Question
I registered a new application on portal.azure.com with my Office 365 company account to access the Graph API.
While authentication is working for users from our own domain (the one registered with O365), I keep getting an error for users from personal Microsoft accounts (outlook.com or live.com).
I did set up the application to support 'All Microsoft account users'.
This is the manifest:

```json
{
  "id": "valid-uid",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": 2,
  "addIns": [],
  "allowPublicClient": null,
  "appId": "valid-uid",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2019-08-29T13:34:54Z",
  "groupMembershipClaims": "All",
  "identifierUris": [
    "api://app-id"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "My Application (DEV2)",
  "oauth2AllowIdTokenImplicitFlow": false,
  "oauth2AllowImplicitFlow": true,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [
    {
      "customKeyIdentifier": null,
      "endDate": "2299-12-30T23:00:00Z",
      "keyId": "valid-uid",
      "startDate": "2019-08-29T13:40:10.571Z",
      "value": null,
      "createdOn": "2019-08-29T13:40:11.7033226Z",
      "hint": "U18",
      "displayName": "Local Client"
    }
  ],
  "preAuthorizedApplications": [],
  "publisherDomain": "NETORGFT(integer-nr).onmicrosoft.com",
  "replyUrlsWithType": [
    {
      "url": "http://localhost:8080/auth/microsoft/callback",
      "type": "Web"
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADandPersonalMicrosoftAccount",
  "tags": [],
  "tokenEncryptionKeyId": null
}
```
This is the error I'm getting when trying to log in with an outlook.com (personal) account:

```text
--------------- Error ----------------
Sign in
Sorry, but we're having trouble signing you in.
AADSTS50020: User account 'someemail@outlook.com' from identity provider 'live.com' does not exist in tenant 'ourdomain.com' and cannot access the application 'uid-of-our-app'(My Application (DEV2)) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
```

Why does that error occur, despite having configured the app with `"signInAudience": "AzureADandPersonalMicrosoftAccount"`?
Answer 1:
Actually, I figured this out by myself.
The manifest property seems to get ignored if you pass your tenant ID along in the URL `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize`.
In the docs I found that for both business and personal accounts you have to pass 'common' as `{tenant}`:

`https://login.microsoftonline.com/common/oauth2/v2.0/authorize`

> The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are `common` for both Microsoft accounts and work or school accounts, `organizations` for work or school accounts only, `consumers` for Microsoft accounts only, and tenant identifiers such as the tenant ID or domain name.

More info here: https://docs.microsoft.com/en-us/graph/auth-v2-user
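As an added example (not code from the question or the answers), the following builds the v2.0 authorize URL from the manifest's `signInAudience` value, choosing the `{tenant}` path segment the answer describes, and then checks the `tid` and `iss` claims of a returned token: once the app signs in through `/common`, the issuer is per-tenant, so the application itself has to decide which tenants it accepts. The mapping of the other `signInAudience` values to path segments and the `ourdomain.com` / `client-id` values are assumptions for illustration.

```python
from urllib.parse import urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# Which {tenant} segment matches each manifest signInAudience value.
# None means a single-tenant app: the caller must pass its own tenant id/domain.
AUDIENCE_TO_TENANT = {
    "AzureADMyOrg": None,
    "AzureADMultipleOrgs": "organizations",
    "AzureADandPersonalMicrosoftAccount": "common",
    "PersonalMicrosoftAccount": "consumers",
}


def authorize_url(sign_in_audience, client_id, redirect_uri, scopes, state, tenant=None):
    """Return the v2.0 authorize URL whose path segment matches the audience."""
    segment = AUDIENCE_TO_TENANT.get(sign_in_audience)
    if segment is None:
        if not tenant:
            raise ValueError("single-tenant app needs an explicit tenant id or domain")
        segment = tenant
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF value the app must check on the callback
    }
    return f"{AUTHORITY}/{segment}/oauth2/v2.0/authorize?{urlencode(params)}"


def tenant_segment(url):
    """Extract the {tenant} segment so a test or log can confirm what was requested."""
    return urlparse(url).path.split("/")[1]


def token_tenant_ok(claims, allowed_tenants=None):
    """Check that the token's issuer belongs to the tenant in `tid` and that
    the tenant is one the app accepts (allowed_tenants=None accepts any tenant,
    which is what a /common app that truly wants every account would do)."""
    tid = claims.get("tid")
    if not tid or claims.get("iss") != f"{AUTHORITY}/{tid}/v2.0":
        return False
    return allowed_tenants is None or tid in allowed_tenants
```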
Answer 2:
To fix the issue, you would need to add these Microsoft accounts in your Azure AD as guest users.
Basically what is happening is that these users are getting authenticated elsewhere but in order for them to access the application created in your tenant (Azure AD), they would need to be present in your tenant. Since these users are not present in your tenant, you are getting this error.
Source: https://stackoverflow.com/questions/57712737/login-with-personal-microsoft-accounts-failes-to-oauth2-v2