AADSTS50020: User account does not exist in tenant - office-addins

I was able to register an app created by another tenant as an enterprise app of my own tenant.
I signed in to the app as a user, but I got the following error.
AADSTS50020: User account 'test001@testdomain001.onmicrosoft.com' from identity provider 'https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/' does not exist in tenant 'testdomain002' and cannot access the application '55555555-6666-7777-8888-999999999999'(OneDriveAPIBrowser_test001) in that tenant.
The account needs to be added as an external user in the tenant first.
Sign out and sign in again with a different Azure Active Directory user account.
How can a user of another tenant use it without the application creator tenant performing any processing?

If the Azure AD app is registered in Tenant A and you have added it as an enterprise app into Tenant B, you should use a user from Tenant B to sign in.
In your case, if the registered app is in testdomain001 and added into testdomain002, you need to use a user from testdomain002. User "test001@testdomain001.onmicrosoft.com" is not allowed to sign in to the app in testdomain002 unless it is a guest user of testdomain002.

I tried the steps below and it worked for me.
Go to azure.microsoft.com
Select Free Account.
Sign in with your email.
It will detect that you already have a subscription and give you the option to use it.

Related

Azure AD B2C and AD Connect

I need to synchronize users from my on-prem AD to an AD B2C tenant.
Now, the docs clearly state this is not possible, but one of the workarounds offered in other questions (like this one: Can I Use ADConnect to migrate users to Azure B2C) is to create a regular Azure AD, sync the users to it, and then configure this Azure AD as an identity provider for the B2C.
This obviously works; however, it will display a link in the sign-in page to log in using the Azure AD tenant (similar to what happens with the Facebook identity provider). What I'm looking for is a seamless experience, where the users sign in using the regular B2C pages, as if they're local users, and the users' profiles are retrieved from the Azure AD tenant.
How can that be achieved? How can I use the B2C sign in pages and get the users from the Azure AD tenant?
Thanks!
The easiest way is to use this sample.
"On the sign-in page, the user provides their sign-in email address and clicks continue. B2C checks the domain portion of the sign-in email address. If the domain name is contoso.com the user is redirected to Contoso.com Azure AD to complete the sign-in. Otherwise the user continues the sign-in with username and password. In both cases (AAD B2C local account and AAD account), the user does not need to retype the user name."
So no button clicking.
However, this creates the user as a "shadow" account in B2C. It's not a local account. If the user already has a local account, then you can link the two.
Otherwise, there are some migration samples.
Why do you need Azure B2C? If all users are in the AD, then just use AD as it was intended instead of trying to shoehorn them into something that it wasn't designed for. As you say, the added button to log in as an AD user is there for this very purpose. I use that and it works well: if you are an internal user (B2B), go this way with your normal password; all other public users (B2C) go via the username and password front and centre on the screen.
If you migrate users to B2C so they have both, that would be annoying as you would have no single sign on.

Can we login using other Directory users of same Azure account

My Azure Active Directory has 2 directories:
User1Directory
User2Directory
My app is configured with User1Directory and I successfully logged in using User1Directory users, but I want to log in using User2Directory.
Okay so you have 2 Azure AD tenants (directories).
If you want to allow sign in from multiple tenants, you need to make your app multi-tenant.
Then you have a couple options for how you can handle authentication.
Your app will regardless have to check the issuer of tokens as changing an app to multi-tenant allows login with any tenant.
You probably want to check the issuer is one of those 2 tenants.
Your app could offer two login buttons, one which redirects to https://login.microsoftonline.com/tenant1-id/... and the other to https://login.microsoftonline.com/tenant2-id/....
This approach supports external guest users in those tenants as well.
The other approach is that you can instead always redirect users to authenticate with https://login.microsoftonline.com/organizations/....
This will allow the user to sign in with any Azure AD tenant.
It's simpler from your app's side but it does prevent external guest users in those tenants from signing in as the organizations endpoint (like the common endpoint) always logs the user in to their "home" tenant, making the issuer that home tenant.
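The following is an added example, not code from the answer above, showing the two pieces that answer describes: building the authorize URL for either a tenant-specific authority (one button per tenant) or the organizations authority, and the issuer check the app must perform regardless, since a multi-tenant app accepts tokens from any tenant. The tenant IDs, client ID and sample claims are constructed placeholders; the issuer formats (sts.windows.net for v1.0 tokens, login.microsoftonline.com/{tid}/v2.0 for v2.0 tokens) are the real Azure AD formats. Signature verification against the issuing tenant's keys is assumed to have happened before check_claims is called.

```python
"""Added example: authorize-URL construction and token issuer allow-listing
for an Azure AD app that accepts users from two tenants. Not part of the
original answer; all IDs are constructed placeholders."""
from urllib.parse import urlencode, urlparse

# Constructed sample tenant IDs for the two directories (not real tenants).
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",  # tenant1
    "22222222-2222-2222-2222-222222222222",  # tenant2
}


def authorize_url(authority, client_id, redirect_uri, nonce, state):
    """Build an OpenID Connect authorize URL on the v2.0 endpoint.
    `authority` is a tenant ID (tenant-specific sign-in: one button per
    tenant, which also admits that tenant's guest users) or the literal
    'organizations' (any Azure AD tenant, but always the user's home tenant)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "response_mode": "form_post",
        "nonce": nonce,
        "state": state,
    }
    return (f"https://login.microsoftonline.com/{authority}/oauth2/v2.0/"
            f"authorize?{urlencode(params)}")


def issuer_tenant(iss):
    """Return the tenant ID embedded in an Azure AD issuer claim, or None if
    the issuer is not an Azure AD issuer. v1.0 tokens carry
    https://sts.windows.net/{tid}/ and v2.0 tokens carry
    https://login.microsoftonline.com/{tid}/v2.0."""
    parsed = urlparse(iss)
    if parsed.scheme != "https":
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.netloc == "sts.windows.net" and len(parts) == 1:
        return parts[0]
    if (parsed.netloc == "login.microsoftonline.com"
            and len(parts) == 2 and parts[1] == "v2.0"):
        return parts[0]
    return None


def check_claims(claims, client_id):
    """Accept a token only if it was issued for this app by one of the two
    allowed tenants. `claims` is the signature-verified payload (assumed
    verified beforehand). Returns (ok, tenant_id_or_reason).
    A guest user who signed in through /organizations/ gets a token whose
    issuer is their home tenant, so such a token is rejected here, which is
    the limitation the answer describes."""
    if claims.get("aud") != client_id:
        return False, "audience mismatch"
    tid = issuer_tenant(claims.get("iss", ""))
    if tid is None:
        return False, "unrecognized issuer"
    if tid not in ALLOWED_TENANTS:
        return False, f"tenant {tid} not allowed"
    # If a tid claim is present it must agree with the issuer.
    if claims.get("tid") not in (None, tid):
        return False, "tid claim disagrees with issuer"
    return True, tid


# Constructed sample payload of a v1.0 token from tenant1 (not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
    "aud": "app-client-id",
    "tid": "11111111-1111-1111-1111-111111111111",
}

if __name__ == "__main__":
    print(authorize_url("11111111-1111-1111-1111-111111111111",
                        "app-client-id", "https://example.test/callback",
                        "nonce-1", "state-1"))
    print(check_claims(SAMPLE_CLAIMS, "app-client-id"))
```

The allow-list is the important part: switching the app to multi-tenant means Azure AD will happily issue tokens for it from any tenant, so without the issuer check any Azure AD user anywhere could sign in.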

Selected user account does not exist in tenant 'UserVoice, Inc.'

I'm trying to login and vote on https://feedback.azure.com/forums/915433-azure-sphere/suggestions/36196912-allow-for-transfering-device-ownership
While using my personal microsoft account, it says "Selected user account does not exist in tenant 'UserVoice, Inc.' and cannot access the application '91a42e81-999b-4cf1-aa36-bb33f25ff53b' in that tenant. The account needs to be added as an external user in the tenant first. "
As I understand, it's a problem on the UserVoice tenant and I have no access to it to add my email as a guest user.
You need to log in with an Azure Active Directory user account; personal accounts are not allowed here.
The login endpoint is https://login.microsoftonline.com/common/oauth2/authorize?client_id=91a42e81-999b-4cf1-aa36-bb33f25ff53b&redirect_uri=https%3A%2F%2Ffeedback.azure.com%2Fauth%2Foidc%2Fcallback&response_type=code&scope=openid+email+profile+offline_access&state=98a2f664a4ff12e695a7d482dbf1f6a07a0901f95171d70f6cb779639b71e979&sso_reload=true
It is a multi-tenant application with v1.0 endpoint. So you can login with any Azure Active Directory tenant users. Only v2.0 endpoint supports personal accounts.
Azure Sphere does now support signing in with a personal account. (Though it did not at the time the question was asked, and the first answer was given.)
If you are working with multitenant stuff you need to use the following endpoints.
Login URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/token

Azure AD admin consent required when it shouldn't

I have 2 tenants:
One for my organization, where I manage users (A)
One where I manage the applications and permissions (B)
My webapp is on tenant A and I configured authentication on the portal using Azure AD on tenant B.
On tenant B I registered the application with only one permission which does not require admin consent: Windows Azure Active Directory > Sign in and read user profile.
When the user logs in he gets the following error:
AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
I believe that this error should not be raised, since the only permission required by the application doesn't require admin consent.
EDIT
This is the URL that I am redirected to when I try to access the application when I'm not logged in
https://login.microsoftonline.com/d6ac45af-3289-4f79-a826-27824e1c467d/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Ftechnipfmc-tools-app-test.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=d340f0ed-5eb3-43e8-9a50-c449649f3ee1&scope=openid+profile+email&response_mode=form_post&nonce=1895ec0ffef64447bbb712bdae61c7fb_20170521070654&state=redir%3D%252F
EDIT 2
I found out a solution here:
As an administrator, you can also consent to an application's delegated permissions on behalf of all the users in your tenant. This will prevent the consent dialog from appearing for every user in the tenant. You can do this from the Azure portal from your application page. From the Settings blade for your application, click Required Permissions and click on the Grant Permissions button.
I don't know why I had to do that since I'm only using permissions that don't require admin consent.
There are several potential problems with your setup:
1. Your authorization request is set to a specific tenant, the one with tenantId d6ac45af-3289-4f79-a826-27824e1c467d. Only users from that tenant will be able to log in. If this tenantId corresponds to the one for your organization, where you manage users (A), then disregard this point. Otherwise you should either replace this with the tenantId of that tenant or with common which will allow users from any tenant to sign in.
2. Your application is not multi-tenant. For testing purposes, I replaced the tenantId with common and wasn't able to use this with my test tenant due to the following error: AADSTS70001: Application with identifier 'd340f0ed-5eb3-43e8-9a50-c449649f3ee1' was not found in the directory <MY_TEST_TENANT>. This indicates that the application isn't configured as a multi-tenant application. This is something you must explicitly turn on.
3. Your organization's tenant (A) might have disabled the ability for regular users to consent to applications. If this capability is disabled, admin consent is always required for the application to be set up in the tenant. To test to see if this is the case, address points #1 (use /common/) and #2 above and try with any other tenant. If you are able to consent with that other tenant but not your organization's tenant, then you'll know that admin consent is required for your organization.
You should check out the How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern article as it explains all of the points above in more detail.
I think that error appears when you are passing "&prompt=admin_consent" in the Login URL.
Even though you are not requesting Admin permissions, if you pass that query string, it will try to show you a consent dialogue so that you can consent on behalf of the whole tenant, which is an operation that only an admin can do.

Azure Active Directory Application with Microsoft Accounts

I'm trying to use Azure Active Directory to authenticate users. I also want Microsoft Accounts (@live.com, @outlook.com, etc.) to be able to sign in to my application.
When I sign in with an AAD user, my application gets a Claim Value back from the login.onmicrosoft.com screen with the user's email address as the claim (user@mydomain.com).
When I sign in with a Microsoft Account user that I've added to my AAD, it returns a Claim Value of "live.com#username@outlook.com" which is perfect.
However, I also want random people to be able to sign in, not just users I add to my active directory. I want anyone to be able to sign in with their Microsoft Account, and it should give me the claim value so that I can create an account for them in my application.
Is there any way to allow these users to log in to my application?
You have 2 options:
Add the MSA OWIN individual auth middleware alongside the OpenId Connect one
If you want to experiment, we are integrating that feature in a future version of Azure AD: http://aka.ms/aadconvergence