I am working on an app that manages azure resources for customers (provision VMs, create VNets).
We have created a multi-tenant application in the azure portal that is configured for Delegated permissions of Windows Azure Service Management API and Windows Azure Active Directory.
We are able to login AAD based account without a problem. But when a live.com based account logs in, the user gets a AADSTS50020 error.
We for the login, we are navigating to https://login.microsoftonline.com/common/OAuth2/Authorize
with the following parameters:
client_id=XXX&response_mode=query&response_type=code&redirect_uri=XXX&prompt=consent
Here is the full error message:
AADSTS50020: User account 'xxx#hotmail.com' from identity provider
'live.com' does not exist in tenant 'XXX' and cannot access the
application 'xxx' in that tenant. The account needs to be added as an
external user in the tenant first. Sign out and sign in again with a
different Azure Active Directory user account.
You need to use V2 endpoints in order to allow access from personal microsoft accounts. I run into the same problems by using the v1 endpoint.
Use this endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
For example:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=ffffff-1111-2222-3333-37fd4f8c20ee
&response_type=id_token
&redirect_uri=http://localhost:8080/login/microsoft/callback
&response_mode=form_post
&prompt=consent
&scope=openid
&state=12345
&nonce=RandomGUI
Good luck
Related
I'm trying to create an app hosted in Azure that (should) allow public login, as long as you have a Microsoft account. I don't care if it's a business or personal account. You just need to be able to log in. I'm creating a SPA and an API.
So I went to the Azure portal and created an app registration and configured the app reg to allow all users from within, or outside the organization with a valid personal or business Microsoft account.
Now the SPA is an Angular app and I use Damien Bod's OpenId library to log in. When I point the stsServer to my login endpoint (https://login.microsoftonline.com/{my-tenant-id}/v2.0) and log in, all works fine, except when I log in using an account outside the organization (for example my personal account).
I get receive the following error:
AADSTS50020: User account 'xxxx#xxxx.xxx' from identity provider 'https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/' does not exist in tenant 'Default Directory' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'(App Name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Now the problem is that I simply don't want to add all these users, but allow them access to this app. How can I do that?
Thanks a bunch!
If you want to allow any account to sign in, you can't use your tenant-specific login endpoint.
You need to use the "common" endpoint: https://login.microsoftonline.com/common/v2.0.
This allows login with any Azure AD / Personal Microsoft account.
I have followed this tutorial I want to use this in my signup user flow.
I created OpenID Connect Identity Provider pointing to the app created in the Azure B2C, and I also created another one pointing to the app created in my normal Azure tenant, and in both cases, when I log in I get the error:
AADSTS50020: User account '{<!-- -->{ACCOUNT}}' from identity provider 'https://sts.windows.net/{<;!-- -->{TENANT_ID}}/' does not exist in tenant 'ADefWebserver' and cannot access the application '{<!-- -->{my Azure B2C Tenant id}}'(Blazor Simple Survey AAD) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Is there documentation that tells what you are supposed to do to fully make this work?
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization.
You can add your user account to your tenant 'ADefWebserver' based on the following document.Please follow this document.
I'm building multitenant SaaS web based application. Application is registered in my tenant and each customer with their office 365 subscription will get Service principal object in Azure AD.
I'm having problem with login from external account (Microsoft account) in customer tenant.
I created example and tried to see what I can get from access token.
Sample consists from one client application (.js) that uses MSAL library to handle authentication and two APIs that have protected endpoints. I also created three separate Azure AD applications AlanClient, AlanAPI1, AlanAPI2. Both AlanAPI1 and AlanAPI2 have API exposed (Expose an API section in Azure Portal application) and have specified one consumer AlanClient. AlanClient has permission to both APIs. All applications are registered with "accessTokenAcceptedVersion": 2 and "signInAudience": "AzureADMultipleOrgs".
As far as I understood this should be enough to login with
Office 365 account from host tenant
Microsoft account that is registered as external user in host tenant
Office 365 account from guest tenant
Microsoft account that is registered as external user in guest tenant
Clarification:
- host tenant --> Azure AD instance in which application is registered. In error message bellow tenant A.
- guest tenant --> Azure AD instance that is only using application
I have a problem with case no. 4
I get this error message:
AADSTS50020: User account 'lovro.p365#...' from identity provider 'live.com' does not exist in tenant 'A' and cannot access the application AlanClient in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure AD user account.
The scenes of 2 and 4 should be the same.
I have tested both and everything is OK.
You could use OAuth 2.0 auth code grant flow to have a test with it.
Construct a request to login.microsoftonline.com with your app configurations.
This URL will look like:
https://login.microsoftonline.com/[tenant A]/oauth2/v2.0/authorize?client_id=[client id of the Azure AD app registered in host tenant]&response_type=code&redirect_uri=[redirect uri of the Azure AD app]&nonce=1234&resource=https://graph.microsoft.com.
After signing in with credentials of Microsoft Account in tenant A, you will get a "code" in the address bar. Use this code to request access token:
POST /[tenant]/oauth2/v2.0/token HTTP/1.1
client_id=[client id of the Azure AD app registered in host tenant]
&scope=https://graph.microsoft.com/user.read
&code=[code got from the previous step]
&redirect_uri=[redirect uri of the Azure AD app]
&grant_type=authorization_code
Then we could get the access token for Microsoft Account as a guest user in tenant A.
My target is simple: use an Azure AD multi-tenant app to be able to call Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.
I created an Azure AD multi-tenant app using a company's tenant
Then created a test ASP.NET Core Web application which goes to a such URL:
The Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM, where the test Web app receives the callback with given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
The Multi-Tenant AAD App gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.
It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?
I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirm that a Service Principal gets created on the target tenant):
However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.
Should be done by hand - detecting a personal MS account and finding the association with AAD tenant, or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in Azure Portal)?
P.S. using URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("orgainzations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.
UPDATE
To demonstrate the problem, there are 4 tests were made to access resource "https://management.azure.com/" with a multi-tenant app:
Authorize Microsoft's "Microsoft Azure" app with v1 endpoint - it works with personal accounts:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize the same "Microsoft Azure" app with v2 endpoint - now it does not allow to use personal accounts:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v1 endpoint (insert your client id) - shows error AADSTS50020 "User account 'user#live.com' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v2 endpoint - same as test #2 - does not allow personal accounts.
Thoughts.
The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, where the v1 endpoint does.
Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allows to use personal accounts for the desired resource.
ANSWER
Long story short, it's not possible for general public as per Microsoft.
Only V2.0 endpoint supports personal account(even it doesn't belong to any Azure AD tenants) to login.
It works with personal account when you use v1.0 endpoint.
That's because that personal account belongs to at least one Azure AD tenant. Then this personal account will be recognized as a guest user in the tenant.
The v2 endpoint does not allow personal accounts for the resource
https://management.azure.com/
Yes, if you login in with personal account when you use v2.0 endpoint, it will detect that you belong to personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.
You must identify the tenant to login in with personal account when use v2.0 endpoint
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default
Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.
Update:
It is normal that you can't do that. You are not telling Azure AD that
the which tenant the MSA user is an external user, so Azure AD is
making a guess and checking in the tenant where the app is registered
(tenant A). If you expect external users to be able to sign in, you
must specify the tenant where the guest has previously been invited to
(e.g. tenant B).
I am not able to authenticate the Azure API's though my application with the email id registered under different domain name. It works for me company email address.
Steps I followed to register the application in AD:
Registered an app in Azure Active Directory.
Set permission requests to allow the client to access the Azure Resource Manager API.
Also, enabled the Multi tenanted option.
Followed URL Azure Authentication
Authorize URL:
/common/oauth2/authorize?
client_id=XXXXXXXXXXXXXXXXXXXXX
&response_type=code
&redirect_uri=calBackURL
&response_mode=query
&resource=https%3a%2f%2fmanagement.azure.com
&state=12345&prompt=consent
Token URL:
/common/oauth2/token?
grant_type=authorization_code
&client_id=xxxxxxxxxx
&code={Code}
&redirect_uri={calBackURL}
&client_secret=xxxxxxxxxx
Error Message:
AADSTS50020: User account 'xxxxxx#hotmail.com' from identity provider
'live.com' does not exist in tenant 'xxxx' and cannot access the
application 'xxxx xxxx xxxx xxxx xxxx'(Azure Demo Builder Dev) in that
tenant. The account needs to be added as an external user in the
tenant first. Sign out and sign in again with a different Azure Active
Directory user account.
Having look on your request code it seems that you are trying to authenticate your application using azure active directory V1.0
Point To Remember
If you look into Microsoft official document you would get to know that azure AD V1.0 does't not support personal account integration for authentication. See the screen shot below:
To make it workable you could use Azure Active Directory V2.0 Or you have to change your personal email either.
For V2.0 Token Request endpoint you could hit following URL
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
The code grant flow you had used on your request you could prepare it for V2.0 by having look here
Note: The v2.0 endpoint and platform has been in preview and continually enhanced. Its not recommended for production version.