I did register a new Application on portal.azure.com with my Office365 company account to Access the GraphAPI.
While authentication is working for users from our own domain (the one registered with O365), I keep getting an error for users from personal Microsoft accounts (outlook.com or live.com).
I did setup the Application to support 'All Microsoft account users'.
This is the Manifest
{
"id": "valid-uid",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": null,
"appId": "valid-uid",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2019-08-29T13:34:54Z",
"groupMembershipClaims": "All",
"identifierUris": [
"api://app-id"
],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "My Application (DEV2)",
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": true,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2299-12-30T23:00:00Z",
"keyId": "valid-uid",
"startDate": "2019-08-29T13:40:10.571Z",
"value": null,
"createdOn": "2019-08-29T13:40:11.7033226Z",
"hint": "U18",
"displayName": "Local Client"
}
],
"preAuthorizedApplications": [],
"publisherDomain": "NETORGFT(integer-nr).onmicrosoft.com",
"replyUrlsWithType": [
{
"url": "http://localhost:8080/auth/microsoft/callback",
"type": "Web"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null
}
This is the error I'm getting when trying to login with a outlook.com (personal account).
--------------- Error ----------------
Sign in Sorry, but we’re having trouble signing you in.
AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'ourdomain.com' and cannot access the application 'uid-of-our-app'(My Application (DEV2)) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Why does that error occur, despite having configured the app to be "signInAudience": "AzureADandPersonalMicrosoftAccount"
?