Authenticate and authorize all Microsoft accounts, including personal accounts and other tenants

2021-11-02T07:03:03.727+00:00

Hello,
I am new to authentication and have tried to follow many Microsoft forums for setting up authentication and authorization for my Angular front end + .Net Core API, but could not complete it successfully.

So far I am able to authenticate only Microsoft tenant users.

Below is my MSAL config on the Angular side for front-end authentication.

All my app registrations support 'All Microsoft account users', i.e. including Microsoft personal accounts like Hotmail, Live, etc.

```typescript
export const authConfig = {
  clientId: 'd10e4d98-e7c57151bcf1-*',
  authority: 'https://login.microsoftonline.com/common/',
  redirectUri: 'http://localhost:4200',
  graphEndpoint: 'https://graph.microsoft.com/v1.0/me',
  consentScopes: [
    'api://fd51sdf-e4sdf-4e07-9dc9-/MyAppName.ReadAll'
  ],
};
```

Below is the code in the API-side Startup class:

```csharp
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
    .AddAzureADBearer(options => Configuration.Bind("AzureActiveDirectory", options));
```

appsettings config:

```json
"AzureActiveDirectory": {
  "Instance": "https://login.microsoftonline.com/",
  "SubscriptionId": "*****",
  "TenantId": "common",
  "ClientId": "api://fd51sdf-e4sdf-4e07-9dc9-**",
  "ClientSecret": "arMTdfdfdwZTf*****"
}
```

The issue I am getting with this config is: after I log in with my personal Hotmail account I get 401 Unauthorized for all API calls, irrespective of role. Below is the error.

```text
Bearer error="invalid_token", error_description="The audience 'api://fd51sdf-e4sdf-4e07-9dc9-**' is invalid"
```

Could you please let me know if there is any problem with the configuration?


Accepted answer

CarlZhao-MSFT, 37,216 Reputation points
2021-11-08T08:45:56.083+00:00

Hi dear @Nagarjuna Aravapalli (Capgemini America, Inc.)

Since you are performing cross-tenant access, you must add the .Net Core API application and the Angular application as enterprise applications to the target tenant. You only need to run the admin consent URL in your browser, log in with the target tenant's administrator and consent to it (please note that you must first add the .Net Core API application to the target tenant). After that, the application will create a service principal in the enterprise applications of the target tenant.

https://login.microsoftonline.com/{target tenant id}/adminconsent?client_id={client-id}

Then you will be able to use the users of the target tenant to log in to the Angular application to complete the authorization and call the .Net Core API application.

More references for cross-tenant access in multi-tenant applications: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent


Additional answer

AmanpreetSingh-MSFT, 56,311 Reputation points
2021-11-02T13:43:16.273+00:00

Hi @Nagarjuna Aravapalli (Capgemini America, Inc.), thank you for reaching out.

Looking at the details that you have provided, I suspect that you are getting this error because you have acquired a token using scope api://fd51sdf-e4sdf-4e07-9dc9-*/MyAppName.ReadAll but you are trying to consume the token against the Graph API. In this case, the token that you get contains an aud (audience) claim of api://fd51sdf-e4sdf-4e07-9dc9-*, which can only be consumed against your custom API and not the Graph API.

In order to make a Graph call at the https://graph.microsoft.com/v1.0/me endpoint, the audience claim in the token must be "aud": "00000003-0000-0000-c000-000000000000", which is the GUID of the Graph API. I would suggest updating your code to acquire a token with scope https://graph.microsoft.com/.default and then use that token as the bearer token.

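Both answers turn on the same security property: an access token is minted for one resource, named in its `aud` claim, and every API must reject a token whose `aud` is not its own, so a token acquired for `api://.../MyAppName.ReadAll` is useless against Graph and a Graph token is useless against the custom API. The snippet below is an added diagnostic, not code from the question or from either answer. It decodes a token's payload (without verifying the signature, which is fine for triage but is not a substitute for the API's own validation) and reports which audience the token carries and whether a given API should accept it. It uses a hypothetical client ID and constructs unsigned sample tokens inline; Microsoft's documented behaviour that a v2.0 access token carries the API's client ID as `aud` while a v1.0 token carries the App ID URI (`api://<client-id>`) is why `acceptedAudiencesFor` returns both forms, which matters here because personal Microsoft accounts receive v2.0 tokens. Node's `Buffer` is used for base64url handling.

```typescript
// Added example, not part of the original post or answers: inspect the
// `aud` claim of an Entra ID / MSAL access token and decide whether a
// given API should accept it. The signature is NOT checked here; a real
// API must validate issuer, signature, expiry and audience together.

// Well-known application ID of Microsoft Graph, as quoted in the answer above.
const GRAPH_AUDIENCE = "00000003-0000-0000-c000-000000000000";

// Hypothetical API client ID (the real one on the page is masked).
const API_CLIENT_ID = "11111111-2222-3333-4444-555555555555";

interface AudienceCheck {
  aud: string[];            // audience(s) found in the token
  ver: string | undefined;  // "1.0" or "2.0" in Entra ID tokens, when present
  accepted: boolean;        // true if any aud matches an accepted audience
}

// base64url -> UTF-8 string. JWT segments are base64url without padding.
function decodeSegment(segment: string): string {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Decode the claims of a compact JWS (header.payload.signature) without verifying it.
function decodeClaims(token: string): Record<string, unknown> {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT (expected 3 dot-separated segments)");
  }
  return JSON.parse(decodeSegment(parts[1])) as Record<string, unknown>;
}

// Audiences an API registered with `clientId` should accept: the App ID URI
// form seen in v1.0 tokens and the bare client ID seen in v2.0 tokens.
function acceptedAudiencesFor(clientId: string): string[] {
  return [`api://${clientId}`, clientId];
}

// Report the token's audience(s) and whether one of `accepted` matches.
function checkAudience(token: string, accepted: string[]): AudienceCheck {
  const claims = decodeClaims(token);
  const raw = claims["aud"];
  // RFC 7519: `aud` may be a single string or an array of strings.
  const aud: string[] = Array.isArray(raw) ? raw.map(String) : raw === undefined ? [] : [String(raw)];
  const ver = typeof claims["ver"] === "string" ? (claims["ver"] as string) : undefined;
  return { aud, ver, accepted: aud.some((a) => accepted.includes(a)) };
}

// Constructed sample tokens: unsigned ("alg": "none", empty signature), for illustration only.
function fakeToken(payload: Record<string, unknown>): string {
  const enc = (o: unknown): string =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

// Token minted for the custom API via scope api://<id>/MyAppName.ReadAll, v1.0 shape.
const apiTokenV1 = fakeToken({ aud: `api://${API_CLIENT_ID}`, ver: "1.0", scp: "MyAppName.ReadAll" });
// Same API, v2.0 shape (what a personal account gets): aud is the bare client ID.
const apiTokenV2 = fakeToken({ aud: API_CLIENT_ID, ver: "2.0", scp: "MyAppName.ReadAll" });
// Token minted for Microsoft Graph via scope https://graph.microsoft.com/.default.
const graphToken = fakeToken({ aud: GRAPH_AUDIENCE, ver: "1.0", scp: "User.Read" });

// Triage table: which resource accepts which token.
const apiAudiences = acceptedAudiencesFor(API_CLIENT_ID);
const samples: Array<[string, string]> = [
  ["apiTokenV1", apiTokenV1],
  ["apiTokenV2", apiTokenV2],
  ["graphToken", graphToken],
];
for (const [name, t] of samples) {
  const forApi = checkAudience(t, apiAudiences);
  const forGraph = checkAudience(t, [GRAPH_AUDIENCE]);
  console.log(`${name}: aud=${forApi.aud.join(",")} ver=${forApi.ver} ` +
    `-> custom API accepts? ${forApi.accepted}; Graph accepts? ${forGraph.accepted}`);
}
```

Run it with `npx tsx` (or compile with `tsc` and run under Node) to see that the Graph-bound token is rejected by the custom API and the API-bound tokens are rejected by Graph. The same split explains the page's setup: the Angular app needs one token per resource, requesting `api://.../MyAppName.ReadAll` for calls to the .Net Core API and `https://graph.microsoft.com/.default` (or a specific Graph scope) for calls to `/v1.0/me`, and the API's configured audience has to match the form the token actually carries, App ID URI for v1.0 tokens and bare client ID for v2.0 tokens.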