使用机构和Microsoft帐户的Azure AD身份验证 [英] Azure AD authentication with Institutional and Microsoft accounts

问题描述

我有一个带有WebApi服务的自定义MVC Web应用程序，需要身份验证/授权。我按照GitHub WebApp-WebAPI-OpenIDConnect-DotNet 上的示例进行操作。在开发过程中，我在个人Azure订阅上创建了一个新的测试目录，并且一切正常。我可以添加机构帐户（如jon@mytenantname.onmicrosoft.com）和现有的Microsoft帐户（jon@hotmail.com），并将它们分配给不同的组。
当用户在登录页面上输入liveID电子邮件地址并将光标移至密码文本框时，他将被重定向到Microsoft帐户登录页面。

I have a custom MVC WebApplication with WebApi-service that require authentication/authorization. I followed the example on GitHub WebApp-WebAPI-OpenIDConnect-DotNet. While developing I created a new test directory on my personal Azure subscription and everything worked perfectly fine. I could add institutional accounts (like jon@mytenantname.onmicrosoft.com) and existing Microsoft accounts (jon@hotmail.com) and assign them to different groups. When a user typed in a liveID email address on the login page and moved the cursor to the password textbox, he was redirected to a Microsoft account login page.

现在，我将该应用程序发布到了我们的生产Web服务器，并希望将应用程序连接到同步的Azure Active Directory。它适用于所有机构（工作）帐户。但是，当我添加一个Microsoft帐户并尝试使用这些凭据登录时，重定向将不再起作用。登录页面显示为红色：

Now I published the application to our production web server and want to connect the applications to a synchronized Azure Active Directory. It works with all institutional (work-) accounts. But when I add a Microsoft account, and try to login with those credentials, the redirection does not work anymore. The login page displays in red:

我们无法识别此用户ID或密码
确保输入了用户ID由您的组织分配给您。它通常看起来像someone@example.com或someone@example.onmicrosoft.com。并检查以确保输入了正确的密码。

We don't recognize this user ID or password Make sure you typed the user ID assigned to you by your organization. It usually looks like someone@example.com or someone@example.onmicrosoft.com. And check to make sure you typed the correct password.

我缺少什么？

推荐答案

我的团队拥有以下用户的登录UX： Azure AD。
AAD登录页面可以识别Outlook.com之类的域并将用户重定向到Microsoft帐户（Live ID）登录页面这一事实是偶然的。它不适用于所有消费域，并且不能依赖它来启用MSA登录到您的应用程序。如果要支持Azure AD和MSA用户登录，则需要在应用程序中显示单独的登录按钮。我们正在研究如何长期改善这种体验。
希望这会有所帮助。

My team owns the sign-in UX for Azure AD. The fact that the AAD login page recognizes domains like outlook.com and redirects users to the Microsoft account (Live ID) login page is a happenstance. It doesn’t work for all consumer domains, and it must not be relied on to enable MSA sign in to your apps. If you want to support sign in for Azure AD and MSA users, you need to show separate sign-in buttons in your app. We're looking at how we can make this experience better in the longer term. Hope this helps.

这篇关于使用机构和Microsoft帐户的Azure AD身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！