I have my website integrated with Live SDK applications to allow customers to login to their MSN, Hotmail, Outlook, etc. email accounts and invite friends to my website by reading the contacts. This used to work properly but now it's not working anymore.
When I use the App ID / Client ID from the old Application Registration Portal (https://apps.dev.microsoft.com) I get the following message when I try to login using my Microsoft account.
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
I see from the Application Registration Portal that I can now use Azure to manage my App Registrations, so I basically setup the same app under Azure with the following criteria.
Authentication: Selected Web and setup the same Redirect URI I was using previously when this was working.
API Permissions: I added "Microsoft Graph" with email, Contacts.Read, openid, profile, and User.Read.
And when I try to login to my Microsoft account using my Azure app Client ID / App ID I get the following message.
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Should I try making this work using Azure instead of Application Registration Portal credentials? If so, why is it saying "unauthorized_client" when I try to login?
Thank you!
Register your Azure AD app as Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
Related
We are developing a multi-tenant application that is hosted in Azure. We're using IdentityServer4 for handling authentication and authorization. Recently, we enabled the SSO by registering our application in Azure AD. We enabled the multi-tenant SSO in the App registration service. The SSO works fine and client users can sign in with their Azure AD.
The users are accessing the application by providing the URL in the following format https://myapplication.com/mytenant. When a user logs in for the first time consent is required and if accepted the user can successfully log into its tenant space.
After the first successful access, our application is added to the My Apps portal in Azure.
Our problem is that the URL in My Apps is pointing to the one provided in the Branding tab in App registration but not the one that the user logged in for the first time. Since this is a multitenant application every tenant has its own URL.
Is it possible for the first sign-in URL to be saved in the My Apps portal? We can do an Azure tenant - application tenant sync based on claims but that means a lot of trouble just for accessing the My Apps portal.
An administrator of each customer could add a linked "single sign-on" app in their organization and assign it to users, but there's no way to have your single multi-tenant app present in different tenants with different URLs.
What you could do instead is to have your (only) sign-in URL be a URL that triggers a sign-in (generically, on the "common" or "organizations" endpoint, instead of a tenant-specific endpoint). Once the user has signed in, then you'll know what tenant the user belongs to, and you could redirect them to the appropriate version of your site.
I have an already deployed application on azure app service which uses azure AD for authentication and authorization.
Unfortunately the developer who worked on it is no longer available
i got access to all Azure resources and source code but i cant figure out how can i add my azure account as one of the users to the app (i can login but its an empty view for me unlike what it used to be with the developer access).
Also i find the app registered on Azure AD and i am an owner there but still with no right access.
When i try to login localy from the frontend it say
Selected user account does not exist in tenant 'Default Directory' and
cannot access the application '[some numbers] in that tenant. The
account needs to be added as an external user in the tenant first. Please use a
different account.
Would appreciate any help and many thanks in advance.
I can login but it’s an empty view for me unlike what it used to be
with the developer access
This is because your backend application is enabled with Azure AD Authentication.
After you sign in to your front-end application, you still can't access the data from the back-end app, because the back-end app now requires Azure Active Directory sign-in from the front-end app
To access the application, follow the below steps:
Grant the front-end access to the back end
Configure App Service to return a usable token
Use the token in your code
You can refer Enable authentication and authorization for front-end app in Authenticate users E2E - Azure App Service | Microsoft Docs for the detailed steps
Unable to authorize multiple users for a BOT within the same organization using Azure AD authentication
Following are the steps we tried.
1. Created an office 365 organization, so as to be the admin of the Azure AD
Registered the Azure AD app thru app registrations on Azure in the same Org, and then assigned the permissions to the app to read emails and calendar, by following the URL - https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=csharp%2Cbot-msgraph-auth
Then created the web app bot under azure
Then under [OAuth Connection Settings] settings of the bot added the Azure AD app details, first added as Azure AD V1.0 with as per the recommendation in the URL of Microsoft
Used the standard template code of the project - BotAuthenticaionMSGraph from the Github sample code repository - https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore
In the sample code, we just need to edit the appsettings.json file to add the [ConnectionName, MicrosoftAppId, MicrosoftAppPassword]
Then published the local bot code to the app service of the web app bot on Azure
Tested the Bot Auth on the [Test in Web Chat] on Azure -- It works for my Azure AD
Then enabled the Directline Channel for bot and distributed bot to other users of the same organization
The issue is here - when the other user opens the bot, they can see the emails and calendar of the admin user who has already logged in initially. So when the other user logs off and logs in thru his AD credential, then only his emails and calendar data is available since then.
Issue - So, at a given point of time only one user's o365 data is visible globally on the bot chat, and not individual user's data who logs in for that session. The AD token is not per user session but instead its a universal token across for all the conversations.
When I use the Azure AD V2, I get the bad request while trying to login.
Please help. Thanks.
https://github.com/microsoft/BotBuilder-Samples/tree/master/samples/csharp_dotnetcore
used the BotAuthenticaionMSGraph project
Expected is, every user should be able to log in individually, and only his data shud be visible on the bot conversation distinctively.
I have tested the sample code and it works fine for both Azure AD V1 and V2.
I followed Azure AD v2 to configure it. Don't forget to enter Mail.Read Mail.Send openid profile User.Read User.ReadBasic.All for Scopes. It's different from Azure AD V1. Otherwise, it will return 400 bad request while trying to login.
I didn't reproduce the first issue. Could you tell where the other user opens the bot? From "Test in Web Chat"?
Update
You need to be aware that your are dealing with two user identities:
The user’s identity in a channel.
The user’s identity in an identity provider that the bot is
interested in.
See Security considerations. When a bot asks user A in a channel to sign-in to an identity provider P, the sign-in process must assure that user A is the one that signs into P. If another user B is allowed to sign-in, then user A would have access to user B’s resource through the bot.
To enable the protection, you need to configure trusted Origins and tamper-proof user IDs.
You can refer to the sample code.
And this blog Using WebChat with Azure Bot Service’s Authentication provides more detailed infomration.
I'm currently upgrading an application to enable multi-tenancy and B2B integration.
I got the following types of users working so far:
internal Azure AD users
external Azure AD users from another tenant
personal Microsoft account
users gmail users
I'm now trying to enable users from any domain to access my application by following this process:
Send invite to x#abc.com - this works
Redeem invite from x#abc.com inbox - this works and I successfully setup the associated Microsoft account
Login into my application using x#abc.com - this does NOT work and I get the following error:
AADSTS65005: Using application 'My Application' is currently not supported for your organization abc.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of abc.com before the application 'My Application' can be provisioned
In this case abc.com is an external partner. The external partners are dynamic and managed through the application via a 'domain white-list'. So I can have abc.com now, and later abcd.com, xyz.com, etc. The users from these white-listed domains are self-registering via an application URL.
Interestingly enough, gmail users work so I'm assuming there's an internal Azure AD white-list for the popular domain?
UPDATE:
The reason why the Gmail accounts are working is because they are indeed created as Microsoft accounts in my Azure AD. The abc.com domain accounts on the other hand are created as 'External Azure Active Directory' accounts. (source property)
UPDATE #2:
After a bit more research I found that it wasn't working because I was using the common endpoint which doesn't support guests.
More details here:
Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?
Now I switched to using my tenant specific endpoint like below:
Tenant specific endpoint: https://login.microsoftonline.com/{tenant-id}/v2.0
and I can login with the guest users from abc.com
However Microsoft accounts stopped working now.
AuthorizationCodeReceived = async (context) =>
{
...
var cca = new ConfidentialClientApplication(appId, redirectUri,
new ClientCredential(appSecret),
new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code);
},
await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code) fails with the following error:
ErrorCode: invalid_grant
Message=AADSTS50020: MSA guest token redemption attempt on v2 common endpoint.
How can I make it work with both guest users from custom domains (abc.com) AND existing Microsoft accounts?
Cause:
You didn't do user or admin consent for the Multi-tenant app for the abc.com tenant. Maybe the settings for that tenant doesn't allow users do consent, only admin can do it.
For a multi-tenant app, if users from another tenant want to use it, this may needs user or admin do consent for the application. Then the service principal will be automatically created in that tenant. So that users in that tenant can use the app.
You can see more details about user or admin consent for Multi-tenant app in this documentation.
Solution:
Try to add &prompt=admin_consentin your request to force admin consent. You need to use one admin account to log in and do admin consent. If you're the admin in that tenant, you can also Enable user can do consent in Enterprise Applications>User settings.
Please let me know if this helps!
I am attempting to use the passport-azure-ad library to authenticate users for my Node.js web application.
Accessing the sign in route I have configured in the app takes me to a Microsoft Azure sign in page (which is the expected behavior). However, when I sign in, I am taken to an error page (https://login.live.com/err.srf?lc=1033#error=unauthorized_client&error_description=The+client+does+not+exist.+If+you+are+the+application+developer%2c+configure+a+new+application+through+the+application+management+site+at+https://apps.dev.microsoft.com/.&state=H08LUScEDdzg92Cq8gujjtT5LPKJ4sNJ) that says "Client does not exist." However, I have supplied the client ID and the client secret matching the application ID and application secret generated by the Microsoft Azure Active Directory app registration for my app, so the app clearly does exist. Also, the apps.dev.microsoft.com link is broken.
How exactly can this problem be fixed?
Registering an app at the Azure Portal under App Registrations will create a standard Azure AD app. This app can sign in Azure AD users in your tenant, and in any Azure AD tenant if configured to be multi-tenant.
The error you have above is for the Microsoft Account STS. These are outlook.com, hotmail.com, live.com, etc accounts. Since your app is not registered in this system, the service doesn't recognize your app. If you would like to support these as well as Azure AD sign in, you need to register a converged app at the App Registration Portal.
Use the app configs from that site instead of the ones you got from the Azure Portal and this should resolve the error you're getting.