访客用户的角色在Azure Active Directory身份验证令牌声明中不可见 [英] Guest user's role not visible in Azure Active Directory auth token claims

问题描述

我正在构建一个使用Microsoft身份验证库(MSAL)来管理用户身份验证的应用程序.我一直在测试邀请用户并使用AAD企业应用程序向他们应用应用程序角色.当用户从应用程序目录外部(一个通用的Microsoft帐户)登录到应用程序时，他们没有在其身份验证令牌中收到任何角色声明.

I am building an application that uses Microsoft Authentication Library(MSAL) to manage user authentication. I have been testing inviting users and applying app roles to them using AAD enterprise applications. When a user from outside of the application's directory, (A generic microsoft account), logs into the application they are not receiving any role claims in their auth token.

我尝试关闭外部协作设置中的设置，该设置显示来宾用户权限受到限制" ，但这没有什么不同.

I have tried turning off the setting in external collaboration settings that says "Guest users permissions are limited" but this has not made a difference.

我将不胜感激，谢谢.

推荐答案

如果使用 https://login.microsoftonline.com/common 作为授权，它将不会针对租客.因为个人Microsoft帐户没有租户.该帐户将被视为MSA，而不是您租户的访客用户.

If you use https://login.microsoftonline.com/common as the authority, it won't do the authentication against the tenant. Because personal Microsoft account doesn't have a tenant. The account will be treated as MSA rather than a guest user of your tenant.

因此，您需要通过将权限设置为 https://login.microsoftonline.com/{您的租户} 来强制您的个人Microsoft帐户针对特定租户进行身份验证，这些角色将被添加到索赔.

So you need to force your personal Microsoft account to authenticate against specific tenant by setting authority as https://login.microsoftonline.com/{your tenant}, the roles will be added to the claims.

这篇关于访客用户的角色在Azure Active Directory身份验证令牌声明中不可见的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！