azure - 使用个人 Microsoft 帐户进行单点登录在 Azure 中的已注册应用程序中不起作用
问题描述
我们使用公司帐户在 Azure 中注册了一个应用程序。我们已将其设置为 web-app 类型,并将 signInAudience 设置为AzureADandPersonalMicrosoftAccount
当我们使用公司帐户登录我们的网络应用程序时,它可以工作,但是当我们使用带有 hotmail 地址的个人 Microsoft 帐户时,我们会收到以下消息:
AADSTS50020: User account '*********@hotmail.com' from identity provider 'live.com' does not exist in tenant '*********' and cannot access the application '******'(***-api) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
我们仔细检查了所有设置,它们看起来有效。我们的想法已经用完了这是我们清单的一个版本:
{
"id": "**********",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": null,
"appId": "*********",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2020-08-04T14:32:25Z",
"groupMembershipClaims": "None",
"identifierUris": [
"https://***.company.be"
],
"informationalUrls": {
"termsOfService": "https://www.company.be/legals/gebruiksvoorwaarden",
"support": null,
"privacy": "https://www.company.be/legals/privacy",
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": "https://secure.aadcdn.microsoftonline-p.com/...",
"logoutUrl": null,
"name": "***-api",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": {
"idToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "family_name",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"accessToken": [],
"saml2Token": []
},
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2299-12-30T23:00:00Z",
"keyId": "**********",
"startDate": "2020-08-04T14:47:56.759Z",
"value": null,
"createdOn": "2020-08-04T14:47:58.647043Z",
"hint": "gIh",
"displayName": "*****-api clientSecret"
}
],
"preAuthorizedApplications": [],
"publisherDomain": "company.be",
"replyUrlsWithType": [
{
"url": "http://localhost:3000/link/microsoft/callback",
"type": "Web"
},
{
"url": "https://api.copmpany.be/link/microsoft/callback",
"type": "Web"
},
{
"url": "https://api.copmpany.be/auth/microsoft/callback",
"type": "Web"
},
{
"url": "https://api.staging.copmpany.be/link/microsoft/callback",
"type": "Web"
},
{
"url": "https://api.staging.copmpany.be/auth/microsoft/callback",
"type": "Web"
},
{
"url": "http://localhost:3000/auth/microsoft/callback",
"type": "Web"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "***",
"resourceAccess": [
{
"id": "****",
"type": "Scope"
},
{
"id": "***",
"type": "Scope"
},
{
"id": "***",
"type": "Scope"
},
{
"id": "***",
"type": "Scope"
},
{
"id": "***",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": "https://www.company.be",
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [
"webApp",
"notApiConsumer"
],
"tokenEncryptionKeyId": null,
"verifiedPublisher": {
"displayName": null,
"verifiedPublisherId": null,
"addedDateTime": null
}
}
解决方案
如果您的业务场景不需要访问租户的资源(例如为租户调用 MS Graph API),除了Sarthak 的回答之外,您还可以将您的权限 Uri 更改为支持 MSA 的公共端点,而无需邀请租户。请参阅有关权限端点的文档。根据您的业务场景,选择您的解决方案。
推荐阅读
- angular - 如何在Angular 6中将异步管道的结果分配给没有*ngIf的变量
- android - JSONArray 中的项目总和在活动重新启动时翻倍
- java - 在 JBoss 中部署 Web 服务后禁用它
- vba - 使用输入条件的搜索范围将值从一张表复制到另一张表
- android - 如何绘制多边形,如谷歌地图中的图像所示?
- excel - Excel VBA 导出模块应用程序定义或对象定义错误:50012
- arrays - VBA:从数据表中创建一个包含数组数组的 .txt 文件
- dart - 小部件在颤动中未在屏幕底部对齐
- django - Django-Python 日期时间本地化问题
- javascript - JS 过滤器不工作