I am setting up OIDC within an ASP.NET Core 3.1 web MVC application. I have set up "OpenIdConnect" for our employees, specifying the authority via

"Authority": "https://login.microsoftonline.com/{0}/v2.0"

where {0} is companyname.onmicrosoft.com (or companyname is the tenantId) -> this works fine/well.

We have Azure GUEST accounts within our AD/ADFS and the above authority is not working for these accounts, i.e. my bob@gmail account is set up as a guest account in Azure AD. I have read that it should work against companyname.onmicrosoft.com; however, the only way I could log in with guest access was to use the authority

"Authority": "https://login.microsoftonline.com/common/v2.0"

Using common within the authority URL, I could log into my application. This also means I had to know the type of auth (employee or guest account) before the user could log in (i.e. different buttons making the user choose which type of auth to perform)... this is less than ideal.

I would like to use the same Authority for both employees and guest users... is this possible?

If I use "Authority": "https://login.microsoftonline.com/{0}/v2.0" > where {0} is tenant mycompany.onmicrosoft.com and try to log in with my bob@gmail AD GUEST account, it fails and I get this error... (interesting how the redirect_uri is using common even though bob@gmail is an AD guest account):

This login.live.com page can’t be found

No webpage was found for the web address: https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-085c-4d86-bf88-cf50c7252078&scope=openid+profile+email+offline_access&response_mode=form_post&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2ffederation%2foauth2&state=rQIIAY2VOc_sZgGFv7lLkntJxAWlSHmlpCGS7_Vuv59EMbbHnvE6M17GdjN43_dlxhY_ACEK6jRIlClpQKmoU0Wiyy-IqCIqRAF8_AOaUz3FOdKRni-fo-_gxy9iAqeCKCIgDAAPwkmAQT7uYxAdUzgaEiEWR6D_-es3aPDJl78CH6vfvPnZy__87vUvvtq8upbZHL0LmurrzefpOLbD4_v3ZRN4ZdoM4yMBw8j7IUvqrIaSKRrGv2w23202P2w2Xz8bSIzCaEACEgcUQZI4TrxzqxOmCnymGqdRNQ6YusCwIqipbCSIkpujurqZxhV3xVALJT8RDrq7P_GFc1FGV9hhyhPvGg4sG2mpXszRMZy7mzuLmluFwiW375_9VNtOY4r-L5o-W6N_PHsVN311bZ_qfvX8x5-wMSfS6p5czlFoEqJW66unxfKdZabVC-FKaAKlnrdr4uTdyq4SPw8QAwKtS0uGuynwMRmBZanH3DQbUJwVp1nHpTRbEoN4W_BJNaFg1o6o07nP85vo7CqxuSHrrScjMriI3T7TTp1yHxTzhNeLXGDHHhZ9g_PCpNlNo7WU6D49W22BqhQ-3lRh5-b15E2mk-8H8n6jdWjB22xmU8DAl13P9nBzQlhRYqEAg7REQi2zqpNjQR4REZa1YsIJOZ74YMrmQCRsXo31sVcOR8t2q2pyd6bvWg3cna_MSNVzDkEmQKfxcCC392NnlTk_7QS0mGnMRKf9zXdEXBoV2- ....

It is interesting to see the reference to common here even though I was using "Authority": "https://login.microsoftonline.com/{0}/v2.0" > where {0} is tenant mycompany.onmicrosoft.com.

Comments:

"We have Azure GUEST accounts within our AD/ADFS"? Typically, guest accounts live in Azure AD only and are not synced from AD? - rbrayb

Ok, thanks for the correction... any ideas about the root issue? ty - David

COMMON - The v2.0 endpoint allows work and school accounts, but it also allows the use of personal accounts, such as hotmail.com, outlook.com, live.com, etc. - Sruthi J

Guest users could be Azure AD users in another tenant. Is your Azure AD app registration set up for multi-tenant? The common endpoint should then work for both. - rbrayb

RE: "COMMON - The v2.0 endpoint allows work and school accounts, but it also allows the use of personal accounts" > Yes, I read this, but my gmail account is set up as an Azure guest account within Azure AD (so I was expecting that I could use our company tenant {companyname}.onmicrosoft.com with the v2.0 endpoint INSTEAD of COMMON, hence the confusion)... it is not a personal account (hotmail/gmail) but a guest account using my gmail account. - David

1 Answer

Guest users are related only to the particular tenant, so we need to give the tenant id instead of common. The current Azure AD B2B common endpoint can't be used for guest users; guest users are treated as personal accounts.
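The following is an added example, not code from the question, the answer or Microsoft, showing the ASP.NET Core 3.1 wiring the comments and answer describe: a tenant-specific v2.0 authority by default, with a switch to the common endpoint that still pins accepted tokens to an explicit list of tenants. The appsettings keys (AzureAd:TenantId, AzureAd:ClientId, AzureAd:ClientSecret, AzureAd:UseCommonEndpoint) are hypothetical names chosen here. The security point it illustrates is that with /common the discovery document's issuer is a template rather than a concrete value, so the handler's default issuer check cannot bind tokens to your tenant; the tempting fix of setting ValidateIssuer = false would accept sign-ins from any Azure AD tenant, whereas an IssuerValidator restricted to known tenant ids keeps the check meaningful.

```csharp
// Added example (not the asker's or Microsoft's code). Startup for ASP.NET Core 3.1
// using Microsoft.AspNetCore.Authentication.OpenIdConnect. Configuration keys are hypothetical.
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Hypothetical settings: the GUID tenant id behind companyname.onmicrosoft.com,
        // and whether the app must use the common endpoint (multi-tenant registration).
        var homeTenantId = _config["AzureAd:TenantId"];
        var useCommon = _config.GetValue<bool>("AzureAd:UseCommonEndpoint");

        // Tenants whose users (including B2B guests homed in them) are allowed to sign in.
        var allowedTenants = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { homeTenantId };

        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            // Tenant-specific authority by default, as the answer recommends for guest users.
            o.Authority = useCommon
                ? "https://login.microsoftonline.com/common/v2.0"
                : $"https://login.microsoftonline.com/{homeTenantId}/v2.0";
            o.ClientId = _config["AzureAd:ClientId"];
            o.ClientSecret = _config["AzureAd:ClientSecret"];
            o.ResponseType = OpenIdConnectResponseType.Code;
            o.Scope.Add("email");

            o.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                ValidateIssuer = true,
                // v2.0 issuers have the form https://login.microsoftonline.com/{tid}/v2.0.
                // Accept only issuers whose {tid} is in the allow-list; reject everything else.
                IssuerValidator = (issuer, token, parameters) =>
                {
                    var uri = new Uri(issuer);
                    var segments = uri.AbsolutePath.Trim('/').Split('/');
                    if (uri.Host == "login.microsoftonline.com"
                        && segments.Length == 2
                        && segments[1] == "v2.0"
                        && allowedTenants.Contains(segments[0]))
                    {
                        return issuer;
                    }
                    throw new SecurityTokenInvalidIssuerException(
                        $"Issuer '{issuer}' is not an allowed tenant.")
                    {
                        InvalidIssuer = issuer
                    };
                }
            };
        });
    }
}
```

With UseCommonEndpoint left false, this is the tenant-specific configuration from the question, and the validator simply agrees with the handler's default check. If the registration is switched to multi-tenant and the common authority is used, as rbrayb's comment suggests, the same validator is what stops a token issued by an unrelated tenant from being accepted; extend allowedTenants only with tenant ids you actually trust.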