C# ASP.NET Web API Authenticating with Azure AD and Personal Microsoft Accounts

S.Raghu Nathan 1 Reputation point
2023-06-22T17:48:11.79+00:00

Hello All,

I am trying to allow access to my Web API for users authenticated with Azure AD or Microsoft Personal Accounts (Hotmail, Outlook, Live etc.).

The front-end application is an Angular SPA which uses the MSAL library to authenticate and invokes the Web API with the ID token in the "Authorization" header with the "Bearer" scheme.

Issue: I am able to successfully authenticate and allow access to the API with Azure AD users. When I try to authenticate with my personal Hotmail or Outlook.com account, the Web API call returns 401 Unauthorized.

Controller class:

```csharp
[RoutePrefix("Subscription")]
[Authorize]
public class SubscriptionController : ApiController
{
	[Route("UserSubscriptions")]
	[HttpGet]
	public JsonResult<ApiResponse> GetUserSubscriptions()
	{
		.....
		.....
		.....
		return Json(response);
	}
}
```

Startup.cs:

```csharp
public void ConfigureAuth(IAppBuilder app)
{
	JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
	app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
		{
			AuthenticationMode = AuthenticationMode.Active,
			TokenValidationParameters = new TokenValidationParameters()
			{
				ValidateIssuer = false,
				ValidateAudience = false,
				ValidateIssuerSigningKey = false,
				ValidIssuer = ConfigurationManager.AppSettings["Issuer"],
				ValidAudience = ConfigurationManager.AppSettings["Audience"],
				IssuerSigningKey = new SymmetricSecurityKey(
						Encoding.UTF8.GetBytes(
							ConfigurationManager.AppSettings["SecKey"])),
				RoleClaimType = "roles"
			}
		});

	app.UseWindowsAzureActiveDirectoryBearerAuthentication(
	new WindowsAzureActiveDirectoryBearerAuthenticationOptions()
	{
		Tenant = "common",
		TokenValidationParameters = new TokenValidationParameters()
		{
			ValidateIssuer = false,
			ValidateIssuerSigningKey = false,
			ValidateAudience = false,
			RoleClaimType = "roles"
		}
	});
}
```

Environment

Windows 11, IIS

.NET Framework 4.8

ASP.NET Web API Application using C#

Visual Studio 2019

Thanks,

Raghunathan S


1 answer

  1. Shweta Mathur 27,691 Reputation points Microsoft Employee
    2023-06-26T04:31:00.7966667+00:00

    Hi @S.Raghu Nathan ,

    Thanks for reaching out.

    When you registered your application with the Microsoft identity platform, you specified who and which account types can access it.

    You need to register your application as "AzureADandPersonalMicrosoftAccount" to allow users from personal Microsoft accounts to use your application.

    Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox): All users with a work or school, or personal Microsoft account can use your application or API. It includes schools and businesses that use Office 365 as well as personal accounts that are used to sign in to services like Xbox and Skype. Use this option to target the widest set of Microsoft identities and to enable multitenancy.

    Make sure you selected the option below while registering the application:

    User's image

    If you have already registered your application with the above option, please share the error you are getting to troubleshoot further.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
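
Added example, not part of the original question or answer: the `Startup.cs` in the question sets `ValidateIssuer`, `ValidateAudience` and `ValidateIssuerSigningKey` to `false`, and this shows one way to keep those checks on while still accepting both work/school and personal accounts. It assumes v2.0 ID tokens (issuer `https://login.microsoftonline.com/{tid}/v2.0`, audience equal to the app's client ID); the class, method and parameter names are hypothetical, and the caller is expected to supply the signing keys published in the identity platform's OpenID Connect metadata.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

// Added example: hypothetical helper, not code from the thread.
public static class MicrosoftAccountTokenValidation
{
    // Tenant ID the Microsoft identity platform puts in tokens for personal accounts.
    public const string PersonalAccountsTenantId = "9188040d-6c67-4c39-a649-43f5c12c8d76";

    // Assumption: v2.0 tokens, whose issuer embeds the tenant ID from the tid claim.
    private const string IssuerFormat = "https://login.microsoftonline.com/{0}/v2.0";

    // allowedTenants: lower-case tenant GUIDs; an empty set accepts any tenant.
    // Include PersonalAccountsTenantId in a non-empty set to admit personal accounts.
    public static TokenValidationParameters Build(
        string clientId, IEnumerable<SecurityKey> signingKeys, ISet<string> allowedTenants)
    {
        return new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = signingKeys,   // signature is checked against these keys
            ValidateAudience = true,
            ValidAudience = clientId,          // an ID token's aud is the app's client ID
            ValidateLifetime = true,
            ValidateIssuer = true,
            IssuerValidator = (issuer, token, parameters) =>
                ValidateIssuer(issuer, token as JwtSecurityToken, allowedTenants),
            RoleClaimType = "roles"
        };
    }

    // Accepts the issuer only if it is the v2.0 issuer for the token's own tenant.
    public static string ValidateIssuer(string issuer, JwtSecurityToken jwt, ISet<string> allowedTenants)
    {
        string tid = jwt?.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        if (!Guid.TryParse(tid, out Guid tenant))
            throw new SecurityTokenInvalidIssuerException("Token has no valid tid claim.");

        string tenantId = tenant.ToString("D");
        if (!string.Equals(issuer, string.Format(IssuerFormat, tenantId), StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenInvalidIssuerException("Issuer does not match the token's tenant.");

        if (allowedTenants.Count > 0 && !allowedTenants.Contains(tenantId))
            throw new SecurityTokenInvalidIssuerException("Tenant is not on the allow-list.");
        return issuer;
    }
}
```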