I am making my first steps with Azure, trying to figure out how difficult it would be to spin up a mISV business where I would sell subscriptions to my app running in Azure (SaaS model).
To that end, I am trying to run the Tailspin sample application following instructions described here.
To run the application, at least two Azure Active directories are needed. One AD belongs to the fictitious Tailspin software provider (in this case, me). The Tailspin Web application and the accompanying WebAPI are registered in this directory. Other AD belongs to a customer (in this case, again me). Customers sign up for the application.
I have a single Azure subscription, so I was forced to set things up like this:
I have registered Tailspin Web application and WebAPI in my Default AD. (I guess I could have created a specific AD for this purpose, but it was not strictly necessary.). The app and the API had to be created in this AD because they consume resources, and resources require a subscription. Putting the app and the API in a separate AD would require a separate Azure subscription.
I have marked both the Web app and the API as Multi-tenant (so that they can appear in other ADs after customer sign-up).
I have created another AD called TailspinClient1 (the name is not important), with the idea to use it as a "customer" AD.
In TailspinClient1 AD I have created a guest user using one of my external email addresses. I could not create a regular AD user because creating regular users requires having a validated web domain and I did not want to go through validation at this point.
I have made sure that my guest user is every bit an admin user as the regular one:
In User Settings for the TailspinClient1 AD, "Users can register applications" is set to Yes (default)
In "Manage external collaboration settings", "Guest users permissions are limited" is set to No
My guest user has administrative directory roles (specifically, "Global administrator" and "Application administrator")
To sum up, I ended up having two ADs in a single Azure subscription: the Default AD with the multi-tenant-enabled Tailspin app/API in it, and the TailspinClient1 AD with an admin user (albeit external).
I am running the Tailspin application locally.
When I try to sign up to the application as the admin user from the TailspinClient1 AD, I am getting the following error message after I (successfully) authenticate myself:
AADSTS50020: User account <my TailspinClient1 admin user> from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application <GUID of my Tailspin Web app> in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
That message would have made sense had I forgotten to mark my Tailspin app/API as Multi-tenant, which I did not.
What am I missing here? Is this particular setup supported at all? Do I need to establish trust between those two ADs somehow?
Any help is appreciated.
Related
I am trying to make a multi-tenant application using Microsoft Active Directory but found out that you need an MPN ID to do so. However, it seems that you can't sign up for the Microsoft Partner Network as an individual developer and you instead need to be a registered business. Is there any way to create a multi-tenant application as an individual? I'm assuming something like this must exist, akin to how you can publish iOS apps as an individual developer.
When you said "multi-tenant application", it means you need to own an AAD tenant to create it.
I assume that you are already an individual developer registered with Microsoft. What you need to do is create a new tenant in Azure Active Directory. Sign into https://portal.azure.com/ with your individual account to do the above operations.
Please note that your account is a personal account currently; you need to follow the guidance the portal shows (if it shows) to convert it to a work account as well, and then you can create the tenant.
After that you can create a multi-tenant application in Azure AD.
Select one of the options to make it a multi-tenant app.
UPDATE:
The "Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers" alert means a normal user cannot do user consent, but an admin still can do admin consent.
You need to do the admin consent for the customer's tenant by using admin consent (see this answer). It doesn't matter if they don't do the admin consent before using your application. The first time an admin from another tenant tries to sign into your application, he will be required to do admin consent as well.
Please refer to the auth code flow to learn about the authentication process. Using /common or /organizations are both OK.
I am developing a web application that allows users from any Azure organization to give my application reading rights on their OneDrive using the Windows Graph API (scope: File.Read.All).
I registered a multi-tenant application in the Azure portal and I configured the application as it is explained in the documentation.
I need to allow a user from other Azure organisations to give consent for my application to read file contents, but in my case I get a "Need admin approval" after sending the Authentication Code URL (tested with a user from another Azure organization).
AuthenticationCode:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=XXX&response_type=code&redirect_uri=YYY&scope=user.read files.read.all offline_access&state=ZZZ
What a user gets after authentication to his Office 365 account
I know that there are other applications which do not have this issue; for example the application app.diagrams.net needs only user consent and not admin consent even though it asks for read/write scopes.
diagrams.net AuthenticationCode:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=b5ff67d6-3155-4fca-965a-59a3655c4476&response_type=code&redirect_uri=https%3A%2F%2Fapp.diagrams.net%2Fmicrosoft&scope=user.read files.readwrite.all offline_access&state=cId%3Db5ff67d6-3155-4fca-965a-59a3655c4476
What a user gets with the diagrams.net application
This is not because of any particular scope. The answer to your question is discussed under "application provisioning" in Azure AD (AAD) terms. Put simply, an AAD application needs to be "provisioned" into an AAD tenant, and a tenant admin can choose whether users can initiate this by themselves or not. Here, it seems this is not allowed.
In more detail, when you create an AAD application, you create 2 objects: a representation of the application, and a "Service Principal" that handles access to that application. When you offer your AAD app to other tenants/organizations, they need their own service principal object to be able to access your application, and this happens through admin consent i.e. provisioning.
In general, there are 2 articles that you should take a look at:
How and why applications are added to Azure AD
How to: Sign in any Azure Active Directory user using the multi-tenant application pattern
And these code samples should clarify the process:
Developing a Multi-tenant (SaaS) application with the Microsoft Identity Platform
Protect a multi-tenant SaaS web application that calls Microsoft Graph using Azure AD & OpenID Connect
EDIT: Correction: tenant admins can choose or not whether users are allowed to initiate app provisioning. Credits: #jasonJohnston.
We deleted an "unused" user in our Azure AD, deleting both the MS account as well as removing him from the AD. Now, a few days into the 60 day deletion process (of the MS account) we realize he might have been the creator of an AD application that we can now no longer find anywhere. My guess is it was a "private" application? But somehow still in AD? Not sure exactly.
We reopened the MS account and created the user again in the AD (as a global admin), but the application is no-where to be found. If we try to access the application via a direct link we have lying around, we see a 403 No Access page, and an error notification in the notification center that suggests there's a permission issue but the user is a global admin again:
Additional information from the call to get a token: Extension: Microsoft_AAD_IAM Resource: identity.diagnostics Details: AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxxxxxxx'(ADIbizaUX) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: xxxxxxxx Correlation xxxxxxx Timestamp: 2020-06-25 14:44:18Z
We've also tried logging in with multiple other global admins but no one can access that page or find the application using the id it has. Is there something to be done, maybe using PowerShell?
Actually, as I recall, it might have been an application listed for this user under 'App registrations' -> 'Applications from personal account'. But that tab is no longer available after deleting and reopening the user :)
As per the new changes made in the Azure portal app registration:
In the new experience, if your personal Microsoft account is also in an Azure AD tenant, you will see three tabs--all applications in the tenant, owned applications in the tenant as well as applications from your personal account. So, if you believe that apps registered with your personal Microsoft account are missing, check the Applications from your personal account tab.
When you sign in using personal Microsoft accounts (e.g. Outlook, Live, Xbox, etc.) with an Azure AD email address, we found out that when you go to the Azure portal from the old experience, it signs you into a different account with the same email in your Azure AD tenant. If you still believe your applications are missing, sign out and sign in with the right account.
The new app list shows applications that were registered through the legacy app registrations experience in the Azure portal (apps that sign in Azure AD accounts only) as well as apps registered through the Application registration portal (apps that sign in both Azure AD and personal Microsoft accounts).
If you know the application ID you can restore using PowerShell.
The error is due to using the v1 endpoint URL. You need to use v2 endpoints in order to allow access from personal Microsoft accounts.
Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Please go through the document
I didn't realize it was possible to restore a deleted Azure AD user (for 30 days). Once I restored the deleted AD user instead of creating the user again, the app appeared again in the user's 'Applications from personal account' under 'App registrations'.
I'd still love to move the app to the Azure AD proper, but from an earlier SO question I was told that's not possible. I guess we'll either keep this old account or create the app again (and have all our users reauthorize).
I have created a Web application in my local Azure AD which I can successfully use to authenticate members of my AD tenant (using the OAuth2 flow). Now I need to extend my supported scenarios to allow a global admin from an external Azure AD tenant to sign up their company to use this application as well.
Based on the Microsoft Docs, this scenario, Multi-Tenant, is supported...
Authentication Scenarios for Azure AD
Multi-Tenant: If you are building an application that can be used by users outside your organization, it must be registered in your company’s directory, but also must be registered in each organization’s directory that will be using the application. To make your application available in their directory, you can include a sign-up process for your customers that enables them to consent to your application. When they sign up for your application, they will be presented with a dialog that shows the permissions the application requires, and then the option to consent. Depending on the required permissions, an administrator in the other organization may be required to give consent. When the user or administrator consents, the application is registered in their directory. For more information, see Integrating Applications with Azure Active Directory.
From my reading it appears that at some point a global admin for the foreign tenant should be presented with a URL which they can follow ( login.microsoftonline.com/common/??? ) which will somehow cause the external application to precipitate like a morning dew into their Azure AD. However, if this is the correct approach I would appreciate a tokenized example of how one correctly builds the login URL for a multi-tenant external Azure AD application which a group admin can follow to allow access in their AzureAD.
Ok, through trial and error I have found the solution. The group admin for the remote tenant needs to be provided with the following URL, which will allow them to register your Azure AD application as an Enterprise Application in their tenant.
https://login.microsoftonline.com/{remoteTenantUrl.com}/adminconsent?client_id={YourAppsClientID}&redirect_uri={YourAppsCallbackPage}
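As an added example (not code from the question or any of the answers), this builds the v2.0 authorize URL from the earlier "use the v2 endpoint" answer and the admin consent URL from this one with proper percent-encoding and an unguessable per-request state, and checks the callback that comes back to the redirect URI. Client id, redirect URI, tenant and scope values are placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Per-request value kept in the user's session and compared on the
    callback, so a redirect can only complete the request that started it."""
    return secrets.token_urlsafe(32)


def v2_authorize_url(client_id, redirect_uri, scopes, state, tenant="common"):
    """v2.0 authorize URL. tenant='common' admits work/school and personal
    Microsoft accounts; 'organizations' restricts to Azure AD tenants; a
    tenant id or domain pins sign-in to that single tenant."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),  # urlencode encodes the separating spaces
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def admin_consent_url(client_id, redirect_uri, state, tenant):
    """Link a customer's admin follows to provision the app (create its
    service principal) in their own tenant; mirrors the URL in the answer."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to redirect_uri and classify the outcome.
    Raises ValueError when the state does not match the session's value."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    got = q.get("state", "").encode()
    if not secrets.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch: reject the response")
    if "error" in q:
        # AAD puts the AADSTS code (e.g. AADSTS50020) in error_description
        return {"ok": False, "error": q["error"], "detail": q.get("error_description", "")}
    if "code" in q:
        return {"ok": True, "code": q["code"]}
    if q.get("admin_consent", "").lower() == "true":
        # the adminconsent endpoint reports the tenant that was just provisioned
        return {"ok": True, "admin_consent": True, "tenant": q.get("tenant", "")}
    raise ValueError("unrecognised callback")
```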
We are building a Web App/API to publish in our Azure AD and want to provide access to the app by inviting (B2B scenario) external users into our Azure AD. This will create accounts in our Azure AD of type "Guest" which we will use to assign permissions to the app. In this scenario, do we need to configure our application to be "multi-tenant"? There are steps to take inside the code to accommodate multi-tenant sign-ins, and there is a setting on the Settings tab of the App Registration in Azure AD labeled "Multi-tenanted" where you select either Yes or No. On the App Registration setting, there is a pop-out bubble that says:
Designates whether users in external organizations are allowed to grant your app access to data in their organization's directory
I am not sure how (or if) the code changes and the app registration setting are related but our app will not need access to any data outside of our directory.
No, your app does not need to be multi-tenanted and you do not need to direct users to the /common endpoint. I have tested this, and you still get a kind of SSO experience.
Example: paul@org1.com (homed in Org1 AAD) is a guest user in Org2 AAD (invite has been accepted). Now this same user opens a private browser and logs in to Org1 AAD.
The user then tries to hit a web app with an app registration in Org2, and the web app redirects the user to https://login.microsoftonline.com/org2.onmicrosoft.com/oauth2/authorize.
Result: the user is considered logged in by AAD and gets redirected to the redirect_url with tokens, etc.