microsoft / AzureBot

This is the source code which runs the Microsoft AzureBot.
http://aka.ms/AzureBot
MIT License

Support MSA Auth #108

Open dtzar opened 8 years ago

dtzar commented 8 years ago

Currently AzureBot only supports authentication using Azure Active Directory accounts, not Microsoft accounts (i.e. Outlook, Hotmail, etc). We depend on the AuthBot https://github.com/matvelloso/AuthBot, so this functionality enhancement should happen there. Enhancement would be making auth work with MSA.

Bugs would be not graceful handling of when you authenticate with MSA account to let people know we don't support MSA.

1) MSA is global admin of tenant - you get:
   "message": "An error has occurred.", "exceptionMessage": "AADSTS65001: The user or administrator has not consented to use the application with ID '88443132-9b52-485d-90ed-49f37efd1c2b'. Send an interactive authorization request for this user and resource."
2) MSA is just a user in the directory - you get an infinite spinning wheel like this: [image]

aloneguid commented 8 years ago

I have the same problem, and it doesn't work on some AAD accounts also, specifically ones replicated from on premises.

dtzar commented 8 years ago

@aloneguid are the AAD accounts replicated from on-premises which don't work global admins by chance?

aloneguid commented 8 years ago

@dtzar no, they definitely aren't. It works randomly on some subscriptions. I can't put my finger on what's special about accounts which do and don't unfortunately.

Bennoo commented 8 years ago

Hello here, is there a workaround to use the bot with a Hotmail account? I really would like to try it. Thanks

nzthiago commented 8 years ago

At the moment with the current code there's no workaround, you'd have to create a user in your AAD domain and use that to sign in.

One flow you can implement is to ask the user for their subscription ID, then use the subscription ID to determine what tenant the user is in, then finally, sign the user in to that tenant using the / endpoint instead of /common. See: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-api-authentication/ This would work for @hotmail.com and other consumer Microsoft accounts, but would have to be a version of the bot that's not hosted by Microsoft.
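The tenant-discovery step of the flow above, as an added example that is not part of the AzureBot or AuthBot code. It follows the mechanism in the linked Resource Manager authentication article: an unauthenticated GET on `https://management.azure.com/subscriptions/{subscriptionId}?api-version=2015-01-01` returns a 401 whose `WWW-Authenticate` header carries an `authorization_uri` containing the tenant ID, which is then used to build the tenant-specific authority instead of `/common`. The subscription ID and tenant GUID in the sample challenge are constructed values, and `discover_tenant` is a hypothetical helper that performs the live request (not called here, so the block runs offline).

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Subscription IDs and tenant IDs are GUIDs; reject anything else before it is
# interpolated into a URL so a chat user cannot smuggle path segments into the request.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Unauthenticated ARM call whose 401 challenge reveals the subscription's tenant.
ARM_SUBSCRIPTION_URL = "https://management.azure.com/subscriptions/{sub}?api-version=2015-01-01"

# Constructed sample challenge in the shape documented for ARM (tenant GUID is made up).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CHALLENGE = (
    'Bearer authorization_uri="https://login.windows.net/' + SAMPLE_TENANT + '", '
    'error="invalid_token", '
    'error_description="The authentication failed because of missing \'Authorization\' header."'
)


def is_guid(value: str) -> bool:
    """True if value is a well-formed GUID (the only form a subscription or tenant ID may take)."""
    return bool(GUID_RE.match(value or ""))


def tenant_from_www_authenticate(header: str) -> str:
    """Pull the tenant ID out of the authorization_uri attribute of a Bearer challenge."""
    match = re.search(r'authorization_uri="([^"]+)"', header or "")
    if not match:
        raise ValueError("WWW-Authenticate header carries no authorization_uri")
    # authorization_uri looks like https://login.windows.net/<tenant>; take the first path segment.
    path = urlparse(match.group(1)).path.strip("/")
    tenant = path.split("/")[0] if path else ""
    if not is_guid(tenant):
        raise ValueError(f"authorization_uri does not end in a tenant GUID: {tenant!r}")
    return tenant


def authority_for_tenant(tenant_id: str) -> str:
    """Tenant-specific AAD authority to sign the user in against (replaces the /common endpoint)."""
    if not is_guid(tenant_id):
        raise ValueError("tenant_id must be a GUID")
    return f"https://login.microsoftonline.com/{tenant_id}"


def discover_tenant(subscription_id: str) -> str:
    """Hypothetical live helper: resolve the tenant of a subscription via the ARM 401 challenge."""
    if not is_guid(subscription_id):
        raise ValueError("subscription_id must be a GUID")
    request = urllib.request.Request(ARM_SUBSCRIPTION_URL.format(sub=subscription_id))
    try:
        urllib.request.urlopen(request)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return tenant_from_www_authenticate(err.headers.get("WWW-Authenticate", ""))
        raise
    # ARM should never answer an unauthenticated request with success.
    raise RuntimeError("expected a 401 challenge from ARM")


if __name__ == "__main__":
    tenant = tenant_from_www_authenticate(SAMPLE_CHALLENGE)
    print("tenant:", tenant)
    print("authority:", authority_for_tenant(tenant))
```

In a bot this would run after the user supplies their subscription ID; the resulting authority is what the sign-in link should point at, so that a consumer Microsoft account that is a guest in the tenant gets the tenant's own login flow rather than the `/common` endpoint that produced the AADSTS65001 error and the spinner described in the issue.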