How do I register an app in a client's Active Directory using my multi-tenant app in Microsoft Azure?
I have registered a multi-tenant app in my Azure subscription. Using this app, I want to create an OAuth flow so that my client is able to give me permission to create an app in his Active Directory.
We are using the OpenID Connect flow to access the Azure AD Graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz@outlook.com) tries to sign in:
User account 'xyz@outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me resolve this error.
Unfortunately, you cannot use a guest user to log in to Azure AD Graph Explorer for now.
I came across the same issue as yours a long time ago and I understand it's very important for customers. So, you can post your idea on this User Voice page and the Azure team will see it. I will also upvote it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory whose UPN ends with .onmicrosoft.com
Solution 2: Try to use other tools to get an access token with a guest user (this account also needs to be an admin of that directory), such as Postman. Then you can use Postman to call the Azure AD Graph API. You can refer to this blog to use the Azure AD Graph API with Postman.
Hope this helps!
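The authorization request in the question is reproduced below as an added example (it is not code from the question or the answer). It builds the same admin-consent request against the v1 /common/oauth2/authorize endpoint, but with unguessable state and nonce values instead of the fixed nonce=1234, and then checks the nonce, audience and tenant (tid) of the id_token that comes back, since with /common the token can be issued by any directory. The client id, redirect URI and the sample token are constructed placeholders; signature verification against the tenant's signing keys is left out and must be done in a real deployment.

```python
"""
Added example (not code from the original question or answer): build the same
admin-consent authorization request the question uses against the v1
/common/oauth2/authorize endpoint, but with random state and nonce values, and
check the nonce and tenant of the id_token that comes back. The client id,
redirect URI and the sample token below are constructed placeholders.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
GRAPH_RESOURCE = "https://graph.windows.net"  # Azure AD Graph, as in the question


def new_token() -> str:
    """Unguessable value for state and nonce (the question hard-codes nonce=1234)."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(client_id: str, redirect_uri: str, state: str, nonce: str) -> str:
    """Same parameters as the question's URL plus a state value bound to the session."""
    params = {
        "client_id": client_id,
        "response_mode": "form_post",
        "response_type": "code id_token",   # urlencode emits this as code+id_token
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",          # a tenant admin consents for the whole directory
        "nonce": nonce,
        "state": state,
        "resource": GRAPH_RESOURCE,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Parse a URL's query string into single-valued parameters (inspection helper)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample id_token (alg none, dummy signature) for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload. Signature verification against the tenant's
    signing keys is out of scope here and is mandatory in production."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(id_token: str, expected_nonce: str, client_id: str) -> str:
    """Return the issuing tenant id after checking nonce, audience and issuer/tid agreement.

    With /common the token may come from any Azure AD tenant, so the caller
    decides from the returned tid whether that directory is one it expects."""
    claims = id_token_claims(id_token)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not issued for this login attempt")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this application")
    tid = claims.get("tid")
    if not tid:
        raise ValueError("no tid claim")
    # v1 endpoint tokens carry the tenant-specific STS issuer
    if claims.get("iss") != f"https://sts.windows.net/{tid}/":
        raise ValueError("issuer does not match tid")
    return tid


def token_accepted(id_token: str, expected_nonce: str, client_id: str) -> bool:
    """Boolean wrapper around check_id_token for callers that only need accept/reject."""
    try:
        check_id_token(id_token, expected_nonce, client_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cid = "00000000-0000-0000-0000-000000000000"  # placeholder client id
    state, nonce = new_token(), new_token()
    print(build_admin_consent_url(cid, "http://localhost:8080", state, nonce))
```

Store state and nonce server-side (or in an HttpOnly cookie) before redirecting, and compare both when the form_post response arrives; the tid returned by check_id_token is what tells you which customer directory actually consented.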