Open dpaulino opened 3 years ago
jmprieur
commented
3 years ago @dpaulino it will work provided you change the audience of your web API to be Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)
dpaulino
commented
3 years ago @dpaulino it will work provided you change the audience of your web API to be Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)
which chapter did you try ?
did you see chapter 3: 3.-Web-api-call-Microsoft-graph-for-personal-accounts
I used chapter 1 instructions.
That's already the audience of the web API. In fact, the instruction already specifies that audience. But it doesn't work. I'm getting unauthorized error.
Is the issue related to my tenant? I'm using my default tenant. Should I create a new tenant?
And I haven't seen chapter 3 yet. I can try it.
dpaulino
commented
3 years ago For clarity, here is where the instruction says what audience to use: https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API#register-the-service-app-todolistservice-active-directory-dotnet-native-aspnetcore-v2. So how come I'm getting an unauthorized error when I use my personal microsoft account?
jmprieur
commented
3 years ago @dpaulino Could you please debug the web API by using the TodoListService launch profile, which is kestrel, not IIS, and look at the logs that appear in the console. you should be able to see an error and we'd understand what happens.
I'm assuming that the token is not validated (and that you don't enter into the controller Get method:
You might also want to add PII logging, for instance in the contructor of the Startup.cs, add:
IdentityModelEventSource.ShowPII = true;I figured out the issue. By sheer luck, I discovered that Azure AD's free-tier has a Single Sign-On limitation. You can only have 10 app registrations for SSO to work. I had 11. I reduced this down to 8, and then this sample code magically started working.
I'm extremely frustrated by this whole experience. The error messages I'm getting from Microsoft Identity made no mention of the SSO limitation. I'm just thankful that in my desperation, I was browsing through AAD's settings pages to see if I missed a setting somewhere.
Perhaps you may want to add a warning like this in your docs: "Be aware that Azure AD has a limit of 10 app registrations when it comes to SSO authentication. This sample code will ask you to create 2 new app registrations, so please make sure you are not over the 10-app limit after creating them." Or something like that.
So this issue is resolved, but I recommend adding the warning. Feel free to close this ticket as you see fit.
jmprieur
commented
3 years ago Thanks for the update @dpaulino I didn't know either. I wonder if this is recent.
@jennyf19 @henrik-me : let's try to improve the error message if we can at the level of Microsoft.Identity.Web (and possibly MSAL (@jennyf19 @henrik-me @bgavrilMS @trwalke @pmaytak)
cc: @lnalepa @SaeedAkhter-MSFT for the feedback ...
bgavrilMS
commented
10 months ago Not sure what fails here, but we need bug in either MSAL or Id.Web to improve the experience.
This issue is for a: (mark with an
x)Minimal steps to reproduce
Any log messages given by the failure
Expected/desired behavior
OS and Version?
Versions
Mention any other details that might be useful
I understand that the instructions say "this sample does not work with personal microsoft accounts". What do I have to do in order to protect an API using personal microsoft accounts? This sample is everything that I need, except that I just need to accept personal MSAs from users. Please help!