2
votes

I am writing an application to access data (email, contacts, calendar) of a user in Office 365. So I need to enable access to my app for external users.

I've followed the instructions from Microsoft here (http://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_MultiT) and defined my app in the Azure portal as multi-tenant.

Then I have to use OAuth2 to access the data (http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx).

When I follow the steps in the link above, I get an error in the response to the first GET request (the authorisation request):

request sent:

GET https://login.windows.net/{key_provided}/oauth2/authorize?response_type=code&client_id={client_id_of_my_app}&redirect_uri={redirec_uri_of_my_app}&resource=https:%2f%2foutlook.office365.com%2f&state=5fdfd60b-8457-4536-b20f-fcb658d19458

response:

{redirec_uri_of_my_app}error=access_denied&error_description=AADSTS50034%3a+User+account+is+not+registered+for+the+account.%0D%0ATrace+ID%3a+3d9957b5-3d26-4193-b56a-0fbecd216499%0D%0ACorrelation+ID%3a+3ff14789-ca86-47f1-a02b-baaf084c416e%0D%0ATimestamp%3a+2014-08-14+19%3a11%3a15Z&state=5fdfd60b-8457-4536-b20f-fcb658d19458

And I can retrieve the auth code and the access token perfectly for a user of my own account, but not for external users.

Does anybody have an idea on how I can fix this problem?

Thank you!


2 Answers

8
votes

You are sending the OAuth request to a tenant-specific endpoint of Azure AD. Note the {key_provided} part of your URL: that part represents the tenant id or a registered domain name of an Azure AD tenant. Azure AD throws this error if the user signing in is not a user in that tenant.

Multi-tenant applications like yours have two options:

  1. Perform home realm discovery yourself and send the SSO request to the correct tenant-specific endpoint of Azure AD: when a new Azure AD organization signs up for your application, record its tenant ID and registered domain names. On your login page, ask the user for their email and try to discover which Org they belong to using the suffix of the email.
  2. Use the common endpoint of Azure AD. Instead of the {key_provided} part of the URL, use 'common'. In this case Azure AD will determine the user's tenant and sign in the user. The token that your application receives will still be from the user's tenant (iss claim).

#2 is more convenient for apps. However, #1 has an advantage when the user's Organization has customized their sign-in page with the company logo etc.: in the case of #1 the user will be taken directly to the customized and familiar sign-in page.

I recommend a combination of the two: try determining the user's organization and sending them to the tenant-specific SSO endpoint. If you're not able to, send them to the common endpoint.

Hope this helps.
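The combined approach from this answer (home realm discovery by email suffix, falling back to the common endpoint), as an added example that is not part of the original answer or of any Microsoft library. It builds the same authorize request the question shows, and parses the redirect back to redirect_uri, rejecting any response whose state does not match the one issued for that login and recognizing the AADSTS50034 tenant-mismatch error from the question. The client id, redirect URI, domain names and tenant ids are hypothetical placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.windows.net"
RESOURCE = "https://outlook.office365.com/"

# Constructed table: registered domain name -> tenant id, filled in as each
# organization signs up for the app. The values here are placeholders.
TENANT_BY_DOMAIN = {
    "contoso.example": "00000000-0000-0000-0000-000000000001",
}


def discover_tenant(email: str, tenant_by_domain=TENANT_BY_DOMAIN) -> str:
    """Home realm discovery by email suffix.

    Returns the recorded tenant id when the email domain is one we know,
    otherwise 'common' so Azure AD resolves the user's tenant itself.
    """
    if "@" not in email:
        return "common"
    domain = email.rsplit("@", 1)[1].strip().lower()
    return tenant_by_domain.get(domain, "common")


def new_state() -> str:
    """Unguessable per-login value; store it in the session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str,
                        tenant: str, state: str) -> str:
    """Authorization-code request against a tenant id or 'common'."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": RESOURCE,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Parse the redirect back to redirect_uri.

    Raises ValueError when the state does not match the one we issued, so a
    response that was not started by this login attempt is never consumed.
    Otherwise returns {'code': ...} on success or the error pair on failure.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: response is not for this login attempt")
    if "error" in query:
        return {
            "error": query["error"][0],
            "error_description": query.get("error_description", [""])[0],
        }
    return {"code": query["code"][0]}


def tenant_mismatch(result: dict) -> bool:
    """True when Azure AD reported that the user is not in the tenant addressed."""
    return (result.get("error") == "access_denied"
            and result.get("error_description", "").startswith("AADSTS50034"))


if __name__ == "__main__":
    state = new_state()
    tenant = discover_tenant("alice@fabrikam.example")   # unknown domain -> common
    print(build_authorize_url("client-id-placeholder",
                              "https://app.example/cb", tenant, state))
```

When tenant_mismatch() is true for a login sent to a tenant-specific endpoint, the natural recovery is to repeat the request against 'common'; when it is true for a request already sent to 'common', the user is not signing in with an organizational account that the app can serve.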

0
votes

Make sure that the user is signing in with an Office 365 organizational account. When you say "external users" I assume you mean users in an Office 365 tenant other than your own?