How to login with corporate account when using Microsoft Account identity provider in Azure AD B2C? - azure

I want to build an application where users can log in with their corporate Microsoft / Azure AD account.
For that, I created an Azure AD B2C tenant including a SignUpSignIn user flow with the "Microsoft Account" identity provider.
Now when I want to log in I get redirected to https://login.live.com/ and can successfully log in with my personal Microsoft account. However, if I enter the email address of my corporate account, the error message "This Microsoft account is not available" comes up.
The signInAudience of my app registration is set to AzureADandPersonalMicrosoftAccount. So I would expect corporate accounts to work as well?

"Microsoft account" there refers only to personal Microsoft accounts (Outlook/Live/Hotmail accounts).
If you want to only authenticate with one Azure AD tenant, there is guidance for adding that as an identity provider: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow.
Multi-tenant Azure AD authentication could be done with the generic OpenID Connect provider I think: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow
It can also be achieved through custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-custom-policy.

Related

Azure AD B2C with Microsoft account and Sign in user

I am getting this error when configuring an asp.net core app to use Azure AD B2C authentication with Microsoft Account as external identity provider.
AADSTS70000121: The passed grant is from a personal Microsoft account and is required to be sent to the /consumers or /common endpoint.
As per my findings on SO and Microsoft documentation on the same, it points to using the following as the authority in appsettings.json:
"Authority": "https://login.microsoftonline.com/common",
The common endpoint is suggested by the Azure AD B2C documentation when you use Microsoft Account as an identity provider.
While registering an application in the Azure AD B2C tenant, I use the following as Supported account types:
Accounts in any identity provider or organizational directory (for authenticating users with user flows)
So it seems all is configured properly, but the error still suggests that I am not using the common endpoint, which in fact I am.
Links I followed:
How to acces AzureRM with a AzureAD Multi-Tenant App using personal Microsoft account?
Error getting SAML Metadata for Azure AD B2C Policy - AADB2C90022

Azure app service auth not allowing personal accounts

I have a web app deployed on Azure App Service. I have enabled Google and Microsoft logins for the app using the App Service built-in authentication.
I have an app registration with this option:
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
Now I have associated the app service authentication with the app registration by entering the client id and secret.
I have a login button with href="https://app.azurewebsites.net/.auth/login/aad"
Organizational accounts (non personal accounts) from other tenants and my tenant are able to use this login. Even personal accounts in my tenant (guests) are able to use this login.
But when I try with personal accounts that are not part of my tenant, the login fails with the error AADSTS50020: User account 'example#outlook.com'/'example#gmail.com' from identity provider 'live.com' does not exist in tenant 'My Org' and cannot access the application in that tenant.
I want personal account users and business email users to use the same Microsoft login option.
I was able to fix it by changing the issuer url in advanced setting of AAD configuration in app service authentication. I set it to https://login.microsoftonline.com/common/v2.0.
But now the logout gives a CORS issue. This occurs only for Microsoft accounts. For Google login through the App Service auth, logout works fine.

Why won't Azure AD B2C accept an Office 365 email address?

The sample web application is using Azure AD B2C for identity and authentication. Azure AD B2C has been configured with Microsoft as an identity provider. Azure AD B2C will login a user with a personal Microsoft account, but not an Office 365 account with a custom domain name. This is also the email address for the Azure admin, and is even the only user under Home > Azure AD B2C > Users - All users. The email address was under Users by default when the Azure AD B2C resource was created.
Why can't this email address be used to login?
To answer your first question, why can't O365 users login, it's because configuring "Microsoft authentication" only allows personal MS accounts.
To allow O365, you'd need to configure B2C to allow login via Azure AD.
As for why your admin user can't login, it's because there are different types of users in B2C.
Your admin is not a B2C user, and thus cannot login as a local user.
It's confusing since the Users tab shows them all together :/

Login from Microsoft account not working for Multitenant Azure AD application

I'm building a multitenant SaaS web-based application. The application is registered in my tenant, and each customer with their Office 365 subscription will get a service principal object in their Azure AD.
I'm having a problem with login from an external account (Microsoft account) in a customer tenant.
I created an example and tried to see what I can get from the access token.
The sample consists of one client application (.js) that uses the MSAL library to handle authentication and two APIs that have protected endpoints. I also created three separate Azure AD applications: AlanClient, AlanAPI1, AlanAPI2. Both AlanAPI1 and AlanAPI2 have an API exposed (Expose an API section in the Azure Portal application) and have specified one consumer, AlanClient. AlanClient has permission to both APIs. All applications are registered with "accessTokenAcceptedVersion": 2 and "signInAudience": "AzureADMultipleOrgs".
As far as I understood, this should be enough to log in with:
1. Office 365 account from host tenant
2. Microsoft account that is registered as external user in host tenant
3. Office 365 account from guest tenant
4. Microsoft account that is registered as external user in guest tenant
Clarification:
- host tenant --> Azure AD instance in which the application is registered. In the error message below, tenant A.
- guest tenant --> Azure AD instance that is only using the application
I have a problem with case no. 4.
I get this error message:
AADSTS50020: User account 'lovro.p365#...' from identity provider 'live.com' does not exist in tenant 'A' and cannot access the application AlanClient in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure AD user account.
Scenarios 2 and 4 should be the same.
I have tested both and everything is OK.
You could use OAuth 2.0 auth code grant flow to have a test with it.
Construct a request to login.microsoftonline.com with your app configurations.
This URL will look like:
https://login.microsoftonline.com/[tenant A]/oauth2/v2.0/authorize?client_id=[client id of the Azure AD app registered in host tenant]&response_type=code&redirect_uri=[redirect uri of the Azure AD app]&nonce=1234&resource=https://graph.microsoft.com.
After signing in with credentials of Microsoft Account in tenant A, you will get a "code" in the address bar. Use this code to request access token:
POST /[tenant]/oauth2/v2.0/token HTTP/1.1
client_id=[client id of the Azure AD app registered in host tenant]
&scope=https://graph.microsoft.com/user.read
&code=[code got from the previous step]
&redirect_uri=[redirect uri of the Azure AD app]
&grant_type=authorization_code
Then we could get the access token for Microsoft Account as a guest user in tenant A.

How to acces AzureRM with a AzureAD Multi-Tenant App using personal Microsoft account?

My target is simple: use an Azure AD multi-tenant app to be able to call Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.
I created an Azure AD multi-tenant app using a company's tenant
Then I created a test ASP.NET Core Web application which goes to such a URL:
The Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM, where the test Web app receives the callback with given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
The Multi-Tenant AAD App gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.
It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?
I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirm that a Service Principal gets created on the target tenant):
However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.
Should this be done by hand (detecting a personal MS account and finding the association with an AAD tenant), or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in the Azure Portal)?
P.S. Using the URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("organizations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.
UPDATE
To demonstrate the problem, 4 tests were made to access the resource "https://management.azure.com/" with a multi-tenant app:
1. Authorize Microsoft's "Microsoft Azure" app with the v1 endpoint - it works with personal accounts:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
2. Authorize the same "Microsoft Azure" app with the v2 endpoint - now it does not allow using personal accounts:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
3. Authorize a custom multitenant app against the v1 endpoint (insert your client id) - shows error AADSTS50020 "User account 'user#live.com' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
4. Authorize a custom multitenant app against the v2 endpoint - same as test #2 - does not allow personal accounts.
Thoughts.
The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, whereas the v1 endpoint does.
The Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allow using personal accounts for the desired resource.
ANSWER
Long story short, it's not possible for general public as per Microsoft.
Only the v2.0 endpoint supports logging in with a personal account (even if it doesn't belong to any Azure AD tenant).
It works with a personal account when you use the v1.0 endpoint.
That's because that personal account belongs to at least one Azure AD tenant. Then this personal account will be recognized as a guest user in the tenant.
The v2 endpoint does not allow personal accounts for the resource
https://management.azure.com/
Yes, if you log in with a personal account when you use the v2.0 endpoint, it will detect that you belong to a personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.
You must identify the tenant to log in with a personal account when using the v2.0 endpoint:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default
Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.
Update:
It is normal that you can't do that. You are not telling Azure AD in which tenant the MSA user is an external user, so Azure AD is making a guess and checking in the tenant where the app is registered (tenant A). If you expect external users to be able to sign in, you must specify the tenant where the guest has previously been invited to (e.g. tenant B).
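Added example, not code from any of the posts above: a small Python walk-through of the tenant-specific v2.0 authorization-code exchange that both answers describe (the auth-code test in "Login from Microsoft account not working for Multitenant Azure AD application" and the tenant-scoped authorize URL plus /tenants lookup in the answer just above). It generates and checks state/nonce, builds the authorize and token requests, and parses a /tenants response. The tenant, client id and redirect URI are placeholders, and the callback URL and /tenants body are constructed sample data, so it runs offline.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"  # tenant segment is appended

def new_state_and_nonce():
    # Unpredictable state (CSRF binding) and nonce (ID-token replay binding).
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)

def build_authorize_url(tenant, client_id, redirect_uri, scope, state, nonce):
    # Tenant-specific authority: 'common' makes Azure AD look the MSA guest up
    # in the app's home tenant and fail with AADSTS50020.
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": scope, "state": state, "nonce": nonce}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    # Reject the redirect unless its state matches the one we issued.
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login")
    if "error" in qs:
        raise RuntimeError(qs.get("error_description", qs["error"])[0])
    return qs["code"][0]

def build_token_request(tenant, client_id, code, redirect_uri, scope):
    # Body for POST /{tenant}/oauth2/v2.0/token; v2.0 takes 'scope', not 'resource'.
    body = {"client_id": client_id, "grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri, "scope": scope}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body

def tenant_ids(tenants_json):
    # Parse GET https://management.azure.com/tenants?api-version=2016-06-01
    # (called with the Bearer token obtained from the exchange above).
    return [t["tenantId"] for t in tenants_json.get("value", [])]

# Constructed sample response: the one tenant where the MSA was invited as a guest.
SAMPLE_TENANTS = {"value": [{"id": "/tenants/11111111-1111-1111-1111-111111111111",
                             "tenantId": "11111111-1111-1111-1111-111111111111"}]}

def demo(tenant="tenant-b.onmicrosoft.com",                # placeholder tenant
         client_id="00000000-0000-0000-0000-000000000000",  # placeholder app id
         redirect_uri="https://localhost", scope="https://management.azure.com/.default"):
    # Offline walk-through: the callback URL below is constructed, not a real redirect.
    state, nonce = new_state_and_nonce()
    auth_url = build_authorize_url(tenant, client_id, redirect_uri, scope, state, nonce)
    code = parse_callback(f"{redirect_uri}/?code=AUTHCODE&state={state}", state)
    _token_url, body = build_token_request(tenant, client_id, code, redirect_uri, scope)
    return {"authorize": auth_url, "token_body": body, "tenants": tenant_ids(SAMPLE_TENANTS)}
```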
