Exception in Azure AcquireTokenAsync() accessing_ws_metadata_exchange_failed

Question

Regarding adding external Gmail users to the Azure Active Directory Group, I have invited a Gmail user from the azure portal and the Gmail user has granted the consent to access the Application registered in Azure Enterprise Application.

When the Gmail user tried to Sign In into my Single Sign-On page, Azure validation is throwing the exception, when I am trying to acquire token by AcquireTokenAsync() Method

accessing_ws_metadata_exchange_failed

Response status code does not indicate success: 406 (NotAcceptable).

Below is my C# code to validate the users against Azure Active Directory.

var authority = string.Format(CultureInfo.InvariantCulture, "https://login.windows.net/{0}", tenantId);
var authenticationcontext = new AuthenticationContext(authority);
var upc = new UserPasswordCredential(username, password); //gmailusername and password
authenticationResult = authenticationcontext.AcquireTokenAsync("https://graph.windows.net", clientId, upc).Result;
            

Answer 1

The login flow you are using doesn't really work well with federated users (like these Guests).

Resource Owner Password Credentials (ROPC) grant flow that you are using here is only really meant to be a legacy upgrade path and isn't really modern authentication.

By the way, that login flow also does not support users with Multi-Factor Authentication or an expired password.

You could use Authorization code flow to login(back-end web app/native app).

In the case of a back-end Web app, authorization code flow works by you redirecting the user to login, getting a code back which you exchange for tokens.

In native apps it can be used by showing a pop-up of the login page to the user. It can be used through different overloads of AcquireTokenAsync().