I am not able to authenticate the Azure API's though my application with the email id registered under different domain name. It works for me company email address.
Steps I followed to register the application in AD:
Registered an app in Azure Active Directory.
Set permission requests to allow the client to access the Azure Resource Manager API.
Also, enabled the Multi tenanted option.
Followed URL Azure Authentication
Authorize URL:
/common/oauth2/authorize?
client_id=XXXXXXXXXXXXXXXXXXXXX
&response_type=code
&redirect_uri=calBackURL
&response_mode=query
&resource=https%3a%2f%2fmanagement.azure.com
&state=12345&prompt=consent
Token URL:
/common/oauth2/token?
grant_type=authorization_code
&client_id=xxxxxxxxxx
&code={Code}
&redirect_uri={calBackURL}
&client_secret=xxxxxxxxxx
Error Message:
AADSTS50020: User account 'xxxxxx#hotmail.com' from identity provider
'live.com' does not exist in tenant 'xxxx' and cannot access the
application 'xxxx xxxx xxxx xxxx xxxx'(Azure Demo Builder Dev) in that
tenant. The account needs to be added as an external user in the
tenant first. Sign out and sign in again with a different Azure Active
Directory user account.
Having look on your request code it seems that you are trying to authenticate your application using azure active directory V1.0
Point To Remember
If you look into Microsoft official document you would get to know that azure AD V1.0 does't not support personal account integration for authentication. See the screen shot below:
To make it workable you could use Azure Active Directory V2.0 Or you have to change your personal email either.
For V2.0 Token Request endpoint you could hit following URL
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
The code grant flow you had used on your request you could prepare it for V2.0 by having look here
Note: The v2.0 endpoint and platform has been in preview and continually enhanced. Its not recommended for production version.
Related
I'm building multitenant SaaS web based application. Application is registered in my tenant and each customer with their office 365 subscription will get Service principal object in Azure AD.
I'm having problem with login from external account (Microsoft account) in customer tenant.
I created example and tried to see what I can get from access token.
Sample consists from one client application (.js) that uses MSAL library to handle authentication and two APIs that have protected endpoints. I also created three separate Azure AD applications AlanClient, AlanAPI1, AlanAPI2. Both AlanAPI1 and AlanAPI2 have API exposed (Expose an API section in Azure Portal application) and have specified one consumer AlanClient. AlanClient has permission to both APIs. All applications are registered with "accessTokenAcceptedVersion": 2 and "signInAudience": "AzureADMultipleOrgs".
As far as I understood this should be enough to login with
Office 365 account from host tenant
Microsoft account that is registered as external user in host tenant
Office 365 account from guest tenant
Microsoft account that is registered as external user in guest tenant
Clarification:
- host tenant --> Azure AD instance in which application is registered. In error message bellow tenant A.
- guest tenant --> Azure AD instance that is only using application
I have a problem with case no. 4
I get this error message:
AADSTS50020: User account 'lovro.p365#...' from identity provider 'live.com' does not exist in tenant 'A' and cannot access the application AlanClient in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure AD user account.
The scenes of 2 and 4 should be the same.
I have tested both and everything is OK.
You could use OAuth 2.0 auth code grant flow to have a test with it.
Construct a request to login.microsoftonline.com with your app configurations.
This URL will look like:
https://login.microsoftonline.com/[tenant A]/oauth2/v2.0/authorize?client_id=[client id of the Azure AD app registered in host tenant]&response_type=code&redirect_uri=[redirect uri of the Azure AD app]&nonce=1234&resource=https://graph.microsoft.com.
After signing in with credentials of Microsoft Account in tenant A, you will get a "code" in the address bar. Use this code to request access token:
POST /[tenant]/oauth2/v2.0/token HTTP/1.1
client_id=[client id of the Azure AD app registered in host tenant]
&scope=https://graph.microsoft.com/user.read
&code=[code got from the previous step]
&redirect_uri=[redirect uri of the Azure AD app]
&grant_type=authorization_code
Then we could get the access token for Microsoft Account as a guest user in tenant A.
My target is simple: use an Azure AD multi-tenant app to be able to call Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.
I created an Azure AD multi-tenant app using a company's tenant
Then created a test ASP.NET Core Web application which goes to a such URL:
The Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM, where the test Web app receives the callback with given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
The Multi-Tenant AAD App gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.
It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?
I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirm that a Service Principal gets created on the target tenant):
However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.
Should be done by hand - detecting a personal MS account and finding the association with AAD tenant, or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in Azure Portal)?
P.S. using URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("orgainzations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.
UPDATE
To demonstrate the problem, there are 4 tests were made to access resource "https://management.azure.com/" with a multi-tenant app:
Authorize Microsoft's "Microsoft Azure" app with v1 endpoint - it works with personal accounts:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize the same "Microsoft Azure" app with v2 endpoint - now it does not allow to use personal accounts:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v1 endpoint (insert your client id) - shows error AADSTS50020 "User account 'user#live.com' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v2 endpoint - same as test #2 - does not allow personal accounts.
Thoughts.
The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, where the v1 endpoint does.
Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allows to use personal accounts for the desired resource.
ANSWER
Long story short, it's not possible for general public as per Microsoft.
Only V2.0 endpoint supports personal account(even it doesn't belong to any Azure AD tenants) to login.
It works with personal account when you use v1.0 endpoint.
That's because that personal account belongs to at least one Azure AD tenant. Then this personal account will be recognized as a guest user in the tenant.
The v2 endpoint does not allow personal accounts for the resource
https://management.azure.com/
Yes, if you login in with personal account when you use v2.0 endpoint, it will detect that you belong to personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.
You must identify the tenant to login in with personal account when use v2.0 endpoint
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default
Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.
Update:
It is normal that you can't do that. You are not telling Azure AD that
the which tenant the MSA user is an external user, so Azure AD is
making a guess and checking in the tenant where the app is registered
(tenant A). If you expect external users to be able to sign in, you
must specify the tenant where the guest has previously been invited to
(e.g. tenant B).
I've been using the Azure fluent management APIs (https://github.com/Azure/azure-libraries-for-net) with some success in .NET Core.
However, I want to prompt the user to enter some credentials for a Microsoft account. Those credentials would have access to one or more Azure tenants / subscriptions, so I'd like to be able to use the result to browse and manage resources there.
This is something very close to what I would believe Azure Data Studio does: you can enter some Azure creds, and your resources will appear in the app.
I'm trying to understand the best approach for this. There seem to be a billion sites out there when you talk about Azure AD app registrations, but I haven't found a fruitful specific search query yet. I know I can register an app, get a client ID and client secret. I know I can set it to be usable by organisational accounts in the current tenant, or all tenants.
I can add the "Azure Service Management (delegated permissions : user_impersonation)" permission to my API permissions section for the app, but what's next?
If I use Microsoft.Identity.Client (as in https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon), I run into some questions:
AcquireTokenForClientAsync doesn't prompt the user - I guess because it's getting a token for the app to act with its own permissions?
AcquireTokenOnBehalfOfAsync wants a JWT.. great! I'll pass the one I got from AcquireTokenForClientAsync! Nope, AADSTS70002: Error validating credentials. AADSTS500137: The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint.
I don't know what scope I want. https://management.azure.com/user_impersonation is apparently invalid.. https://management.azure.com/.default works, but is that right? It's a guess, combo of the former and a .default suffix I found for Graph API scopes online. Any docs on this?
I ultimately get a JWT and tenant ID back. I can't find a way to use a JWT with the Fluent management APIs.. and my account (for instance) is associated with 3 tenants or 5 different tenants / directories - so how do I choose?
That's just what I've tried, the appropriate route might be a different one. In summary: I want a .NET Core Console app to request user credentials, and then get access to the Azure resources they have access to, in order to perform some resource management.
AcquireTokenForClientAsync doesn't prompt the user - I guess because it's getting a token for the app to act with its own permissions?
You are using the OAuth 2.0 client credentials grant to access web-hosted resources by using the identity of an application. This type of grant commonly is used for server-to-server interactions that must run in the background, without immediate interaction with a user .
AADSTS70002: Error validating credentials. AADSTS500137: The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint.
Azure AD provide two service : Azure AD V1.0 and Azure AD V2.0 . Please refer to Comparing the Azure AD v2.0 endpoint with the v1.0 endpoint . You can't use v1 token to acquire v2's token in a on-behalf-of flow .
AcquireTokenOnBehalfOfAsync wants a JWT.. great! I'll pass the one I got from AcquireTokenForClientAsync
AS pointed above , That function is used to acquire an access token for this application (usually a Web API) from the authority configured in the application, in order to access another downstream protected Web API on behalf of a user using the OAuth 2.0 On-Behalf-Of flow. So you can't use app token which acquire using Client Credential flow .
https://management.azure.com/.default works, but is that right? It's a guess, combo of the former and a .default suffix I found for Graph API scopes online. Any docs on this?
You are using the Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow , when sending a POST request to the /token v2.0 endpoint ,the scope should be :
The value passed for the scope parameter in this request should be the resource identifier (Application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value informs the v2.0 endpoint that of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use.
Please check the Get a tokensection in above document .
I ultimately get a JWT and tenant ID back. I can't find a way to use a JWT with the Fluent management APIs..
AFAIK , currently Azure AD V2.0 apps can use:
Its own API
Microsoft Outlook APIs
Microsoft Graph API
Azure AD V2.0 currently doesn't support Azure management APIs .
So you problem is you need to allows work and school accounts from Azure AD and personal Microsoft accounts (MSA) which works with Azure AD V2.0 , but you can't use Azure management APIs . You can use Azure management APIs in Azure AD V1.0 but it allows only work and school accounts to sign in to your application , unless you invite Microsoft accounts as guest user in Azure AD V1.0 ,but you need to configure to point to the tenant-specific endpoint :https://login.microsoftonline.com/{TenantId_or_Name}). during authentication if you want to login with MSA in v1.0 apps.
Update:
You can use Code flow and azure ad v1.0 endpoint , user will be redirect to AAD's login page and enter their credential. Here is code sample for .net Core .
With Azure AD V1.0 endpoint , requests are sent to an endpoint that multiplexes across all Azure AD tenants: https://login.microsoftonline.com/common . When Azure AD receives a request on the /common endpoint, it signs the user in and, as a consequence, discovers which tenant the user is from. See document here . But in this scenerio ,you can only use work and school accounts(AAD) account to login .
The code sample in your link is using Azure Service Principal for Authentication , no interactive user login . You can use OpenID Connect Owin Middleware for authentication in .net Core applications as shown here .
I have registered a multi-tenant app in my Azure subscription. using this App, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error
Unfortunately, you cannot use a guest user to login Azure AD Graph Explorer for now.
I came across the same issue as yours long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice Page and the Azure Team will see it. I will also upvote for it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory which upn ends with .onmicrosoft.com
Solution 2: Try to use other tools to get access token with a guest user(this account also need to be an admin of that directory), such as postman. Then you can use Postman to call Azure AD Graph API. You can refer to this blog to use Azure AD Graph API with Postman.
Hope this helps!
I am working on an app that manages azure resources for customers (provision VMs, create VNets).
We have created a multi-tenant application in the azure portal that is configured for Delegated permissions of Windows Azure Service Management API and Windows Azure Active Directory.
We are able to login AAD based account without a problem. But when a live.com based account logs in, the user gets a AADSTS50020 error.
We for the login, we are navigating to https://login.microsoftonline.com/common/OAuth2/Authorize
with the following parameters:
client_id=XXX&response_mode=query&response_type=code&redirect_uri=XXX&prompt=consent
Here is the full error message:
AADSTS50020: User account 'xxx#hotmail.com' from identity provider
'live.com' does not exist in tenant 'XXX' and cannot access the
application 'xxx' in that tenant. The account needs to be added as an
external user in the tenant first. Sign out and sign in again with a
different Azure Active Directory user account.
You need to use V2 endpoints in order to allow access from personal microsoft accounts. I run into the same problems by using the v1 endpoint.
Use this endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
For example:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=ffffff-1111-2222-3333-37fd4f8c20ee
&response_type=id_token
&redirect_uri=http://localhost:8080/login/microsoft/callback
&response_mode=form_post
&prompt=consent
&scope=openid
&state=12345
&nonce=RandomGUI
Good luck