
I need to build an app with Office 365 API and tried several examples provided here: https://msdn.microsoft.com/en-us/office/office365/howto/starter-projects-and-code-samples.

I manage to login to the app with a user from within my own Azure Active Directory, e.g. user.name@tenant.onmicrosoft.com.

But, whenever I use another Office 365 account from another domain e.g. user@pivabo.be I get this error:

AADSTS50020: User account 'user@pivabo.be' from external identity provider 'https://sts.windows.net/908b6c6d-f582-461d-9e73-88a4e48f5d88/' is not supported for application 'df1a02fd-f096-46df-9b5a-5cf1b0f9ef6d'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.

The defined application in Azure is set to Multi-tenant!!

I also tried to add the foreign users to my AAD but every time I get the message "This Microsoft account does not exist".

EXCEPT: I also made a hotmail account which I was able to add to my AAD and with this account logging in to the app was successful. But, without adding it to my AAD I get the above error message.

Any help would be welcome.

  • Has the directory `pivabo.be` granted access (single sign-on, read user profile etc.) to your application? – Gaurav Mantri Jun 03 '15 at 16:13
  • I did not take any action to do so. I can login to https://oauthplay.azurewebsites.net with this user. How can I grant access? – Roy Decaestecker Jun 03 '15 at 16:30
  • Isn't it so that the purpose of multi-tenant apps is to let every user with an Office 365 account can use it without granting? – Roy Decaestecker Jun 03 '15 at 17:33
  • I think you're mistaken .... in `multi-tenant` the tenant would refer to an `Azure AD`. So by that definition, if your application is multi-tenant, users from different Azure Directories would be able to use your application but first the admin would need to allow access in their AD to your application. – Gaurav Mantri Jun 03 '15 at 18:00
  • https://msdn.microsoft.com/en-us/office/office365/howto/getting-started-Office-365-APIs I've followed the above instructions to setup my app in Azure. Nothing in this manual states that the application has to be granted in other AAD's. Setting the multi-tenant switch to "yes" should be enough. Can you point me out what I should do to make it work. Thanks – Roy Decaestecker Jun 03 '15 at 19:31
  • I also looked at this document to setup the app https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_MultiT – Roy Decaestecker Jun 03 '15 at 19:37
  • Try following this example: https://github.com/OfficeDev/O365-WebApp-MultiTenant. Even though your app is marked as "multi-tenant" in your directory, your user (in another directory) has to add it to their directory, and that takes an admin to approve it. – ChrisW Jun 04 '15 at 05:41
  • http://oauthplay.azurewebsites.net How come that on this website I can login with any microsoft account? The application is not added to my AAD and still I can login with any user of my AAD. – Roy Decaestecker Jun 04 '15 at 08:52
  • @ChrisW so, if I want to allow users from other AAD tenants to access my Web application with AAD authorization - admins of those "other AAD tenants" have to approve adding my app to their AAD tenant? That seems to be a bit overcomplicated... – Prokurors Jan 06 '17 at 12:00
  • @Prokurors In most cases the new end user has to accept the app and what claims it is requesting, unless an admin has done this already. However for some claims, only an admin can provide this consent. For example: reading my end user contacts list - end user can grant. Reading entire Active Directory - only admin can grant. So I'd slightly adjust my comment today in that some grants don't require admin approval, but in most cases users still have to review and accept claims. – ChrisW Jan 09 '17 at 21:26
  • @Roy, I have a multi-tenant web app working. However, using exactly the same App Id/Secret in a Winform application, without changing anything on the Azure configuration of the app, produces this exact error. Is yours a web- or desktop application? – flip May 02 '17 at 21:34

2 Answers


Make sure you are using "https://login.microsoftonline.com/common/..." and not "https://login.microsoftonline.com/[your tenant name]" when forming authorization link.

aaronlt

I am late to the party, but what it fixed for me was that I had to use "common" as tenantId.

zerk
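Both answers make the same point: a multi-tenant app must send users to the `common` authority, because a tenant-specific authority only accepts accounts from that one directory. The flip side, which the answers do not mention, is that with `common` the issuer of the resulting token varies per tenant, so the application has to decide for itself which tenants it trusts. The following Python is an added example, not code from the question or either answer; it assumes the Azure AD v1 `/oauth2/authorize` path, the `https://sts.windows.net/<tenant id>/` issuer format shown in the AADSTS50020 message above, and hypothetical helper names.

```python
# Added example: form the Azure AD authorization URL for a multi-tenant app
# and validate the issuer of a returned token. Not from the original post.
# Assumptions: v1 endpoint path /oauth2/authorize and the issuer format
# https://sts.windows.net/<tenant id>/ taken from the error message.
import re
import secrets
from urllib.parse import urlencode, urlparse

AUTHORITY_BASE = "https://login.microsoftonline.com"
ISSUER_PREFIX = "https://sts.windows.net/"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def build_authorize_url(client_id, redirect_uri, tenant="common",
                        resource="https://graph.microsoft.com/",
                        state=None, nonce=None):
    """Return (url, state, nonce) for the /oauth2/authorize endpoint.

    tenant="common" lets users from any Azure AD tenant sign in. A tenant
    id or name (e.g. "tenant.onmicrosoft.com") pins sign-in to that one
    directory, which is the misconfiguration behind the question's error.
    """
    state = state or secrets.token_urlsafe(16)   # ties the redirect to this request (CSRF)
    nonce = nonce or secrets.token_urlsafe(16)   # bound into the id_token against replay
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,        # v1 endpoint names the target API, not scopes
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY_BASE}/{tenant}/oauth2/authorize?{urlencode(params)}", state, nonce


def authority_tenant(url):
    """Return the tenant segment of an authorization URL, or None if the host is wrong."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc != "login.microsoftonline.com":
        return None
    segments = [s for s in parsed.path.split("/") if s]
    return segments[0] if segments else None


def is_multitenant_authority(url):
    """True only when the URL uses the /common authority."""
    return authority_tenant(url) == "common"


def tenant_from_issuer(issuer):
    """Extract the tenant id from an 'iss' claim; None if the shape is not as expected."""
    if not issuer.startswith(ISSUER_PREFIX):
        return None
    tid = issuer[len(ISSUER_PREFIX):].rstrip("/")
    return tid if GUID_RE.match(tid) else None


def issuer_allowed(issuer, allowed_tenants=None):
    """Decide whether a token from this issuer may be accepted.

    With /common the issuer differs per tenant, so the app must check it.
    allowed_tenants=None accepts any well-formed Azure AD tenant (true
    multi-tenant); a set of tenant ids acts as an allowlist.
    """
    tid = tenant_from_issuer(issuer)
    if tid is None:
        return False
    return allowed_tenants is None or tid in allowed_tenants
```

If the app is meant only for a handful of customer directories, pass their tenant ids as `allowed_tenants`; otherwise accept any tenant but still reject issuers that do not match the expected shape.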