I have Auth0 configured with Social Connections > Microsoft Account.
This is linked through Client ID/secret to a Microsoft Azure Active Directory tenant in my Microsoft organisation, with an App Registration set to allow:
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
When I log in through my app, I can authenticate successfully using my personal account eg. blah.blah#gmail.com
However, when I try to authenticate with my work account blah.blah#myawesomecompany.ai, which is managed with an Azure Active Directory, it fails with
"That Microsoft account doesn’t exist. Enter a different account or get a new one.":
I thought given the Microsoft settings it would allow it connect.
How can I make Auth0 allow Microsoft authentication with other company's existing Azure Active Directory?
Also - can I configure it to limit that feature to specific companies AAD eg. those I have specifically nominated?
Is there a way to configure this without having to upgrade to Auth0 Enterprise?
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application:
Note that: Make sure to use common endpoint for Multi-Tenant and Microsoft accounts.
For sample I used the below endpoint to authorize the users:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I tried to sign-in with the personal account, the user logged in successfully like below:
And now I tried to login with other tenant user like below:
By using common endpoint, I am able to sign with personal accounts and other tenant accounts too successfully.
To limit the feature to specific companies AAD, check this blog.
Auth0 Enterprise is required to authorize tenants to the Azure AD Application.
For more in detail, refer below MsDocs:
Use tenant restrictions to manage access to SaaS apps - Microsoft Entra
Multi-tenant application with a whitelist on tenants authorized by Marshaljs
Assuming you want to use multi-tenant app to allow users from different company to sign in your application with their work account. Let's assume you create an Azure AD application in your tenant(tenantA).
Then in your app, you may set the TenantId as the tenant id so that even you created a multi-tenant app, you will only allow users in your tenant to sign in. And the sign in request may look like https://login.microsoftonline.com/{tenantA_tenant_id}/oauth2/v2.0/authorize?, with this link, you will be able to use account like user#tenantA.onmicrosoft.com to sign in, you can also use personal account which is invites to tenantA as a guest to sign in your account.
If you want users in tenantB to sign in your app with account like user#tenantB.onmicrosoft.com, then you must set the TenantId in your app as common which will make the auth request look like https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
Then when sign in the application created by tenantA with account in tenantB, you may see screenshot below. After consenting it, user#tenantB.onmicrosoft.com can sign in this application.
Related
I've been working on authentication and authorization within ASPNET Core. I'm familiar with setting up OpenID Connect on my own Azure tenant (such as this this example).
I'm also aware of how to register an client ID and secret on platforms such as Google (such as this example).
But what's confusing to me is that is how to setup OpenID connect to allow for a user to sign in with their own Microsoft account, regardless of whether they're created their own account through https://signup.live.com/ or signing in from their own Office365 subscription.
Is this possible? Or is OpenID Connect (for Microsoft) registrations only supported separately in each Azure AD tenant?
When you register the Azure AD app, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
Keep common as the "TenantId" in your appsettings.json file, which will allow both AAD account/O365 account and personal Microsoft account to sign in.
I'm planning on building a G suite integration with my existing SaaS site.
I want Gsuite admins to allow access for their organisation. So I only want "domain install" possible.
After this has been done users can be imported from Google into our application. Users should be able to use SSO to login but I don't want each user having to pass the consent screen.
I also want the app to have readonly access to the calendar of the user.
What is confusing for me: do I need to create a regular web app integration or a Service account integration? I don't really need offline access but I want to avoid all users having to grant access individually.
Here it says: The user sees the OAuth Consent screen only once; if you’re using a service account to allow a domain admin accept terms on behalf of the domain users, then the end users must never see the OAuth consent screen.
So does that mean only service accounts allow this?
Yes, using a service account you can install and authorize one app for all your domain user impersonating the admin account. In such a way, your users won't have to authorize the app individually.
You will have to enable domain wide delegation in order to impersonate the admin account when using a service account.
Reference
Service Account
I am trying to integrate the Sign-In functionality of Microsoft. I have registered my app in Azure Portal and My requirement is to give authority to any end-user (MS Account holder) to sign-in into my app and get the Access Token, so as per documentation i have set the client Id, Redirect URI, Tenant-ID to "Common", but its not allowing the personal MS account holder to sign-IN. Its giving below error:
"You can't sign in here with a personal account. Use your work or school account instead."
Can anyone help into this?
You should register the Azure AD app as this type: Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts.
If you want to modify the exist Azure AD app to make it support personal account login, you could modify the manifest file, setting AzureADandPersonalMicrosoftAccount as the value for "signInAudience".
See reference here.
Working off pages like this, I have a "service/daemon" test app working with the O365 mail REST API: i give consent to the app, an app-only token is granted via a X.509-signed client assertion, and i can read info from an arbitrary mailbox. It works great.
But our app will be installed for various clients on their private machines -- so it's like a native app, but we need the global permissions that app-only tokens are required for (which is why we aren't a native app).
Since access tokens are granted only based on our app credentials, i think they won't work for us: Customer A could get an access token for Customer B's private data using just the app credentials and the Azure AD tenant ID.
Is there any way to "require client secret for app-only token generation and restrict calls to this tenant ID"? I could then make a secret key for each customer.
Or if a cert could be restricted to a particular tenant ID, we could make a separate cert for each customer.
Having each customer define an app of their own isn't a realistic option, as it's far too complicated for them, requires cert generation, editing the manifest, etc etc.
Maybe there is a back-door way to get app-only style global access with a 'native app' architecture? E.g. if our customer has an admin account, could we authenticate with the 'native app' style oauth grant for that one admin user, and access all users' email via that account's permissions?
I have developed and published a simple Marketplace App needing access to all members of a domain. I followed the Google Instructions (see http://goo.gl/XvczDQ) and created a service account (for domain-wide delegation of authority). Everything is working if I access the users from my own company / domain.
But it is not clear to me what happens if an administrator from a different company installs the app from the Google Marketplace. How can I access the users in the client's domain and how works the service account approach there? What are the further steps?
I figured it out myself. Provided that the service account is correctly configured with the required scopes: All you have to know is the client's administrator email and the domain. Usually you can get this with the setup url in your marketplace app.
Then you have to set the service account user to the administrator's email before you request an access token. That worked for me.
When the admin installs the app, he grants you the authorization to use the service account to impersonate his users.
You can also list the users using the Directory API if you need the complete list of users. Note that you will need to have the relevant Directory API scope in your marketplace app configuration and you will need to impersonate an admin user.