I want to access the Azure AD Graph Explorer using my administrator account. When I try to access it, it shows this error:
Selected user account does not exist in tenant graphExplorerMT and cannot access the application d3ce4cf8-6810-442d-b42e-375e14710095 in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
What shall I do?
You should probably try with a user that is internal to the AAD or add your MS account as an external user to it.
The Azure subscription admin is not necessarily part of the Azure Active Directory.
For Azure AD Graph Explorer, you can only use a member account (internal) to sign in, such as xxx.onmicrosoft.com.
You cannot use a guest user account (external) to sign in to AAD Graph Explorer.
Solutions:
Try to sign in to AAD Graph Explorer with a member account.
According to this answer on Microsoft's forum, this does not work with Microsoft accounts.
Are you trying to sign in using a Microsoft account (outlook/live) into https://graphexplorer.azurewebsites.net/ ?
Azure AD Graph explorer cannot authenticate social accounts and only works with work or school accounts in Azure AD.
You would have to use the latest MS Graph if you want to use MSA accounts.
Related
Question: Using Microsoft Graph API, is there a way to query if a logged-in user has both the Office365 and Azure subscription?
Details:
My WPF-Core app is using MS Graph to access Azure resources as well as Office 365 services (Outlook schedule and OneDrive). My personal Azure account does not have an Office 365 subscription. When I log in with an Azure (admin) account to my app, the app can perform CRUD operations on Azure AD users.
Likewise, when I log in with an MSA account (Outlook, Hotmail, etc.) the app can perform operations such as updating Outlook events, uploading/downloading files to the logged-in user's OneDrive, etc.
But in both cases the converse is not true. For example, if I log in using an Azure AD account and try to have the app update an Outlook event (or upload a file to my OneDrive), I get the following error: Tenant does not have a SPO license. So, if a user is logged in with an Azure AD account and clicks the app's button that displays or updates the user's Outlook events, I would like to display a message to the user that their Azure account does not have a SPO license. And display a similar message in the reverse case (i.e. this Office account does not have an Azure subscription, etc.)
NOTE: The above scenario is not working for display purposes, as well. That is, an Azure AD login is not able to see Outlook events; and an MSA login is not able to see the Azure AD users list.
Firstly, the answer is NO. We cannot determine if the user has Azure subscription.
MS Graph mainly manages the Azure AD resources while Azure subscription mainly manages Azure resources such as Azure App Service, VM, etc.
But we can determine if a user has O365 subscription (or the license under O365 subscription).
First, you could use GET https://graph.microsoft.com/v1.0/me?$select=userPrincipalName,assignedPlans to get the logged-in user's O365 licenses.
We can find the Sharepoint license in the response:
In fact you may find more than one Sharepoint license in the response because the user may have multiple O365 subscriptions.
Besides, if the Azure subscription you mentioned actually refers to AAD subscription, then the method I described above is also suitable for querying AAD subscription.
The above content applies to AAD users.
If the logged-in user is an MSA, when you query GET https://graph.microsoft.com/v1.0/me?$select=userPrincipalName,assignedPlans, it won't return a property named assignedPlans.
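The check described in the answer above, as an added example that is not part of the original post: it takes the JSON that GET /v1.0/me?$select=userPrincipalName,assignedPlans returns, looks for an active SharePoint Online service plan (there may be several, one per O365 subscription), and treats a missing assignedPlans property as the personal-Microsoft-account case. The sample responses, the service-plan GUIDs and the helper names are constructed for this example; the service value "SharePoint" and the capabilityStatus value "Enabled" are assumed to match what Graph emits.

```python
"""Decide from a Microsoft Graph /me response whether the signed-in user holds an
Office 365 (SharePoint Online) license, and detect the personal-account case.
Example code for this page; the sample JSON below is constructed, not real Graph output."""
import json
import urllib.request
from typing import Optional

GRAPH_ME = "https://graph.microsoft.com/v1.0/me?$select=userPrincipalName,assignedPlans"

# Constructed sample: a licensed Azure AD work account. The servicePlanId GUIDs are
# placeholders, not real Microsoft plan identifiers.
AAD_USER_RESPONSE = json.dumps({
    "userPrincipalName": "alice@contoso.onmicrosoft.com",
    "assignedPlans": [
        {"assignedDateTime": "2023-01-10T08:00:00Z", "capabilityStatus": "Enabled",
         "service": "exchange", "servicePlanId": "00000000-0000-0000-0000-000000000001"},
        {"assignedDateTime": "2023-01-10T08:00:00Z", "capabilityStatus": "Enabled",
         "service": "SharePoint", "servicePlanId": "00000000-0000-0000-0000-000000000002"},
        # A plan from an old subscription that was removed: still listed, but not usable.
        {"assignedDateTime": "2022-06-01T08:00:00Z", "capabilityStatus": "Deleted",
         "service": "SharePoint", "servicePlanId": "00000000-0000-0000-0000-000000000003"},
    ],
})

# Constructed sample: an Azure AD account with no licenses at all (assignedPlans present but empty).
UNLICENSED_AAD_RESPONSE = json.dumps({
    "userPrincipalName": "svc-admin@contoso.onmicrosoft.com",
    "assignedPlans": [],
})

# Constructed sample: a personal Microsoft account. Graph omits assignedPlans entirely.
MSA_USER_RESPONSE = json.dumps({
    "userPrincipalName": "bob@outlook.com",
})


def fetch_me(access_token: str) -> str:
    """Real call (not exercised offline): needs a delegated token with User.Read."""
    req = urllib.request.Request(GRAPH_ME, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def active_sharepoint_plans(me_json: str) -> Optional[list]:
    """Return the enabled SharePoint service plans from a /me response.

    Returns None when the response carries no assignedPlans property, which is
    what happens for a personal Microsoft account; returns [] for a work account
    that has no usable SharePoint Online plan."""
    me = json.loads(me_json)
    plans = me.get("assignedPlans")
    if plans is None:
        return None
    # Only count plans that are actually usable; "Deleted", "Suspended" etc. are not.
    return [p for p in plans
            if p.get("service", "").lower() == "sharepoint"
            and p.get("capabilityStatus") == "Enabled"]


def license_message(me_json: str) -> str:
    """Message the app can show before attempting an Outlook/OneDrive operation."""
    plans = active_sharepoint_plans(me_json)
    if plans is None:
        # MSA: no O365 plan data is available, and Azure AD user management will not work.
        return "Personal Microsoft account: Azure AD user operations are not available."
    if not plans:
        return "This Azure AD account has no SharePoint Online (SPO) license; Outlook/OneDrive operations will fail."
    return f"SharePoint Online licensed ({len(plans)} active plan(s))."


if __name__ == "__main__":
    for sample in (AAD_USER_RESPONSE, UNLICENSED_AAD_RESPONSE, MSA_USER_RESPONSE):
        print(json.loads(sample)["userPrincipalName"], "->", license_message(sample))
```

Note that, as the answer says, none of this tells you whether the user owns an Azure subscription; for that you would have to query Azure Resource Manager with a token for that resource, which is a separate question from the Graph license data.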
I have configured identity provider as described in this documentation
Sign up page shows up as in the photo. When entering existing office 365 email address, it doesn't accept. It only accepts personal Microsoft accounts.
Found an old feature request that was declined.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/16849006-aadb2c-integrate-office-365-to-work-with-b2c
Is it still the same OR is there any alternate way ?
Update (couldn't post the photo in a comment, updating the question)
I chose the 2nd option for multi-tenancy from the suggestion and now it gives me this error:
The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
If you want any O365 Account to sign in to your AAD B2C protected app, you need to federate with AAD Multi Tenant using Custom Policies.
https://learn.microsoft.com/en-gb/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom?tabs=app-reg-ga
Set up sign-up and sign-in with a Microsoft account using Azure Active Directory B2C is only for personal Microsoft accounts.
You should configure Azure AD IDP by following Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C.
Then you can use existing office 365 account to sign in.
We're trying to invite users (including those from different ADs) to ours in order to give them access to our enterprise app. We are using the AD to manage the app's users and permissions.
We send them an email to join our AD as a guest user.
However, when they already have an Azure AD account connected to a local AD (that's federated), we don't have the permission to create an account on our side.
There are a few articles on this problem including (resending invites till it works, asking them to add our organization to trusted, and creating our own account for them)
https://techcommunity.microsoft.com/t5/Microsoft-Teams/Invitation-redemption-failed-AADB2B-0001/td-p/292175
http://answers.flyppdevportal.com/MVC/Post/Thread/d9c92fea-a554-4c7a-91af-30016aa35111?category=windowsazuread
Our objective is to use their AD sign in for our apps as well. Is there an easy way, such as copying their AD profile or sending them a link that they have to simply click "Yes" without having to do much IT work on their side? Thank you!
Here's an example from a different post:
They have a local ad and an azure ad setup, but the specific user I was trying to invite doesn't have an account in their azure ad.
We can't create an azure ad account for them
They have to give the user an azure ad account
I am trying to create a multi-tenant application in Azure AD which can log in all users, including Microsoft Live/Hotmail accounts, and also get the access permissions to access their management resource APIs. I can get work accounts from other domains to log in, but not Live accounts. I get this error:
User account 'mitesh_***#live.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '382dfccb-33af-4567-90cd********' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I have heard of the MSAL v2 endpoint to log in both types of accounts, but I heard that this endpoint doesn't support permissions to access the Resource Management libraries yet.
Is there any way to achieve this with ADAL or any other way?
Thanks,
Mitesh
The Azure AD v2.0 endpoint supports both personal Microsoft accounts and work accounts from Azure Active Directory. But the v2.0 endpoint issues access tokens only for:
- The app that requested the token. An app can acquire an access token for itself, if the logical app is composed of several different components or tiers.
- The Outlook Mail, Calendar, and Contacts REST APIs, all of which are located at https://outlook.office.com.
- Microsoft Graph APIs. You can learn more about Microsoft Graph and the data that is available to you.
The v2.0 endpoint doesn't support management APIs. And the Azure AD v1.0 endpoint supports work accounts only, unless Microsoft accounts are added as external users in the tenant first. In my opinion, currently there is no other way or workaround to achieve your requirement.
I've logged in to the Azure portal using my work account (Azure AD) and created a new VSTS account and team project. I can now log in to VSTS using my work account and add my colleagues from the same AD to the team project.
Is it possible to add users/stakeholders from another company to my team project if I don't have admin access to my company's AD?
EDIT:
please vote for multi-tenant authentication in VSTS on uservoice
Answer from Microsoft support:
Any user who wants to use VSTS will have to be in that AAD. Normally they would get added as an MSA account, or an account in another AAD.
Me: I was thinking about creating my own AAD in Azure and adding users from another AAD to it, but I’m not sure whether they will still be able to log in using their corporate login and in case their account will be disabled in their AAD, it will be disabled also in my AAD.
If it is linked to an AAD, the accounts have to be in there somehow.
If he creates his own AAD and doesn't have admin access to the corp AAD, users will be added as MSA users.
If he did add corp users as AAD users (not MSA users) in his AAD and they were deleted/disabled in the native AAD, they would not be able to log on to his VSTS. (Same is true for MSA users: if the MSA account is deleted/disabled they couldn't log on to VSTS even though they were in his AAD as #EXT)
According to this doc, no.
Q: Why can't some users sign in?
A: This might happen because users must sign in with Microsoft accounts unless your Visual Studio Team Services account controls access with Azure Active Directory (Azure AD). If your account is connected to Azure AD, users must be directory members to get access. How do I find out if my account uses Azure Active Directory (Azure AD)?
If you're an Azure AD administrator, you can add users to the directory. If you're not, work with the directory administrator to add them. Learn how to control account access with Azure AD.