How to use an Azure AD application from other tenants?
I am developing a native app that has to display the Office 365 groups the user is a member of. For this, I call the Microsoft Graph API which requires authentication. I'm using the ADAL library.
The permissions needed require admin consent. Everything works fine for users from my tenant, but when I try to authenticate with an account of another tenant it doesn't work. It keeps giving this result:
Correlation ID: 9780ed24-9d24-4604-b8bf-28a02c2ea580
Timestamp: 2017-04-14 12:05:45Z
AADSTS70001: Application with identifier 'xxxxxxxx-xxx-xxx-xxxx-xxxxxxxxxxxx' was not found in the directory XXXXXXX.onmicrosoft.com
even if I use an admin account on first connection. I am never asked for consent and the app is not registered on the other tenant.
The app is registered as Native so it should be multi-tenant and I pass "/common" as the tenant in the authority.
I also tried to register an app with the same specifications on the other tenant, gave admin consent on the permissions and it worked as well.
Here is how I retrieve the access token:
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // authority is the "/common" endpoint (https://login.microsoftonline.com/common);
    // graphResource, clientID and redirectURI are fields set elsewhere in the app.
    private static string GetAccessToken()
    {
        AuthenticationContext authContext = new AuthenticationContext(authority);
        // Interactive sign-in; RefreshSession asks the user to re-authenticate on the existing session.
        AuthenticationResult authResult = authContext.AcquireToken(graphResource, clientID, redirectURI, PromptBehavior.RefreshSession);
        var accessToken = authResult.AccessToken;
        return accessToken;
    }
Is it a problem within the code? The parameters? Do the other tenants need some 'special azure subscription' I'm not aware of?
In short: how do I make it work for other tenants?
Edit: I tried to manually add the "prompt=admin_consent" to the request, like this:
    AuthenticationResult authResult = authContext.AcquireToken(graphResource, clientID, redirectURI, PromptBehavior.RefreshSession, UserIdentifier.Any, "prompt=admin_consent");
But it triggers an error saying that there is a "Duplicate query parameter 'prompt' in extraQueryParameters"
This is a known issue in the new Azure portal when registering native client applications.
These are currently (as of 2017-04-14) being created as single-tenant applications. Since the Azure portal doesn't expose the "multi-tenant" toggle for native client applications, you need to update the app manifest or use Azure AD PowerShell to do this.
Make the app multi-tenant from the manifest
- In the Azure portal, from the native client application's settings blade, click the "Manifest" option.
- Update the availableToOtherTenants value to true.
- Save the manifest.
Make the app multi-tenant using Azure AD PowerShell
- Download the Azure AD PowerShell v2 module (AzureAD): https://docs.microsoft.com/en-us/powershell/azure/install-adv2?view=azureadps-2.0
- Run the following:
    $appId = "<app ID>"
    $app = Get-AzureADApplication -Filter "appId eq '$appId'"
    Set-AzureADApplication -ObjectId $app.ObjectId -AvailableToOtherTenants $true
That should patch it up. Wait a bit, then try again.
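As an added check-and-fix script (not part of the answer above, and not the module's own sample), this looks up the registration, changes the flag only when it is not already set, and reads the object back to confirm the write took effect. It assumes Connect-AzureAD has already been run as a user who can edit the app registration; the app ID is a placeholder.

```powershell
# Added example: verify the multi-tenant flag before and after changing it.
# Assumes Connect-AzureAD has already been run as a user who can edit the app registration.
$appId = "<app ID>"   # placeholder: the application (client) ID from the Azure portal

$app = Get-AzureADApplication -Filter "appId eq '$appId'"
if ($null -eq $app) {
    throw "No application with appId $appId in the signed-in tenant; connect to the tenant that owns the registration."
}

Write-Host "Application: $($app.DisplayName) (ObjectId $($app.ObjectId))"
Write-Host "AvailableToOtherTenants before: $($app.AvailableToOtherTenants)"

# Only write when needed, so a re-run on an already fixed app is a no-op.
if ($app.AvailableToOtherTenants -ne $true) {
    Set-AzureADApplication -ObjectId $app.ObjectId -AvailableToOtherTenants $true
}

# Read the object back rather than trusting the Set call; directory writes can lag.
$updated = Get-AzureADApplication -ObjectId $app.ObjectId
if ($updated.AvailableToOtherTenants -ne $true) {
    throw "AvailableToOtherTenants is still not true; wait a bit and re-run, or check the manifest in the portal."
}
Write-Host "AvailableToOtherTenants after: $($updated.AvailableToOtherTenants)"
```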