I have a web application that authenticates against Azure AD for Office 365 integration. Authenticating with an Office 365 (work/school) account works fine, however when I am redirected to https://login.live.com/ via the "Microsoft account" link, I get:
AADSTS50020: User account 'email address' from external identity provider 'live.com' is not supported for application 'application id'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.
I have added the Windows Live application to the tenant for my Azure AD, however it is still failing. I am using the most common sample code I've found (below). This post is listed as a solution http://stackoverflow.com/questions/25316175/access-to-my-office-365-third-party-app-for-external-user-a-user-account-is-n however, from the description, I am unable to determine what I need to change to use the common endpoint of Azure AD.
Any assistance is greatly appreciated.
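app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = ClientId,
        Authority = Authority,
        TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
        {
            // Multitenant sign-in: the middleware is told NOT to pin the issuer to a single
            // tenant (the line-of-business default). SECURITY: with this off, a token issued
            // by ANY Azure AD tenant - and, on the common endpoint, by the Microsoft account
            // system - passes the middleware. The SecurityTokenValidated callback below is
            // therefore the only place the issuer is examined, and it must reject issuers
            // and tenants this application does not trust.
            ValidateIssuer = false,
        },
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            RedirectToIdentityProvider = (context) =>
            {
                // Derive redirect_uri / post_logout_redirect_uri from the incoming request so the
                // same deployment works under several host names (e.g. Azure Web Sites) without
                // configuration changes.
                // NOTE(review): Request.Host is taken from the client-supplied Host header. The
                // base URL must be registered as a reply URL in Azure AD beforehand; that
                // registration is what prevents the authorization response from being steered
                // to a host the attacker controls.
                string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
                context.ProtocolMessage.RedirectUri = appBaseUrl;
                context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
                return Task.FromResult(0);
            },

            // Custom post-validation logic: enforce issuer presence and auto-provision a local
            // user record the first time an identity signs in.
            SecurityTokenValidated = (context) =>
            {
                var identity = context.AuthenticationTicket.Identity;

                // Claim lookup that returns null for a missing claim instead of throwing
                // NullReferenceException from FindFirst(...).Value. A Microsoft account
                // (live.com) token does not necessarily carry the same claim set as a
                // work/school account, so every claim read below is treated as optional.
                Func<string, string> claimValue = type =>
                {
                    var claim = identity.FindFirst(type);
                    return claim == null ? null : claim.Value;
                };

                // The original code tested Task.FromResult(0).Status, which is always
                // RanToCompletion, so its "authentication did not complete" branch was dead
                // code. Check the principal itself instead.
                if (!identity.IsAuthenticated)
                {
                    throw new SecurityTokenValidationException("The incoming identity is not authenticated.");
                }

                string issuer = claimValue("iss");
                string tenantID = claimValue("http://schemas.microsoft.com/identity/claims/tenantid");

                // Because ValidateIssuer is false above, nothing else checks where the token
                // came from. At minimum require that an issuer is present.
                if (string.IsNullOrEmpty(issuer))
                {
                    throw new SecurityTokenValidationException("Token carries no issuer (iss) claim.");
                }
                // TODO(review): compare issuer / tenantID against the set of tenants this
                // application trusts before provisioning a user below. As written, a user from
                // any Azure AD tenant can sign in and have an account created.

                // The local user record is keyed on the UPN claim. A token without one (possible
                // for a Microsoft account) cannot be mapped to a user, so it is rejected rather
                // than persisting a record with a null e-mail address.
                string email = claimValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn");
                if (string.IsNullOrEmpty(email))
                {
                    throw new SecurityTokenValidationException("Token carries no UPN claim; cannot map it to a local user.");
                }

                if (!UserDataProvider.UserExists(email))
                {
                    // First sign-in from this identity: allocate and persist the local record.
                    // Given/surname are optional and stay null when the token omits them.
                    UserDetail newUser = new UserDetail();
                    newUser.FirstName = claimValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");
                    newUser.LastName = claimValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname");
                    newUser.Email = email;
                    UserDataProvider.AddUser(newUser);
                }

                // All finished...
                return Task.FromResult(0);
            },

            AuthenticationFailed = (context) =>
            {
                // Surface the failure on the error page. The exception text is URL-encoded so it
                // cannot break the query string or smuggle characters into the redirect; the
                // error view must still HTML-encode it before rendering, because its content
                // can be influenced by whoever crafted the failing response. Consider logging
                // the full message server-side and showing the user a generic text instead.
                context.OwinContext.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(context.Exception.Message));
                context.HandleResponse(); // Suppress the exception
                return Task.FromResult(0);
            }
        }
    });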