How to access AzureRM with an AzureAD Multi-Tenant App using a personal Microsoft account?


Problem description


My target is simple: use an Azure AD multi-tenant app to be able to call the Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.

  1. I created an Azure AD multi-tenant app using a company's tenant
  2. Then created a test ASP.NET Core web application which goes to such a URL:
  3. Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM account; the test web app receives the callback at the given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
  4. The multi-tenant AAD app gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.

It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?

I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirm that a Service Principal gets created on the target tenant): However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.

Should this be done by hand, by detecting a personal MS account and finding the association with an AAD tenant, or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in the Azure Portal)?

P.S. using the URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("organizations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.


UPDATE

To demonstrate the problem, 4 tests were made to access the resource "https://management.azure.com/" with a multi-tenant app:

  1. Authorize Microsoft's "Microsoft Azure" app with v1 endpoint - it works with personal accounts: https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  2. Authorize the same "Microsoft Azure" app with the v2 endpoint - now it does not allow personal accounts: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  3. Authorize a custom multi-tenant app against the v1 endpoint (insert your client id) - shows error AADSTS50020 "User account 'user@live.com' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account." https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback

  4. Authorize a custom multi-tenant app against the v2 endpoint - same as test #2 - does not allow personal accounts.

Thoughts:

  1. The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, whereas the v1 endpoint does.
  2. The Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allow personal accounts to be used for the desired resource.


ANSWER

Long story short, it's not possible for the general public as per Microsoft.

Solution

Only the v2.0 endpoint supports signing in with a personal account (even one that doesn't belong to any Azure AD tenant).

> It works with a personal account when you use the v1.0 endpoint.

That's because that personal account belongs to at least one Azure AD tenant. This personal account is then recognized as a guest user in the tenant.

> The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/

Yes, if you log in with a personal account when you use the v2.0 endpoint, it will detect that you are a personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.

You must identify the tenant to log in with a personal account when using the v2.0 endpoint:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default

Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.

Update:

It is normal that you can't do that. You are not telling Azure AD which tenant the MSA user is an external user in, so Azure AD is making a guess and checking in the tenant where the app is registered (tenant A). If you expect external users to be able to sign in, you must specify the tenant where the guest has previously been invited to (e.g. tenant B).
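The flow the answer describes, as an added example that is not part of the original question or answer: build a tenant-specific v2.0 authorize URL for the ARM scope (refusing the tenant-less "common"/"organizations"/"consumers" authorities, which the answer says do not work for a personal account), generate fresh state and nonce values to be checked on the callback, and pick tenant IDs out of a GET https://management.azure.com/tenants?api-version=2016-06-01 response. The client ID, redirect URI and the two tenant GUIDs are placeholders, and the JSON response is constructed here rather than captured from a live tenant.

```python
"""Added example: tenant-specific v2.0 authorize URL for ARM plus tenant
discovery from the ARM /tenants response. Not the original poster's code."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

ARM_SCOPE = "https://management.azure.com/.default"
AUTHORITY = "https://login.microsoftonline.com"
# Authority aliases that do not identify a tenant. Per the answer, a personal
# account asking for an ARM token on v2.0 must name the tenant it is a guest in.
TENANTLESS = {"common", "organizations", "consumers"}


def is_tenant_authority(tenant):
    """True when the authority segment names a tenant (GUID or domain)."""
    return bool(tenant) and tenant.lower() not in TENANTLESS


def build_authorize_url(tenant, client_id, redirect_uri, scope=ARM_SCOPE,
                        state=None, nonce=None):
    """Return the v2.0 authorization-code URL for one tenant.

    state and nonce default to fresh random values; the caller must store
    them in the session and compare them on the callback (see below).
    """
    if scope == ARM_SCOPE and not is_tenant_authority(tenant):
        raise ValueError(
            f"authority '{tenant}' does not identify a tenant; an ARM token "
            "for a personal account needs a tenant ID or domain")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": scope,
        "state": state or secrets.token_urlsafe(32),
        "nonce": nonce or secrets.token_urlsafe(32),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def authorize_url_query(url):
    """Split an authorize URL into (path, {param: value}) for inspection."""
    parsed = urlparse(url)
    return parsed.path, {k: v[0] for k, v in parse_qs(parsed.query).items()}


def callback_state_matches(expected_state, returned_state):
    """Constant-time comparison of the state echoed back by the callback."""
    return secrets.compare_digest(expected_state, returned_state)


def tenant_ids_from_response(body):
    """Extract tenant IDs from a /tenants?api-version=2016-06-01 body.

    Expected shape: {"value": [{"id": "/tenants/<guid>", "tenantId": "<guid>"}]}
    """
    data = json.loads(body)
    return [t["tenantId"] for t in data.get("value", [])]


# Constructed sample response (placeholder GUIDs, not a live capture): the
# account is a guest in two directories, the "Switch Directory" case.
SAMPLE_TENANTS = json.dumps({
    "value": [
        {"id": "/tenants/11111111-1111-1111-1111-111111111111",
         "tenantId": "11111111-1111-1111-1111-111111111111"},
        {"id": "/tenants/22222222-2222-2222-2222-222222222222",
         "tenantId": "22222222-2222-2222-2222-222222222222"},
    ]
})


def authorize_urls_for_account(tenants_body, client_id, redirect_uri):
    """One tenant-specific authorize URL per tenant the account belongs to."""
    return {tid: build_authorize_url(tid, client_id, redirect_uri)
            for tid in tenant_ids_from_response(tenants_body)}


if __name__ == "__main__":
    urls = authorize_urls_for_account(
        SAMPLE_TENANTS, "00000000-0000-0000-0000-000000000000",
        "https://localhost/AuthCallback")
    for tid, url in urls.items():
        print(tid, "->", url)
```

The first sign-in that yields a token usable against https://management.azure.com/tenants has to come from a tenant the account is already known in (or from the v1 "common" endpoint, as in the question's test #1); the list it returns is what drives the second, tenant-specific authorize request.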
