具有自定义域的用户的Azure AD B2B身份验证错误-AADSTS65005:当前不支持使用应用程序“我的应用程序" [英] Azure AD B2B Authentication error for users with custom domains - AADSTS65005: Using application 'My Application' is currently not supported

问题描述

我目前正在升级应用程序，以实现多租户和B2B集成.

I'm currently upgrading an application to enable multi-tenancy and B2B integration.

到目前为止，我有以下类型的用户在工作:

I got the following types of users working so far:

• 内部Azure AD用户
• 来自另一个租户的外部Azure AD用户
• 个人Microsoft帐户
• 用户gmail用户

我现在正在尝试通过执行以下过程来允许任何域的用户访问我的应用程序:

I'm now trying to enable users from any domain to access my application by following this process:

1. 将邀请发送到x@abc.com-可行
2. 从x@abc.com收件箱中兑换邀请-此方法有效，并且我成功设置了关联的Microsoft帐户
3. 使用x@abc.com登录到我的应用程序-这不起作用，并且出现以下错误: AADSTS65005:您的组织abc.com当前不支持使用应用程序我的应用程序"，因为它处于非托管状态.管理员需要先通过abc.com的DNS验证声明对公司的所有权，然后才能设置应用程序我的应用程序"

1. Send invite to x@abc.com - this works
2. Redeem invite from x@abc.com inbox - this works and I successfully setup the associated Microsoft account
3. Login into my application using x@abc.com - this does NOT work and I get the following error: AADSTS65005: Using application 'My Application' is currently not supported for your organization abc.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of abc.com before the application 'My Application' can be provisioned

在这种情况下，abc.com是外部合作伙伴.外部合作伙伴是动态的，并通过域白名单"通过应用程序进行管理.因此，我现在可以拥有abc.com，以后再拥有abcd.com，xyz.com等.这些列入白名单的域中的用户正在通过应用程序URL自注册.

In this case abc.com is an external partner. The external partners are dynamic and managed through the application via a 'domain white-list'. So I can have abc.com now, and later abcd.com, xyz.com, etc. The users from these white-listed domains are self-registering via an application URL.

足够有趣的是，gmail用户可以正常工作，所以我假设该流行域有一个内部Azure AD白名单吗?

Interestingly enough, gmail users work so I'm assuming there's an internal Azure AD white-list for the popular domain?

更新:

Gmail帐户正常运行的原因是，它们确实是在我的Azure AD中作为Microsoft帐户创建的.另一方面，abc.com域帐户被创建为外部Azure Active Directory"帐户. (来源属性)

更新#2:

经过更多研究后，我发现它不起作用是因为我正在使用不支持访客的公用端点 . 此处有更多详细信息:

After a bit more research I found that it wasn't working because I was using the common endpoint which doesn't support guests. More details here: Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?

现在，我切换到使用租户特定的端点，如下所示:

Now I switched to using my tenant specific endpoint like below:

Tenant specific endpoint: https://login.microsoftonline.com/{tenant-id}/v2.0

我可以从abc.com用访客用户登录

and I can login with the guest users from abc.com

但是Microsoft帐户现在停止工作了.

However Microsoft accounts stopped working now.

                        AuthorizationCodeReceived = async (context) =>
                    {
                        ...

                        var cca = new ConfidentialClientApplication(appId, redirectUri,
                           new ClientCredential(appSecret),
                           new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
                        await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code);
                    },

等待cca.AcquireTokenByAuthorizationCodeAsync(作用域，代码)失败，并显示以下错误:

await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code) fails with the following error:

ErrorCode: invalid_grant
Message=AADSTS50020: MSA guest token redemption attempt on v2 common endpoint.

如何使它与来自自定义域(abc.com)和现有Microsoft帐户的来宾用户一起使用?

推荐答案

原因:

您没有为abc.com租户的多租户应用程序获得用户或管理员同意.也许该租户的设置不允许用户同意，只有管理员可以同意.

You didn't do user or admin consent for the Multi-tenant app for the abc.com tenant. Maybe the settings for that tenant doesn't allow users do consent, only admin can do it.

对于多租户应用程序，如果来自其他租户的用户想要使用该应用程序，则可能需要用户或管理员同意该应用程序.然后，将在该租户中自动创建服务主体.这样该租户中的用户可以使用该应用程序.

For a multi-tenant app, if users from another tenant want to use it, this may needs user or admin do consent for the application. Then the service principal will be automatically created in that tenant. So that users in that tenant can use the app.

您可以在 解决方案:

尝试在您的请求中添加&prompt=admin_consent以强制获得管理员同意.您需要使用一个管理员帐户登录并获得管理员同意.如果您是该租户的管理员，则还可以在Enterprise Applications>User settings中启用user can do consent.

Try to add &prompt=admin_consentin your request to force admin consent. You need to use one admin account to log in and do admin consent. If you're the admin in that tenant, you can also Enable user can do consent in Enterprise Applications>User settings.

请告诉我这是否有帮助！

Please let me know if this helps!

这篇关于具有自定义域的用户的Azure AD B2B身份验证错误-AADSTS65005:当前不支持使用应用程序“我的应用程序"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！