1
votes

I registered a new application on portal.azure.com with my Office 365 company account to access the Graph API.

While authentication is working for users from our own domain (the one registered with O365), I keep getting an error for users from personal Microsoft accounts (outlook.com or live.com).

I set up the application to support 'All Microsoft account users'.

This is the manifest:

{
    "id": "valid-uid",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "valid-uid",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2019-08-29T13:34:54Z",
    "groupMembershipClaims": "All",
    "identifierUris": [
        "api://app-id"
    ],
    "informationalUrls": {
        "termsOfService": null,
        "support": null,
        "privacy": null,
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": null,
    "logoutUrl": null,
    "name": "My Application (DEV2)",
    "oauth2AllowIdTokenImplicitFlow": false,
    "oauth2AllowImplicitFlow": true,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": null,
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2299-12-30T23:00:00Z",
            "keyId": "valid-uid",
            "startDate": "2019-08-29T13:40:10.571Z",
            "value": null,
            "createdOn": "2019-08-29T13:40:11.7033226Z",
            "hint": "U18",
            "displayName": "Local Client"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "NETORGFT(integer-nr).onmicrosoft.com",
    "replyUrlsWithType": [
        {
            "url": "http://localhost:8080/auth/microsoft/callback",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": null,
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [],
    "tokenEncryptionKeyId": null
}

This is the error I'm getting when trying to log in with an outlook.com (personal) account.

--------------- Error ----------------

Sign in Sorry, but we’re having trouble signing you in.

AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'ourdomain.com' and cannot access the application 'uid-of-our-app'(My Application (DEV2)) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Why does that error occur, despite having configured the app to be "signInAudience": "AzureADandPersonalMicrosoftAccount"?


2 Answers

3
votes

Actually, I figured this out myself.

The manifest property seems to get ignored if you pass your tenant ID in the URL https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize....

In the docs I found that for both business and personal accounts you have to pass 'common' as {tenant}: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are:

  • common for both Microsoft accounts and work or school accounts,
  • organizations for work or school accounts only,
  • consumers for Microsoft accounts only, and
  • tenant identifiers such as the tenant ID or domain name.

More info here: https://docs.microsoft.com/en-us/graph/auth-v2-user
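To make the mapping in this answer concrete, here is an added example (not code from the question, the answer, or Microsoft's docs) that picks the {tenant} segment from the manifest's signInAudience value and builds the v2.0 authorize URL; the client ID, redirect URI, tenant IDs and claims used in it are constructed placeholders. It also shows the check an app needs once it uses 'common': the token can then come from any tenant, so the app has to decide which 'tid' values it accepts instead of relying on the URL.

```python
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# signInAudience values from the app manifest mapped to the {tenant} path
# segment of {AUTHORITY}/{tenant}/oauth2/v2.0/authorize.
AUDIENCE_TO_TENANT = {
    "AzureADandPersonalMicrosoftAccount": "common",   # work/school + personal
    "AzureADMultipleOrgs": "organizations",           # work/school, any tenant
    "PersonalMicrosoftAccount": "consumers",          # personal accounts only
}


def tenant_segment(sign_in_audience: str, home_tenant_id: str) -> str:
    """Return the {tenant} value that matches the manifest's signInAudience.

    Only a single-tenant app (AzureADMyOrg) belongs on the tenant-ID endpoint.
    Putting the tenant ID in the URL for any other audience narrows sign-in to
    that one tenant, which is the AADSTS50020 symptom from the question.
    """
    if sign_in_audience == "AzureADMyOrg":
        return home_tenant_id
    try:
        return AUDIENCE_TO_TENANT[sign_in_audience]
    except KeyError:
        raise ValueError(f"unknown signInAudience: {sign_in_audience!r}")


def authorize_url(sign_in_audience, home_tenant_id, client_id,
                  redirect_uri, scopes, state):
    """Build the v2.0 authorization-code request URL (query-encoded)."""
    tenant = tenant_segment(sign_in_audience, home_tenant_id)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF value the caller generated and stored
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}"


def tenant_allowed(claims: dict, allowed_tenants: set) -> bool:
    """With 'common' the issuer is no longer fixed by the URL, so the app must
    filter on the token's 'tid' claim itself. `claims` is assumed to be the
    payload of an already signature-verified token."""
    return claims.get("tid") in allowed_tenants
```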

-1
votes

To fix the issue, you would need to add these Microsoft accounts to your Azure AD as guest users.

Basically, what is happening is that these users are getting authenticated elsewhere, but in order for them to access the application created in your tenant (Azure AD), they would need to be present in your tenant. Since these users are not present in your tenant, you are getting this error.