I am trying to authenticate users in my web application using Azure AD to store user records. For authenticating the user I am using the ADAL4J API (https://github.com/AzureAD/azure-activedirectory-library-for-java). I am using the AuthenticationContext.acquireToken() method to acquire the token for users. This is working for local users in my directory but not for guest users invited to the directory.

While authenticating guest users I am getting an error: "To sign into this application the account must be added to the directory". However, I am sure the user has been successfully added to the directory, as seen through the Azure Portal. Also, I have verified the same using the Graph API, where I can see the guest users in the user list in the directory.

So the question is how do I authenticate the guest user in my web application through code (not through redirecting to the Azure UI)?

EDIT: This is the method to which I am passing the username and password of the user:

    import java.util.concurrent.ExecutorService;
    import java.util.concurrent.Executors;
    import java.util.concurrent.Future;
    import javax.naming.ServiceUnavailableException;
    import com.microsoft.aad.adal4j.AuthenticationContext;
    import com.microsoft.aad.adal4j.AuthenticationResult;

    // Application (client) id registered in the directory; the real value is not shown here.
    private static final String CLIENT_ID = "<client_id>";

    private static AuthenticationResult getAccessTokenFromUserCredentials(
            String username, String password) throws Exception {
        AuthenticationContext context = null;
        AuthenticationResult result = null;
        ExecutorService service = null;
        try {
            service = Executors.newFixedThreadPool(1);
            // Tenant-specific authority; validateAuthority is switched off here
            context = new AuthenticationContext("https://login.windows.net/<tenant_name>", false, service);
            // Resource owner password credentials: token for the Graph resource on behalf of the user
            Future<AuthenticationResult> future = context.acquireToken(
                    "https://graph.windows.net", CLIENT_ID, username, password,
                    null);
            result = future.get();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (service != null) { // guard against an NPE if the executor was never created
                service.shutdown();
            }
        }

        if (result == null) {
            throw new ServiceUnavailableException(
                    "authentication result was null");
        }
        return result;
    }
Shawn Tabrizi: Can you share the details of the login URL you are constructing for the user? Are you using the 'common' endpoint or a tenant-specific endpoint? How did you add the guest user?

adarsh hegde: I added the guest user through the Azure UI, after which I received an invite through email for the user. Once I completed the instructions in the invite the user was added in my directory. I am using the 'common' endpoint. My code for authentication looks like this: `context = new AuthenticationContext("login.windows.net/common", false, service); Future<AuthenticationResult> future = context.acquireToken("graph.windows.net", CLIENT_ID, username, password, null);`

Shawn Tabrizi: In this code snippet, what is "service"? Also, you should be using the endpoint "login.microsoftonline.com". Also, is there a specific reason you are passing in the username and password to acquire the token rather than following the authorization code grant flow?

adarsh hegde: @ShawnTabrizi the "authorization code grant flow" explains how the Azure UI is used for user authentication in an interactive mode. My requirement needs me to use my app's login page for authentication, where I authenticate the user credentials (username and password) using the ADAL4J API as explained here: github.com/Azure-Samples/active-directory-java-native-headless.

adarsh hegde: The "service" is an ExecutorService object which is used to define the thread pool. I tried pointing to "login.microsoftonline.com" but got the exact same error.

1 Answer
With the information you provided, I feel like the issue here is related to the login endpoint. Remember that the common endpoint uses the logged in user to help 'guess' which tenant endpoint to authenticate to. If you are doing more tricky things like guest accounts, it is very likely the common endpoint will not figure out all the right details.

I recommend you specifically call your tenant's login endpoint, through the whole process, and see if that resolves your issues.

Let me know if this helps!
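As an added illustration of the answer's recommendation (this is not the asker's code and not from the ADAL4J project), the same credential-based acquisition pointed at a tenant-specific authority on the login.microsoftonline.com host mentioned in the comments; the TenantAuth class, the tenantAuthority helper and the placeholder tenant/client values are assumptions:

```java
import java.util.Objects;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

/** Hypothetical helper: acquires a user token against the tenant's own authority, never "common". */
public final class TenantAuth {
    // Host suggested in the comments; the tenant id/domain and client id are placeholders.
    private static final String LOGIN_HOST = "https://login.microsoftonline.com/";
    private static final String RESOURCE = "https://graph.windows.net";

    /** Builds the authority URL and rejects the "common" endpoint, which has to guess the tenant. */
    static String tenantAuthority(String tenant) {
        String t = Objects.requireNonNull(tenant, "tenant").trim();
        if (t.isEmpty() || t.equalsIgnoreCase("common")) {
            throw new IllegalArgumentException(
                    "a tenant id or verified domain is required, not '" + tenant + "'");
        }
        return LOGIN_HOST + t;
    }

    static AuthenticationResult acquireUserToken(String tenant, String clientId,
                                                 String username, String password) throws Exception {
        ExecutorService service = Executors.newSingleThreadExecutor();
        try {
            // validateAuthority=true makes ADAL4J check the authority before credentials are sent
            AuthenticationContext context =
                    new AuthenticationContext(tenantAuthority(tenant), true, service);
            Future<AuthenticationResult> future =
                    context.acquireToken(RESOURCE, clientId, username, password, null);
            AuthenticationResult result = future.get();
            if (result == null) {
                throw new IllegalStateException("authentication result was null");
            }
            return result;
        } finally {
            service.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TenantAuth <username> <password>; placeholders below must be replaced.
        AuthenticationResult r = acquireUserToken("<tenant_id_or_domain>", "<client_id>", args[0], args[1]);
        System.out.println("token issued for " + r.getUserInfo().getDisplayableId());
    }
}
```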