We have a Drupal site setup to login with Azure AD via a third party OpenID connect module.
This is linked to an Azure AD app registration in single tenant mode.
When a user visits the site whilst logged-in to an account that isn't in our tenant, they see an error message similar to this:
Message:AADSTS50020: User account 'XXXXX#example.com' from identity provider 'https://sts.windows.net/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/' does not exist in tenant 'TENANT NAME' and cannot access the application 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'(SITE NAME) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This message is completely incomprehensible to most of our users. I'd like to change it to something more meaningful such as
Please login with an INSTITUTION NAME account to access this site e.g.: username#ourdomain.com
Is this something that can be configured within the Azure AD app registration? Or elsewhere in our tenancy configuration?
In case of azure ad B2C you can create a custom error page using a technical profile based on localization or a custom policy error page. But in case of regular Azure AD (B2B), there is no way to specify custom error messages or error pages.
If there is any case where the error message is passed back to your application. there may be a possibility to deal with it as you can configure through code as required but there isn't any guidance regarding error passed to backend .
Related
I am trying to setup Azure AD integration with our partner identities. I have few providers that I need to support and they support SAML and WS-Fed. I am trying to use Azure AD External Identities to add these providers to my Azure AD tenant.
However, reading through this article, it seems like SAML integrations are invitation based.
I want users to be able to login without an invitation. How can I do this with Azure AD?
Here are my needs:
After adding the external idp, users should be able to login using their own credentails via their idp. No additional information needed to use an app.
I should be able to grant them access to custom apps (mandatory) and azure resources (optional)
Choose what idp's are allowed per app? (if possible)
Thanks in advance.
Question 1: After adding the external idp, users should be able to login using their own credentials via their idp. No additional information needed to use an app.
Answer:
We can implement Guest users redemption using direct link or a common endpoint instead of email invitation. A guest user clicks the app link, reviews and accepts the privacy terms, and then seamlessly accesses the app.
Using Common endpoint : Guest users can now sign in to your multi-tenant or Microsoft first-party apps through a common endpoint (URL), for example https://myapps.microsoft.com. Previously, a common URL would redirect a guest user to their home tenant instead of your resource tenant for authentication, so a tenant-specific link was required (for example https://myapps.microsoft.com/?tenantid=). Now the guest user can go to the application's common URL, choose Sign-in options, and then select Sign in to an organization. The user then types the name of your organization.
Using Direct Link: As an alternative to the invitation email or an application's common URL, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the Azure Portal or Powershell Then you can use any of the customizable ways to deploy applications to users, including direct sign-on links. When a guest uses a direct link instead of the invitation email, they’ll still be guided through the first-time consent experience.
Reference:
Add B2B guests without an invitation link or email - Azure AD
Invitation redemption in B2B collaboration - Azure AD
Question 2 : I should be able to grant them access to custom apps (mandatory) and azure resources (optional)
Answer: Add the Users as Guest to Azure active Directory but by default they will be sent an invitation even if they don’t open it you can assign an app in your enterprise application for them to use .
Most federated applications that support SAML 2.0, WS-Federation, or OpenID connect also support the ability for users to start at the application, and then get signed in through Azure AD either by automatic redirection or by clicking on a link to sign in. This is known as service provider-initiated sign-on, and most federated applications in the Azure AD application gallery
Reference:
End-user experiences for applications - Azure Active Directory
Quickstart: Add guest users in the Azure portal - Azure AD
To Provide the Guest user access to azure resources you can manually add a role to the users.
Question 3: Choose what idp's are allowed per app?
Answer: Create different user flows and add desired IDPs to the user flows and then assign applications registered in Azure AD to the user flows depending on which IDPs are needed for given application.
Reference:
Add a self-service sign-up user flow - Azure AD
Question 4: I added Okta as an External Identity using SAML in my Azure AD. Created an "App Registration" as multi-tenant. But I am getting this error.
AADSTS50020: User account 'xxx' from identity provider 'http://www.okta.com/xxxxx' does not exist in tenant '' and cannot access the application '0000000c-0000-0000-c000-000000000000'(Microsoft App Access Panel) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Solution: Please Ensure User is added to one of the Partner Admin Groups i.e. AdminAgents in the Partner tenant.
Reference:
Manage Auth access for cloud solution providers.
Question 5: Steps for setting self service signup for an application.
Test Scenario in my Lab
Azure AD with an application registered in application registrations blade.
Another AD tenant with users.
Step 1: In the above external identities collaboration settings please make sure to have enable guest user self service enabled.
If it is not enabled then you can’t create a self service flow and you will get the below error when a user from other tenant is trying to access the app.
Step 2: Create a user flow by going to the user flow blade and creating a new flow.
Step 3: After you have created the user flow , click on the User flow and go to application blade and click add application.
Now search for the application you want to provide the self service signup to and click on select and you will have now enable the self service sign up for users when they try to access your application.
Output:
Once the above settings are done you can access the url to your app. Provide the user of the different ad tenant and you will get output as below .Click on create a new one .
Once the user from other AD tenant have accepted it they are successfully registered as guest users in your tenant.
If they accept the above then they will be able to access the app from now as a guest.
I'd like to use Microsoft Graph Explorer to work with my Azure AD B2C Tenant.
Initially, all I want to do is retrieve a Custom Attribute that I've assigned to an application registration. The custom attribute will store the UserAppPermission value, a 'role' replacement for B2C since it doesn't natively support them.
Can I get a second set of eyes on my process? I'd like to make sure I'm reading this properly.
First goal: Get a list of applications registered to my B2C Tenant. Reasoning is... if the app registration doesn't appear then future queries are unlikely to be successful.
Resource#1 "Manage Azure AD B2C with Microsoft Graph" (Note B2C in the title)
(1) I registered an application in my B2C tenant with permissions in excess of the minimum, checked this process twice: Register a Microsoft Graph application (Note B2C in the opening paragraph, and throughout the document).
(1a) Uncertain if the Azure portal was being buggy, I also registered this application with the 'Global Administrator Role' ... absolute overkill & insecure ..
(1b) I am certain that I assigned the appropriate Microsoft Graph API permissions in the app registration tab
(1c) As described in the doc, I also granted the application the user administrator role, although that is contained within the global administrator role.
(1d) Per the doc, "Now that you've registered your management application and have granted it the required permissions, your applications and services (for example, Azure Pipelines) can use its credentials and permissions to interact with the Microsoft Graph API."
When I run "https://graph.microsoft.com/beta/applications" to get a list of registered applications, all I see is the single App Registration our 'root' Azure account has for our Azure Functions App. Since this was an article on managing azure ad B2C with Microsoft Graph, I was expecting to see the applications registered to my B2C Tenant.
? Does anyone read (1d) to mean that I should not be able to use https://developer.microsoft.com/en-us/graph/graph-explorer, logged in as the B2C global administrator, and granting all permissions the endpoint requires, to make Microsoft Graph API queries?
Next goal: Get a list of users registered to my B2C Tenant
Resource#2 "List Users" - the link to this resource was provided by Resource #1, link provided above.
(1) There only mention of B2C in this article is: "The $count and $search parameters are currently not available in Azure AD B2C tenants."
(2) The request to get all users is GET "https://graph.microsoft.com/v1.0/users"
(2a) The request returns a list of users for the MyOrg's root AD tenant, not the application's B2C tenant. Not surprising since there's nothing in the request to specify the B2C tenant.
(3) Another resource provides this request format: https://graph.microsoft.com/beta/.onmicrosoft.com/users, which specifies the b2c tenant.
(3a) This executes without error in Graph-Explorer but does not return any of the users that registered for the application using the sign-up/sign-in policy (Consumer B2C Users). It still returns a list of users for the 'root' Azure account.
Update re:specifying tenant in graph-explorer:
While logged in to Graph Explorer us my work MS email which is registered as a global admin for our Azure account and owner of the B2C tenant I specified:
This returns a list of applications for the root Azure account, not app registrations for the B2C Tenant I specified. Perhaps I misunderstood the intent of this Graph API call.
I optimistically ran 'https://graph.microsoft.com/beta/identity/b2cUserFlows' with the tenant specified in the URL (as in screenshot). Result:
"error": {
"code": "AADB2C",
"message": "'4fba2ea8-XXXX-XXXX-964e-99f48b79d925' is not an Azure AD B2C directory...
I'm still not certain what the UUID returned in the message represents. The UUID has no correlation, that I can find, with the tenant I specified in the URL.
The reason is that you are using an Azure account which is from your root AAD tenant.
You have two options to resolve it.
Specify the tenant in the Graph Explorer URL:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant={Your b2c tenant}.onmicrosoft.com. Still use that Azure account from root
AAD tenant to sign in and you can get a list of applications and
users of your B2C Tenant now.
Another method is creating a new user in your B2C tenant and assign
Global admin role to it. And then sign into
https://developer.microsoft.com/en-us/graph/graph-explorer with
this new user. Now you can list applications and users of your B2C
Tenant as well.
Update:
Don't use a Consumer account (local account) for the second suggestion. You should create an AAD user (work account, format: mytenantname.onmicrosoft.com ) in Azure portal in B2C tenant and assign it global admin role.
Overview of user accounts in Azure Active Directory B2C for your reference.
#AllenWu's second solution was, in effect, correct but not explicit enough for me.
The New user interface in the B2C Tenant offers three options for creating users: Create user, Invite user and Create Azure AD B2C user. Most of my work has revolved around B2C users so I did that and gave the user Global Admin rights and my Graph Explorer results were unchanged.
Another user provided this suggestion and made it clear that I needed to create a user w/an email address of #my-tenant-name.onmicrosoft.com. I created such a user, assigned it Global Admin rights, and I was able to use Graph Explorer as I expected.
Note that users with an email of "SomeTestUser_gmail.com**#EXT#**#my-tenant-name.onmicrosoft.com do not behave in the same way.
Thanks for the suggestions & feedback & I hope this helps if you ended up here with the same question.
I am having difficulty logging in to a Microsoft site using my Azure AD (Work) account.
After successfully authenticating, I get the error:
AADSTS700016: Application with identifier '3075c070-b4d6-4bba-88c3-bcc51c74a2f4' was
not found in the directory '{my-directory}'. This can happen if the
application has not been installed by the administrator of the tenant
or consented to by any user in the tenant. You may have sent your
authentication request to the wrong tenant.
I have gone into my Azure AD tenant and searched for an application with that Id so I can add it, but it returns no results.
I am able to authenticate if I use an account that has a Microsoft Account, however, when I get to the Microsoft page, I get an error saying I need to log in using the same email account that the account was registered under.
Unfortunately, the work account I need to use does not have an associated Microsoft Account.
I think a solution to this would be to add the Application into my tenant, but not sure how to find the application with ID only.
I am afraid that you can not add the application into your tenant manually. When you successfully login in to this application, this application will exist in your tenant under enterprise application.
But it seems that this application only allows Microsoft account to login.
I try login to Azure AD web app and when i do it with user inside my tenant its ok,
but when login other user i get
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'a1eda862-65fb-4f90-8482-06151f5c7abc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Login Url :
https://login.microsoftonline.com/common/oauth2/authorize?client_id=a1eda862-65fb-4f90-8482-06151f5c7abc&response_type=id_token+code&redirect_uri=http://localhost:44302/&response_mode=form_post&scope=openid+profile&state=12345&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7&resource=https://management.azure.com/
Tenant settings
Few things to check -
Based on the error you shared, it seems you're logged in with some Microsoft account like live.com/hotmail etc. Are you doing that intentionally or just happened to be logged in and getting confused by that? If you do want to login with a Microsoft account other than a usual organizational account, then as the error says, you need to add that account to your AzureAD tenant as an external user.
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant
For any other organizational user, i.e. user from a different AzureAD tenant than the one where this application is registered, you will first need to go through the consent process. You may have done it already or not.
More details on that process here - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent
Issue:
You wanted to use a personal account within a multi-tenant application to get a token for the "https://management.core.windows.net" API
Scope:
We will focus on this issue and consider it as resolved once we provide you with the reason that Personal accounts cannot be used against a v1 multi-tenant application.
Alternatively, we will consider this case resolved if we confirm that the problem is caused by a third-party application or is by-design.
This agreed resolution statement describes the specific conditions where we will close this case. Please let me know if you do not agree with this scope.
Cause:
For multi-tenant applications in v1 you can only use an organizational account and not a personal one. That happens because for personal ones you will be logged authenticated by the “Live” endpoints and not by Azure endpoints, also because we are sending the user to the “common” endpoint and in there we do not know in which directory you want to sign in.
Resolution:
Having a multi-tenant application and sign-in users with personal and organizational accounts can be covered by the Azure AD V2 endpoints, nevertheless the v2 has some limitations right now and one of them is that you could only get a token for Microsoft Graph API and not for https://management.core.windows.net. We plan to implement all APIs that are available in v1 also in v2, but as for now cannot be used to acquire a token for such API.
We have a Web App secured with Azure AD B2C using custom Identity Experience Framework policies to allow users to register and sign in with social identities (Microsoft, Google, Facebook), or with an identity from another federated Azure AD instance, or with 'local' Email / Password accounts.
All the social accounts and the Federated AD work correctly. Sign up and sign in with Email/Password was working correctly, but we are now experiencing an error. We haven't knowingly made any changes to our Email/Password configuration since this was last known to be working, so we're not sure how this has happened.
The issue is: Sign Up with a new Email Address works correctly, and after the process completes, the user is correctly logged-in, and their account appears in the directory. If the user signs out, however, then any attempt to sign back in again fails:
(Email address shown is not the actual one. Error has been repeated by multiple users with new and old email/password combinations.)
Digging into the portal, the underlying error is revealed as:
70001 The application named X was not found in the tenant named Y. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
This error appears sometimes to be related to a failure to grant permissions to an application in the portal. We have tried removing and reinstating all permissions, and re-granting permissions. This has not solved the issue.
Does anyone know what could be causing this issue, and in particular why sign up / sign in works correctly, but returning sign in does not?
UPDATE:
Just to confirm that we have the IEF and Proxy IEF apps configured in the AD directory:
And we have the login-NonInteractive technical profile configured in TrustFrameworkExtensions.xml:
Having wired up Application Insights (following these instructions https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom), we're able to get to this more detailed error:
AADSTS70001: Application with identifier
'ProxyIdentityExperienceFrameworkAppID' was not found in the directory
weapageengine.onmicrosoft.com
The only place 'ProxyIdentityExperienceFrameworkAppID' appears in any of our custom policies is shown in the XML snipped above, but this seems correct as per the documentation here: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 - unless we are meant to update those 'DefaultValue' attributes as well?
Resolution:
As per the answer below, it is necessary to update both the Metadata and the default values with the relevant app ids. Worth noting that in the GitHub sample https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 the boilerplate values are differently cased, leading to our missing one in a replace-all:
The local account sign-in authenticates the end user against the Azure AD B2C directory and then reads the user object from it.
The local account sign-up and the social account sign-in do not authenticate the end user against the Azure AD B2C directory. The local account sign-up writes the user object to it. The social account sign-in delegates authentication to the social identity provider and then either writes the user object to the Azure AD B2C directory if the user object does not exist or reads the user object from the Azure AD B2C directory if the user object does exist.
To enable authentication of the end user by the local account sign-in against the Azure AD B2C directory, you must add the Identity Experience Framework applications to the Azure AD B2C directory and then configure these IEF applications with the login-NonInteractive technical profile.
The local account sign-up and the social account sign-in do not require these applications.