Frederic

Reputation: 78

Azure AD authentication with Institutional and Microsoft accounts

I have a custom MVC WebApplication with a WebApi service that requires authentication/authorization. I followed the example on GitHub, WebApp-WebAPI-OpenIDConnect-DotNet. While developing I created a new test directory on my personal Azure subscription and everything worked perfectly fine. I could add institutional accounts (like [email protected]) and existing Microsoft accounts ([email protected]) and assign them to different groups. When a user typed in a Live ID email address on the login page and moved the cursor to the password textbox, he was redirected to a Microsoft account login page.

Now I published the application to our production web server and want to connect the applications to a synchronized Azure Active Directory. It works with all institutional (work-) accounts. But when I add a Microsoft account, and try to login with those credentials, the redirection does not work anymore. The login page displays in red:

We don't recognize this user ID or password. Make sure you typed the user ID assigned to you by your organization. It usually looks like [email protected] or [email protected]. And check to make sure you typed the correct password.

What am I missing? Is it possible to use synchronized institutional and personal Microsoft accounts together in one directory?

Upvotes: 1

Views: 1034

Answers (2)

Ariel Gordon

Reputation: 36

My team owns the sign-in UX for Azure AD. The fact that the AAD login page recognizes domains like outlook.com and redirects users to the Microsoft account (Live ID) login page is a happenstance. It doesn't work for all consumer domains, and it must not be relied on to enable MSA sign-in to your apps. If you want to support sign-in for Azure AD and MSA users, you need to show separate sign-in buttons in your app. We're looking at how we can make this experience better in the longer term. Hope this helps.

Upvotes: 2

vibronet

Reputation: 7394

If you are using OpenID Connect like in the sample, and you are not using the /common endpoint, there should be no difference between the two scenarios. I assume you are an admin in your prod directory as well? Did you provision the Microsoft accounts in your prod directory in the exact same way as you did in your test directory?

Upvotes: 0
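The two answers above turn on how the OWIN OpenID Connect middleware is pointed at the directory: a tenant-specific authority (what the sample does) lets the middleware validate the token issuer on its own, while the /common authority accepts sign-ins from any Azure AD tenant and therefore needs an explicit issuer allowlist, and MSA users need their own sign-in path rather than the accidental redirect. The following Startup and controller are an added example written for this page, not code from the WebApp-WebAPI-OpenIDConnect-DotNet sample or from the questioner's application. It assumes the Microsoft.Owin.Security.OpenIdConnect 3.x middleware with System.IdentityModel.Tokens 4.x, the Azure AD v1 issuer format https://sts.windows.net/<tenantId>/, and placeholder client id, tenant id and redirect URI values that must be replaced with your own.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example; not the sample's or the questioner's code. All ids and URIs are placeholders.
public partial class Startup
{
    private const string ClientId = "00000000-0000-0000-0000-000000000000";   // placeholder app id
    private const string RedirectUri = "https://localhost:44300/";             // placeholder reply URL

    // Directory (tenant) ids whose users may sign in. With a tenant-specific
    // Authority this allowlist is redundant; with /common it is the only thing
    // that stops a token from an unrelated tenant being accepted.
    private static readonly HashSet<string> AllowedTenantIds = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "11111111-1111-1111-1111-111111111111", // placeholder: the synchronized production directory
    };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Azure AD (work/institutional accounts) via OpenID Connect.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            // Tenant-specific authority (as in the sample): the middleware checks the issuer itself.
            // Authority = "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111",
            // /common authority: any Azure AD tenant can issue a token, so validate the issuer below.
            Authority = "https://login.microsoftonline.com/common",
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // Keep issuer validation on, but replace the built-in check
                // (which cannot work against /common's templated issuer) with an allowlist.
                ValidateIssuer = true,
                IssuerValidator = ValidateIssuer,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = ctx =>
                {
                    // Rejected issuer or signature: fail closed and show a generic error page.
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(ctx.Exception.Message));
                    return Task.FromResult(0);
                },
            },
        });

        // Microsoft accounts (MSA) via their own middleware, as Ariel Gordon's answer advises.
        // Placeholder app credentials registered separately for the consumer identity service.
        app.UseMicrosoftAccountAuthentication("msa-client-id-placeholder", "msa-client-secret-placeholder");
    }

    // Accepts only https://sts.windows.net/<tenantId>/ where <tenantId> is allowlisted.
    private static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        const string prefix = "https://sts.windows.net/";
        if (issuer != null
            && issuer.StartsWith(prefix, StringComparison.Ordinal)
            && issuer.EndsWith("/", StringComparison.Ordinal))
        {
            string tenantId = issuer.Substring(prefix.Length, issuer.Length - prefix.Length - 1);
            if (AllowedTenantIds.Contains(tenantId))
            {
                return issuer;
            }
        }
        throw new SecurityTokenInvalidIssuerException("Issuer '" + issuer + "' is not an allowed tenant.");
    }
}

// Two explicit sign-in buttons, one per identity provider, instead of relying on the redirect.
public class AccountController : Controller
{
    public ActionResult SignInWorkAccount()
    {
        return Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }

    public ActionResult SignInMicrosoftAccount()
    {
        return Challenge("Microsoft"); // default AuthenticationType of the MSA middleware
    }

    private ActionResult Challenge(string authenticationType)
    {
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/" }, authenticationType);
        return new HttpUnauthorizedResult();
    }
}
```

Setting `ValidateIssuer = false` instead of supplying an `IssuerValidator` would make the /common configuration accept an id_token from any Azure AD tenant, so a user in an unrelated directory could sign in to the application; the allowlist keeps the multi-tenant endpoint while restricting who is actually trusted.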
