AADSTS50020 error when authenticating user with live.com based account


Problem description

I am working on an app that manages Azure resources for customers (provision VMs, create VNets).

We have created a multi-tenant application in the Azure portal that is configured for Delegated permissions of Windows Azure Service Management API and Windows Azure Active Directory.

We are able to log in with an AAD based account without a problem. But when a live.com based account logs in, the user gets an AADSTS50020 error.

For the login, we are navigating to https://login.microsoftonline.com/common/OAuth2/Authorize with the following parameters:

client_id=XXX&response_mode=query&response_type=code&redirect_uri=XXX&prompt=consent

This is the full error message:

AADSTS50020: User account 'xxx@hotmail.com' from identity provider 'live.com' does not exist in tenant 'XXX' and cannot access the application 'xxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Recommended answer

You need to use V2 endpoints in order to allow access from personal Microsoft accounts. I ran into the same problems by using the v1 endpoint.

Use this endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

For example:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=ffffff-1111-2222-3333-37fd4f8c20ee
&response_type=id_token
&redirect_uri=http://localhost:8080/login/microsoft/callback
&response_mode=form_post
&prompt=consent
&scope=openid
&state=12345
&nonce=RandomGUI

Good luck
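An added example, not part of the original answer: it builds the v2.0 authorize request shown above with a fresh random `state` and `nonce` per login instead of fixed values, and checks both on the `form_post` callback. The function names and the placeholder client ID are assumptions; verifying the id_token signature is not shown and must happen before any claim is trusted.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import urlencode

AUTHORIZE_V2 = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def build_authorize_request(client_id, redirect_uri):
    """Return (url, state, nonce). Store state and nonce in the user's session."""
    state = secrets.token_urlsafe(32)  # binds the callback to this browser session
    nonce = secrets.token_urlsafe(32)  # binds the id_token to this request
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "prompt": "consent",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    # urlencode percent-encodes redirect_uri, so no stray spaces or raw '&'.
    return AUTHORIZE_V2 + "?" + urlencode(params), state, nonce


def unverified_claims(id_token):
    """Decode the JWT payload only. This does NOT verify the signature."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def _same(a, b):
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def callback_is_bound(form, expected_state, expected_nonce):
    """True only if the posted state and the token's nonce match the session."""
    if not _same(form.get("state", ""), expected_state):
        return False
    try:
        claims = unverified_claims(form.get("id_token", ""))
    except (IndexError, ValueError):
        return False
    return _same(claims.get("nonce", ""), expected_nonce)
```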
