5
votes

I need to build an app with Office 365 API and tried several examples provided here: https://msdn.microsoft.com/en-us/office/office365/howto/starter-projects-and-code-samples.

I manage to log in to the app with a user from within my own Azure Active Directory, e.g. user.name@tenant.onmicrosoft.com.

But whenever I use another Office 365 account from another domain, e.g. [email protected], I get this error:

AADSTS50020: User account '[email protected]' from external identity provider 'https://sts.windows.net/908b6c6d-f582-461d-9e73-88a4e48f5d88/' is not supported for application 'df1a02fd-f096-46df-9b5a-5cf1b0f9ef6d'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

The defined application in Azure is set to Multi-tenant!!

I also tried to add the foreign users to my AAD, but every time I get the message "This Microsoft account does not exist".

EXCEPT: I also made a Hotmail account which I was able to add to my AAD, and with this account logging in to the app was successful. But without adding it to my AAD I get the above error message.

Any help would be welcome.

Has the directory pivabo.be granted access (single sign-on, read user profile etc.) to your application? – Gaurav Mantri

I did not take any action to do so. I can log in to oauthplay.azurewebsites.net with this user. How can I grant access? – Roy Decaestecker

I think you're mistaken .... in multi-tenant the tenant would refer to an Azure AD. So by that definition, if your application is multi-tenant, users from different Azure Directories would be able to use your application, but first the admin would need to allow access in their AD to your application. – Gaurav Mantri

oauthplay.azurewebsites.net: how come that on this website I can log in with any Microsoft account? The application is not added to my AAD and still I can log in with any user of my AAD. – Roy Decaestecker

@Prokurors In most cases the new end user has to accept the app and what claims it is requesting, unless an admin has done this already. However, for some claims only an admin can provide this consent. For example: reading my end user contacts list - end user can grant. Reading entire Active Directory - only admin can grant. So I'd slightly adjust my comment today in that some grants don't require admin approval, but in most cases users still have to review and accept claims. – ChrisW

2 Answers

10
votes

Make sure you are using "https://login.microsoftonline.com/common/..." and not "https://login.microsoftonline.com/[your tenant name]" when forming the authorization link.

0
votes

I am late to the party, but what fixed it for me was that I had to use "common" as tenantId.
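Both answers come down to the tenant segment of the authorization URL. The following Python is an added example, not code from the question, the answers, or the Office 365 samples: it builds the Azure AD v1 authorization-code URL with the "common" segment (or a single tenant, to show the difference), and checks a token's issuer the way a multi-tenant app has to, since with "common" the issuer is per tenant and cannot be pinned to one string. The client id is a placeholder, the redirect URI and resource are constructed values, and the issuer shape `https://sts.windows.net/<tenant id>/` is taken from the error message quoted in the question.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Azure AD v1 endpoint host named in the answers above.
LOGIN_HOST = "https://login.microsoftonline.com"


def build_authorize_url(client_id, redirect_uri, resource, state, tenant="common"):
    """Return the OAuth 2.0 authorization-code URL for the given tenant segment.

    tenant="common" (the default) lets users from any Azure AD directory, or a
    Microsoft account, sign in. A tenant name or id instead pins the request to
    that single directory, which is what produces AADSTS50020 for outside users.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,  # anti-CSRF value; compare it again on the redirect back
    }
    return f"{LOGIN_HOST}/{tenant}/oauth2/authorize?{urlencode(params)}"


def parse_authorize_url(url):
    """Split an authorization URL into (tenant segment, query parameters)."""
    parsed = urlparse(url)
    # path is /common/oauth2/authorize or /<tenant>/oauth2/authorize
    tenant = parsed.path.strip("/").split("/")[0]
    params = {key: values[0] for key, values in parse_qs(parsed.query).items()}
    return tenant, params


def is_multi_tenant_authority(url):
    """True when the URL uses the /common/ segment rather than one tenant."""
    return parse_authorize_url(url)[0] == "common"


def issuer_for_tenant(tenant_id):
    # v1 tokens carry an issuer of this shape; the guid is the user's home tenant
    return f"https://sts.windows.net/{tenant_id}/"


def validate_issuer(claims, allowed_tenant_ids=None):
    """Check that a token's issuer matches its tid and, optionally, an allowlist.

    With /common the issuer differs for every tenant, so a multi-tenant app must
    not hard-code a single issuer string. It checks the shape against the tid
    claim and, if it only serves certain customers, the tid against an allowlist.
    allowed_tenant_ids=None accepts any tenant (signature checks happen elsewhere).
    """
    iss = claims.get("iss")
    tid = claims.get("tid")
    if not iss or not tid:
        return False
    if iss != issuer_for_tenant(tid):
        return False
    if allowed_tenant_ids is not None and tid not in allowed_tenant_ids:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values; the client id is a placeholder, not a real app.
    url = build_authorize_url(
        client_id="<your-app-client-id>",
        redirect_uri="https://localhost/callback",
        resource="https://outlook.office365.com/",
        state="xyz123",
    )
    print(url)
    print("multi-tenant authority:", is_multi_tenant_authority(url))

    # Constructed claims; the tenant guid is the one quoted in the question's error.
    claims = {
        "iss": "https://sts.windows.net/908b6c6d-f582-461d-9e73-88a4e48f5d88/",
        "tid": "908b6c6d-f582-461d-9e73-88a4e48f5d88",
    }
    print("issuer ok:", validate_issuer(claims))
```

Run it as a script to print the two URLs' behaviour; in an application, `validate_issuer` runs after the token's signature has been verified, and the `allowed_tenant_ids` set is where the admin consent discussed in the comments turns into an actual access decision rather than being left to whichever tenant signs in.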