
We are successfully authenticating Azure AD users from different subscriptions using an Azure AD multi-tenant application, but we are unable to authenticate Windows Live ID accounts.

To authenticate the Live ID accounts we use the Windows Live ID identity provider with Azure Access Control Service (ACS). This works fine with an Azure AD single-tenant application, but we are struggling to authenticate Azure AD users across subscriptions, which can only be done by using the Azure AD multi-tenant application.

We followed this blog, https://msdn.microsoft.com/en-us/library/azure/dn486924.aspx, and it works for a single-tenant application, but when we try to configure the Azure AD app as multi-tenant and configure it with ACS we get the error shown in the screenshot. Is there any approach by which we can authenticate Windows Live ID users and still use the Azure AD multi-tenant application?

2 Answers

You can authenticate Microsoft Account (Live ID) users in a multi-tenant application by skipping ACS altogether and provisioning the Microsoft Account in directory tenants. One gotcha is that authenticating with a Microsoft Account requires you to fully specify the authentication endpoints by instantiating the tenant in the URL. You cannot use the /common endpoint, because that relies on the user's home tenant, and an MSA user does not have one.

vibronet
  • We are building an app that has the capability to authenticate users across subscriptions with multiple ADs. If we remove the /common endpoint and use the tenant ID, then we have to identify the incoming request and its tenant so that we can use the tenant ID and authenticate the user against its own tenant, which is not possible unless we have a different URL/query string for each tenant. Is there any other way we can authenticate the Windows Live ID with the /common endpoint? – Imran Arshad Jan 26 '16 at 08:14
  • As I mentioned above, no. But nothing prevents you from hosting an experience where the user somehow specifies the tenant they want to work with, for example by entering a domain. That would allow you to create a tenanted auth URL on the fly. – vibronet Jan 26 '16 at 08:47

Add the following code to your Account controller:

    // Sign-in action: the caller supplies the tenant (ID or domain) to authenticate against.
    // "common" is the default, but it cannot be used for Microsoft Account users (see the other answer).
    public void SignIn(string directoryName = "common")
    {
        // Send an OpenID Connect sign-in request.
        if (!Request.IsAuthenticated)
        {
            // ida:Authority in web.config is expected to contain a "{0}" placeholder for the tenant,
            // e.g. https://login.microsoftonline.com/{0}/ ; the tenanted authority is stored in the
            // OWIN environment so the RedirectToIdentityProvider notification below can pick it up.
            HttpContext.GetOwinContext().Environment.Add("Authority",
                string.Format(ConfigurationManager.AppSettings["ida:Authority"] + "OAuth2/Authorize", directoryName));

            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }

and add this block to your Startup.Auth.cs:

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
            {
                // we inject our own multitenant validation logic
                ValidateIssuer = false,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                RedirectToIdentityProvider = (context) =>
                {
                    object obj = null;
                    // Use the per-request tenanted authority set by the SignIn action, if any.
                    if (context.OwinContext.Environment.TryGetValue("Authority", out obj))
                    {
                        string authority = obj as string;
                        if (authority != null)
                        {
                            context.ProtocolMessage.IssuerAddress = authority;
                        }
                    }
                    // Optional domain_hint so Azure AD skips the home-realm discovery page.
                    if (context.OwinContext.Environment.TryGetValue("DomainHint", out obj))
                    {
                        string domainHint = obj as string;
                        if (domainHint != null)
                        {
                            context.ProtocolMessage.SetParameter("domain_hint", domainHint);
                        }
                    }
                    context.ProtocolMessage.RedirectUri = HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path);
                    context.ProtocolMessage.PostLogoutRedirectUri = new UrlHelper(HttpContext.Current.Request.RequestContext).Action
                        ("Index", "Home", null, HttpContext.Current.Request.Url.Scheme);
                    //context.ProtocolMessage.Resource = GraphAPIIdentifier;
                    context.ProtocolMessage.Resource = AzureResourceManagerIdentifier;
                    return Task.FromResult(0);
                },
    ...
    }

When the user clicks "SignIn", ask for the "Azure AD name". Pass that variable to the Account/SignIn action. If the user is present in the specified Azure AD, sign-in will be successful.

Rahul Mohan
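The answer above sets `ValidateIssuer = false` with a comment promising custom multi-tenant validation, but the snippet never shows it; without it, a token from any Azure AD tenant is accepted. Below is an added example (not the answerer's code) of that missing piece: it checks the user-supplied `directoryName` before it is interpolated into the authority URL, and it supplies an `IssuerValidator` that only accepts tokens whose `iss` names a tenant the app has onboarded. The allow-list, the base authority URL and the placeholder tenant ID are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;   // TokenValidationParameters, SecurityTokenInvalidIssuerException
using System.Text.RegularExpressions;

public static class TenantValidation
{
    // Hypothetical allow-list of onboarded tenant IDs; a real app would look these up in storage.
    public static readonly HashSet<Guid> OnboardedTenants = new HashSet<Guid>
    {
        new Guid("00000000-0000-0000-0000-000000000001")   // placeholder, not a real tenant
    };

    // Only a tenant GUID or a DNS-style domain may be placed in the authority URL; anything else
    // (a path with "../", a second host, a query string) is rejected before the URL is built.
    private static readonly Regex DomainName =
        new Regex(@"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$", RegexOptions.Compiled);

    // Assumed base authority; the answer builds this from the ida:Authority app setting instead.
    public static string BuildAuthority(string directoryName)
    {
        Guid ignored;
        bool ok = !string.IsNullOrEmpty(directoryName)
               && (Guid.TryParse(directoryName, out ignored) || DomainName.IsMatch(directoryName));
        if (!ok)
            throw new ArgumentException("directoryName must be a tenant ID or a domain name");
        return "https://login.microsoftonline.com/" + directoryName + "/OAuth2/Authorize";
    }

    // Azure AD (v1 endpoint) issuers have the form https://sts.windows.net/{tenantId}/ .
    // Returning the issuer means "valid"; throwing rejects the token.
    public static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        Uri uri;
        if (issuer != null && Uri.TryCreate(issuer, UriKind.Absolute, out uri)
            && uri.Scheme == "https" && uri.Host == "sts.windows.net")
        {
            Guid tenantId;
            if (Guid.TryParse(uri.AbsolutePath.Trim('/'), out tenantId) && OnboardedTenants.Contains(tenantId))
                return issuer;
        }
        throw new SecurityTokenInvalidIssuerException("Issuer is not an onboarded tenant: " + issuer);
    }
}

// In Startup.Auth.cs, drop `ValidateIssuer = false` (the validator is skipped when it is false) and use:
//   TokenValidationParameters = new TokenValidationParameters { IssuerValidator = TenantValidation.ValidateIssuer }
```

The `SignIn` action would then call `TenantValidation.BuildAuthority(directoryName)` instead of formatting the raw input into the URL.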