I have a local AD Forest that is replicated to an AAD Tenant via AADConnect. All seems OK there, the locals users get replicated up to the Azure AD instance without issue.
I have a Win10 Desktop joined to the local domain, that is running A C# test app using MSAL and calling
app.AcquireTokenByIntegratedWindowsAuth(scopes);
This throws the exception
Microsoft.Identity.Client.MsalClientException
HResult=0x80131500
Message=Integrated Windows Auth is not supported for managed users. See https://aka.ms/msal-net-iwa for details.
From Microsoft's docs here this exception is thrown under these conditions:
This method relies on a protocol exposed by Active Directory (AD). If
a user was created in Azure Active Directory without AD backing
("managed" user), this method will fail. Users created in AD and
backed by AAD ("federated" users) can benefit from this
non-interactive method of authentication. Mitigation: Use interactive
authentication.
But my user isn't a "managed user", it's a user in AAD backed by a user in AD - just as it says is required.
Why am I getting this error if I'm not using a managed user?
Related
I am trying to get graph api access token in my c# application using GetAccessTokenForUserAsync().
It throws below error :
Error = invalid_grant
Error_description = "AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/--/'
does not exist in tenant 'ABC' and cannot access the application '--**-****'(xyz-app) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I tried to reproduce the same in my environment and got the same error as below:
The error usually occurs if the user and Application exists in the different tenants. Make sure to check the user exists in the Azure AD Application tenant. Try to sign-in and sign-out.
Check whether the sign-in URL you are making use is valid:
Multitenant applications
https://login.microsoftonline.com/organizations
Multitenant and personal accounts
https://login.microsoftonline.com/common
Personal accounts only
https://login.microsoftonline.com/consumers
Please check whether the guest user has been invited to the tenant like below:
Try clearing the browser cookies/log-in via Incognito.
You can also make use of domain_hint parameter which specifies from which domain Azure AD User should be from. You can configure from both client and server side.
If the issue still persists, please refer the below MsDoc:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory
I've registered a single application in Azure AD for the following reasons.
Azure AD SSO (From Any Azure AD directory)
Read users, groups, and their members
Provided following permissions and granted admin consent.
NOTE: We still depend on some of the Azure AD Graph API. So, we have added the legacy API permissions.
I can able to contact the Azure AD using REST API and get the user, groups and other information.
When I try to sign in to the application from any other directory, I'm getting the following consent screen. I can able to provide the consent and proceed to log in.
But, when I try to login into the same directory, I'm not getting the consent screen even when I logged in with the Azure AD admin. Stuck in the following screen.
When I register separate applications for SSO and REST APIs, this issue doesn't occur.
I would like to know why I'm stuck in the above screen when combining both SSO and REST API permissions.
• Please check whether the correct Azure AD roles have been assigned to your account ID, i.e., Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object through the as one of these is needed for you to access the application. Also, ensure that you have assigned your account ID the correct app role assignment for the admin consent to be allowed during the SSO signup process as below: -
You can check the app role assignments for your account ID through the Enterprise application blade and searching your application there, then opening it and selecting the users and groups blade, check the app role assignment that your account ID has to that application while also, giving ‘Azure Service Management’ api permissions for user_impersonification as below, thus ensuring that you account ID will be having correct API permissions.
Once, the above settings are configured correctly, you should be able to access the application through your admin credentials.
I am having difficulty logging in to a Microsoft site using my Azure AD (Work) account.
After successfully authenticating, I get the error:
AADSTS700016: Application with identifier '3075c070-b4d6-4bba-88c3-bcc51c74a2f4' was
not found in the directory '{my-directory}'. This can happen if the
application has not been installed by the administrator of the tenant
or consented to by any user in the tenant. You may have sent your
authentication request to the wrong tenant.
I have gone into my Azure AD tenant and searched for an application with that Id so I can add it, but it returns no results.
I am able to authenticate if I use an account that has a Microsoft Account, however, when I get to the Microsoft page, I get an error saying I need to log in using the same email account that the account was registered under.
Unfortunately, the work account I need to use does not have an associated Microsoft Account.
I think a solution to this would be to add the Application into my tenant, but not sure how to find the application with ID only.
I am afraid that you can not add the application into your tenant manually. When you successfully login in to this application, this application will exist in your tenant under enterprise application.
But it seems that this application only allows Microsoft account to login.
I have created a Web application in my local Azure AD which I can successfully use to authenticate members of my AD tenant with (using oAuth2 flow). Now I need to extend my supported scenarios to allow a global admin from an external Azure AD tenant to sign-up their company to use this application as well.
Based on the Microsoft Docs this scenario, Multi-Tenant, is supported...
Authentication Scenarios for Azure AD
Multi-Tenant: If you are building an application that can be used by users outside your organization, it must be registered in your company’s directory, but also must be registered in each organization’s directory that will be using the application. To make your application available in their directory, you can include a sign-up process for your customers that enables them to consent to your application. When they sign up for your application, they will be presented with a dialog that shows the permissions the application requires, and then the option to consent. Depending on the required permissions, an administrator in the other organization may be required to give consent. When the user or administrator consents, the application is registered in their directory. For more information, see Integrating Applications with Azure Active Directory.
From my reading it appears that at some point a global admin for the foreign tenant should be presented with a URL which they can follow ( login.microsoftonline.com/common/??? ) which will somehow cause the external application to precipitate like a morning dew into their Azure AD. However, if this is the correct approach I would appreciate a tokenized example of how one correctly builds the login URL for a multi-tenant external Azure AD application which a group admin can follow to allow access in their AzureAD.
Ok, through trial and failure I have found the solution. The group admin for the remote tenant needs to be provided with the following URL which will allow them to register your Azure AD application as an Enterprise Application in their tenant.
https://login.microsoftonline.com/{remoteTenantUrl.com}/adminconsent?client_id={YourAppsClientID}&redirect_uri={YourAppsCallbackPage}
We have a Web App secured with Azure AD B2C using custom Identity Experience Framework policies to allow users to register and sign in with social identities (Microsoft, Google, Facebook), or with an identity from another federated Azure AD instance, or with 'local' Email / Password accounts.
All the social accounts and the Federated AD work correctly. Sign up and sign in with Email/Password was working correctly, but we are now experiencing an error. We haven't knowingly made any changes to our Email/Password configuration since this was last known to be working, so we're not sure how this has happened.
The issue is: Sign Up with a new Email Address works correctly, and after the process completes, the user is correctly logged-in, and their account appears in the directory. If the user signs out, however, then any attempt to sign back in again fails:
(Email address shown is not the actual one. Error has been repeated by multiple users with new and old email/password combinations.)
Digging into the portal, the underlying error is revealed as:
70001 The application named X was not found in the tenant named Y. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
This error appears sometimes to be related to a failure to grant permissions to an application in the portal. We have tried removing and reinstating all permissions, and re-granting permissions. This has not solved the issue.
Does anyone know what could be causing this issue, and in particular why sign up / sign in works correctly, but returning sign in does not?
UPDATE:
Just to confirm that we have the IEF and Proxy IEF apps configured in the AD directory:
And we have the login-NonInteractive technical profile configured in TrustFrameworkExtensions.xml:
Having wired up Application Insights (following these instructions https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom), we're able to get to this more detailed error:
AADSTS70001: Application with identifier
'ProxyIdentityExperienceFrameworkAppID' was not found in the directory
weapageengine.onmicrosoft.com
The only place 'ProxyIdentityExperienceFrameworkAppID' appears in any of our custom policies is shown in the XML snipped above, but this seems correct as per the documentation here: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 - unless we are meant to update those 'DefaultValue' attributes as well?
Resolution:
As per the answer below, it is necessary to update both the Metadata and the default values with the relevant app ids. Worth noting that in the GitHub sample https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 the boilerplate values are differently cased, leading to our missing one in a replace-all:
The local account sign-in authenticates the end user against the Azure AD B2C directory and then reads the user object from it.
The local account sign-up and the social account sign-in do not authenticate the end user against the Azure AD B2C directory. The local account sign-up writes the user object to it. The social account sign-in delegates authentication to the social identity provider and then either writes the user object to the Azure AD B2C directory if the user object does not exist or reads the user object from the Azure AD B2C directory if the user object does exist.
To enable authentication of the end user by the local account sign-in against the Azure AD B2C directory, you must add the Identity Experience Framework applications to the Azure AD B2C directory and then configure these IEF applications with the login-NonInteractive technical profile.
The local account sign-up and the social account sign-in do not require these applications.