I'm trying to setup authentication against Azure DevOps using MSAL. I've followed Microsoft's sample but I can't get it to work with personal Microsoft accounts. Whenever I try to login with a personal account I get the following error:
This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.
In the sample I have only changed ida:Tenant to "common" and ida:ClientId to my application id. I've setup my App Registration by following the guide in the sample except for the "Supported account types" which I've set to:
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
What am I doing wrong or missing?
When configuring the application to use your app registration, you need also find the key ado:OrganizationUrl and replace the existing value to the URL of your Azure DevOps organization. Please note: This must use HTTPS. As it mentioned in Configure the application to use your app registration.
If you already replaced the ado:OrganizationUrl, you may have a try to change the Supported account types back to "Accounts in this organizational directory only" to see if it works for troubleshooting.
I spent a little bit time to get the samples working and the key steps required to accomplish this are:
the Microsoft personal account need to be added to an Azure active directory tenant. As MSAL uses Azure AD as a fundamental infrastructure.
https://learn.microsoft.com/en-us/answers/questions/228067/invite-or-add-personal-ms-account-to-azure-ad.html
Link the Azure Ad tenant (with the Microsoft personal account) to the Azure DevOps service Instance.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
To complete the sample, I used my MS personal account to sign up a free Azure account (so that I can test the Azure AD stuff), and used the same account to request a free Azure devops service account.
Thanks
In your question you mention:
"I'm trying to setup authentication against Azure DevOps using MSAL. "
So, the goal is to let Microsoft Account users logon to some part of Azure DevOps using MSAL? I'm curious what the exact use case is, but let's assume I understand you correctly.
The first thing that comes in mind is, are those users already invited to the AzDo organization? Please read here how to do this.
Doing this will add them to the Active Directory as a guest like this:
Alternatively if you just want to invite these users to Azure, please use the invite from: https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers
This site suggests this error occurs when the user doesn't have multi-factor authentication setup. You may need to have your Microsoft account setup with MFA.
Related
I'm looking to see if it's possible to use both individual user accounts authentication along side Azure AD authentication in a single application. Either Framework or Core (ASP.NET).
So far it's been all Google searching and I'm not finding anything that clearly states one can do this. Secondly, I'm not very familiar with authenticating an application aside from the basics for both individual or azure ad (well documented examples / VS template code).
Any help, links, small code example from Startup.cs is greatly appreciated.
Thanks.
It's too vast topic to put into an answer as a how-to-guide. However, I would try to give you brief overview and enough references/examples to look at. Your scenario can be better solved by using Azure AD B2C in conjunction with Azure AD. I strongly suggest you to go through the overview from those links for foundational concepts first. Azure AD B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
In your case, you need to add Azure AD as identity provider in the B2C tenant, and add required User flow (personal/social login) which will enable your user to login with either organizational (AAD) or personal/social account by signing up. This explains how to configure custom policies in B2C to add AAD as identity provider in such case. And for example, this provides you guide to enable Azure AD and Facebook login.
Now coming to code/SDK part, since you are into C# and asp.net, your one stop shop should be the new Microsoft Identity Web library. It would make your life lot easier to wire up with Microsoft Identity Platform with minimal configuration and code, and also has pretty good documentation, reference and samples to handle most common scenario. For example, this is a sample for B2C. There are many more here for your reference in case you need.
I would emphasize your starting point should be Microsoft Identity Web for asp.net core.
Is it possible to pull work items from the DevOps API without needing a user to be logged in to get an access token every time?
I am trying to create a back-end service that pulls work items from the API every so often to generate a report. Can I just generate a one-time access key to use with that back-end service?
I've looked around the documentation, but it seemed like it all requires either a PAT or Azure Active Directory authorization/authentication.
Here's the docs for the API: Link
you can do something like this https://learn.microsoft.com/en-us/azure/devops/organizations/settings/manage-authorizations?toc=%2Fazure%2Fdevops%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdevops%2Forganizations%2Fbreadcrumb%2Ftoc.json&view=azure-devops
and
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
Basically authorize applications to use devops based on your credentials using oauth. similar to an app registration.
Thats the only way I can see without PAT and manual login each time.
Instead of your personal account, you could create a fake AAD user then add it to your Azure DevOps Service.
Use that account to create a Personal Access Token. Similar to Build Service account to pull source code/work items. This should be a easy way to track everything.
But the limitation here is also obvious: this needs involvement of IT department, and also causes additional costs, since every user is billed.
Allow personal access tokens that do not expire is not supported right now. There is a related user voice.
As an alternatively way you could use OAuth just as alphaz18 suggested. Details please refer-- Authorize access to REST APIs with OAuth 2.0
I did not found an answer for such specific question.
I have checked:
https://graph.microsoft.io/en-us/docs
I have also found the thread below, but it was not useful:
Microsoft Graph does not work with ADFS?
I would like to know how to get ADFS and Microsoft working together in a .NET MVC app. I did not found anything for that in https://graph.microsoft.io/en-us/code-samples-and-sdks
Thanks.
Per the other thread you reference - Office365/Azure AD can be federated with ADFS (using AD Connect or Azure AD PowerShell for example). Once this is in place, an app can use AAD to sign users in (using their corporate creds), and acquire access tokens to Microsoft Graph to access the signed-in user's cloud data (after consent is provided by the user).
We also support a preview of "hybrid deployments" which allows an app to be written once against Microsoft Graph, but can access a user's Outlook data whether the user's mailbox is hosted in Office365, outlook.com (personal email) or in an on-premises Exchange mailbox.
If this is the information you are looking for, please update your question to be more specific about your scenario, so that we can provide more help.
I am new to UWP and I am trying to make an app that includes sign in with Microsoft account. The problem is that I got very confused what API should I use and how to make the authentication.
After very long search I found that Microsoft have APIs and SDKs for everything - Outlook, OneDrive, Live, Office365, Microsoft Graph etc. But there is no clear documentation, what developer should use to authenticate a user and get his account details such as name and email.
It seems that the Live SDK could do the trick, but Microsoft state that this SDK is legacy and developers should use OndeDrive SDK. But OneDrive don't suit my needs, I can't get users email address and also I have to have developer account so I can build a sample app to test it. This is too much just for a test, isn't it?
After more research I found that Microsoft Graph could help, but it seems that it is only for business purposes or maybe I am wrong?
So in short what I try to achieve is making an app that let the user sign in with his Microsoft account. After successful authentication I need to get his account details so I can build him a profile in the app. And all of this I want to do it without having to make developer or business accounts.
Hope someone could help, becaouse the Microsoft documentation is very confusing.
Microsoft Graph does support the ability for you to sign in with a Microsoft Account, and then access the user's very basic profile and their personal consumer OneDrive and Outlook. Token acquisition is achieved through the new v2 endpoint (converged auth, that allows you to get a token for the signed in user, whether they are a consumer user through Microsoft Account or a commercial/business/school user through Azure AD).
I recommend taking a look at a couple of places. One place is https://graph.microsoft.io/en-us/docs/authorization/converged_auth and here on app registration and token acquisition: https://azure.microsoft.com/en-us/documentation/articles/active-directory-appmodel-v2-overview/ and here for get started for windows apps: https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-devquickstarts-wpf/. NOTE: This last one uses a preview/experimental client library.
Hope this helps,
I would like to authenticate against both Microsoft accounts and 'Work or School' accounts in a Azure multi-tenant environment. Each authentication type requires different requests. If I try to login as a Microsoft account against the 'work or school' request the login will fail at the Microsoft login and not return to my application.
Is there a way to query if a given email address is a 'Work or School' account against the Microsoft graph API?
If you use the REST api, it should automatically handle the two types of accounts.
However, it is in preview and might have restrictions or issues.
Here is a guide for using the REST api: http://graph.microsoft.io/en-us/docs/platform/rest
But be sure to check if that is acceptable to work with given the restrictions: https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-limitations/
Microsoft released a converged Azure AD v2 of the authentication model. This blog post explains how to register your app to be able to use it. It will allow you to authenticate against both Work or School Account and Microsoft account.
Also, there is a YouTube tutorial here.