问题
I have a custom MVC WebApplication with WebApi-service that require authentication/authorization. I followed the example on GitHub WebApp-WebAPI-OpenIDConnect-DotNet. While developing I created a new test directory on my personal Azure subscription and everything worked perfectly fine. I could add institutional accounts (like jon@mytenantname.onmicrosoft.com) and existing Microsoft accounts (jon@hotmail.com) and assign them to different groups. When a user typed in a liveID email address on the login page and moved the cursor to the password textbox, he was redirected to a Microsoft account login page.
Now I published the application to our production web server and want to connect the applications to a synchronized Azure Active Directory. It works with all institutional (work-) accounts. But when I add a Microsoft account, and try to login with those credentials, the redirection does not work anymore. The login page displays in red:
We don't recognize this user ID or password Make sure you typed the user ID assigned to you by your organization. It usually looks like someone@example.com or someone@example.onmicrosoft.com. And check to make sure you typed the correct password.
What am I missing? Is it possible to use synchronized institutional and personal Microsoft accounts together in one directory?
回答1:
My team owns the sign-in UX for Azure AD. The fact that the AAD login page recognizes domains like outlook.com and redirects users to the Microsoft account (Live ID) login page is a happenstance. It doesn’t work for all consumer domains, and it must not be relied on to enable MSA sign in to your apps. If you want to support sign in for Azure AD and MSA users, you need to show separate sign-in buttons in your app. We're looking at how we can make this experience better in the longer term. Hope this helps.
回答2:
If you are using openid connect like in the sample, and you are not using the /common endpoint,there should be no difference between the two scenarios. I assume you are an admin in your prod directory as well? Did you provision the Microsoft accounts in your prod directory in the exact same way as you did in your test directory?
来源:https://stackoverflow.com/questions/27797846/azure-ad-authentication-with-institutional-and-microsoft-accounts