Multiple authentication schemes do not work on Azure (app fails to start)

Question

I try to work with two app registrations that uses one app service.

appsettings.json

"AzureAdInternal": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "demo.example.com",
    "TenantId": "tenantId",
    "ClientId": "clientId",
    "ClientSecret": "clientSecret",
    "CallbackPath": "/signin-oidc"
  },
  "AzureAdExternal": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "demo.example.com",
    "TenantId": "tenantId",
    "ClientId": "clientId",
    "ClientSecret": "clientSecret",
    "CallbackPath": "/signin-oidc"
	}

Program.cs

// Multiple authentication (internal/external)
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection(Configuration.AzureActiveDirectoryInternalIdentifier), 
    OpenIdConnectDefaults.AuthenticationScheme)
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection(Configuration.MicrosoftGraphIdentifier))
            .AddInMemoryTokenCaches();

builder.Services.AddAuthentication()
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection(Configuration.AzureActiveDirectoryExternalIdentifier),
    "AzureAD", "cookiesAzureAD")
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection(Configuration.MicrosoftGraphIdentifier))
            .AddInMemoryTokenCaches();

Locally, it works, but during the publishing process in VS2022 the app fails to start.

Unhandled exception. System.InvalidOperationException: Scheme already exists: AppServicesAuthentication
   at Microsoft.AspNetCore.Authentication.AuthenticationOptions.AddScheme(String name, Action`1 configureBuilder)
   at Microsoft.AspNetCore.Authentication.AuthenticationBuilder.<>c__DisplayClass4_0`2.

Answer 1

Hi @Jörg Auberg,

It seems that you have a misunderstanding about the multi-tenant app.

When we create an app in App Registrations, we are already asked to choose whether the type of app is single-tenant or multi-tenant.

So in the appsetting.json code, we only need to configure the configuration of an AzureAd. TenantId needs to be modified to common.

Up to now, not all users of the organization can log in, and the administrator of the other tenant needs to authorize it, please refer to the following document.

Grant tenant-wide admin consent to an application

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,

Jason

Answer 2

@Jörg Auberg

I dug a little deeper into this and it seems like you're doing something very similar to https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes. So, when reviewing the error message you're getting, an AppServicesAuthentication scheme is being added. I was able to find that being used as a constant in AppServicesAuthenticationDefaults. It depends on when you're getting the exception, but I'm willing to bet your second call to builder.Services.AddAuthentication() is attempting to add the scheme with that default name.

To fix, you can either add different scheme name, or determine where that scheme name is being added to the services collection.