MS OpenidConnect : Multitenancy on a nodejs web application - node.js

I have registered an app on my tenant as a multitenant app, using this article.
I am able to log in with users only if the users are on my tenant. With a user from any other tenant, I am unable to log in.
I have set validateIssuer to false too.
The error I get is
User account 'xxx#tenantY.onmicrosoft.com' from identity provider https://sts.windows.net/{tenantId}/'
does not exist in tenant 'Default Directory' and cannot access the
application 'App Id' in that tenant. The
account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory
user account.
Not sure if there is a sample that lets users from other tenants access the app.
Role delegated permission is set to 'Sign in and read user profile' alone.

There are four steps to convert your application into an Azure AD multi-tenant app:
Update your application registration to be multi-tenant
Update your code to send requests to the /common endpoint
Update your code to handle multiple issuer values
Understand user and admin consent and make appropriate code changes
Please verify that the above steps are followed.
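As an added example, not code from the question or from the Microsoft article the answer cites, here is what step 3, "handle multiple issuer values", looks like in a Node.js app that signs users in through /common. It uses only Node built-ins; the tenant IDs, the onboarded-tenant set and the demo token are constructed, and signature verification against the /common JWKS is assumed to have been done by the OIDC library before these claims are examined.

```javascript
'use strict';

// Issuer formats Azure AD uses: the v1 endpoint (sts.windows.net) is the one in
// the error above, the v2 form appears when the app uses /common/v2.0.
const ISSUER_TEMPLATES = [
  (tid) => `https://sts.windows.net/${tid}/`,
  (tid) => `https://login.microsoftonline.com/${tid}/v2.0`,
];

// Tenants that have gone through your onboarding/consent flow (constructed
// placeholder GUID; in a real app this comes from your database).
const ONBOARDED_TENANTS = new Set([
  '11111111-1111-1111-1111-111111111111',
]);

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Decode only; signature verification against the /common JWKS is the OIDC
// library's job and must have happened before these claims are trusted.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

function validateMultiTenantIssuer(claims, onboardedTenants, { allowPersonalAccounts = false } = {}) {
  const tid = claims.tid;
  if (typeof tid !== 'string' || tid.length === 0) {
    return { ok: false, reason: 'missing tid claim' };
  }
  // iss must be the issuer of the tenant named in tid, not merely "some" Azure AD issuer.
  if (!ISSUER_TEMPLATES.map((t) => t(tid)).includes(claims.iss)) {
    return { ok: false, reason: `issuer ${claims.iss} does not belong to tenant ${tid}` };
  }
  // Personal Microsoft accounts are marked idp=live.com; a v1 multi-tenant app cannot serve them.
  if (!allowPersonalAccounts && claims.idp === 'live.com') {
    return { ok: false, reason: 'personal Microsoft accounts are not accepted' };
  }
  // Finally, the tenant must be one this app has deliberately onboarded.
  if (!onboardedTenants.has(tid)) {
    return { ok: false, reason: `tenant ${tid} has not been onboarded` };
  }
  return { ok: true, tenant: tid };
}

function checkIdToken(token, onboardedTenants = ONBOARDED_TENANTS) {
  return validateMultiTenantIssuer(decodeJwtPayload(token), onboardedTenants);
}

// Builds an unsigned demo token for the examples below (constructed input;
// a real app never accepts an unsigned token).
function makeDemoToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Demo: a token from an onboarded tenant passes; one from an unknown tenant,
// with a mismatched issuer, or from a personal account is rejected.
const TENANT_A = '11111111-1111-1111-1111-111111111111';
const GOOD = makeDemoToken({ iss: `https://sts.windows.net/${TENANT_A}/`, tid: TENANT_A, upn: 'user@tenanta.example' });
console.log(checkIdToken(GOOD));
```

Setting validateIssuer to false in the library turns the issuer check off entirely; the function above puts a deliberate one back. Without the last check any Azure AD tenant's users could sign in, which is usually not what "multi-tenant" is meant to allow.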

Related

Access Azure Active Directory SSO from an App outside the tenant

I have a SAML SSO setup for an Active Directory. I have another tenant which contains an app service, a web app, which tries to authenticate using the SAML connection details.
I'm getting:
AADSTS700016: Application with identifier was not found in the directory . This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Isn't it possible to authenticate with users from an AD for multiple applications from different tenants using SAML SSO?
External users won't be able to log in to a single-tenant application. These users would need to exist in the same tenant.
Make your app multi-tenant, as per rbrayb.
For an application that has its own account system, or supports other kinds of sign-ins from other cloud providers, adding Azure AD sign-in from any tenant is simple. Just register your app, add sign-in code via OAuth2, OpenID Connect, or SAML, and put a "Sign in with Microsoft" button in your application.
Based on the error,
Try Solution 1:
Make use of Application Client ID, instead of using any other client ID.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Azure AD user login to an app fails even after admin consent is given for the multitenant app

I have registered a sample multi-tenant app in the Azure portal app registration, requiring certain permissions to access Outlook mails. I also have a SaaS application which uses this app and requests an OAuth token from users to read and send emails using Outlook.
There is a tenant with a set of users who want to use my app for configuring emails in the SaaS application. But the users in the tenant do not have admin privileges to give consent to the application. Based on MS documentation, the admin has to give consent to the application using the v2-permissions-and-consent.
Admin has given consent to the application by using the following URL:
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
Admin consented permissions: [screenshot]
Even after admin gives consent to all the permissions that the app requests and adds the users to the configured enterprise application in Azure AD, the users are shown the approval prompt when they try to login to the application.
Approval prompt shown to the users: [screenshot]
Ideally, once the app is approved in Azure AD Enterprise Applications, all the other users in the tenant should be able to use the application without any consent requirement.
The OAuth URL that users use to log in is
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https%3A%2F%2Fc9713e1c5859.ngrok.io%2Fauth%2Foutlook%2Fcallback&response_type=code&scope=offline_access+https%3A%2F%2Foutlook.office.com%2FUser.Read+https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send&state=5bfc1a7683bfa19468e7d4d67fc6893e5a00f93efe31ca51
Could anyone help me understand what I am missing here?
It should be approved by the target tenant administrator, and then the target tenant used to log in.
In the below URL, you must have used the wrong {tenant ID}; it should be the target tenant ID, not the tenant ID where your app is located.
https://login.microsoftonline.com/{tenant ID}/v2.0/adminconsent?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxb&state=12345&redirect_uri=https://c9713e1c5859.ngrok.io/auth/outlook/callback&scope=https://outlook.office.com/User.Read https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send&response_type=code
I have tested it, then reproduced your problem. If you need further help, please let me know.

How to register Azure AD multi-tenant app in another tenant (in which it wasn't created)

I created an Azure AD Multi-tenant app within my own tenant.
When I try to call the admin consent endpoint from within another tenant, signing in as that tenant's administrator, I get the error:
AADSTS700016: Application with identifier 'guid' was not found in the directory 'directory-id'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
How can another tenant provision and allow access to my multi-tenant app?
In this endpoint, GET https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id={client id}, set {tenant} as the tenant ID of the other tenant. Setting it as common should also work.
Make sure you are using the admin account of that tenant.
There is no need to register this app in the other tenant. It will work for other tenants if it is already multi-tenant and if it is using an endpoint which supports multi-tenant, i.e. common.
Please check that your application manifest has "signInAudience": "AzureADandPersonalMicrosoftAccount" and "accessTokenAcceptedVersion": 2, and please update them if they are not the same.
I found this api to register the application in a different tenant.
https://login.microsoftonline.com/<new-tenant-id>/oauth2/authorize?client_id=<client-id>&response_type=code&redirect_uri=<redirect-uri>
This will create a new enterprise application in the target tenant with the same client id and new object id.

Is Admin consent always required in an Azure AD Multi tenant environment?

The environment is configured in a Multi-tenant way. 'AppName' is an App Registration within a common AD which was solely created to give access to users from different tenants to a single environment. For the sake of my description, call the multi-tenants AD1, AD2 and AD3.
This message is displayed when a user from one of these ADs (with no admin privileges) logs in for the first time.
AppName needs permission to access resources in your organization that only an admin can grant
Additionally in the application exception logging I can see the below error
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: "OpenIdConnectMessage.Error was not null, indicating an error. Error: 'access_denied'. Error_Description (may be empty): 'AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.
The premise is that for a user from AD1 to successfully access the environment, an Admin user from AD1 has to first login and grant admin access.
The "common AD" app registration is configured as follows.
The Supported account types option in the App Registration is set as
Accounts in any organizational directory (Any Azure AD directory - Multitenant)
The only API Permission is as shown in the image below. The status "Granted for ...." only refers to the "common AD" where the tenant ID resides - it does not grant Admin consent to any AD.
The technology being used in the code is ADAL.Net with OpenIDConnect. We are using the: https://login.microsoftonline.com/common (V1.0) endpoint.
In the snippet shown below, found within this URL, for the only API permission being set in our case, 'Admin Consent Required' is set as 'No'.
And that is what put me off. Why is the message/error popping up? Is the Admin consent always required because this is a multi tenant scenario? Does this Admin consent, sort of, create the trust between the common AD and the multi-tenant ADs?
Yes. In the case of multi-tenancy, admins are required to on-board their tenant. Only after the on-boarding process can users sign in. Also, the admin consent shown in the screenshot is not related to or dependent on the type of tenancy; it is permission-specific. App permissions and some delegated permissions require admin consent.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md

Azure multitenant app cant access

I try to log in to an Azure AD web app; when I do it with a user inside my tenant it's OK,
but when another user logs in I get
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'a1eda862-65fb-4f90-8482-06151f5c7abc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Login Url :
https://login.microsoftonline.com/common/oauth2/authorize?client_id=a1eda862-65fb-4f90-8482-06151f5c7abc&response_type=id_token+code&redirect_uri=http://localhost:44302/&response_mode=form_post&scope=openid+profile&state=12345&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7&resource=https://management.azure.com/
Tenant settings: [screenshot]
A few things to check:
Based on the error you shared, it seems you're logged in with some Microsoft account like live.com/hotmail etc. Are you doing that intentionally or just happened to be logged in and getting confused by that? If you do want to login with a Microsoft account other than a usual organizational account, then as the error says, you need to add that account to your AzureAD tenant as an external user.
AADSTS50020: User account '*******' from identity provider 'live.com' does not exist in tenant
For any other organizational user, i.e. user from a different AzureAD tenant than the one where this application is registered, you will first need to go through the consent process. You may have done it already or not.
More details on that process here - https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent
Issue:
You wanted to use a personal account within a multi-tenant application to get a token for the "https://management.core.windows.net" API
Scope:
We will focus on this issue and consider it as resolved once we provide you with the reason that Personal accounts cannot be used against a v1 multi-tenant application.
Alternatively, we will consider this case resolved if we confirm that the problem is caused by a third-party application or is by-design.
This agreed resolution statement describes the specific conditions where we will close this case. Please let me know if you do not agree with this scope.
Cause:
For multi-tenant applications in v1 you can only use an organizational account and not a personal one. That happens because personal ones are authenticated by the "Live" endpoints and not by Azure endpoints, and also because we are sending the user to the "common" endpoint, where we do not know in which directory you want to sign in.
Resolution:
Having a multi-tenant application and signing in users with personal and organizational accounts can be covered by the Azure AD v2 endpoints; nevertheless, v2 has some limitations right now, and one of them is that you can only get a token for the Microsoft Graph API and not for https://management.core.windows.net. We plan to implement all APIs that are available in v1 also in v2, but for now it cannot be used to acquire a token for such an API.
