roman m

Reputation: 26561

Authenticating with Azure AD using UPN (User principal name)

I have Angular 9 client calling Azure Functions. I started off with msal-angular package using "implicit grant flow" for authentication, and that worked fine.

My client app registration in Azure has its Authentication set to "Accounts in this organizational directory only (Default Directory only - Single tenant)". I can't change this setting as the app will only be available to company users.

I'm using my personal Microsoft account with Gmail username (e.g.: [email protected]). This account is a "Guest" in Azure AD, so far, so good.

I'm moving away from msal-angular and implementing PKCE authentication flow.

I'm using angular-auth-oidc-client package. My stsServer and authWellknownEndpoint are set to https://login.microsoftonline.com/[tenant-id]/v2.0 (turned out to be the problem, see update at the bottom)

Here are the login scenarios I'm having issues with:

  1. When I use my [email protected], I get an "unauthorized_client ..." error right after I enter my username.

  2. When I use my UPN (e.g.: [email protected]#EXT#@our_ad_owner.onmicrosoft.com) I get to the password prompt, but my Microsoft password doesn't work. I understand why it doesn't work (that password has nothing to do with AD), but I can't figure out how to set AD password for that account.

When I try to reset my password in AD, it tells me that "[email protected] is a Microsoft account that is managed by the user. Only [email protected] can reset their password for this account."


Any help with setting AD password for my UPN would be appreciated. I would also like to know if it's possible to login with my actual email address, and not UPN.


UPDATE: The problem was with angular-auth-oidc-client setup, authWellknownEndpoint was set to https://login.microsoftonline.com/common/v2.0, after I changed it to https://login.microsoftonline.com/[tenant-id]/v2.0 it worked!

Upvotes: 1

Views: 3349

Answers (1)

Allen Wu

Reputation: 16478

You get the first error because you are using https://login.microsoftonline.com/common/v2.0 as the authority. It treats your account as a personal account rather than the guest account in your tenant. But your Azure AD app is configured as Accounts in this organizational directory only (Default Directory only - Single tenant), which is not supported for consumers (personal accounts). See the reference here.

So you should use https://login.microsoftonline.com/{your tenant id}/v2.0 as the authority. Then it will allow your [email protected] to sign in.

Upvotes: 2
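As an added illustration of the fix (not code from the question or the answer), the following builds the authority settings for a single-tenant app registration and refuses the "common", "organizations" and "consumers" aliases that produce unauthorized_client for such an app. The field names stsServer and authWellknownEndpoint are the ones the question uses; the tenant id, client id and redirect URL are constructed placeholders.

```typescript
// Constructed placeholder values; replace with your own registration's ids.
const TENANT_ID = "00000000-0000-0000-0000-000000000000";
const CLIENT_ID = "11111111-1111-1111-1111-111111111111";

// Azure AD authority aliases that resolve to "any tenant". A registration set to
// "Accounts in this organizational directory only" cannot be used through them.
const MULTI_TENANT_ALIASES = ["common", "organizations", "consumers"];

interface OidcConfig {
  stsServer: string;
  authWellknownEndpoint: string;
  clientId: string;
  responseType: "code";
  scope: string;
  redirectUrl: string;
}

// Extracts the tenant segment from https://login.microsoftonline.com/<tenant>/v2.0,
// or returns null if the URL is not a v2.0 authority at all.
function tenantSegment(authority: string): string | null {
  const m = /^https:\/\/login\.microsoftonline\.com\/([^/]+)\/v2\.0\/?$/.exec(authority);
  return m ? m[1] : null;
}

// True only when the authority names one specific tenant rather than an alias.
function isSingleTenantAuthority(authority: string): boolean {
  const seg = tenantSegment(authority);
  return seg !== null && !MULTI_TENANT_ALIASES.includes(seg.toLowerCase());
}

// Builds the authorization-code (PKCE) config used with angular-auth-oidc-client
// and throws early if the authority would be rejected by a single-tenant app.
function buildSingleTenantConfig(tenantId: string, clientId: string, redirectUrl: string): OidcConfig {
  const authority = `https://login.microsoftonline.com/${tenantId}/v2.0`;
  if (!isSingleTenantAuthority(authority)) {
    throw new Error(`${authority} is a multi-tenant alias; a single-tenant app gets unauthorized_client`);
  }
  return {
    stsServer: authority,
    authWellknownEndpoint: authority, // same tenant-specific base, as in the question's working setup
    clientId,
    responseType: "code", // authorization code + PKCE, replacing the implicit flow
    scope: "openid profile email offline_access",
    redirectUrl,
  };
}
```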
