I want to allow people to use some deployments tools to perform actions in their Azure environments.
We currently have a working MSAL.js solution for supporting work accounts to be able to login and acquire the scope https://management.azure.com/user_impersonation
using an AAD app.
To move to supporting non-work accounts we:
- Verified our application is set to allow all types of accounts
- Changed the endpoint used for logins from
/organizations
to/common
Unfortunately despite the /common
it says we need to use a work or school account when we provide something like an @gmail account.
Without being able to acquire a permission scoped to this API we can't list tenants someone has access to so that we can proceed. It seems really backward & poor UX to have a workaround of needing their tenant ID to be manually provided and changing the our login endpoint. Prior we simply made the assumption that it's whatever tenant their AAD account is part of but a default login acquisition only returns the tenant id of the app.
Reproducible example You can see this behaviour with a Microsoft demo application.
OpenID works with a personal email
Azure scope does not work
What is the right combination of login endpoints and scopes (or multiple steps!) needed to be able to support user impersonation of non-work accounts for acting in Azure?
PS Older Q in a similar vein indicates this may not be possible which is exceedingly frustrating.