Login/Register
Azure/Msal authentication inside PowerApp Component Framework returns AADSTS50177 error
Asked Answered
azure-ad-msalpowerappspcf
G

0

1

I created a simple PowerApps Component Framework using the pac pcf init command. After successfully packaging and importing this skeleton PCF application to my demo tenant I tried to add MSAL authentication to it.

I used the @azure/msal npm package to write a typescript configuration and login without adding React or Angular npm packages. I only used @azure/msal and package added during the pcf create process.

The final goal was to use the token received from the msal authentication make a request on a authorized method in my Wep Api.

The problem is that my Web Api is not located in my demo tenant and the user that is used for msal authentication is from the demo tenant and does not exist on the tenant of my Web Api.

I cannot change the login user in the popup window as it only displays the error message, and the guest user that was added to the demo tenant, that has access to the Web API cannot have Certificates added to it through portal azure or portal office admin center pages.

This is my login configuration(I will omit the tenant names and client id for the work tenant):

import { AuthenticationParameters, Configuration, UserAgentApplication } from '@azure/msal';
import { AuthOptions, CacheOptions, FrameworkOptions } from "@azure/msal/lib-commonjs/Configuration";

public init(context: ComponentFramework.Context<IInputs>, notifyOutputChanged: () => void, state: ComponentFramework.Dictionary, container:HTMLDivElement)
    {
        // Add control initialization code
        const auth: AuthOptions = {
            clientId:'clientid',
            authority:'https://login.microsoftonline.com/tenantid',
            redirectUri:'redirect uri',
            validateAuthority: true
        };
        const cache: CacheOptions = {
            cacheLocation:"localStorage"
        };
        const framework: FrameworkOptions = {
            protectedResourceMap: new Map([
                ['web api url',['https://tenantid/clientid/uniquename (scope)']],
                ['CRM work sandbox',['CRM work sandbox user impersonation permission(scope)']]
            ]),
            unprotectedResources:[]
        };
        const config: Configuration = {
            auth: auth,
            cache: cache,
            framework: framework
        };
        const params: AuthenticationParameters = {
            authority: 'https://login.microsoftonline.com/tenantid',
            scopes:['offline_access',
            'https://tenantid/clientid/uniquename(scope)',
            'CRM work sandbox user impersonation permission(scope)'],
            redirectUri:'web api redirect uri'
        };
        const userAgentApplication = new UserAgentApplication(config);
        const login = userAgentApplication.loginPopup(params).then(data => {
            console.log(data);
            let user = userAgentApplication.getAccount();
            console.log(user);
            if (user) {
                // signin successful
                console.log('success');
            } else {
                // signin failure
                console.log('fail');
            }
        }, function (error: string) {
            // handle error
            console.log('Error' + error);
        });
    }

The error message displayed:

AADSTS50177: User account 'user name' from identity provider 
'https://sts.windows.net/guid/' does not exist in tenant 'name' 
and cannot access the application 'client id'(name of registered 
app in portal azure) in that tenant. The account needs to be 
added as an external user in the tenant first. Sign out and 
sign in again with a different Azure Active Directory user account.

Is there a way to test this without adding the pcf or account in my work tenant ?

Gelt answered 21/9, 2020 at 14:5 Comment(1)
Did you find any solution?Unblown

© 2022 - 2024 — McMap. All rights reserved.