1
votes

I am not able to authenticate the Azure APIs through my application with an email ID registered under a different domain name. It works for my company email address.

Steps I followed to register the application in AD:

  1. Registered an app in Azure Active Directory.
  2. Set permission requests to allow the client to access the Azure Resource Manager API.
  3. Also enabled the multi-tenant option.

Followed URL Azure Authentication

Authorize URL:

/common/oauth2/authorize?
client_id=XXXXXXXXXXXXXXXXXXXXX
&response_type=code
&redirect_uri=calBackURL
&response_mode=query
&resource=https%3a%2f%2fmanagement.azure.com
&state=12345&prompt=consent

Token URL: 
/common/oauth2/token?
grant_type=authorization_code
&client_id=xxxxxxxxxx
&code={Code}
&redirect_uri={calBackURL}
&client_secret=xxxxxxxxxx

Error Message:

AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'xxxx' and cannot access the application 'xxxx xxxx xxxx xxxx xxxx'(Azure Demo Builder Dev) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

1
If you still have any query, feel free to ask here in a comment. Thank you. – Md Farid Uddin Kiron
You are using the v1.0 endpoint; users created under other tenants will be able to access your application. But the user account [email protected] which you used is a personal account. If you want this account to be able to access your application, you need to add this user to your tenant as a guest. Or you can change to the v2.0 endpoint which is mentioned in the answer. If you use the v2.0 endpoint, all personal accounts will be able to access your application. – Tony Ju

1 Answer

0
votes

Having a look at your request code, it seems that you are trying to authenticate your application using Azure Active Directory V1.0.

Point To Remember

If you look into the official Microsoft documentation you will see that Azure AD V1.0 doesn't support personal account integration for authentication. See the screenshot below:

[screenshot]

To make it work you could use Azure Active Directory V2.0, or else you have to change your personal email.

For the V2.0 token request endpoint you could hit the following URL:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?

The code grant flow you used in your request can be prepared for V2.0 by having a look here.

Note: The v2.0 endpoint and platform have been in preview and are continually enhanced. It's not recommended for production use.
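The following is an added example, not code from the question or the answer, showing the same authorization-code flow moved to the v2.0 endpoint described above. It replaces the v1.0 `resource=https://management.azure.com` parameter with the v2.0 scope `https://management.azure.com/user_impersonation` (an assumption about which ARM scope the application needs; `.default` is the other common choice), keeps the `/common` authority so that both work/school and personal (live.com) accounts can sign in, and goes slightly beyond the page by adding a `state` check and PKCE. Unlike the token URL in the question, the client secret is placed in the body of a POST rather than in the query string, where it would end up in proxy and server logs. The client ID, secret, redirect URI, error response and JWT below are constructed placeholders; the AADSTS parsing and claim decoding are for troubleshooting only and do not verify anything.

```python
"""Authorization-code flow against the Azure AD v2.0 endpoint (added example)."""
import base64
import hashlib
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
# v2.0 expresses the ARM audience as a scope instead of the v1.0 `resource` parameter.
ARM_SCOPE = "https://management.azure.com/user_impersonation"  # assumed scope


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWTs and PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = secrets.token_urlsafe(64)            # 86 chars, within the 43..128 limit
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, tenant="common"):
    """v2.0 authorize URL. `common` accepts work/school and personal accounts;
    `organizations` or a tenant ID would exclude personal accounts again."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"openid offline_access {ARM_SCOPE}",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_redirect(callback_url, expected_state):
    """Extract the code from the redirect; a state mismatch is treated as CSRF."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in qs:
        raise RuntimeError(qs.get("error_description", qs["error"])[0])
    return qs["code"][0]


def token_request(client_id, client_secret, code, redirect_uri, code_verifier, tenant="common"):
    """URL and form body for the POST to the v2.0 token endpoint.
    The secret travels in the body, never in the query string."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": ARM_SCOPE,
    }
    return url, body


AADSTS_RE = re.compile(r"AADSTS(\d+)")


def aadsts_code(error_response):
    """Pull the numeric AADSTS code out of a token-endpoint error JSON, or None."""
    m = AADSTS_RE.search(error_response.get("error_description", ""))
    return int(m.group(1)) if m else None


def unverified_claims(jwt):
    """Decode a JWT payload WITHOUT signature verification, to inspect iss/tid/idp
    while troubleshooting. Never trust these claims without verifying the token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed sample data (not captured from a real tenant).
SAMPLE_ERROR = {
    "error": "invalid_grant",
    "error_description": "AADSTS50020: User account 'user@example.com' from identity "
                         "provider 'live.com' does not exist in tenant 'xxxx'.",
}
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"none","typ":"JWT"}'),
    _b64url(b'{"iss":"https://login.microsoftonline.com/xxxx/v2.0","tid":"xxxx","idp":"live.com"}'),
    "",
])

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("<client-id>", "https://localhost/callback", state, challenge))
    print(token_request("<client-id>", "<client-secret>", "<code>", "https://localhost/callback", verifier))
    print("AADSTS", aadsts_code(SAMPLE_ERROR), unverified_claims(SAMPLE_JWT))
```

Open the printed authorize URL in a browser, pass the redirected URL to `parse_redirect` with the same `state`, and POST the body from `token_request` as `application/x-www-form-urlencoded`. If the token endpoint still returns AADSTS50020, the `idp` claim in the resulting error or token tells you which identity provider the account came from, which is the quickest way to confirm that the sign-in was a personal account rather than a guest of the tenant.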