I am developing an Office 365 app that I want to be multi-tenant: that is, I want the application to have access to Exchange data for users from other organizations. So far, I have been able to create an OAuth 2 access token on behalf of the desired third-party user, but no consent screen is ever shown to the user, and API requests fail with a 401 Unauthorized error containing the following header:
< x-ms-diagnostics: 2000001;reason="No applicable user context claims found.";error_category="invalid_token"
In more detail, I have done the following. I have created and configured an Azure AD application. I have configured the application to be multi-tenant, and added delegated permissions for AAD access as well as Exchange and SharePoint access. Using the endpoints for this application, I make an OAuth 2 authorization request on behalf of the third-party user. This request succeeds without showing any consent screen, returning an access code [1]. A subsequent access token request also succeeds [2]. The requested resource in the access token request is https://outlook.office365.com, and the successful access token response contains the Mail.Read scope. At this point, mail API requests (for example, to list messages for a user) fail on behalf of the third-party user [3].
What is needed to set up a proper multi-tenant application that may be used by users in other organizations?
[1]
Third party auth code request:
https://login.windows.net/<uid>/oauth2/authorize?api-version=1.0&client_id=<client id>&response_type=code&resource=https://outlook.office365.com/
Redirect is to:
http://localhost:3000/?code=<access code>&session_state=e9ba65e1-860e-41ab-b3d4-7af64d54135e
where localhost:3000 is my configured reply URL for the application.
[2] Access token request:
curl -X POST https://login.windows.net/<uid>/oauth2/token \
-F redirect_uri=http://localhost:3000 \
-F grant_type=authorization_code \
-F resource=https://outlook.office365.com \
-F client_id=<id> \
-F client_secret=<secret> \
-F code=<auth code above>
Response:
200 OK
{
"access_token": "<token>",
"expires_in": "3599",
"expires_on": "1421092817",
... "resource": "https://outlook.office365.com",
"scope": "Calendars.Read Calendars.Write Contacts.Read Contacts.Write full_access_as_user Mail.Read Mail.Send Mail.Write",
"token_type": "Bearer"
}
[3] API Request:
curl -v https://outlook.office365.com/api/v1.0/me \
-H "Authorization: Bearer <access token>"
Response:
< HTTP/1.1 401 Unauthorized
* Server Microsoft-IIS/8.0 is not blacklisted
< Server: Microsoft-IIS/8.0
< request-id: 4b30a79a-ee3d-4bac-856c-2b1cce9c4043
< Set-Cookie: ClientId=ZILVUOFNNUSPO455YJRBCW; expires=Tue, 12-Jan-2016 18:27:47 GMT; path=/; secure; HttpOnly
< x-ms-diagnostics: 2000001;reason="No applicable user context claims found.";error_category="invalid_token"
< X-Powered-By: ASP.NET
< X-FEServer: BN3PR0301CA0033
< WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm=""
< Date: Mon, 12 Jan 2015 18:27:49 GMT
< Content-Length: 0
<
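Added example, not part of the original post: a small Python helper that decodes the payload of the returned access token (signature deliberately not verified, for inspection only) and reports whether the claims Exchange needs to establish a user context are present. The two tokens are constructed, unsigned test values; the claim names checked (aud, tid, scp, upn, oid, unique_name, sub) are the standard Azure AD v1 access token claims.

```python
import base64
import json

# Claims that identify the signed-in user in a delegated Azure AD v1 access token.
USER_CONTEXT_CLAIMS = ("upn", "oid", "unique_name", "sub")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT checking its signature.
    Diagnostic use only: never base an authorization decision on these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token: str, expected_resource: str) -> list:
    """List reasons a resource could reject the token as lacking user context."""
    claims = decode_jwt_unverified(token)
    problems = []
    if claims.get("aud", "").rstrip("/") != expected_resource.rstrip("/"):
        problems.append("aud %r does not match %r" % (claims.get("aud"), expected_resource))
    if not any(c in claims for c in USER_CONTEXT_CLAIMS):
        problems.append("no user context claims (%s)" % ", ".join(USER_CONTEXT_CLAIMS))
    if "tid" not in claims:
        problems.append("no tid claim (issuing tenant unknown)")
    if "scp" not in claims:
        problems.append("no scp claim (no delegated scopes)")
    return problems


def make_test_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed token so the parser can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed samples: one with a user identity, one with tenant and scopes but no user.
DELEGATED_TOKEN = make_test_token({"aud": "https://outlook.office365.com/", "tid": "t-1",
                                   "scp": "Mail.Read", "upn": "user@example.org", "oid": "o-1"})
NO_USER_TOKEN = make_test_token({"aud": "https://outlook.office365.com/", "tid": "t-1",
                                 "scp": "Mail.Read"})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("no-user", NO_USER_TOKEN)):
        print(name, diagnose(tok, "https://outlook.office365.com") or "looks complete")
```

Paste the real access_token value from the token response in place of the constructed ones to see which of these claims the token actually carries.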