Does Resource Owner Password Credentials (ROPC) work with "ad hoc" users? - azure

I'm trying to wrap my head around the limitations of the ROPC authentication flow.
If I set up an Azure app, can I then sign in any user that has an Office 365 account using the ROPC flow, or do I need to add the user to my Azure app first?
In this documentation, Microsoft says that
ROPC supports local accounts only. Users can’t sign in with federated identity providers like Microsoft, Google+, Twitter, AD-FS, or Facebook.
I'm not sure what they mean by "local accounts"? Is that an account that has already been added as a user to my Azure app?

A local account is an account that was originally created in that AAD tenant.
Any invited guest user does not count.
Though I have heard of ROPC sometimes working with AD users who have been synced (which are technically not local users), that depended on the setup.
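To see what the "local accounts only" restriction looks like on the wire, here is an added example (not code from the question or the answer) that builds a v2.0 ROPC token request and classifies the token endpoint's reply by its AADSTS code. The endpoint shape and form fields follow the Microsoft identity platform ROPC grant; the tenant, client id, credentials and the two JSON error bodies are constructed samples, not captured responses.

```python
"""Build a v2.0 ROPC token request and classify the token endpoint's reply.

Added example; not code from the original question or answer. The endpoint
and form fields follow the Microsoft identity platform ROPC grant. Tenant,
client id, credentials and the JSON replies below are constructed samples.
"""
import json
import re
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Every AAD error_description starts with the stable AADSTS code; the text
# after it changes between releases, so key handling on the code only.
AADSTS_RE = re.compile(r"\b(AADSTS\d{5})\b")
# Tenant aliases that never work for ROPC: the grant has no browser step in
# which the user could pick a home directory, and personal accounts (the
# /consumers audience) are not supported by ROPC at all.
_UNSUPPORTED_TENANTS = {"common", "consumers"}


def build_ropc_request(tenant, client_id, username, password, scopes):
    """Return (url, form_body) for a ROPC token request against `tenant`.

    `tenant` is a tenant id, a verified domain, or 'organizations'.
    """
    if tenant in _UNSUPPORTED_TENANTS:
        raise ValueError(f"ROPC does not support the /{tenant} endpoint")
    form = {
        "client_id": client_id,
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(form)


def classify_token_response(status, body):
    """Summarise a token endpoint reply as a dict with an `ok` flag.

    On failure the AADSTS code is extracted so callers can distinguish a
    bad password (AADSTS50126) from an account the tenant has never heard
    of (AADSTS50034), which is the failure a non-local user produces.
    """
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {"ok": True, "token_type": data.get("token_type"),
                "scopes": data.get("scope", "").split()}
    match = AADSTS_RE.search(data.get("error_description", ""))
    return {"ok": False, "error": data.get("error"),
            "aadsts": match.group(1) if match else None}


# Constructed sample replies (shape of a real AAD error body, ids made up).
SAMPLE_USER_NOT_FOUND = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50034: The user account does not exist in "
                         "the 11111111-2222-3333-4444-555555555555 directory.",
    "error_codes": [50034],
})
SAMPLE_BAD_PASSWORD = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to "
                         "invalid username or password.",
    "error_codes": [50126],
})

if __name__ == "__main__":
    url, body = build_ropc_request(
        "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
        "alice@contoso.onmicrosoft.com", "s3cret",
        ["https://graph.microsoft.com/.default"])
    print(url)
    print(body)
    print(classify_token_response(400, SAMPLE_USER_NOT_FOUND))
    print(classify_token_response(400, SAMPLE_BAD_PASSWORD))
```

The request is deliberately never sent here; in practice you would POST `body` to `url` with `Content-Type: application/x-www-form-urlencoded` and feed the status and response text into `classify_token_response`. Keying on the AADSTS code rather than the message text is what keeps detection and error handling stable across Azure AD releases.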

Related

How can I invite Guest Users to the Azure B2C Platform and provide them access to the application?

I have a requirement where we want users to use their social accounts to log in to our application (i.e. get an ID Token) through Azure B2C. I configured the Identity Provider and created a user flow for Sign in only. We don't want users to Sign Up because that is through invitation only. When I use "Invite User" for the live.com account and the user accepts the invitation and tries to log in to the application, I get the below error.
AADB2C99002 User does not exist. Please sign up before you can sign in.
But the user exists as a Guest User.
When I allow Sign up and the user actually does the Sign-up and then logs in, it works.
Questions:
Why isn't the Guest User allowed to access the application? What needs to be done for the same to work?
If it's not possible, I don't want the user to be a "member" to avoid maintaining their credentials. I want the users to use their social accounts only.
As I don't have the requirement of self sign-up and the only invitation-based, how do I achieve my requirement?
Thanks,
Neel
Please see the Overview of user accounts in Azure Active Directory B2C.
Guest account - A guest account can only be a Microsoft account or an Azure Active Directory user that can be used to access applications or manage tenants.
Consumer account - A consumer account is used by a user of the applications you've registered with Azure AD B2C. Consumer accounts can be created by:
The user going through a sign-up user flow in an Azure AD B2C application
Using Microsoft Graph API
Using the Azure portal
A guest account is specifically distinguished from a consumer account, so a guest user can't sign into a B2C application directly.
Your three questions are actually the same question: how to log in a social account without managing its credentials?
Please refer to Add an identity provider to your Azure Active Directory B2C tenant.
In order to let live.com account sign in, you need to Set up sign-in with a Microsoft account using Azure Active Directory B2C. Choose the policy type (User flow or Custom policy) you want to find the corresponding steps.
If you need your customers from other social IdPs such as Facebook, Google and so on, you can find the corresponding article on the left.

MSAL: Support login of non-work accounts to be able to perform Azure actions

I want to allow people to use some deployments tools to perform actions in their Azure environments.
We currently have a working MSAL.js solution for supporting work accounts to be able to login and acquire the scope https://management.azure.com/user_impersonation using an AAD app.
To move to supporting non-work accounts we:
Verified our application is set to allow all types of accounts
Changed the endpoint used for logins from /organizations to /common
Unfortunately, despite the /common, it says we need to use a work or school account when we provide something like a #gmail account.
Without being able to acquire a permission scoped to this API we can't list the tenants someone has access to so that we can proceed. It seems really backward and poor UX to have a workaround of needing their tenant ID to be manually provided and changing our login endpoint. Previously we simply assumed it's whatever tenant their AAD account is part of, but a default login acquisition only returns the tenant id of the app.
Reproducible example
You can see this behaviour with a Microsoft demo application.
OpenID works with a personal email
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=openid&state=12345
Azure scope does not work
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=https://management.azure.com/user_impersonation&state=12345
What is the right combination of login endpoints and scopes (or multiple steps!) needed to be able to support user impersonation of non-work accounts for acting in Azure?
PS Older Q in a similar vein indicates this may not be possible which is exceedingly frustrating.
Make sure that your AAD application (6731de76-14a6-49ae-97bc-6eba6914391e) is registered as "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
You can also switch the existing AAD application to this type by modifying the manifest file: set "signInAudience": "AzureADandPersonalMicrosoftAccount".
This will allow personal accounts to sign in.
UPDATE:
Sorry, my bad. Azure resources should only be available to work accounts. A personal account cannot access Azure resources because it doesn't have an Azure subscription. When a personal account is added into a tenant as a guest, it will be treated as a work account.
If you click on the Try it -> Sign in in this page, you will be redirected to this url: https://login.microsoftonline.com/common/oauth2/authorize?client_id=7f59a773-2eaf-429c-a059-50fc5bb28b44&redirect_uri=https%3a%2f%2ftoken.learn.microsoft.com%2fsignin-oidc&resource=https%3a%2f%2fmanagement.core.windows.net%2f&response_type=code+id_token&******************.
This is the v1.0 endpoint, which doesn't support personal accounts.
So for the v2.0 endpoint, if you set the AAD application type as Accounts in any organizational directory (Any Azure AD directory - Multitenant) or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) and use the organizations or common endpoint, it will treat your account as a personal account by default, thus preventing you from logging in.
Currently the only way to implement it is to use the v1.0 endpoint like this:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=19xxxxxx-68ed-433c-a2c5-5f5cxxxxxx05&response_type=code&redirect_uri=https://localhost/&response_mode=query&resource=https://management.azure.com/&state=12345
Remember to specify the AAD application as Accounts in any organizational directory (Any Azure AD directory - Multitenant) to avoid the account being recognized as a personal account.

Azure B2C: Enable other devs to access B2C Tenant via their Microsoft Accounts

I have set up an Azure B2C tenant using this tutorial.
This creates a new AD for B2C that is separate from our company AAD (if I try to add B2C on the company's main Azure AD, it states it is 'not a B2C tenancy', so I went with the tutorial and created a new B2C tenancy).
When I (the creator of the B2C tenant) log in, I can access the company AAD and the B2C Tenant (details obfuscated). My standard Office365 shows both.
However, other developers in the team can't see the B2C Tenant.
I want them to be able to access it via their Office365 credentials.
Looking online, I found this and this, but they both seem to be about logging people from your company AAD into your app, rather than inviting other devs as administrators. I tried the former to get a developer's records in the User table, but after giving them rights, they still cannot see the B2C Tenant.
I then tried to Add A Connected Organisation, but I still can't access people from the main tenant to give them access.
The Invite users from the Portal doesn't seem to offer the choice of a Microsoft Login. If I try 'Create User', the domain doesn't show and 'Invite User' seems to make them Guests with non-work logins.
I don't want to set the devs up with 'non-work' logins, as that seems a bit messy.
How do I add other developers from the company AAD to my B2C Tenant using their work credentials (Office365/Azure AD) so they too can also administer the application?
You need to choose Guest User, then Invite User, and after providing the user information assign the role Application Administrator or Global Administrator. Once you invite them, the user will receive an invitation to access the B2C tenant. They can access the B2C tenant with their own credentials.

Does Azure B2B using a Google ID (e.g. Federation) still require an object to be created in Azure AD

I saw a post today on LinkedIn saying Azure B2B now accepts Google IDs (e.g. people with a Gmail account).
It said this is achieved via federation (using Google as the identity provider).
As far as I am aware you have been able to do this for a while (or was that because it was in public preview), whereby someone could enter their Gmail account but in the background (after the simple onboarding process was completed) this Gmail account is linked to a placeholder Azure AD account (represented by a GUID).
So in the announcement that Azure AD now accepts Google IDs, is this the case where a preview service is now mainstream? Or is this something new?
My main question is below
As far as I understand federation (please correct me if I am wrong), although your own identity provider together with your own STS (secure token service, which is trusted by the relying party) provides you with a token (signed SAML/JWT) which is then presented to the relying party's STS (which then creates its own token from the information in the token you provided), you still need an instance of an object (user/group etc.) in the relying party's system to check if said instance is allowed access to a resource based on the token (looking at the ACL on the resource and the information in the token). So although the relying party does not need to maintain the user's password to authenticate them (done by the trusted identity provider), an instance of an object still needs to be created/exist on the relying party's system to match the token information (e.g. group membership) to the ACL on the actual object being accessed.
Is the above correct?
Thanks very much
A User is always created in Azure AD, as it is in this case as well.
This applies to users created in Azure AD, synced from on-prem AD, invited from other AAD tenants, personal MS accounts, and now Gmail accounts.
Before Google B2B, if you invited a Gmail user, a personal Microsoft account would be created for them in the background, which would then be added as a Guest in the AAD tenant.
Now if you enable Google B2B, when you invite a Gmail user, they'll log in on the Google login page instead of the AAD login page.
So now instead of creating an MS account invisibly, the Google account itself is added as a Guest User, and AAD relies on Google to authenticate the user.

Azure multitenant app cant access

I try to log in to an Azure AD web app, and when I do it with a user inside my tenant it's OK,
but when another user logs in I get
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'a1eda862-65fb-4f90-8482-06151f5c7abc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Login Url :
https://login.microsoftonline.com/common/oauth2/authorize?client_id=a1eda862-65fb-4f90-8482-06151f5c7abc&response_type=id_token+code&redirect_uri=http://localhost:44302/&response_mode=form_post&scope=openid+profile&state=12345&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7&resource=https://management.azure.com/
Tenant settings
A few things to check:
Based on the error you shared, it seems you're logged in with some Microsoft account like live.com/hotmail etc. Are you doing that intentionally, or did you just happen to be logged in and get confused by that? If you do want to log in with a Microsoft account other than a usual organizational account, then as the error says, you need to add that account to your Azure AD tenant as an external user.
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant
For any other organizational user, i.e. a user from a different Azure AD tenant than the one where this application is registered, you will first need to go through the consent process. You may or may not have done it already.
More details on that process here - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent
Issue:
You wanted to use a personal account within a multi-tenant application to get a token for the "https://management.core.windows.net" API
Scope:
We will focus on this issue and consider it resolved once we provide you with the reason that personal accounts cannot be used against a v1 multi-tenant application.
Alternatively, we will consider this case resolved if we confirm that the problem is caused by a third-party application or is by-design.
This agreed resolution statement describes the specific conditions where we will close this case. Please let me know if you do not agree with this scope.
Cause:
For multi-tenant applications in v1 you can only use an organizational account and not a personal one. That happens because personal ones are authenticated by the "Live" endpoints and not by Azure endpoints, and also because we are sending the user to the "common" endpoint, where we do not know in which directory you want to sign in.
Resolution:
Having a multi-tenant application and signing in users with personal and organizational accounts can be covered by the Azure AD v2 endpoints; nevertheless, v2 has some limitations right now, and one of them is that you can only get a token for the Microsoft Graph API and not for https://management.core.windows.net. We plan to implement all APIs that are available in v1 also in v2, but as for now it cannot be used to acquire a token for such an API.
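Both this answer and the earlier MSAL answer turn on two things you can read straight off a token: which endpoint (v1.0 or v2.0) issued it, and whether the signed-in account is a guest authenticated by another identity provider (for a Microsoft account, `idp` is `live.com`). The following is an added example, not code from any of the posts. It decodes the JWT payload without verifying the signature, so it is only for debugging issuer/audience problems and must never be used to trust a token; the tenant id, user names and tokens are constructed samples, while the claim names and issuer formats are the documented Azure AD ones.

```python
"""Report which Azure AD endpoint issued a token and whether the signed-in
account is a guest from another identity provider.

Added example for the two answers above; not code from either post. It
decodes the JWT payload WITHOUT verifying the signature, so it is for
debugging issuer/audience mismatches, never for trusting a token. Claim
names and issuer formats are the documented Azure AD ones; the tenant id,
user names and tokens below are constructed samples.
"""
import base64
import json

V1_ISSUER_PREFIX = "https://sts.windows.net/"            # v1.0: .../{tid}/
V2_ISSUER_PREFIX = "https://login.microsoftonline.com/"  # v2.0: .../{tid}/v2.0


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def make_unsigned_jwt(claims):
    """Constructed, unsigned JWT (alg 'none') used only as sample input."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return header + "." + _b64url_encode(claims) + "."


def describe_token(jwt):
    """Return endpoint version, tenant, audience and guest/personal flags.

    No signature check is performed: the result tells you what the token
    claims about itself, which is all you need to diagnose "wrong endpoint"
    or "personal account in a work-only app" failures.
    """
    _header, payload, _signature = jwt.split(".")
    claims = _b64url_decode(payload)
    iss = claims.get("iss", "")
    if iss.startswith(V1_ISSUER_PREFIX):
        version = "v1.0"
    elif iss.startswith(V2_ISSUER_PREFIX) and iss.endswith("/v2.0"):
        version = "v2.0"
    else:
        version = "unknown"
    # `idp` is only emitted when the authenticating provider differs from the
    # issuing tenant (i.e. guests); for a Microsoft account it is 'live.com'.
    idp = claims.get("idp")
    return {
        "version": version,
        "tenant": claims.get("tid"),
        "audience": claims.get("aud"),
        "guest": idp is not None and idp != iss,
        "personal_account": idp == "live.com",
    }


# Constructed samples: a v1.0 token for a member of the tenant and a v2.0
# token for a Microsoft-account guest in the same tenant, both for ARM.
TENANT = "11111111-2222-3333-4444-555555555555"
MEMBER_V1 = make_unsigned_jwt({
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/" + TENANT + "/",
    "tid": TENANT, "ver": "1.0",
    "upn": "alice@contoso.onmicrosoft.com",
})
GUEST_V2 = make_unsigned_jwt({
    "aud": "https://management.azure.com/",
    "iss": "https://login.microsoftonline.com/" + TENANT + "/v2.0",
    "tid": TENANT, "ver": "2.0", "idp": "live.com",
    "preferred_username": "bob_outlook.com#EXT#@contoso.onmicrosoft.com",
})

if __name__ == "__main__":
    for label, token in (("member v1.0", MEMBER_V1), ("MSA guest v2.0", GUEST_V2)):
        print(label, describe_token(token))
```

Run `describe_token` on the access token MSAL hands back: a `version` of `v1.0` with the `resource=` style request matches the workaround in the MSAL answer, and `guest` plus `personal_account` being true is the "personal account added as a guest is treated as a work account" case. If `tenant` is missing or `version` is `unknown`, the token did not come from Azure AD at all and the application registration or authority is wrong.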
