Application is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint

Question

I know there are several other posts listed about this topic but I cannot seem to find any useful info in them to apply to my own application. I am building a .Net MVC Web App that uses the Microsoft Graph API. I followed another project (https://github.com/microsoftgraph/aspnet-snippets-sample) but when I launch the application, it redirects to https://login.microsoftonline.com where it attempts to log in using a Microsoft work account, and redirects back to the homepage. However, after entering Microsoft account credentials and before being redirected back, I am shown an error:

.

Below is a section from my Startup.Auth.cs that I believe is causing the problems. If anyone can see anything that seems off or has any insight on this topic, I would greatly appreciate it. I have been spinning my wheels just trying to sign-in to this application using Open Id Connect to be able to use the Microsoft Graph API. Thanks!

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions {

    // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/common/v2.0
    // The `Scope` describes the permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/                    
    ClientId = appId,

        * * Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "common", "/v2.0"), * *
        RedirectUri = redirectUri,
        Scope = scopes,
        PostLogoutRedirectUri = redirectUri,
        TokenValidationParameters = new TokenValidationParameters {
            ValidateIssuer = false,
        },
        Notifications = new OpenIdConnectAuthenticationNotifications {
            AuthorizationCodeReceived = async(context) => {
                    var code = context.Code;
                    string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                    string graphScopes = nonAdminScopes;
                    string[] scopes = graphScopes.Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);

                    ConfidentialClientApplication cca = new ConfidentialClientApplication(appId, redirectUri,
                        new ClientCredential(appSecret),
                        new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance(), null);
                    AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, scopes);

                    // Check whether the login is from the MSA tenant. 
                    // The sample uses this attribute to disable UI buttons for unsupported operations when the user is logged in with an MSA account.
                    var currentTenantId = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
                    if (currentTenantId == "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx") {
                        HttpContext.Current.Session.Add("AccountType", "msa");
                    }
                    // Set IsAdmin session variable to false, since the user hasn't consented to admin scopes yet.
                    HttpContext.Current.Session.Add("IsAdmin", false);
                },
                AuthenticationFailed = (context) => {
                    context.HandleResponse();
                    context.Response.Redirect("/Error?message=" + context.Exception.Message);
                    return Task.FromResult(0);
                }
        }
});

Answer 1

Unfortunatelly adding Converged Apps from https://apps.dev.microsoft.com/ is no longer supported by MS. They redirect to Azure portal from there.

Answer 2

If you are using microsoftgraph/msgraph-sdk-dotnet-auth for getting access token, then /common endpoint is valid.

If you are using AzureAD/microsoft-authentication-library-for-java for getting access token, then use /organizations endpoint instead of /common.

Answer 3

This error is usually caused by an incompatibility between your app registration and the authentication library you are using.

The code in that sample is using the Microsoft Authentication Library (MSAL), which uses the Azure V2 OAuth endpoints, which supports converged auth (both Azure AD accounts and Microsoft accounts). In order for the v2 auth endpoints to work, your app registration MUST come from https://apps.dev.microsoft.com.

If you register your app on the Azure portal (https://portal.azure.com), you'll see this error. That's because the Azure portal registers the app using the Azure v1 OAuth schema.

There is also a case where the https://apps.dev.microsoft.com portal can create a v1 registration. If you login to that portal and you see more than one grouping of apps, with multiple "Add an app" buttons, you need to choose the "Add an app" button for Converged Apps.