Login from Microsoft account not working for Multitenant Azure AD application


Problem description

I'm building a multitenant SaaS web-based application. The application is registered in my tenant and each customer with their Office 365 subscription will get a Service principal object in Azure AD.

I have a problem logging in from an external account (Microsoft account) in a customer's tenant.

I created an example and tried to see what I can get from the access token.

The sample consists of one client application (.js) that uses the MSAL library to handle authentication and two APIs that have protected endpoints. I also created three separate Azure AD applications: AlanClient, AlanAPI1, AlanAPI2. Both AlanAPI1 and AlanAPI2 have an API exposed (Expose an API section in the Azure Portal application) and have specified one consumer, AlanClient. AlanClient has permission to both APIs. All applications are registered with "accessTokenAcceptedVersion": 2 and "signInAudience": "AzureADMultipleOrgs".

As I understand it, this should be enough to log in with:

  1. Office 365 account from host tenant
  2. Microsoft account that is registered as external user in host tenant
  3. Office 365 account from guest tenant
  4. Microsoft account that is registered as external user in guest tenant

Clarification:
  - host tenant --> Azure AD instance in which the application is registered. In the error message below, tenant A.
  - guest tenant --> Azure AD instance that is only using the application

I have a problem with case no. 4.

I get this error message: AADSTS50020: User account 'lovro.p365@...' from identity provider 'live.com' does not exist in tenant 'A' and cannot access the application AlanClient in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure AD user account.

Recommended answer

Scenarios 2 and 4 should be the same.

I have tested both and everything is OK.

You could use the OAuth 2.0 auth code grant flow to test it.

Construct a request to login.microsoftonline.com with your app configuration.

This URL looks like:

https://login.microsoftonline.com/[tenant A]/oauth2/v2.0/authorize?client_id=[client id of the Azure AD app registered in host tenant]&response_type=code&redirect_uri=[redirect uri of the Azure AD app]&nonce=1234&resource=https://graph.microsoft.com

After signing in with the credentials of the Microsoft Account in tenant A, you will get a "code" in the address bar. Use this code to request an access token:

POST /[tenant]/oauth2/v2.0/token HTTP/1.1

client_id=[client id of the Azure AD app registered in host tenant]
&scope=https://graph.microsoft.com/user.read
&code=[code got from the previous step]
&redirect_uri=[redirect uri of the Azure AD app]
&grant_type=authorization_code

Then we could get the access token for the Microsoft Account as a guest user in tenant A.
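The three steps of the answer as an added example in Python (not code from the question or the answer): build the v2.0 authorize URL, exchange the code with the same fields as the POST above, and inspect the token's tid and idp claims to confirm the guest-user case. It passes scope on the authorize leg as the v2.0 endpoint expects; the tenant ids, client id and redirect URI are placeholders, and the sample token is constructed and unsigned.

```python
# Added example, not the question's or answer's code: authorize URL, code exchange body, claim check.
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

def build_authorize_url(tenant, client_id, redirect_uri, scope, state, nonce):
    # v2.0 authorize request; 'state' is echoed back so the redirect can be checked
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": scope, "state": state, "nonce": nonce}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def extract_code(redirected_url, expected_state):
    # Refuse the code unless the state matches what we sent; surface AADSTS errors
    qs = parse_qs(urlparse(redirected_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    if "error" in qs:
        raise ValueError(qs["error"][0] + ": " + qs.get("error_description", [""])[0])
    return qs["code"][0]

def build_token_request(tenant, client_id, redirect_uri, scope, code):
    # Same fields as the POST /[tenant]/oauth2/v2.0/token body in the answer
    body = urlencode({"client_id": client_id, "scope": scope, "code": code,
                      "redirect_uri": redirect_uri, "grant_type": "authorization_code"})
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_guest_token(tenant_id):
    # Constructed, unsigned JWT shaped like a v2.0 token for a live.com guest
    # (placeholder claims, not a real token)
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"tid": tenant_id, "idp": "live.com",
                                  "preferred_username": "guest@example.com"}).encode())
    return f"{header}.{payload}."

def token_claims(jwt):
    # Decode the payload only to inspect claims; signature verification is a separate step
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_msa_guest_in_tenant(jwt, host_tenant_id):
    # Scenarios 2 and 4 from the question: issued by tenant A for a live.com user
    c = token_claims(jwt)
    return c.get("tid") == host_tenant_id and c.get("idp") == "live.com"
```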
