I want to allow people to use some deployments tools to perform actions in their Azure environments.
We currently have a working MSAL.js solution for supporting work accounts to be able to login and acquire the scope https://management.azure.com/user_impersonation using an AAD app.
To move to supporting non-work accounts we:
Verified our application is set to allow all types of accounts
Changed the endpoint used for logins from /organizations to /common
Unfortunately despite the /common it says we need to use a work or school account when we provide something like an #gmail account.
Without being able to acquire a permission scoped to this API we can't list tenants someone has access to so that we can proceed. It seems really backward & poor UX to have a workaround of needing their tenant ID to be manually provided and changing the our login endpoint. Prior we simply made the assumption that it's whatever tenant their AAD account is part of but a default login acquisition only returns the tenant id of the app.
Reproducible example
You can see this behaviour with a Microsoft demo application.
OpenID works with a personal email
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=openid&state=12345
Azure scope does not work
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=https://management.azure.com/user_impersonation&state=12345
What is the right combination of login endpoints and scopes (or multiple steps!) needed to be able to support user impersonation of non-work accounts for acting in Azure?
PS Older Q in a similar vein indicates this may not be possible which is exceedingly frustrating.
Make sure that your AAD application (6731de76-14a6-49ae-97bc-6eba6914391e) is registered as "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
You can also switch the existing AAD application to this type by modifying the manifest file: set "signInAudience": "AzureADandPersonalMicrosoftAccount".
This will allow personal account to sign in.
UPDATE:
Sorry my bad. Azure resources should be only available to work account. Personal account cannot access Azure resources because it doesn't have Azure subscription. When a personal account is added into a tenant as the guest, it will be treated as work account.
If you click on the Try it -> Sign in in this page, you will be redirected to this url: https://login.microsoftonline.com/common/oauth2/authorize?client_id=7f59a773-2eaf-429c-a059-50fc5bb28b44&redirect_uri=https%3a%2f%2ftoken.learn.microsoft.com%2fsignin-oidc&resource=https%3a%2f%2fmanagement.core.windows.net%2f&response_type=code+id_token&******************.
This is v1.0 endpoint which doesn't support personal account.
So for v2.0 endpoint, if you set AAD application type as Accounts in any organizational directory (Any Azure AD directory - Multitenant) or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) and use organizations or common endpoint, it will treat your account as a personal account by default, thus preventing you from logging in.
Currently the only way to implement it is to use v1.0 endpoint like this:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=19xxxxxx-68ed-433c-a2c5-5f5cxxxxxx05&response_type=code&redirect_uri=https://localhost/&response_mode=query&resource=https://management.azure.com/&state=12345
Remember to specify the AAD application as Accounts in any organizational directory (Any Azure AD directory - Multitenant) to avoid the account being recognized as a personal account.
Related
I have created a webapp on Azure and have set the authentication mode to;
"Accounts in any organizational directory (Any Azure AD directory -
Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use
your application or API. This includes Office 365 subscribers."
It works perfectly for me and my colleges, and it works also for personal Microsoft accounts.
I am now trying to login users on a different Azure AD, but these cannot login. Here is the login log of an attempt taken from their AD. A similar message was displayed to the user onscreen
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
the sole purpose of the webapp is to get an Azure/MS verified email address of the user and perform a lookup in a user database.
Preferably this should be achieved without need the "other azure AD" admins to do anything on their end. But if need be this can be asked. I just don't know what to ask.
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
This error usually occurs for many reasons. Please check if below are helpful:
Case1:
Please check if your sign-in URL is something like this:
https://login.microsoftonline.com/<tenant_id>/
If it is like that, you may get error as you selected this option: “Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)” and users from other organizations can't access the application.
To resolve that error, try to change the sign-in URL as
https://login.microsoftonline.com/common
Apply this URL value in Authority Setting in your application code.
To know how to do that in detail, go through this link.
Case2:
There is also a possibility where the user has active session already signed in using different personal account other than Microsoft. To confirm this scenario, check User Account and Identity Provider values in error message.
To resolve that error, inform the user to sign out from their active session and sign in again from different browser or private browser session. Otherwise ask them to clear the cookies and cache, sign in as new.
If still the error won’t resolve means, please go through below reference if it is helpful.
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory | Microsoft Docs
We deleted an "unused" user in our Azure AD. Deleting both the MS account as well as removing him from the AD. Now, a few days into the 60 day deletion process (of the MS account) we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess it is was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is no-where to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue but the user is a global admin again:
Additional information from the call to get a token: Extension:
Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020:
User account '{EmailHidden}' from identity provider 'live.com' does
not exist in tenant 'Default Directory' and cannot access the
application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account
needs to be added as an external user in the tenant first. Sign out
and sign in again with a different Azure Active Directory user
account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25
14:44:18Z
We've also tried logging in with multiple other global admins but no-one can access that page or find the application using the id it has. Is there something to be done maybe using Powershell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the New changes made in the Azure portal app registration
In the new experience, if your personal Microsoft account is also in
an Azure AD tenant, you will see three tabs--all applications in the
tenant, owned applications in the tenant as well as applications from
your personal account. So, if you believe that apps registered with
your personal Microsoft account are missing, check the Applications
from your personal account tab.
When you sign in using personal Microsoft accounts(e.g. Outlook, Live,
Xbox, etc.) with an Azure AD email address, we found out that when you
go to the Azure portal from the old experience, it signs you into a
different account with the same email in your Azure AD tenant. If you
still believe your applications are missing, sign out and sign in with
the right account.
The new app list shows applications that were registered through the
legacy app registrations experience in the Azure portal (apps that
sign in Azure AD accounts only) as well as apps registered though the
Application registration portal (apps that sign in both Azure AD and
personal Microsoft accounts).
If you know the application ID you can restore using Powershell
The error is due to using the v1 endpoint url. You need to use V2 endpoints in order to allow access from personal microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
I am new to Azure AD B2B, I created an Application in Azure Active Directory.
Home -> Default Directory -> App registrations -> New Registration and selected an audience as **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) **
the problem is all school or personal accounts(whether assigned or not to the application) are autenticated using Microsoft.Identity.Client liberary and token is generated, but I wanted to restrict the users from accessing it. All the assigned users can only access the application. But its not happening even I set user assignment required option to YES. Any iser who is not even assign to the applpication is getting authenticated and token is generated insted and error message should be thrown that permission is not granted.
Note: I am using Xamarin.Forms as a client application
The result sounds logical.
You said any Azure AD tenant / personal account can access the app.
So any account is allowed access.
User assignment required only applies to your AAD tenant.
When a personal account signs in, they sign in with their personal account and your AAD tenant is never involved.
If you want control over who accesses the app,
you need to change the app to single-tenant (i.e. only allow accounts from this directory).
I try login to Azure AD web app and when i do it with user inside my tenant its ok,
but when login other user i get
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'a1eda862-65fb-4f90-8482-06151f5c7abc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Login Url :
https://login.microsoftonline.com/common/oauth2/authorize?client_id=a1eda862-65fb-4f90-8482-06151f5c7abc&response_type=id_token+code&redirect_uri=http://localhost:44302/&response_mode=form_post&scope=openid+profile&state=12345&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7&resource=https://management.azure.com/
Tenant settings
Few things to check -
Based on the error you shared, it seems you're logged in with some Microsoft account like live.com/hotmail etc. Are you doing that intentionally or just happened to be logged in and getting confused by that? If you do want to login with a Microsoft account other than a usual organizational account, then as the error says, you need to add that account to your AzureAD tenant as an external user.
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant
For any other organizational user, i.e. user from a different AzureAD tenant than the one where this application is registered, you will first need to go through the consent process. You may have done it already or not.
More details on that process here - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent
Issue:
You wanted to use a personal account within a multi-tenant application to get a token for the "https://management.core.windows.net" API
Scope:
We will focus on this issue and consider it as resolved once we provide you with the reason that Personal accounts cannot be used against a v1 multi-tenant application.
Alternatively, we will consider this case resolved if we confirm that the problem is caused by a third-party application or is by-design.
This agreed resolution statement describes the specific conditions where we will close this case. Please let me know if you do not agree with this scope.
Cause:
For multi-tenant applications in v1 you can only use an organizational account and not a personal one. That happens because for personal ones you will be logged authenticated by the “Live” endpoints and not by Azure endpoints, also because we are sending the user to the “common” endpoint and in there we do not know in which directory you want to sign in.
Resolution:
Having a multi-tenant application and sign-in users with personal and organizational accounts can be covered by the Azure AD V2 endpoints, nevertheless the v2 has some limitations right now and one of them is that you could only get a token for Microsoft Graph API and not for https://management.core.windows.net. We plan to implement all APIs that are available in v1 also in v2, but as for now cannot be used to acquire a token for such API.
I am trying to create a multi-tenant application in Azure AD, which can login all users like Microsoft live/hotmail and also get the access permissions to access their management resource apis. I can get work accounts from other domain login but not live account. I get this error-
User account 'mitesh_***#live.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '382dfccb-33af-4567-90cd********' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I have heard of MSAL v2 endpoint to login both type of accounts, but I heard that this endpoint doesnt support permissions to access Resource management libraries yet.
Is there any way to achieve this with ADAL or any other way?
Thanks,
Mitesh
The azure ad v2.0 endpoint supports both personal Microsoft accounts and work accounts from Azure Active Directory . But the v2.0 endpoint issues access tokens only for:
-The app that requested the token. An app can acquire an access token for itself, if the logical app is composed of several different components or tiers.
-The Outlook Mail, Calendar, and Contacts REST APIs, all of which are located at https://outlook.office.com.
-Microsoft Graph APIs. You can learn more about Microsoft Graph and the data that is available to you.
v2.0 endpoint doesn't support management apis .And azure ad v1.0 endpoint it supports work accounts unless Microsoft accounts are added as an external user in the tenant first . In my opinion , currently there is no other ways or workaround to achieve your requirement .