Application '' is not configured as a multi-tenant application

2
votes

I am trying to develop a single-tenant application and I am receiving the following error message when signing in:

"Application '(app ID)' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant."

  1. I verified in the Azure AD portal, under the 'App Registrations' => 'Authentication' => 'Supported Account Types' section, that the 'Accounts in this organizational directory only (###### only - Single tenant)' option had been selected.

  2. I then made certain, inside my code, the 'https://login.microsoftonline.com/{tenantID}' endpoint is in use. Stated differently, there is no mention of the '/common' endpoint anywhere in the code.

    Private Shared appId As String = ConfigurationManager.AppSettings("ida:ClientId")
    Private Shared appSecret As String = ConfigurationManager.AppSettings("ida:ClientSecret")
    Private Shared redirectUri As String = ConfigurationManager.AppSettings("ida:PostLogoutRedirectUri")
    Private Shared graphScopes As String = ConfigurationManager.AppSettings("ida:AppScopes")
    Private Shared sAzureAdInstance As String = "https://login.microsoftonline.com/"
    Private Shared sTenant As String = ConfigurationManager.AppSettings("ida:TenantId")
    Private Shared sAuthority As String = sAzureAdInstance & sTenant

    Public Sub ConfigureAuth(ByVal app As IAppBuilder)
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)
        app.UseCookieAuthentication(New CookieAuthenticationOptions())
        app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions With {
            .ClientId = appId,
            .Scope = $"openid email profile offline_access {graphScopes}",
**            .Authority = sAuthority, **
            .RedirectUri = redirectUri,
            .PostLogoutRedirectUri = redirectUri,
            .TokenValidationParameters = New TokenValidationParameters With {
                .ValidateIssuer = False
            },
            .Notifications = New OpenIdConnectAuthenticationNotifications With {
                .AuthenticationFailed = AddressOf OnAuthenticationFailedAsync,
                .AuthorizationCodeReceived = AddressOf OnAuthorizationCodeReceivedAsync,
            }
        })

    End Sub

I am expecting my app to run in single-tenant mode. I am unable to find meaningful documentation relating to this issue.

EDIT:

I have isolated the erroneous method in my code and the following snippet shows its context:

Dim signedInUser = New ClaimsPrincipal(notification.AuthenticationTicket.Identity)
Dim idClient As IConfidentialClientApplication = ConfidentialClientApplicationBuilder.Create(appId).WithRedirectUri(redirectUri).WithClientSecret(appSecret).Build()
Dim scopes As String() = graphScopes.Split(" "c)
'NOTE:  The scopes string array contains the following two values: User.Read and Calendars.Read.
Dim authResult = Await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync()
'EXECUTION HALTS HERE

I cannot discern the correlation between the AcquireTokenByAuthorizationCode() method and the error message. It is not readily apparent to me what might be wrong.

Any assistance is greatly appreciated.

1
web-applicationsazure-active-directorysingle-sign-onopenid-connect
The error seems odd. You don't need to disable issuer validation by the way, that's only for multi-tenant apps.juunas
Could you try using https://login.microsoftonline.com/tenant-id/v2.0 as the authority?juunas
Using the v2.0 endpoint throws the following exception: "IDX20807: Unable to retrieve document from: '[PII is hidden. For more details, see aka.ms/IdentityModel/PII.]'. "R Powell

1 Answers

0
votes

I am not very familiar with vb, but by referring to the c# code, you may manually specify the Authority :

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/common/v2.0
        Authority = Globals.Authority,
        ClientId = Globals.ClientId,
        RedirectUri = Globals.RedirectUri,
        PostLogoutRedirectUri = Globals.RedirectUri,
        Scope = Globals.BasicSignInScopes + " Mail.Read", // a basic set of permissions for user sign in & profile access "openid profile offline_access"
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            // In a real application you would use IssuerValidator for additional checks, like making sure the user's organization has signed up for your app.
            //     IssuerValidator = (issuer, token, tvp) =>
            //     {
            //        //if(MyCustomTenantValidation(issuer))
            //        return issuer;
            //        //else
            //        //    throw new SecurityTokenInvalidIssuerException("Invalid issuer");
            //    },
            //NameClaimType = "name",
        },
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            AuthorizationCodeReceived = OnAuthorizationCodeReceived,
            AuthenticationFailed = OnAuthenticationFailed,
        }
    });

It seems that https://login.microsoftonline.com/common/v2.0 will be used by default. So you may change the value to https://login.microsoftonline.com/{your_tenant}/v2.0

Update:

You can create a new vb web project, and choose to use Azure AD single tenant authentication.

enter image description here

enter image description here

And then you will get a workable sample:

Partial Public Class Startup
    Private Shared clientId As String = ConfigurationManager.AppSettings("ida:ClientId")
    Private Shared aadInstance As String = EnsureTrailingSlash(ConfigurationManager.AppSettings("ida:AADInstance"))
    Private Shared tenantId As String = ConfigurationManager.AppSettings("ida:TenantId")
    Private Shared postLogoutRedirectUri As String = ConfigurationManager.AppSettings("ida:PostLogoutRedirectUri")
    Private Shared authority As String = aadInstance & tenantId

    Public Sub ConfigureAuth(app As IAppBuilder)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType)

        app.UseCookieAuthentication(New CookieAuthenticationOptions())

        app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions() With {
            .ClientId = clientId,
            .Authority = authority,
            .PostLogoutRedirectUri = postLogoutRedirectUri
        })
    End Sub
*
*
End Class

It is also supported to specify the Authority. And you can see that it has been set to aadInstance & tenantId

If you want to use Azure AD v2, you need to use v2.0 endpoint.