an Azure AD tenant, you will see three tabs: all applications in the tenant, owned applications in the tenant, and applications from your personal account. So, if you believe that apps registered with your personal Microsoft account are missing, check the Applications from your personal account tab.
When you sign in using personal Microsoft accounts (e.g. Outlook, Live, Xbox, etc.) with an Azure AD email address, we found out that when you go to the Azure portal from the old experience, it signs you into a different account with the same email in your Azure AD tenant. If you still believe your applications are missing, sign out and sign in with the right account.
The new app list shows applications that were registered through the legacy app registrations experience in the Azure portal (apps that sign in Azure AD accounts only) as well as apps registered through the Application registration portal (apps that sign in both Azure AD and personal Microsoft accounts).
If you know the application ID you can restore it using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).

Multi-tenant server-to-server authentication - User consent issue

I have followed this walkthrough to create a multi-tenant web application that can connect to Dynamics 365 CE Online. Walkthrough: Multi-tenant server-to-server authentication.
When I ran the app for the first time and tried to sign in to the Dynamics CRM, it asked me to provide a consent that I accepted. And then it returned the below error:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException HResult=0x80131500 Message=AADSTS65001: The user or administrator has not consented to use the application with ID 'XXX' named 'MvcCrmStsWalkthrough'. Send an interactive authorization request for this user and resource.
For subsequent tries, it didn't ask for consent. However, kept returning the aforementioned error.
What I have used for this POC
Dynamics CRM Online trial
Azure Active Directory service that was included by default with the CRM trial and was enough to perform application registration on Azure AD
Visual Studio 2017 community edition
What I have tried so far
In Azure AD I already have granted permission using the 'Grant Permission' button on the registered app Settings > Required Permissions (Seems accepting user consent through my custom app does the same)
Setting oauth2AllowImplicitFlow to true in the Azure AD app manifest
I verified that the O365 account that I am using to log in through the app has Global Administrator directory role in the AD
Sample code
Exactly the same as mentioned in the walkthrough

How do I register an app in client's active directory using my multi tenant app in microsoft azure?

I have registered a multi-tenant app in my Azure subscription. Using this app, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using the OpenID Connect flow to access the Azure AD Graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz@outlook.com) tries to sign in:
User account 'xyz@outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx&response_mode=form_post&response_type=code+id_token&redirect_uri=http://localhost:8080&prompt=admin_consent&nonce=1234&resource=https://graph.windows.net
Please help me to resolve this error.
Unfortunately, you cannot use a guest user to log in to Azure AD Graph Explorer for now.
I came across the same issue as yours a long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice page and the Azure team will see it. I will also upvote it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory whose UPN ends with .onmicrosoft.com.
Solution 2: Try to use other tools to get an access token with a guest user (this account also needs to be an admin of that directory), such as Postman. Then you can use Postman to call the Azure AD Graph API. You can refer to this blog to use the Azure AD Graph API with Postman.
Hope this helps!
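The request quoted in the question above is a v1.0 authorize request (`/oauth2/authorize` with a `resource` parameter), which is what the answer in the "Lost access to application" thread above identifies as the cause: personal Microsoft accounts need the v2.0 endpoint (`/oauth2/v2.0/authorize`, which takes `scope` instead of `resource`) together with a `common` or `consumers` audience. The Python below is an added example and not code from any post on this page; it classifies an authorize URL and rewrites a v1.0 request into its v2.0 form. The client ID, redirect URI and nonce are constructed placeholders, and the mapping it applies (`resource` becomes `<resource>/.default`, `prompt=admin_consent` becomes `prompt=consent`, with tenant-wide admin consent left to the v2.0 `/adminconsent` endpoint) is the standard v1-to-v2 migration, not something the posts spell out.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# v2.0 audiences that sign in personal Microsoft accounts. A tenant ID,
# a *.onmicrosoft.com name or 'organizations' only sign in work/school
# accounts (plus guests already invited into that tenant).
MSA_AUDIENCES = {"common", "consumers"}

# Constructed stand-in for the v1.0 request shown in the question
# (client ID, redirect URI and nonce are placeholders, not real values).
QUESTION_STYLE_V1_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize?"
    "client_id=00000000-0000-0000-0000-000000000001"
    "&response_mode=form_post"
    "&response_type=code+id_token"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080"
    "&prompt=admin_consent"
    "&nonce=1234"
    "&resource=https%3A%2F%2Fgraph.windows.net"
)


def classify_authorize_request(url: str) -> dict:
    """Report endpoint version, audience and whether personal accounts can sign in."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # Paths look like /{audience}/oauth2/authorize or /{audience}/oauth2/v2.0/authorize
    audience = segments[0] if segments else ""
    version = "v2" if "v2.0" in segments else "v1"
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "version": version,
        "audience": audience,
        "resource": params.get("resource"),
        "scope": params.get("scope"),
        "accepts_personal_accounts": version == "v2" and audience in MSA_AUDIENCES,
    }


def to_v2_authorize_request(url: str) -> str:
    """Rewrite a v1.0 authorize request as the equivalent v2.0 request."""
    parts = urlsplit(url)
    if "v2.0" in parts.path.split("/"):
        return url  # already a v2.0 request
    params = dict(parse_qsl(parts.query, keep_blank_values=True))

    # v2.0 uses 'scope' instead of 'resource'; '<resource>/.default' asks for
    # every permission already granted on that resource, the closest v1 match.
    scopes = []
    if "id_token" in params.get("response_type", ""):
        scopes.append("openid")  # required whenever an id_token is requested
    resource = params.pop("resource", None)
    if resource:
        scopes.append(resource.rstrip("/") + "/.default")
    params["scope"] = " ".join(scopes)

    # 'admin_consent' is v1-only; v2.0 tenant-wide consent goes through the
    # separate /adminconsent endpoint, so the interactive request uses 'consent'.
    if params.get("prompt") == "admin_consent":
        params["prompt"] = "consent"

    path = parts.path.replace("/oauth2/authorize", "/oauth2/v2.0/authorize")
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(params), parts.fragment))


if __name__ == "__main__":
    print(classify_authorize_request(QUESTION_STYLE_V1_URL))
    v2_url = to_v2_authorize_request(QUESTION_STYLE_V1_URL)
    print(v2_url)
    print(classify_authorize_request(v2_url))
```

Note that switching the endpoint only removes the live.com rejection for the sign-in itself; the app registration must also be configured for the "accounts in any organizational directory and personal Microsoft accounts" audience, and the client's tenant still has to consent to the permissions the app asks for.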

Cannot enable MFA on Azure Microsoft accounts

I'm trying to enable Multi-Factor Authentication on my Azure account (to secure my access to the Azure portal). I am following the tutorial from here, but unlike this picture:
I have no Enable button when I select my user:
I've tried to send a CSV bulk request with only my user (the email address), but it says the user does not exist.
I am trying to add MFA on the user william@[something].com when I'm logged in with the william@[something].com MS account (I am the only user, and I'm global administrator).
In the MFA management page, you can only manage/enable MFA for your own Microsoft Azure AD accounts, including accounts created in Azure AD or synced from your on-premises AD, not any Microsoft account or accounts from other Microsoft Azure AD tenants. As you said you're using an MS account, you surely can't see the Enable button.
In Azure Classic Portal, you can easily see if it's a Microsoft account or a Microsoft Azure Active Directory account:
If you want to enable this for your Microsoft account, you need to use the Microsoft service here, sign in and then click Set up two-step verification.
Follow the steps afterwards, and you'll enable two-step verification for your Microsoft account.
Of course you can create a new account in your Microsoft Azure Active Directory (Type of User: New user in your organization), then you can enable MFA for this new user. If you would like a Global Admin, you can click this user and assign the user the Global Admin role. Then later you can use this admin account for your management work.
