Azure AD User assignment required for "multi-tenant with Personal accounts" application type - azure-active-directory

I have created a multi-tenant with Personal account application type and set "user assignment required" to yes on the service principal in the tenant.
But this flag is ignored by Personal accounts during login. Is this how it is supposed to work?

Although there does not seem to be an official document about this question, the "user assignment required" feature should only be available to the AAD tenant rather than personal Microsoft accounts.
We can only assign AAD users (including guest users) to the app. But we cannot do this for a personal account.
If there is a place where we can assign personal accounts to the app, it must be a tenant internally used by Microsoft to manage personal accounts. Obviously we have no access to that tenant (if it exists).
So now that we choose “multi-tenant with Personal accounts” application type, this Azure AD application should be available to any Personal accounts. They won't be restricted by the "user assignment required" feature.
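Since the service principal's "user assignment required" switch gates only Azure AD users (including invited guests), an app that also accepts personal Microsoft accounts has to make its own decision about which of those accounts may proceed. The following is an added example, not code from the answer above: an app-side allowlist keyed by the `oid` claim, applied only to sign-ins that the token's `tid` claim identifies as consumer (personal) accounts. The tenant ID `9188040d-6c67-4c5b-b112-36a304b66dad` is the well-known consumer tenant stamped on tokens for personal accounts; the `idp` value `live.com` marks a personal account invited as a guest, which Azure AD's own assignment check already covers. The sample claims and allowlist contents are constructed, and the code assumes the auth library has already validated signature, issuer, audience and expiry.

```python
# Added example: app-side allowlist for personal Microsoft accounts, because
# "user assignment required" is enforced by Azure AD only for tenant users and guests.
# Claim names (tid, oid, idp, preferred_username) are the Microsoft identity
# platform v2 claims; the sample claim values below are constructed.

# Well-known tenant ID that the identity platform puts in the tid claim for
# consumer (personal) Microsoft accounts.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def account_kind(claims: dict) -> str:
    """Classify validated token claims as personal, guest_personal or work_or_school."""
    if claims.get("tid", "").lower() == MSA_TENANT_ID:
        return "personal"          # native MSA sign-in through /common or /consumers
    if claims.get("idp", "").lower() == "live.com":
        return "guest_personal"    # MSA identity invited as a guest into an Azure AD tenant
    return "work_or_school"


def is_allowed(claims: dict, allowed_personal_oids: set) -> bool:
    """Authorization decision taken after the library validated the token.

    Tenant users and guests have already passed Azure AD's user-assignment
    check, so they are accepted here. Native personal accounts bypass that
    check, so they must be on the app's own allowlist, keyed by the immutable
    oid rather than by an email address the user can change.
    """
    if account_kind(claims) == "personal":
        return claims.get("oid", "") in allowed_personal_oids
    return True


# Constructed sample claims, in the shape the auth library returns after validation.
WORK_TENANT = "11111111-2222-3333-4444-555555555555"
WORK_USER = {"tid": WORK_TENANT, "oid": "aaaa-work",
             "preferred_username": "alice@contoso.example"}
PERSONAL_USER = {"tid": MSA_TENANT_ID, "oid": "bbbb-personal",
                 "preferred_username": "bob@outlook.example"}
UNKNOWN_PERSONAL = {"tid": MSA_TENANT_ID, "oid": "cccc-unknown",
                    "preferred_username": "mallory@outlook.example"}
GUEST_PERSONAL = {"tid": WORK_TENANT, "oid": "dddd-guest", "idp": "live.com",
                  "preferred_username": "bob_outlook.example#EXT#@contoso.onmicrosoft.com"}

# Constructed allowlist: the personal accounts this app has decided to admit.
ALLOWED_PERSONAL = {"bbbb-personal"}

if __name__ == "__main__":
    for label, claims in [("work", WORK_USER), ("personal", PERSONAL_USER),
                          ("unknown personal", UNKNOWN_PERSONAL), ("guest", GUEST_PERSONAL)]:
        print(f"{label:17s} kind={account_kind(claims):15s} "
              f"allowed={is_allowed(claims, ALLOWED_PERSONAL)}")
```

The allowlist is deliberately keyed on `oid`: as a later question on this page observes, the `oid` a personal account receives through `/common` differs from the one it gets once invited as a guest into the tenant, so the two paths need to be recognised separately, which is what `account_kind` does.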

Related

Microsoft personal accounts scope is limited to User.Read

I have registered an application via Microsoft's AAD Portal. This application is supposed to be accessed by anyone. So I have set signInAudience: AzureADandPersonalMicrosoftAccount in my manifest.
My application needs two scopes:
User.Read
OnlineMeetings.ReadWrite
When I test the application using my Microsoft developer account (which is a part of the organisation in which this application is created), I am able to consent to both scopes.
However, when using my personal email ID, I am asked to consent only User.Read scope.
Where am I going wrong?
OnlineMeetings.ReadWrite is not supported for personal accounts: https://learn.microsoft.com/en-us/graph/api/onlinemeeting-get?view=graph-rest-1.0&tabs=http#permissions

Use Active Directory App Roles with social accounts

Are Azure Active Directory app roles only supported for accounts in the same tenancy?
I am trying to use Azure Active Directory to authenticate users both on my tenancy, others, and social accounts, and be able to manually assign different app-level roles.
What I would like:
Users would sign up using any of these methods, and I would see them in the 'Users and groups' blade of the Enterprise Application in Azure portal (or I could invite them). I would assign app roles (roles specific to my app, eg engineer/technician/residential user) via the 'Add user/group' button.
When logging in to my app, I retrieve the app roles via idTokenClaims.roles[]
What happens instead:
This works fine for user accounts already in my Azure tenancy. But for other Microsoft accounts (eg theirname@outlook.com or MS accounts created with any email address), the user doesn't appear in Azure portal after logging in unless I manually invite them. After inviting them (and accepting the invite), I see a user like theirname_outlook.com#EXT#@mytenancy.onmicrosoft.com. I can assign app roles to this user, but their idTokenClaims.roles[] is not returned.
Other social accounts (eg Twitter, facebook) seem to not be supported at all
What else I tried
I also investigated AD B2C, which gives the developer more control over the login flow, and supports other social accounts other than MS (which looks good), but it seems that doesn't support app roles at all.
Am I trying to use the wrong tool for the job?
All I want to do is support any user to sign up to my app, and for an admin to set what their app-specific roles should be.
Update
I am using the MSAL auth library, following the instructions
https://login.microsoftonline.com/Enter_the_Tenant_Id_here should be one of the following:
If your application supports accounts in this organizational directory, replace this value with the Tenant ID or Tenant name. For example, contoso.microsoft.com.
If your application supports accounts in any organizational directory, replace this value with organizations.
If your application supports accounts in any organizational directory and personal Microsoft accounts, replace this value with common.
To restrict support to personal Microsoft accounts only, replace this value with consumers.
Because I wanted this to work with any social account, I chose https://login.microsoftonline.com/common. This shows a UI that allows you to use any organisation or personal MS account, or sign up for a personal MS account with any email address. But I noticed the objectId returned for personal accounts is different to the id when I manually invite the account in Azure portal. I changed to use my TenantID instead, and that worked. Personal accounts that have been previously invited via portal can log in. Other personal accounts get an error and can't log in. App roles are now returned for these personal accounts. This now partially solves my original problem, but I still have some unsolved issues:
this method shows a slightly different UI that doesn't allow the user to sign up for a new MS account in this flow
I still can't use other oauth accounts eg Twitter/Facebook. Do these not support app roles at all?
the instructions quoted above seem incorrect; clearly it is possible to log in using "accounts in any organizational directory and personal Microsoft accounts" via TenantID, not common, once they've been invited to the app
App roles absolutely support guest accounts. But as you can see, the id token of the guest account does not seem to contain the roles claim, and it is not clear whether this is by design. But the roles claim will appear in the access token.
I think an access token can be used, and the access token also contains user information.
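To confirm which token actually carries the roles claim for a guest, it helps to look at the raw payloads side by side. The block below is an added example, not code from the answer: it decodes the payload segment of a compact JWT without verifying it (diagnostic use only; authorization must rely on the claims the auth library returns after validation) and reports which of the two tokens contains `roles`. The two tokens are constructed to mirror the behaviour described in the thread, an ID token without roles and an access token with them; the role name `Engineer` and the `sig-placeholder` signature segment are made up.

```python
import base64
import json

# Added example: inspect which token carries the roles claim. The tokens built
# here are constructed test data with a placeholder signature, so nothing in
# this file verifies them; real authorization uses the validated claims from MSAL.


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def peek_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying the signature.

    Suitable for debugging a token you already hold; never use the result
    to make an access decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def roles_source(id_token: str, access_token: str) -> tuple:
    """Report which token carries a non-empty roles claim and return its value."""
    for name, tok in (("id_token", id_token), ("access_token", access_token)):
        roles = peek_claims(tok).get("roles")
        if roles:
            return name, list(roles)
    return "none", []


def _fake_jwt(payload: dict) -> str:
    """Build an unsigned token with the given payload (constructed test data only)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig-placeholder"


# Constructed tokens: the guest's ID token lacks roles, the access token issued
# for the app's own API carries them (the behaviour the answer above describes).
GUEST_ID_TOKEN = _fake_jwt({
    "oid": "dddd-guest", "idp": "live.com",
    "preferred_username": "bob_outlook.example#EXT#@contoso.onmicrosoft.com",
})
GUEST_ACCESS_TOKEN = _fake_jwt({
    "oid": "dddd-guest", "idp": "live.com",
    "roles": ["Engineer"], "scp": "access_as_user",
})

if __name__ == "__main__":
    where, roles = roles_source(GUEST_ID_TOKEN, GUEST_ACCESS_TOKEN)
    print(f"roles claim found in: {where} -> {roles}")
```

Because the access token is the one meant for the app's own API (its `aud` is the app), reading `roles` there rather than from the ID token is the natural place for a server-side role check; `peek_claims` is only for seeing what each token contains while debugging.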

Can you get an MSGraph access token from an Azure AD B2C sign in using Azure AD as an identity provider?

Scenario
We have an app that will be used by schools. Each school has an Azure AD instance that contains their staff and student users. These users have access to Office/Teams etc. through their school licenses. We also need to support parents having accounts and logging in.
For the parent accounts we would need to use something like B2C to allow them to create "local accounts" or sign up with their own Microsoft/Google/Facebook Accounts.
For student and staff accounts we would like to allow them to sign in with their AAD accounts.
My understanding is that this can be enabled with AADB2C by adding AAD as an identity provider within the B2C configuration. B2C also supports "IDP pass through" which allows you to get the access_token of the third party IDP being used.
My question is: can this functionality (or indeed AADB2C at all) be used to get an access token that would allow you to access the signed-in user's MSGraph API (for whichever school it relates to)?
If not, would that mean having to set up a B2C directory for the parent accounts and manage these completely separately from the AAD accounts that the school is managing for students and staff?
I've done a lot of reading and honestly, the more I read, the more confused I get xD
Totally can do that, here's a sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/B2C-Token-Includes-AzureAD-BearerToken

Using personal account (live.com) to get an access token for my app

I am having trouble getting an access token using the password grant auth end point.
I created an app registration in my Azure account which is tied to my personal live.com Microsoft account.
In the application settings I've set the supported account types to AzureADandPersonalMicrosoftAccount (Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox))
When I attempt to authorize via my personal account's username/password using the https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token end point using grant_type=password I get the following error:
AADSTS50034: The user account {EmailHidden} does not exist in the xxx-xxx directory. To sign into this application, the account must be added to the directory.
I am not sure how this is possible as I am obviously the only member of my Azure AD.
The app, Todo Inventory is listed under the applications in the user profile as shown below:
Note that I am successfully able to get an access token using the auth code flow described in the documentation here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
But I want to use the password grant instead, and nothing I tried seems to be working.
Am I missing something here?
Microsoft identity platform doesn't support resource owner password flow for personal accounts. https://learn.microsoft.com/azure/active-directory/develop/v2-oauth-ropc
The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (https://login.microsoftonline.com/{TenantId_or_Name}) or the organizations endpoint.

AAD B2B collaboration: mark users in external hidden AAD with additional info

We have an application which uses AAD B2B collaboration to invite users. These users are created as guest users in our AAD. This all works great:
Users that have an AAD/Office 365 can use their normal credentials to sign in.
Users that don't have an AAD/Office 365 create their account in the invite redeem process, and can use it to sign in. Microsoft stores these accounts in an external AAD that is hidden from us.
Situation:
An organization uses our application. This organization doesn't have its own AAD/Office 365 yet. We invite some employees of this organization into our AAD using their email addresses. They get guest accounts in our AAD.
After a while this organization gets its own AAD/Office 365 for their existing domain name. This domain name was previously used in the email addresses in the invite redeem process.
The AAD admin of the organization creates the AAD, and immediately sees existing user accounts: all the accounts that have been invited are shown in the AAD. He didn't expect this when creating a new AAD, and he doesn't know where they come from.
It appears the external AAD, hidden from us, has become visible to the AAD admin.
The AAD admin might decide to delete these accounts to start with an empty AAD. As a result the employees aren't able to sign in to our application anymore.
Our application uses the Microsoft Graph API to invite the users.
Is there a way to mark the users in the external hidden AAD in some way to make clear where the accounts are coming from? Like mentioning our organization/application in an existing field?
So to be clear: We don't want to set properties on the guest account. We want to set properties on the user account that an AAD admin sees when he has created the AAD. We want to make clear he must not delete this user, because it's created by/for application X.
No, this is a feature of Azure AD.
A domain owner can choose to take over the hidden Azure AD if they choose to create one later.
They control the domain, and thus control the users so it is up to them.
Now of course if you create an AAD Guest user with a Gmail account, they don't actually get added to a huge hidden Google Azure AD.
If AAD thinks the account is a social account, currently they create a personal Microsoft account transparently for that user (so the user always is in control of their account).
So if you invite users using their work emails, you must expect their domain owner to have control over their users' accounts.
AFAIK, there is no property that you could set.