如何使用其他租户的Azure AD应用程序?
[英]How can I use my Azure AD app from another tenant?
问题描述
I am developping a native app that has to display the Office 365 groups the user is a member of. 
我正在开发一个本机应用程序,该应用程序必须显示用户所属的Office 365组。 For this, I call the Microsoft Graph API wich requires authentication. 为此,我将Microsoft Graph API称为需要身份验证。 I'm using the ADAL library. 我正在使用ADAL库。
The permissions needed require admin consent. 所需的权限需要管理员同意。 Everything works fine for users from my tenant, but when I try to authenticate with an account of another tenant it doesn't work. 一切对于租户中的用户都可以正常使用,但是当我尝试通过另一个租户的帐户进行身份验证时,它将无法正常工作。 It keeps giving this result : 它不断给出以下结果:
Correlation ID: 9780ed24-9d24-4604-b8bf-28a02c2ea580
Timestamp: 2017-04-14 12:05:45Z
AADSTS70001: Application with identifier 'xxxxxxxx-xxx-xxx-xxxx-xxxxxxxxxxxx' was not found in the directory XXXXXXX.onmicrosoft.com
even if I use an admin account on first connection. 即使我在第一次连接时使用管理员帐户。 I am never asked for consent and the app is not registered on the other tenant. 我从未征求您的同意,并且该应用程序未在其他租户上注册。
The app is registered as Native so it should be multi-tenant and I pass "/common" as the tenant in the authority. 该应用程序已注册为“本机”,因此应为多租户,并且我通过“ / common”作为授权机构中的租户。
I also tried to register an app with the same specifications on the other tenant, gave admin consent on the permissions and it worked as well. 我还尝试在其他租户上注册具有相同规范的应用程序,征得管理员对权限的同意,并且该功能同样有效。
Here is how I retrieve the access token : 这是我检索访问令牌的方法:
private static string GetAccessToken()
{
AuthenticationContext authContext = new AuthenticationContext(authority);
AuthenticationResult authResult = authContext.AcquireToken(graphResource, clientID, redirectURI, PromptBehavior.RefreshSession);
var accessToken = authResult.AccessToken;
return accessToken;
}
Is it a problem within the code?The parameters? 代码内有问题吗?参数? Do the other tenants need some 'special azure subscription' I'm not aware of? 其他租户是否需要一些我不知道的“特殊天蓝色订阅”?
In short : How do I get it to work for other tenants? 简而言之: 如何使它适用于其他租户?
Edit : I tried to manually add the "prompt=admin_consent" to the request, like this : 编辑 :我试图手动将“提示= admin_consent”添加到请求,像这样:
AuthenticationResult authResult = authContext.AcquireToken(graphResource, clientID, redirectURI,PromptBehavior.RefreshSession, UserIdentifier.Any, "prompt=admin_consent");
But it triggers an error saying that there is a "Duplicate query parameter 'prompt' in extraQueryParameters" 但是它触发一个错误,指出“在ExtraQueryParameters中存在重复的查询参数'prompt'”
1 个解决方案
解决方案1
4 已采纳 2017-04-14 13:41:40
This is a known issue in the new Azure portal when registering native client applications. 注册本机客户端应用程序时,这是新Azure门户中的一个已知问题。
These are currently (as of 2017-04-14) being created as single-tenant applications. 当前(截至2017-04-14),这些文件已作为单租户应用程序创建。 Since the Azure portal doesn't expose the "multi-tenant" toggle for native client applications, you need to update the app manifest or use Azure AD PowerShell to do this. 由于Azure门户不会公开本机客户端应用程序的“多租户”切换,因此您需要更新应用程序清单或使用Azure AD PowerShell来执行此操作。
Making an app multi-tenant from the manifest 从清单中使应用成为多租户
In the Azure portal, from the settings blade for your native client application, click the Manifest option.
在Azure门户中,从本机客户端应用程序的设置刀片中,单击“ 清单”选项。 Update the
availableToOtherTenantsvalue totrue.将availableToOtherTenants值更新为true。Save the manifest.
保存清单。
Making an app multi-tenant with Azure AD PowerShell 使用Azure AD PowerShell使应用成为多租户
- Download the Azure AD PowerShell v2 module (AzureAD): https://docs.microsoft.com/en-us/powershell/azure/install-adv2?view=azureadps-2.0 下载Azure AD PowerShell v2模块(AzureAD): https ://docs.microsoft.com/zh-cn/powershell/azure/install-adv2 ? view = azureadps-2.0
Run the following:
运行以下命令: $appId = "<app ID>" $app = Get-AzureADApplication -Filter "appId eq '$appId'" Set-AzureADApplicatoin -ObjectId $app.ObjectId -AvailableToOtherTenants $true
That should patch it up. 那应该修补它。 Wait a bit, then try again. 请稍等,然后重试。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.