I am trying to allow access to my web API from an Angular SPA app which implements Azure AD user and Microsoft Personal Account (Hotmail.com, Outlook.com, etc.) authentication using the client-side MSAL library.
The following code allows access only to Azure AD users. Microsoft Personal account users' requests are rejected with 401 - Unauthorized.
//Controller Class code
[RoutePrefix("Subscription")]
[Authorize]
public class SubscriptionController : ApiController
{
    [Route("UserSubscriptions")]
    [HttpGet]
    public JsonResult<ApiResponse> GetUserSubscriptions()
    {
        var response = new CustomResponseClass();
        ....
        ....
        //DB Logic here to get the data and return it
        ....
        ....
        return Json(response);
    }
}
//OWIN Startup Class code
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = false,
                    ValidateAudience = false,
                    ValidateIssuerSigningKey = false,
                    ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
                    ValidAudience = ConfigurationManager.AppSettings["Audience"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["SecKey"])),
                    RoleClaimType = "roles"
                }
            });

        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions()
            {
                Tenant = "common",
                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = false,
                    ValidateIssuerSigningKey = false,
                    ValidateAudience = false,
                    RoleClaimType = "roles"
                }
            });
    }
}
I need a fix so that requests from Microsoft Personal Account users pass through to the web API successfully.
Thanks
Raghunathan S
the easiest is to use b2c
https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview
Hi @S.Raghu Nathan ,
Thanks for reaching out.
When you registered your application with the Microsoft identity platform, you specified who and which account types can access it.
You need to register your application as "AzureADandPersonalMicrosoftAccount" to allow users from personal Microsoft accounts to use your applications.
Make sure you selected the option below while registering the application:
Make sure to register a new application to avoid conflict with App URI ID.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if answer helped you.
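An added example, not code from this thread or from Microsoft: the question's startup code sets `ValidateIssuer = false` and `ValidateAudience = false` because a "common" endpoint has no single issuer. Once the app accepts both work/school and personal accounts, a custom issuer validator lets the API keep both checks enabled. It assumes v2.0 access tokens read as `JwtSecurityToken`; the class name, the `AllowedOrgTenants` allow-list and `BuildParameters` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

public static class MultiAudienceIssuer
{
    // Tenant id the Microsoft identity platform uses for personal accounts.
    public const string ConsumerTenantId = "9188040d-6c67-4c5b-b112-36a304b66dad";

    // Hypothetical allow-list of work/school tenant ids; empty accepts any tenant.
    public static readonly HashSet<string> AllowedOrgTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    // Signature matches TokenValidationParameters.IssuerValidator.
    public static string Validate(string issuer, SecurityToken token,
                                  TokenValidationParameters parameters)
    {
        var jwt = token as JwtSecurityToken;
        var tid = jwt?.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        Guid parsed;
        if (tid == null || !Guid.TryParse(tid, out parsed))
            throw new SecurityTokenInvalidIssuerException("Token has no valid tid claim.");

        // A v2.0 issuer embeds the issuing tenant; it must agree with the tid claim.
        var expected = "https://login.microsoftonline.com/" + tid + "/v2.0";
        if (!string.Equals(issuer, expected, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenInvalidIssuerException("Issuer does not match tid.");

        bool consumer = string.Equals(tid, ConsumerTenantId, StringComparison.OrdinalIgnoreCase);
        bool orgAllowed = AllowedOrgTenants.Count == 0 || AllowedOrgTenants.Contains(tid);
        if (!consumer && !orgAllowed)
            throw new SecurityTokenInvalidIssuerException("Tenant is not allowed.");
        return issuer;
    }

    // Parameters to pass to the bearer middleware instead of disabling the checks.
    public static TokenValidationParameters BuildParameters(string audience)
    {
        return new TokenValidationParameters
        {
            ValidateIssuer = true,
            IssuerValidator = Validate,
            ValidateAudience = true,
            ValidAudience = audience, // the aud value this API expects
            RoleClaimType = "roles"
        };
    }
}
```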