Azure Multi-tenant application
I need to build an app with Office 365 API and tried several examples provided here: https://msdn.microsoft.com/en-us/office/office365/howto/starter-projects-and-code-samples.

I managed to log in to the app with a user from within my own Azure Active Directory, e.g. user.name@tenant.onmicrosoft.com.

But, whenever I use another Office 365 account from another domain e.g. [email protected] I get this error:

AADSTS50020: User account '[email protected]' from external identity provider 'https://sts.windows.net/908b6c6d-f582-461d-9e73-88a4e48f5d88/' is not supported for application 'df1a02fd-f096-46df-9b5a-5cf1b0f9ef6d'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

The defined application in Azure is set to Multi-tenant!!

I also tried to add the foreign users to my AAD, but every time I get the message "This Microsoft account does not exist".

EXCEPT: I also made a hotmail account which I was able to add to my AAD, and with this account logging in to the app was successful. But without adding it to my AAD I get the above error message.

Any help would be welcome.

Tropophilous answered 3/6, 2015 at 14:43 Comment(11)
Has the directory pivabo.be granted access (single sign-on, read user profile etc.) to your application? - Pouncey
I did not take any action to do so. I can login to oauthplay.azurewebsites.net with this user. How can I grant access? - Tropophilous
Isn't it so that the purpose of multi-tenant apps is to let every user with an Office 365 account use it without granting? - Tropophilous
I think you're mistaken... in multi-tenant the tenant would refer to an Azure AD. So by that definition, if your application is multi-tenant, users from different Azure Directories would be able to use your application, but first the admin would need to allow access in their AD to your application. - Pouncey
msdn.microsoft.com/en-us/office/office365/howto/… I've followed the above instructions to set up my app in Azure. Nothing in this manual states that the application has to be granted in other AADs. Setting the multi-tenant switch to "yes" should be enough. Can you point out to me what I should do to make it work? Thanks - Tropophilous
I also looked at this document to set up the app: msdn.microsoft.com/en-us/library/azure/… - Tropophilous
Try following this example: github.com/OfficeDev/O365-WebApp-MultiTenant. Even though your app is marked as "multi-tenant" in your directory, your user (in another directory) has to add it to their directory, and that takes an admin to approve it. - Precess
oauthplay.azurewebsites.net How come that on this website I can login with any Microsoft account? The application is not added to my AAD and still I can login with any user of my AAD. - Tropophilous
@Precess so, if I want to allow users from other AAD tenants to access my web application with AAD authorization, admins of those "other AAD tenants" have to approve adding my app to their AAD tenant? That seems to be a bit overcomplicated... - Caudate
@Caudate In most cases the new end user has to accept the app and what claims it is requesting, unless an admin has done this already. However, for some claims only an admin can provide this consent. For example: reading my end user's contacts list - end user can grant. Reading the entire Active Directory - only admin can grant. So I'd slightly adjust my comment today in that some grants don't require admin approval, but in most cases users still have to review and accept claims. - Precess
@Roy, I have a multi-tenant web app working. However, using exactly the same App Id/Secret in a Winform application, without changing anything in the Azure configuration of the app, produces this exact error. Is yours a web or desktop application? - Officialese
Make sure you are using "https://login.microsoftonline.com/common/..." and not "https://login.microsoftonline.com/[your tenant name]" when forming the authorization link.

Terrance answered 11/9, 2015 at 17:34 Comment(2)
Hi, can you elaborate more? - Caudate
Here's a link to support this claim: learn.microsoft.com/en-us/azure/active-directory/develop/… - Ricks
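Added example (not from the answer, the question, or Microsoft's samples) illustrating the point above: the authorization URL built with the `common` segment versus a tenant-specific one, plus the issuer check a multi-tenant app then needs, because with `common` the token issuer (`https://sts.windows.net/{tid}/`, as seen in the question's error text) varies per tenant. The client ID, redirect URI and tenant ids are constructed placeholders.

```python
import re
from typing import Optional, Set
from urllib.parse import urlencode, urlparse

# Constructed placeholders; not a real app registration or tenant.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost/callback"
HOME_TENANT = "contoso.onmicrosoft.com"


def authorize_url(tenant_segment: str) -> str:
    """Build the Azure AD (v1) authorization URL.

    A multi-tenant app must use 'common' as the path segment; a home-tenant
    authority only accepts that tenant's users and yields AADSTS50020 for
    accounts from other directories.
    """
    base = f"https://login.microsoftonline.com/{tenant_segment}/oauth2/authorize"
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "resource": "https://graph.microsoft.com",
    }
    return f"{base}?{urlencode(params)}"


def is_multi_tenant_authority(url: str) -> bool:
    """True only when the authority path uses the 'common' segment."""
    return urlparse(url).path.split("/")[1] == "common"


GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def validate_issuer(claims: dict, allowed_tenants: Optional[Set[str]]) -> bool:
    """Issuer check for tokens obtained through the 'common' authority.

    A fixed expected issuer no longer works, so require that 'iss' embeds the
    'tid' claim exactly, and (when an allowlist is given) that the tenant is
    one the app has chosen to trust. Accepting any tenant is a deliberate
    decision, not a side effect of the multi-tenant switch.
    """
    tid = claims.get("tid", "")
    if not GUID_RE.match(tid):
        return False
    if claims.get("iss") != f"https://sts.windows.net/{tid}/":
        return False
    return allowed_tenants is None or tid in allowed_tenants
```

Signature verification against the tenant's signing keys still has to happen before these claims are trusted; this covers only the issuer/tenant logic that changes when moving to the common endpoint.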
I am late to the party, but what fixed it for me was that I had to use "common" as the tenantId.

Putrid answered 17/6, 2020 at 8:23 Comment(0)