How to access AzureRM with an Azure AD Multi-Tenant App using a personal Microsoft account?


My target is simple: use an Azure AD multi-tenant app to be able to call Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.

  1. I created an Azure AD multi-tenant app using a company's tenant
  2. Then created a test ASP.NET Core Web application which goes to a URL such as:
  3. Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM account, after which the test Web app receives the callback at the given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
  4. The Multi-Tenant AAD App gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.

It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?

I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirm that a Service Principal gets created on the target tenant): However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.

Should this be done by hand - detecting a personal MS account and finding the association with an AAD tenant - or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in Azure Portal)?

P.S. Using the URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("organizations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.


UPDATE

To demonstrate the problem, 4 tests were made to access the resource "https://management.azure.com/" with a multi-tenant app:

  1. Authorize Microsoft's "Microsoft Azure" app with v1 endpoint - it works with personal accounts: https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  2. Authorize the same "Microsoft Azure" app with v2 endpoint - now it does not allow to use personal accounts: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  3. Authorize a custom multitenant app against v1 endpoint (insert your client id) - shows error AADSTS50020 "User account 'user@live.com' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account." https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  4. Authorize a custom multitenant app against v2 endpoint - same as test #2 - does not allow personal accounts.

Thoughts.

  1. The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, where the v1 endpoint does.
  2. The Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allow using personal accounts for the desired resource.


ANSWER

Long story short, it's not possible for general public as per Microsoft.

Solution

Only the v2.0 endpoint supports signing in with a personal account (even one that doesn't belong to any Azure AD tenant).

It works with a personal account when you use the v1.0 endpoint.

That's because that personal account belongs to at least one Azure AD tenant. Then this personal account will be recognized as a guest user in the tenant.

The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/

Yes, if you log in with a personal account when you use the v2.0 endpoint, it will detect that you are using a personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.

You must identify the tenant to log in with a personal account when using the v2.0 endpoint:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default

Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.

Update:

It is normal that you can't do that. You are not telling Azure AD which tenant the MSA user is an external user in, so Azure AD is making a guess and checking in the tenant where the app is registered (tenant A). If you expect external users to be able to sign in, you must specify the tenant where the guest has previously been invited to (e.g. tenant B).
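The tenant-specific v2.0 authorize URL from the answer and the tenant list returned by https://management.azure.com/tenants?api-version=2016-06-01, as an added example that is not part of the original question or answer. The client id, tenant ids and sample JSON are constructed placeholders; the final check (the issued token's `tid`/`iss` must match the tenant that was requested) goes beyond the page and is the check a multi-tenant app should make once it starts accepting guest sign-ins from other tenants.

```python
"""Added example (not from the original post). Builds the tenant-specific
v2.0 authorize URL the answer recommends, extracts tenant ids from the ARM
/tenants response, and checks a token's tenant claims against the request."""
import json
import secrets
from urllib.parse import urlencode

ARM_SCOPE = "https://management.azure.com/.default"


def build_authorize_url(tenant, client_id, redirect_uri, state=None, nonce=None):
    """Authorize URL with an explicit {tenant}; 'common' is rejected because
    that is exactly the case where Azure AD guesses the wrong tenant (tenant A)."""
    if tenant in ("", "common"):
        raise ValueError("use the tenant id or domain where the guest was invited, not 'common'")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": ARM_SCOPE,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def tenant_ids(tenants_json):
    """tenantId values from GET https://management.azure.com/tenants?api-version=2016-06-01."""
    return [t["tenantId"] for t in json.loads(tenants_json).get("value", [])]


def token_matches_tenant(claims, expected_tenant):
    """Defensive check after redemption: the v2.0 token must come from the
    tenant we asked for, both in the tid claim and in the issuer."""
    expected_iss = f"https://login.microsoftonline.com/{expected_tenant}/v2.0"
    return claims.get("tid") == expected_tenant and claims.get("iss") == expected_iss


# Constructed sample response in the shape ARM returns for the tenants list.
SAMPLE_TENANTS = json.dumps({"value": [
    {"id": "/tenants/11111111-1111-1111-1111-111111111111",
     "tenantId": "11111111-1111-1111-1111-111111111111"},
    {"id": "/tenants/22222222-2222-2222-2222-222222222222",
     "tenantId": "22222222-2222-2222-2222-222222222222"},
]})

if __name__ == "__main__":
    for tid in tenant_ids(SAMPLE_TENANTS):
        # Placeholder client id; one authorize URL per tenant the account belongs to.
        print(build_authorize_url(tid, "00000000-0000-0000-0000-000000000000", "https://localhost"))
```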
