
We registered an application in Azure using our company account. We set it up as a web-app type and set signInAudience to AzureADandPersonalMicrosoftAccount.

When we sign in to our web app with a company account it works, but when we use a personal Microsoft account with a hotmail address we get the following message:

AADSTS50020: User account '*********@hotmail.com' from identity provider 'live.com' does not exist in tenant '*********' and cannot access the application '******'(***-api) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

We have double-checked all the settings and they look valid. We have run out of ideas. Here is a version of our manifest:

{
    "id": "**********",
    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": 2,
    "addIns": [],
    "allowPublicClient": null,
    "appId": "*********",
    "appRoles": [],
    "oauth2AllowUrlPathMatching": false,
    "createdDateTime": "2020-08-04T14:32:25Z",
    "groupMembershipClaims": "None",
    "identifierUris": [
        "https://***.company.be"
    ],
    "informationalUrls": {
        "termsOfService": "https://www.company.be/legals/gebruiksvoorwaarden",
        "support": null,
        "privacy": "https://www.company.be/legals/privacy",
        "marketing": null
    },
    "keyCredentials": [],
    "knownClientApplications": [],
    "logoUrl": "https://secure.aadcdn.microsoftonline-p.com/...",
    "logoutUrl": null,
    "name": "***-api",
    "oauth2AllowIdTokenImplicitFlow": true,
    "oauth2AllowImplicitFlow": false,
    "oauth2Permissions": [],
    "oauth2RequirePostResponse": false,
    "optionalClaims": {
        "idToken": [
            {
                "name": "email",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "family_name",
                "source": null,
                "essential": false,
                "additionalProperties": []
            },
            {
                "name": "given_name",
                "source": null,
                "essential": false,
                "additionalProperties": []
            }
        ],
        "accessToken": [],
        "saml2Token": []
    },
    "orgRestrictions": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [
        {
            "customKeyIdentifier": null,
            "endDate": "2299-12-30T23:00:00Z",
            "keyId": "**********",
            "startDate": "2020-08-04T14:47:56.759Z",
            "value": null,
            "createdOn": "2020-08-04T14:47:58.647043Z",
            "hint": "gIh",
            "displayName": "*****-api clientSecret"
        }
    ],
    "preAuthorizedApplications": [],
    "publisherDomain": "company.be",
    "replyUrlsWithType": [
        {
            "url": "http://localhost:3000/link/microsoft/callback",
            "type": "Web"
        },
        {
            "url": "https://api.copmpany.be/link/microsoft/callback",
            "type": "Web"
        },
        {
            "url": "https://api.copmpany.be/auth/microsoft/callback",
            "type": "Web"
        },
        {
            "url": "https://api.staging.copmpany.be/link/microsoft/callback",
            "type": "Web"
        },
        {
            "url": "https://api.staging.copmpany.be/auth/microsoft/callback",
            "type": "Web"
        },
        {
            "url": "http://localhost:3000/auth/microsoft/callback",
            "type": "Web"
        }
    ],
    "requiredResourceAccess": [
        {
            "resourceAppId": "***",
            "resourceAccess": [
                {
                    "id": "****",
                    "type": "Scope"
                },
                {
                    "id": "***",
                    "type": "Scope"
                },
                {
                    "id": "***",
                    "type": "Scope"
                },
                {
                    "id": "***",
                    "type": "Scope"
                },
                {
                    "id": "***",
                    "type": "Scope"
                }
            ]
        }
    ],
    "samlMetadataUrl": null,
    "signInUrl": "https://www.company.be",
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "tags": [
        "webApp",
        "notApiConsumer"
    ],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    }
}
3 Answers


If your business scenario does not need access to the tenant's resources (for example calling the MS Graph API for the tenant), then in addition to Sarthak's answer you can also change your authority URI to the public endpoint that supports MSA, with no need to invite the user into the tenant. See the documentation on authority endpoints. Choose your solution according to your business scenario.

answered 2020-08-25T02:47:52.280

From your manifest file I can see that your application is already registered as multi-tenant, so there is no need to change any settings.

Before we sign in as an external user or connect to our Azure Active Directory, that user should be invited. Please follow these steps:

  1. Go here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers
  2. Invite the user as a guest user.
  3. The invited user will then receive an invitation; accept it first.
  4. Try accessing the web application again.
  5. It will definitely work.
answered 2020-08-21T21:24:03.323

The application should be registered as multi-tenant for this to work.

answered 2020-08-21T15:05:34.540