
My target is simple: use an Azure AD multi-tenant app to be able to call Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.

  1. I created an Azure AD multi-tenant app using a company's tenant.
  2. Then created a test ASP.NET Core Web application which goes to such a URL.
  3. The Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM, where the test Web app receives the callback with given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
  4. The Multi-Tenant AAD App gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.

It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?

I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirmed that a Service Principal gets created on the target tenant). However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.

Should it be done by hand - detecting a personal MS account and finding the association with an AAD tenant - or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in Azure Portal)?

P.S. Using the URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("organizations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.


UPDATE

To demonstrate the problem, 4 tests were made to access the resource "https://management.azure.com/" with a multi-tenant app:

  1. Authorize Microsoft's "Microsoft Azure" app with v1 endpoint - it works with personal accounts: https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  2. Authorize the same "Microsoft Azure" app with the v2 endpoint - now it does not allow using personal accounts: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  3. Authorize a custom multi-tenant app against the v1 endpoint (insert your client id) - shows error AADSTS50020 "User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account." https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  4. Authorize a custom multi-tenant app against the v2 endpoint - same as test #2 - does not allow personal accounts.

Thoughts.

  1. The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, whereas the v1 endpoint does.
  2. The Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allow using personal accounts for the desired resource.

ANSWER

Long story short, it's not possible for the general public, as per Microsoft.

1 Answer

Only the v2.0 endpoint supports personal account login (even when the account doesn't belong to any Azure AD tenant).

It works with a personal account when you use the v1.0 endpoint.

That's because that personal account belongs to at least one Azure AD tenant. Then this personal account will be recognized as a guest user in the tenant.

The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/

Yes, if you log in with a personal account when you use the v2.0 endpoint, it will detect that you are using a personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.

You must identify the tenant to log in with a personal account when using the v2.0 endpoint:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default

Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.

Update:

It is normal that you can't do that. You are not telling Azure AD which tenant the MSA user is an external user in, so Azure AD is making a guess and checking in the tenant where the app is registered (tenant A). If you expect external users to be able to sign in, you must specify the tenant to which the guest has previously been invited (e.g. tenant B).
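As an added example (not code from the asker or the answerer), this Python sketch ties the two halves of the answer together: parsing the /tenants response into tenant ids, emitting the tenant-specific v2.0 authorize URL for each, and recognising the AADSTS50020 redirect quoted in the question as a wrong-tenant attempt. The client id, redirect URI and tenant ids are constructed placeholders, and the bearer token needed to fetch the /tenants page is assumed to come from an earlier sign-in.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder client id; substitute your own app registration's id.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost"
ARM_SCOPE = "https://management.azure.com/.default"

def build_v2_authorize_url(tenant, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI,
                           state="12345", nonce="default"):
    """Tenant-specific v2.0 authorize URL in the shape the answer gives. With
    'common' an MSA user is redirected to login.live.com and the sign-in for the
    ARM scope fails; naming the tenant where the account is a guest keeps the
    request inside Azure AD."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "fragment",
              "scope": ARM_SCOPE, "state": state, "nonce": nonce}
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def tenant_ids_from_arm(body_text):
    """Parse the body of GET https://management.azure.com/tenants?api-version=2016-06-01
    (needs a bearer token from a first sign-in). Returns the tenant ids and the
    'nextLink' URL, which is present only when a further page must be fetched."""
    body = json.loads(body_text)
    return [t["tenantId"] for t in body.get("value", [])], body.get("nextLink")

def authorize_urls_for_all_tenants(body_text):
    """One sign-in URL per directory the account belongs to, mirroring the portal's
    'Switch Directory': the user picks the tenant, so the app never has to guess it."""
    tenant_ids, _ = tenant_ids_from_arm(body_text)
    return {tid: build_v2_authorize_url(tid) for tid in tenant_ids}

def classify_callback(callback_url):
    """Inspect the redirect back to the app. With response_mode=fragment the
    parameters arrive after '#'. AADSTS50020 (quoted in the question) means the
    sign-in was attempted in a tenant where the live.com account is not a guest."""
    parsed = urlparse(callback_url)
    params = parse_qs(parsed.fragment or parsed.query)
    if "code" in params:
        return "code"
    description = params.get("error_description", [""])[0]
    return "wrong_tenant" if description.startswith("AADSTS50020") else "error"

# Constructed sample response; the ids are placeholders, not real tenants.
SAMPLE_TENANTS = json.dumps({"value": [
    {"id": "/tenants/11111111-1111-1111-1111-111111111111",
     "tenantId": "11111111-1111-1111-1111-111111111111"},
    {"id": "/tenants/22222222-2222-2222-2222-222222222222",
     "tenantId": "22222222-2222-2222-2222-222222222222"}]})
```

A "wrong_tenant" result is the cue to offer the user the per-tenant URLs from authorize_urls_for_all_tenants rather than retrying against "common".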