question

WalterGandarella-0944 asked AnshulKumarMINDTREELIMITED-5501 commented

Sign-in with "Accounts in this organizational directory only - single tenant" does not work with MSAL Android library

Describe the bug
We are having a serious problem when trying to log in via Azure AD Single-tenant.
We've read many forums and many other issues and no solution or answer seems to explain how to correctly configure a native android application, using msal library, to work as it should.
The error says that we are using an incompatible endpoint, but there is no way to force an endpoint in the current configuration of the msal.config file. We are currently with our hands tied.

We did all the setup correctly. We chose "Accounts in this organizational directory only - single tenant" in Supported Account Types.
We configured the return URLs using package name + sha when adding the Android platform.
We configured msal_config.json as shown:

 {
   "client_id": "my-client-id",
   "redirect_uri": "msauth://my-package-name/sha",
   "broker_redirect_uri_registered": true,
   "authorities": [
     {
       "type": "AAD",
       "audience": {
         "type": "AzureADMyOrg",
         "tenant_id": "my-tenant-id"
       }
     }
   ]
 }

We configured the intent-filter in the Android manifest as shown:

 <activity
     android:name="com.microsoft.identity.client.BrowserTabActivity">
     <intent-filter>
       <action android:name="android.intent.action.VIEW" />
       <category android:name="android.intent.category.DEFAULT" />
       <category android:name="android.intent.category.BROWSABLE" />
       <data
         android:scheme="msauth"
         android:host="my-package-name"
         android:path="/sha" />
     </intent-filter>
 </activity>


Smartphone (please complete the following information):

Device: OnePlus 3T
Android Version: 9
Browser: Chrome and Edge
MSAL Version: 2.+

Stacktrace

 Authentication failed: com.microsoft.identity.client.exception.MsalServiceException: AADSTS50194: Application 'my-tenant-id-here'(PORTAL_APPGAMIFICATION) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
     Trace ID: db590646-c5c9-4c06-8af5-d826f4127301
     Correlation ID: cafd4040-eb7c-4ebb-ac08-3950048fd58e
     Timestamp: 2021-07-12 10:17:58Z


To Reproduce
Steps to reproduce the behavior:

1 - Set up an Azure app with single-tenant
2 - Configure the android platform with your package name and the sha generated with your subscription key
3 - Configure msal.config as indicated above
4 - Try running the app on your mobile

Expected behavior
It was expected that the token would be returned and the login process would complete.

Actual Behavior
The login process runs well halfway through. The app correctly opens the Microsoft login screen, you can fill in the user's email and password, but when you go to log in, this error appears in the Android log:

 Application 'my-tenant-id-here'(PORTAL_APPGAMIFICATION) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

Additional context
We don't want multi-tenant. We don't want any logins that aren't from within our organization's directory. It makes no sense to reconfigure Azure AD to "multi-tenant"; the library should work fine with the single-tenant option.

Tags: azure-active-directory, azure-ad-msal
Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

1 Answer

JamesHamil-MSFT answered

Hi @WalterGandarella-0944, the error message you're receiving is because you're using the /common endpoint; you should be using a tenant-specific endpoint.


Error message:

Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.


Endpoint example of /common - https://login.microsoftonline.com/common

You should be using a tenant-specific endpoint - https://login.microsoftonline.com/contoso.onmicrosoft.com


Please let me know if this fixes your problem or if you have any questions.

If this answer helped you please mark it as "Verified" so other users may reference it.

Thank you,
James
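The answer turns on the difference between the /common authority and a tenant-specific one, and the question's msal_config.json and manifest are exactly the two files that decide which authority and redirect URI MSAL ends up using. The script below is an added example (not from the question, the answer, or the MSAL library) that lints such a config against its manifest: it resolves each "authorities" entry to the authority URL MSAL would use (the audience-type-to-path mapping follows MSAL for Android's documented config schema), flags a /common or /organizations authority for an app whose registration is single-tenant, and checks that redirect_uri matches a BrowserTabActivity intent-filter. The function names, the `single_tenant_app` flag, and the sample config and manifest (which reuse the question's placeholders) are all constructed for this example.

```python
"""Lint an MSAL-for-Android msal_config.json against its AndroidManifest.xml.

Added example, not MSAL code. Two checks:
1. Each AAD authority entry is resolved to the authority URL MSAL would use;
   for a single-tenant app registration, /common or /organizations is flagged,
   since that combination is what AADSTS50194 rejects.
2. redirect_uri must match a <data> element of the BrowserTabActivity filter.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import unquote

LOGIN_HOST = "https://login.microsoftonline.com"
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BROWSER_TAB_ACTIVITY = "com.microsoft.identity.client.BrowserTabActivity"

# Audience type -> authority path (MSAL for Android config schema).
# AzureADMyOrg is handled separately because it needs the tenant_id.
AUDIENCE_PATH = {
    "AzureADMultipleOrgs": "organizations",
    "AzureADandPersonalMicrosoftAccount": "common",
    "PersonalMicrosoftAccount": "consumers",
}


def authority_url(authority: dict) -> str:
    """Return the authority URL for one entry of the 'authorities' array."""
    if authority.get("type") == "B2C":
        return authority["authority_url"]
    audience = authority.get("audience") or {}
    kind = audience.get("type", "AzureADandPersonalMicrosoftAccount")
    if kind == "AzureADMyOrg":
        tenant = audience.get("tenant_id")
        if not tenant:
            raise ValueError("AzureADMyOrg audience requires a tenant_id")
        return f"{LOGIN_HOST}/{tenant}"
    if kind not in AUDIENCE_PATH:
        raise ValueError(f"unknown audience type {kind!r}")
    return f"{LOGIN_HOST}/{AUDIENCE_PATH[kind]}"


def declared_redirects(manifest_xml: str) -> list[str]:
    """Collect scheme://host/path URIs declared on the BrowserTabActivity."""
    root = ET.fromstring(manifest_xml)
    uris = []
    for activity in root.iter("activity"):
        if activity.get(ANDROID_NS + "name") != BROWSER_TAB_ACTIVITY:
            continue
        for data in activity.iter("data"):
            scheme = data.get(ANDROID_NS + "scheme", "")
            host = data.get(ANDROID_NS + "host", "")
            path = data.get(ANDROID_NS + "path", "")
            uris.append(f"{scheme}://{host}{path}")
    return uris


def lint_config(config_json: str, manifest_xml: str,
                single_tenant_app: bool = True) -> list[str]:
    """Return findings; an empty list means config and manifest agree."""
    config = json.loads(config_json)
    findings = []
    for entry in config.get("authorities", []):
        url = authority_url(entry)
        if single_tenant_app and url.rsplit("/", 1)[1] in ("common", "organizations"):
            findings.append(f"authority {url} is not tenant-specific; a "
                            f"single-tenant registration gets AADSTS50194")
    # redirect_uri carries the URL-encoded signature hash; the manifest path is decoded.
    redirect = unquote(config.get("redirect_uri", ""))
    manifest_uris = declared_redirects(manifest_xml)
    if redirect not in manifest_uris:
        findings.append(f"redirect_uri {redirect!r} has no matching "
                        f"{BROWSER_TAB_ACTIVITY} intent-filter (found {manifest_uris})")
    return findings


# Constructed sample inputs reusing the question's placeholders.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name="com.microsoft.identity.client.BrowserTabActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="msauth" android:host="my-package-name" android:path="/sha" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

SINGLE_TENANT_CONFIG = json.dumps({
    "client_id": "my-client-id",
    "redirect_uri": "msauth://my-package-name/sha",
    "broker_redirect_uri_registered": True,
    "authorities": [{"type": "AAD",
                     "audience": {"type": "AzureADMyOrg", "tenant_id": "my-tenant-id"}}],
})

# Same app, but with the default audience: resolves to /common and is flagged.
COMMON_CONFIG = json.dumps({
    "client_id": "my-client-id",
    "redirect_uri": "msauth://my-package-name/sha",
    "authorities": [{"type": "AAD",
                     "audience": {"type": "AzureADandPersonalMicrosoftAccount"}}],
})

if __name__ == "__main__":
    for name, cfg in (("single-tenant", SINGLE_TENANT_CONFIG), ("common", COMMON_CONFIG)):
        print(name, lint_config(cfg, MANIFEST) or "OK")
```

Run against the question's own values the single-tenant config lints clean, which means the audience block is already tenant-specific; the same script reports the /common authority the moment the audience is left at its default, so it is a quick way to confirm which of the two cases the answer describes a given build is actually in.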
