Stephen M.

Reputation: 21

Azure AD OAuth 2 with Endpoint Ver. 2 - work account succeeds, personal account fails with "Microsoft account is experiencing technical problems."

We are adding sign-in with Microsoft to our website. Our requirement is to support both personal Microsoft accounts and work/school accounts from Azure Active Directory.

I'm only permitted to post 2 URLs in this post so I will break them with spaces.

We carefully followed Microsoft's documentation at the following URL: https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-protocols/

https ://login.microsoftonline.com/common/oauth2/v2.0/authorize

https ://login.microsoftonline.com/common/oauth2/v2.0/token

School/work account succeeds

When we initiate an OAuth 2 login using this protocol, we are taken to Microsoft's login page at the following URL: https ://login.microsoftonline.com/common/oauth2/v2.0/authorize

Entering an email address and password for a user with a school/work account in the form "[email protected]" successfully authenticates that user, we receive an access token, and are able to successfully query the Microsoft Graph API.

Personal Account Fails

When we initiate an OAuth 2 login and are taken to https ://login.microsoftonline.com/common/oauth2/v2.0/authorize but enter a personal Microsoft account email address, we are immediately redirected to the Microsoft personal account login page at the following URL:

https ://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=00000000-0000-0000-0000-000000000000&redirect_uri=https%3A%2F%2Fsub.example.com%2Flogin%2Foffice365%2Fprocess&scope=openid%20User.Read&response_mode=query&state=0000000000qi7ua80000000000

which fails and redirects to an error page with the message:

"Microsoft account is experiencing technical problems. Please try again later."

The URL of the error page is:

https ://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https ://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.&state=0000000000qi7ua80000000000

Our debugging steps

Upvotes: 2

Views: 1235
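The flow in the question (v2.0 authorize request, then a callback that either carries a code or, as here, an error hidden in the fragment of a login.live.com error page) is small enough to script. The helpers below are an added example, not code from the question's author or from Microsoft: they build the authorize URL with the parameters the question uses, bind a random `state` to the request so a forged or stale callback is rejected, and decode an error redirect from either the query string or the fragment so the real `error_description` (the redirect_uri mismatch) is surfaced instead of the generic "technical problems" text. The sample client_id, redirect_uri and state values are the placeholders shown in the question; the sample URLs are constructed here.

```python
"""Authorization code flow helpers for the Microsoft identity platform
v2.0 endpoint: build the authorize request, check the callback.

Added example for the question above; not the author's or Microsoft's code.
Endpoint and parameter names are taken from the question; sample values
below are constructed from the placeholders it shows.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Constructed samples (placeholder values from the question, URLs joined).
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_REDIRECT_URI = "https://sub.example.com/login/office365/process"
SAMPLE_STATE = "0000000000qi7ua80000000000"
SAMPLE_ERROR_REDIRECT = (
    "https://login.live.com/err.srf?lc=1033#error=invalid_request"
    "&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'"
    "+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'"
    "+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application."
    "&state=" + SAMPLE_STATE
)


def new_state() -> str:
    """Unguessable per-request state. Store it server-side in the session
    and compare it on return; a mismatch means the callback was not started
    by this session (CSRF or a replayed/stale request)."""
    return secrets.token_urlsafe(24)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Build the v2.0 authorize URL for the authorization code flow.
    redirect_uri must match one registered for the application exactly."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_error_redirect(url: str) -> dict:
    """Return error, error_description and state from a redirect URL.

    The v2.0 endpoint normally returns errors in the query string, but the
    login.live.com error page in the question puts them in the fragment,
    so both locations are read (query takes precedence)."""
    parsed = urlparse(url)
    fields: dict = {}
    for part in (parsed.query, parsed.fragment):
        for key, values in parse_qs(part, keep_blank_values=True).items():
            fields.setdefault(key, values[0])
    return {k: fields.get(k) for k in ("error", "error_description", "state")}


def check_callback(url: str, expected_state: str) -> dict:
    """Classify a callback: 'ok' with a code, 'error' with the provider's
    fields, or 'state_mismatch' when the returned state is not ours."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    err = parse_error_redirect(url)
    returned_state = query.get("state", [None])[0] or err["state"]
    if returned_state != expected_state:
        return {"status": "state_mismatch", "state": returned_state}
    if err["error"]:
        return {"status": "error", **err}
    return {"status": "ok", "code": query.get("code", [None])[0]}


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(SAMPLE_CLIENT_ID, SAMPLE_REDIRECT_URI, "openid User.Read", state))
    print(check_callback(SAMPLE_ERROR_REDIRECT, SAMPLE_STATE))
```

Running the module prints the authorize URL and then the decoded error for the sample redirect, whose `error_description` names the redirect_uri mismatch; that is the field worth logging on the server when sign-in fails, since the page shown to the user hides it.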

Answers (2)

Jordy K.

Reputation: 11

It's indeed a bug. Microsoft doesn't store your redirect_uri even though it appears to be changed.

What works for me is changing the manifest. You only change your applications name in the manifest and save it. Microsoft will then correctly store the whole manifest including your redirect_uri.

It's an annoying bug which cost me a lot of time.

Upvotes: 1

dstrockis

Reputation: 1193

Looks like you're doing everything right. Over the past few weeks the apps.dev.microsoft.com portal has occasionally failed to record the redirect_uri in the Microsoft account data store. It seems like you're hitting this bug.

The only workaround right now is try removing & re-adding redirect_uris in apps.dev.microsoft.com until it actually sticks. For others, starting fresh by creating a new App ID has worked well.

Upvotes: 1
