0
votes

I am trying to read user data from a Microsoft Live account. I have written the code below:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    public void GetUserData(){
        // ADAL talks to the v1.0 endpoint; "common" lets the user pick the tenant at sign-in
        var authContext = new AuthenticationContext("https://login.microsoftonline.com/common/");
        // v1.0 asks for a resource URI (Microsoft Graph here), not scopes; redirect URI must be a Uri
        var result = authContext
                .AcquireTokenAsync("https://graph.microsoft.com", "<my client/app ID>", new Uri("<redirect URI>"), new PlatformParameters(PromptBehavior.RefreshSession))
                .Result;
        var accessToken = result.AccessToken;

        var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        var userResponse = httpClient.GetStringAsync("https://graph.microsoft.com/beta/me/").Result;

        //DO SOMETHING WITH DATA
    }

My code works fine when I use my AAD credentials, but when I use my personal account it gives the following error.

AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'XXXXXXXXXXXXXXXXX' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Here is the screenshot:

[screenshot of the AADSTS50020 error]

It's similar to this question. Could someone help me out?

Comments:

Have you added the personal Live account to your Azure Active Directory? (Wayne Yang)

@Wayne Yang, I have not added any account to the Azure AD. I want my app to work for any Live account. (Sivaprasad derangula)

Then you have to use MSAL + AAD v2.0 endpoints instead of ADAL + v1: docs.microsoft.com/en-us/azure/active-directory/develop/… (juunas)

Hi @sitchie, you shouldn't just use Azure AD to achieve this. This is Azure AD B2B: you need to invite users into your directory and use the v2.0 endpoint for authentication. Based on your requirement, I suggest you use Azure AD B2C to achieve this. docs.microsoft.com/en-us/azure/active-directory-b2c/… (Wayne Yang)

2 Answers

3
votes

v1 endpoints require that the user is a member in a directory.

You should probably use the v2.0 endpoints for this: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview

If you expect only consumer MS accounts to login, you can specify the authorize URL as:

https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
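The following is an added example, not code from the question or from either answer: the question's `/me` lookup rewritten against the v2.0 endpoint with MSAL.NET (`Microsoft.Identity.Client`), which is the library that pairs with the v2.0 authorize URL above. It assumes an app registration that allows "accounts in any organizational directory and personal Microsoft accounts", a public-client redirect URI of `http://localhost`, and the delegated Graph permission `User.Read`; `ClientId` is a placeholder. The `AzureAdAndPersonalMicrosoftAccount` audience corresponds to the `/common` authority; swapping in `PersonalMicrosoftAccount` gives the `/consumers` authority that the answer mentions.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: v2.0 endpoint + MSAL, so personal (live.com) accounts can sign in
// without being invited into a directory first.
public static class GraphMeV2
{
    private const string ClientId = "<my client/app ID>";      // placeholder: the app registration's (client) ID
    private const string RedirectUri = "http://localhost";      // assumption: registered as a public-client redirect URI
    private static readonly string[] Scopes = { "User.Read" };  // v2.0 requests scopes, not a resource URI

    public static async Task<string> GetUserDataAsync()
    {
        // AzureAdAndPersonalMicrosoftAccount = /common (AAD + MSA).
        // Use AadAuthorityAudience.PersonalMicrosoftAccount (= /consumers) to accept only MSAs.
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount)
            .WithRedirectUri(RedirectUri)
            .Build();

        AuthenticationResult result;
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // Try the token cache first; this never shows UI. With no cached account
            // MSAL throws MsalUiRequiredException, which is handled below.
            result = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token (or consent still needed): interactive sign-in.
            result = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }

        // All personal accounts are issued from the well-known MSA tenant
        // 9188040d-6c67-4c5b-b112-36a304b66dad, so TenantId distinguishes MSA from AAD sign-ins.
        Console.WriteLine($"Signed in as {result.Account.Username} (tenant {result.TenantId})");

        using var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        // Use the stable v1.0 Graph endpoint rather than /beta for production code.
        using var response = await httpClient.GetAsync("https://graph.microsoft.com/v1.0/me");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

Two points worth noting for anyone porting the original snippet: the v1.0 `AcquireTokenAsync(resource, ...)` call becomes a scope-based request (`User.Read` rather than `https://graph.microsoft.com`), and the silent-then-interactive pattern replaces `PromptBehavior.RefreshSession`, so the user is only prompted when the cache cannot satisfy the request.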
1
votes

First, for the error message in your question: you need to add the Live account to your directory first and then try to use the Azure AD v2 endpoint to authenticate. You cannot sign in to the app with an external account that is not in that directory.

I assume that you want any Microsoft Live account to be able to use your app.

Based on this requirement, I suggest you use Azure AD B2C to achieve this. Azure AD B2C enables your application to authenticate with any Microsoft account. You can add Microsoft Account as a social identity provider, so that any Live account can sign up and sign in to your app through Azure AD B2C.

You can see more details about Providing sign-up and sign-in to consumers with Microsoft accounts in this official document.

Hope this helps.