mrochon
commented
3 years ago Hi Patrick, sorry you are having so many issues and thanks that you described them in such detail here. I will try to address just the main title issue and handle the others as separate updates over the next couple of weeks.
Is your login perhaps in a non-commercial (e.g. government AAD)? Government and soverign (e.g. China) tenants cannot subscribe to multi-tenant apps. Azure B2C which runs the signin process exposes itself to other tenants as a multi-tenant app.
Please check that your B2C tenant, viewed from through the regular AAD balde (not B2C blade) has the app whose guid is in your error message and that it is marked as multi-tenant. If that's all OK, can you capture a Fiddler trace (saz archive) and send it to me? If you do, please make sure to delete any requests which contain your passwords. A multi-tenant app, once consented should appear as a Service Principal (in the Enterprise Apps blade) of the tenant you signed into.
Thanks again, I will try to record your other issues as separate git issues and address them one by one.
ericmqt
Thank you @mrochon for this excellent repo! I had a few observations/issues (sorry if this is a bit long):
As per #5 I modified Setup-B2CMultiTenant.ps1 and Remove-B2CMultiTenant.ps1 to specify the Tenant and subscription when connecting, otherwise it will try to deploy apps to my B2C tenant, instead of my organizational tenant:
Upload-IEFPolicies will fail to upload TrustFrameworkBase.xml and TrustFrameworkExtensions.xml due to validation errors, if the IEF does not have policy keys named B2C_1A_GoogleSecret and B2C_1A_FacebookSecret. Maybe these had originally existed when I first created my B2C tenant and I deleted them, not sure. But adding placeholder generated keys fixed the issue, and the keys would be needed regardless if one wishes to implement Google/FB auth.
I notice in the sample app that initially after the "Create Tenant" flow, everything works fine, but after some time (20 mins?) the Members and Tenant tab will no longer work, displaying blank views. I'm guessing some sort of a token timeout to the API, that isn't auto-renewing?
After completing the setup script, on the final setup for granting admin consent to permissions for the client-creds app, pressing Accept on the consent screen will throw a sign in error, owing to the client creds app not having a redirect uri. I assumed this was okay since it doesn't need one? I was also able to manually add the permissions and grant them in the portal.
I can't get the app to work, in both the auto-deployed version, and the .NET core version running locally. Following the Create Tenant journey (policy = susint I believe), I select Work or School on the login screen, choose an account, then get the following:
Sorry, but we’re having trouble signing you in. AADSTS700016: Application with identifier 'https://fa1fc4c9-0029-44d4-2b87-d0581bcbf22a/tenant' was not found in the directory 'e21f9n12-3318-4e2c-v11c-8040c4b31318'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
These are contrived GUIDs, but the first is the ClientId of the AADCommon app in the B2C tenant, and the second I believe is the tenant id of whatever user is trying to create a new tenant. I've tried with a number of users from different tenants.
I would have expected the app registration to auto-appear in the organizational tenant of any user that consents to adding the client app. Much like in Azure AD Multi-Tenancy when using the Admin consent endpoint. Is that not the case here?
Is it possible to omit the invitation process for users coming from Azure AD tenants? i.e. Once an application tenant is "created" (which, as I understand, is just adding the user to a tenant group), is it possible to have all further users using the same Azure Ad tenant added to the same group/app tenant?
Any advice would be greatly appreciated. Thank you again.