I'm trying to create an app hosted in Azure that (should) allow public login, as long as you have a Microsoft account. I don't care if it's a business or personal account. You just need to be able to log in. I'm creating a SPA and an API.
So I went to the Azure portal and created an app registration and configured the app reg to allow all users from within, or outside the organization with a valid personal or business Microsoft account.
Now the SPA is an Angular app and I use Damien Bod's OpenId library to log in. When I point the stsServer to my login endpoint (https://login.microsoftonline.com/{my-tenant-id}/v2.0) and log in, all works fine, except when I log in using an account outside the organization (for example my personal account).
I get receive the following error:
AADSTS50020: User account 'xxxx#xxxx.xxx' from identity provider 'https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'(App Name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Now the problem is that I simply don't want to add all these users, but allow them access to this app. How can I do that?
Thanks a bunch!
If you want to allow any account to sign in, you can't use your tenant-specific login endpoint.
You need to use the "common" endpoint: https://login.microsoftonline.com/common/v2.0.
This allows login with any Azure AD / Personal Microsoft account.
Related
I am trying to setup Azure AD integration with our partner identities. I have few providers that I need to support and they support SAML and WS-Fed. I am trying to use Azure AD External Identities to add these providers to my Azure AD tenant.
However, reading through this article, it seems like SAML integrations are invitation based.
I want users to be able to login without an invitation. How can I do this with Azure AD?
Here are my needs:
After adding the external idp, users should be able to login using their own credentails via their idp. No additional information needed to use an app.
I should be able to grant them access to custom apps (mandatory) and azure resources (optional)
Choose what idp's are allowed per app? (if possible)
Thanks in advance.
Question 1: After adding the external idp, users should be able to login using their own credentials via their idp. No additional information needed to use an app.
Answer:
We can implement Guest users redemption using direct link or a common endpoint instead of email invitation. A guest user clicks the app link, reviews and accepts the privacy terms, and then seamlessly accesses the app.
Using Common endpoint : Guest users can now sign in to your multi-tenant or Microsoft first-party apps through a common endpoint (URL), for example https://myapps.microsoft.com. Previously, a common URL would redirect a guest user to their home tenant instead of your resource tenant for authentication, so a tenant-specific link was required (for example https://myapps.microsoft.com/?tenantid=). Now the guest user can go to the application's common URL, choose Sign-in options, and then select Sign in to an organization. The user then types the name of your organization.
Using Direct Link: As an alternative to the invitation email or an application's common URL, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the Azure Portal or Powershell Then you can use any of the customizable ways to deploy applications to users, including direct sign-on links. When a guest uses a direct link instead of the invitation email, they’ll still be guided through the first-time consent experience.
Reference:
Add B2B guests without an invitation link or email - Azure AD
Invitation redemption in B2B collaboration - Azure AD
Question 2 : I should be able to grant them access to custom apps (mandatory) and azure resources (optional)
Answer: Add the Users as Guest to Azure active Directory but by default they will be sent an invitation even if they don’t open it you can assign an app in your enterprise application for them to use .
Most federated applications that support SAML 2.0, WS-Federation, or OpenID connect also support the ability for users to start at the application, and then get signed in through Azure AD either by automatic redirection or by clicking on a link to sign in. This is known as service provider-initiated sign-on, and most federated applications in the Azure AD application gallery
Reference:
End-user experiences for applications - Azure Active Directory
Quickstart: Add guest users in the Azure portal - Azure AD
To Provide the Guest user access to azure resources you can manually add a role to the users.
Question 3: Choose what idp's are allowed per app?
Answer: Create different user flows and add desired IDPs to the user flows and then assign applications registered in Azure AD to the user flows depending on which IDPs are needed for given application.
Reference:
Add a self-service sign-up user flow - Azure AD
Question 4: I added Okta as an External Identity using SAML in my Azure AD. Created an "App Registration" as multi-tenant. But I am getting this error.
AADSTS50020: User account 'xxx' from identity provider 'http://www.okta.com/xxxxx' does not exist in tenant '' and cannot access the application '0000000c-0000-0000-c000-000000000000'(Microsoft App Access Panel) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Solution: Please Ensure User is added to one of the Partner Admin Groups i.e. AdminAgents in the Partner tenant.
Reference:
Manage Auth access for cloud solution providers.
Question 5: Steps for setting self service signup for an application.
Test Scenario in my Lab
Azure AD with an application registered in application registrations blade.
Another AD tenant with users.
Step 1: In the above external identities collaboration settings please make sure to have enable guest user self service enabled.
If it is not enabled then you can’t create a self service flow and you will get the below error when a user from other tenant is trying to access the app.
Step 2: Create a user flow by going to the user flow blade and creating a new flow.
Step 3: After you have created the user flow , click on the User flow and go to application blade and click add application.
Now search for the application you want to provide the self service signup to and click on select and you will have now enable the self service sign up for users when they try to access your application.
Output:
Once the above settings are done you can access the url to your app. Provide the user of the different ad tenant and you will get output as below .Click on create a new one .
Once the user from other AD tenant have accepted it they are successfully registered as guest users in your tenant.
If they accept the above then they will be able to access the app from now as a guest.
My target is simple: use an Azure AD multi-tenant app to be able to call Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.
I created an Azure AD multi-tenant app using a company's tenant
Then created a test ASP.NET Core Web application which goes to a such URL:
The Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM, where the test Web app receives the callback with given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
The Multi-Tenant AAD App gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.
It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?
I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirm that a Service Principal gets created on the target tenant):
However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.
Should be done by hand - detecting a personal MS account and finding the association with AAD tenant, or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in Azure Portal)?
P.S. using URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("orgainzations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.
UPDATE
To demonstrate the problem, there are 4 tests were made to access resource "https://management.azure.com/" with a multi-tenant app:
Authorize Microsoft's "Microsoft Azure" app with v1 endpoint - it works with personal accounts:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize the same "Microsoft Azure" app with v2 endpoint - now it does not allow to use personal accounts:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v1 endpoint (insert your client id) - shows error AADSTS50020 "User account 'user#live.com' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v2 endpoint - same as test #2 - does not allow personal accounts.
Thoughts.
The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, where the v1 endpoint does.
Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allows to use personal accounts for the desired resource.
ANSWER
Long story short, it's not possible for general public as per Microsoft.
Only V2.0 endpoint supports personal account(even it doesn't belong to any Azure AD tenants) to login.
It works with personal account when you use v1.0 endpoint.
That's because that personal account belongs to at least one Azure AD tenant. Then this personal account will be recognized as a guest user in the tenant.
The v2 endpoint does not allow personal accounts for the resource
https://management.azure.com/
Yes, if you login in with personal account when you use v2.0 endpoint, it will detect that you belong to personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.
You must identify the tenant to login in with personal account when use v2.0 endpoint
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default
Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.
Update:
It is normal that you can't do that. You are not telling Azure AD that
the which tenant the MSA user is an external user, so Azure AD is
making a guess and checking in the tenant where the app is registered
(tenant A). If you expect external users to be able to sign in, you
must specify the tenant where the guest has previously been invited to
(e.g. tenant B).
I thougt this toggle in Azure would enable for external users to log in:
But when I log in from an external account, I get:
AADSTS50020: User account 'xx#xx.se' from identity provider 'https://sts.windows.net/123123/' does not exist in tenant 'YY' and cannot access the application 'sdfsdfs'(asdasd) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Do I have to manually add single accounts to let them login with Azure? Can't I open up for specific domains or all?
If you want users from the other organizations to login your application. There are four simple steps.
1.Update your application registration to be multi-tenant
2.Update your code to send requests to the /common endpoint
3.Update your code to handle multiple issuer values
4.Understand user and admin consent and make appropriate code changes
For more details, you can refer to https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant
I'm currently upgrading an application to enable multi-tenancy and B2B integration.
I got the following types of users working so far:
internal Azure AD users
external Azure AD users from another tenant
personal Microsoft account
users gmail users
I'm now trying to enable users from any domain to access my application by following this process:
Send invite to x#abc.com - this works
Redeem invite from x#abc.com inbox - this works and I successfully setup the associated Microsoft account
Login into my application using x#abc.com - this does NOT work and I get the following error:
AADSTS65005: Using application 'My Application' is currently not supported for your organization abc.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of abc.com before the application 'My Application' can be provisioned
In this case abc.com is an external partner. The external partners are dynamic and managed through the application via a 'domain white-list'. So I can have abc.com now, and later abcd.com, xyz.com, etc. The users from these white-listed domains are self-registering via an application URL.
Interestingly enough, gmail users work so I'm assuming there's an internal Azure AD white-list for the popular domain?
UPDATE:
The reason why the Gmail accounts are working is because they are indeed created as Microsoft accounts in my Azure AD. The abc.com domain accounts on the other hand are created as 'External Azure Active Directory' accounts. (source property)
UPDATE #2:
After a bit more research I found that it wasn't working because I was using the common endpoint which doesn't support guests.
More details here:
Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?
Now I switched to using my tenant specific endpoint like below:
Tenant specific endpoint: https://login.microsoftonline.com/{tenant-id}/v2.0
and I can login with the guest users from abc.com
However Microsoft accounts stopped working now.
AuthorizationCodeReceived = async (context) =>
{
...
var cca = new ConfidentialClientApplication(appId, redirectUri,
new ClientCredential(appSecret),
new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code);
},
await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code) fails with the following error:
ErrorCode: invalid_grant
Message=AADSTS50020: MSA guest token redemption attempt on v2 common endpoint.
How can I make it work with both guest users from custom domains (abc.com) AND existing Microsoft accounts?
Cause:
You didn't do user or admin consent for the Multi-tenant app for the abc.com tenant. Maybe the settings for that tenant doesn't allow users do consent, only admin can do it.
For a multi-tenant app, if users from another tenant want to use it, this may needs user or admin do consent for the application. Then the service principal will be automatically created in that tenant. So that users in that tenant can use the app.
You can see more details about user or admin consent for Multi-tenant app in this documentation.
Solution:
Try to add &prompt=admin_consentin your request to force admin consent. You need to use one admin account to log in and do admin consent. If you're the admin in that tenant, you can also Enable user can do consent in Enterprise Applications>User settings.
Please let me know if this helps!
I have registered a multi-tenant app in my Azure subscription. using this App, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error
Unfortunately, you cannot use a guest user to login Azure AD Graph Explorer for now.
I came across the same issue as yours long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice Page and the Azure Team will see it. I will also upvote for it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory which upn ends with .onmicrosoft.com
Solution 2: Try to use other tools to get access token with a guest user(this account also need to be an admin of that directory), such as postman. Then you can use Postman to call Azure AD Graph API. You can refer to this blog to use Azure AD Graph API with Postman.
Hope this helps!