Closed luscl1 closed 7 years ago
Yes, it's true. Users present in your Active Directory will be able to log in and then can access your bot flow. You can also create your own tenant user IDs.
I think you didn't understand my problem. Even though I declared my tenant, I can still log in with any account, also with accounts that aren't in this tenant. I need the bot to only log in the users from my Azure AD tenant.
I am having the same problem as the OP. I have found that I can authenticate and authorize against my personal @msn.com account not just those accounts used by our corporation.
How do we limit logins to just our organisation's Azure Directory?
Ah, never mind, my mistake was to use the v2 API instead of v1 and to register my AD app as a "converged app".
Thanks @mickyd, this also solved my issue :)
This issue is on the file AuthBot/AuthBot/Helpers/AzureActiveDirectoryHelper.cs#39
Uncommenting the code below (and commenting out the current code at the end of this post) will make it work:
//var uri = "https://login.microsoftonline.com/" + AuthSettings.Tenant + "/oauth2/v2.0/authorize?response_type=code" +
// "&client_id=" + AuthSettings.ClientId +
// "&client_secret=" + AuthSettings.ClientSecret +
// "&redirect_uri=" + HttpUtility.UrlEncode(AuthSettings.RedirectUrl) +
// "&scope=" + HttpUtility.UrlEncode("openid profile " + string.Join(" ", scopes)) +
// "&state=" + encodedCookie;
Below is the one that is being applied, and there is no reference to Tenant, which is why "common" is always applied:
var uri = await client.GetAuthorizationRequestUrlAsync(
    scopes,
    null,
    $"state={extraParameters}");
Well, that can't be the problem. It's already like this in my code.
What you want is to leverage Microsoft Graph to check if your users belong to a specific group or tenant and make decisions on your code on whether you want to allow them in or not. The library by itself won't make these decisions on your behalf (some bots want that behavior, others don't).
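One way to make that decision in the bot's own code is to check the tenant claims of the id_token the v2 endpoint returns, rejecting tokens that were not issued by the configured tenant. This is an added example, not AuthBot's own code; it assumes the token was obtained by the auth library directly from the token endpoint over TLS (so only claims are inspected here, not the signature), and that `AuthSettings.Tenant` holds the tenant GUID from web.config.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Added example (not AuthBot's own code): a tenant check on the id_token returned
// by the v2 endpoint, to be run in the bot before the user is treated as signed in.
public static class TenantCheck
{
    // Decode the middle (payload) segment of a compact JWT and parse it as JSON.
    static JsonDocument Payload(string idToken)
    {
        var parts = idToken.Split('.');
        if (parts.Length != 3) throw new ArgumentException("not a compact JWT");
        var s = parts[1].Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='); // restore base64 padding
        return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(s)));
    }

    // True only when both the tid claim and the issuer name the expected tenant.
    // Tokens for personal Microsoft accounts or other tenants carry a different
    // tid and a different issuer, so they are rejected here.
    public static bool IssuedByTenant(string idToken, string expectedTenantId)
    {
        using (var doc = Payload(idToken))
        {
            var root = doc.RootElement;
            if (!root.TryGetProperty("tid", out var tid) ||
                !root.TryGetProperty("iss", out var iss))
                return false;

            var expectedIssuer = $"https://login.microsoftonline.com/{expectedTenantId}/v2.0";
            return string.Equals(tid.GetString(), expectedTenantId, StringComparison.OrdinalIgnoreCase)
                && string.Equals(iss.GetString(), expectedIssuer, StringComparison.OrdinalIgnoreCase);
        }
    }
}

// Usage in the bot after the library hands back the token result (assumed variable names):
//   if (!TenantCheck.IssuedByTenant(result.IdToken, AuthSettings.Tenant))
//       { /* do not store the token; tell the user the account is not allowed */ }
```

A group-membership check via Microsoft Graph, as suggested above, can be layered on top of this once the tenant itself has been confirmed.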
Hi, I'm using the authorization with the v2 endpoint. In the web.config file I put the GUID of my tenant in the ActiveDirectory.Tenant key. I thought this would then result in only users in this tenant being able to authorize to the bot. Isn't this true? I can authorize with any user, even with my private Microsoft account. Do I have to change other things to guarantee that only users from the Azure tenant can authorize? Thanks for your answer!