I have Angular 9 client calling Azure Functions. I started off with msal-angular package using "implicit grant flow" for authentication, and that worked fine.
My client app registration in Azure has its Authentication set to "Accounts in this organizational directory only (Default Directory only - Single tenant)". I can't change this setting as the app will only be available to company users.
I'm using my personal Microsoft account with Gmail username (e.g.: user#gmail.com). This account is a "Guest" in Azure AD, so far, so good.
I'm moving away from msal-angular and implementing PKCE authentication flow.
I'm using angular-auth-oidc-client package. My stsServer and authWellknownEndpoint are set to https://login.microsoftonline.com/[tenant-id]/v2.0 (turned out to be the problem, see update at the bottom)
Here are the login scenarios I'm having issues with:
When I use my user#gmail.com, I get "unauthotized_client ..." error right after I enter my username
When I use my UPN (e.g.: user#gmail.com#EXT##our_ad_owner.onmicrosoft.com) I get to the password prompt, but my Microsoft password doesn't work. I understand why it doesn't work (that password has nothing to do with AD), but I can't figure out how to set AD password for that account.
When I try to reset my password in AD, it tells me that "user#gmail.com is a Microsoft account that is managed by the user. Only user#gmail.com can reset their password for this account."
Any help with setting AD password for my UPN would be appreciated. I would also like to know if it's possible to login with my actual email address, and not UPN.
UPDATE: The problem was with angular-auth-oidc-client setup, authWellknownEndpoint was set to https://login.microsoftonline.com/common/v2.0, after I changed it to https://login.microsoftonline.com/[tenant-id]/v2.0 it worked!
You get the first error because you are using https://login.microsoftonline.com/common/v2.0 as the authority. It treats your account as personal account rather than the guest account in your tenant. But your Azure AD app is configured as Accounts in this organizational directory only (Default Directory only - Single tenant), which is not supported for consumers (personal account). See the reference here.
So you should use https://login.microsoftonline.com/{your tenant id}/v2.0 as the authority. Then it will allow your user#gmail.com to sign in.
Related
We have an existing Azure subscription where we run our processing infrastructure. We are setting up a new app to run in the same space, but with a Azure Active Directory B2C. We have the setup working and can create new customer users that can sign in.
We have been unable to determine how to have our own users in the existing company subscription sign in to the new app (powered by the AD B2C) with the same user/email/password.
We think the answer lies somewhere between single sign on and proxy user principal names?
We should also point out that when setting up the AD B2C, an administrator user was set up for the person that set it up. Their account has an issuer of ExternalAzureAD and their user principal name is pretty much their email as a suffix on the active directory domain. Although this user is "linked" (?) to the original user in our original AD, it has a different password, etc. So also not quite what we are looking for. Ideally this user would sign into the B2C with their actual email and password (the same one used in the non B2C original AD).
I tried to reproduce the same in my environment like below:
To allow the users to login with Azure AD credentials, make sure to register the Azure AD B2C application by selecting Accounts in any organizational directory (Any Azure AD directory - Multitenant)
To sign-in to the Azure AD B2C application, try using below authorize and token endpoints accordingly:
Note that, organizations endpoint will allow tenant-level login.
I created an Azure AD user like below:
When I tried to login to the Azure AD B2C Application through Azure AD user credentials, I am able to login successfully.
And the decoded access token contains Azure AD user information like below:
I have created a webapp on Azure and have set the authentication mode to;
"Accounts in any organizational directory (Any Azure AD directory -
Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use
your application or API. This includes Office 365 subscribers."
It works perfectly for me and my colleges, and it works also for personal Microsoft accounts.
I am now trying to login users on a different Azure AD, but these cannot login. Here is the login log of an attempt taken from their AD. A similar message was displayed to the user onscreen
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
the sole purpose of the webapp is to get an Azure/MS verified email address of the user and perform a lookup in a user database.
Preferably this should be achieved without need the "other azure AD" admins to do anything on their end. But if need be this can be asked. I just don't know what to ask.
User account '{email}' from identity provider '{idp}' does not exist
in tenant '{tenant}' and cannot access the application
'{appId}'({appName}) in that tenant. The account needs to be added as
an external user in the tenant first. Sign out and sign in again with
a different Azure Active Directory user account.
This error usually occurs for many reasons. Please check if below are helpful:
Case1:
Please check if your sign-in URL is something like this:
https://login.microsoftonline.com/<tenant_id>/
If it is like that, you may get error as you selected this option: “Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)” and users from other organizations can't access the application.
To resolve that error, try to change the sign-in URL as
https://login.microsoftonline.com/common
Apply this URL value in Authority Setting in your application code.
To know how to do that in detail, go through this link.
Case2:
There is also a possibility where the user has active session already signed in using different personal account other than Microsoft. To confirm this scenario, check User Account and Identity Provider values in error message.
To resolve that error, inform the user to sign out from their active session and sign in again from different browser or private browser session. Otherwise ask them to clear the cookies and cache, sign in as new.
If still the error won’t resolve means, please go through below reference if it is helpful.
Reference:
Error AADSTS50020 - User account from identity provider does not exist in tenant - Active Directory | Microsoft Docs
I'm trying to wrap my head around the limitations of the ROPC authentication flow.
If I set up an Azure app, can I then sign in any user that has an Office 365 account using the ROPC flow, or do I need to add the user to my Azure app first?
In this documentation, Microsoft says that
ROPC supports local accounts only. Users can’t sign in with federated identity providers like Microsoft, Google+, Twitter, AD-FS, or Facebook.
I'm not sure what they mean by "local accounts"? Is that an account that has already been added as a user to my Azure app?
A local account is an account that was originally created in that AAD tenant.
Any invited guest user does not count.
Though I have heard ROPC sometimes working with AD users who have been synced (which are technically not local users), but that depended on the setup.
We have a Web App secured with Azure AD B2C using custom Identity Experience Framework policies to allow users to register and sign in with social identities (Microsoft, Google, Facebook), or with an identity from another federated Azure AD instance, or with 'local' Email / Password accounts.
All the social accounts and the Federated AD work correctly. Sign up and sign in with Email/Password was working correctly, but we are now experiencing an error. We haven't knowingly made any changes to our Email/Password configuration since this was last known to be working, so we're not sure how this has happened.
The issue is: Sign Up with a new Email Address works correctly, and after the process completes, the user is correctly logged-in, and their account appears in the directory. If the user signs out, however, then any attempt to sign back in again fails:
(Email address shown is not the actual one. Error has been repeated by multiple users with new and old email/password combinations.)
Digging into the portal, the underlying error is revealed as:
70001 The application named X was not found in the tenant named Y. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
This error appears sometimes to be related to a failure to grant permissions to an application in the portal. We have tried removing and reinstating all permissions, and re-granting permissions. This has not solved the issue.
Does anyone know what could be causing this issue, and in particular why sign up / sign in works correctly, but returning sign in does not?
UPDATE:
Just to confirm that we have the IEF and Proxy IEF apps configured in the AD directory:
And we have the login-NonInteractive technical profile configured in TrustFrameworkExtensions.xml:
Having wired up Application Insights (following these instructions https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-troubleshoot-custom), we're able to get to this more detailed error:
AADSTS70001: Application with identifier
'ProxyIdentityExperienceFrameworkAppID' was not found in the directory
weapageengine.onmicrosoft.com
The only place 'ProxyIdentityExperienceFrameworkAppID' appears in any of our custom policies is shown in the XML snipped above, but this seems correct as per the documentation here: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 - unless we are meant to update those 'DefaultValue' attributes as well?
Resolution:
As per the answer below, it is necessary to update both the Metadata and the default values with the relevant app ids. Worth noting that in the GitHub sample https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/3b4898fec3bf0014b320beffa6eb52ad68eb6111/SocialAndLocalAccounts/TrustFrameworkExtensions.xml#L38 the boilerplate values are differently cased, leading to our missing one in a replace-all:
The local account sign-in authenticates the end user against the Azure AD B2C directory and then reads the user object from it.
The local account sign-up and the social account sign-in do not authenticate the end user against the Azure AD B2C directory. The local account sign-up writes the user object to it. The social account sign-in delegates authentication to the social identity provider and then either writes the user object to the Azure AD B2C directory if the user object does not exist or reads the user object from the Azure AD B2C directory if the user object does exist.
To enable authentication of the end user by the local account sign-in against the Azure AD B2C directory, you must add the Identity Experience Framework applications to the Azure AD B2C directory and then configure these IEF applications with the login-NonInteractive technical profile.
The local account sign-up and the social account sign-in do not require these applications.
I am having an issue authenticating users for a external, non-cloud ASP.NET application that is going to be secured via our B2C tenant using a simple username (i.e. not email address).
I have imported the usernames to B2C using the Graph API and set the SignInName type to be "userName" on each account. The Azure AD B2C Identity Provider is set to "Username" and I have created a sign-in policy where the identity provider is set to "Local Account SignIn" and tied it to my B2C application. If I click the "Run Now" button on the policy, it takes me to the Azure login screen and I can enter one of the imported usernames/passwords and it authenticates and routes me to the application URL. This is the desired behavior.
HOWEVER, if when I execute my external app I get transferred to the Azure B2C login screen as expected, but it requires me to enter either a valid email address or telephone number. It will not allow the local B2C username. Seems something is disconnected in the sign-in policy for the application.
Can anyone offer a suggestion why the login page will not accept the simple username?
I guees this is a bit late? perhas other are looking for this.
Azure AD B2C can be use email OR localAccount for authentication. You need to set the "identity providers" to localAccounts:
Note: in odrer to create local accounts you need to set "creationType": "LocalAccount" in the JSON to create local account users.