Issues with OpenIdConnect and MS Identity Web

Question

Issues with OpenIdConnect and MS Identity Web

Fabian Homann 46

I use OpenId Authentication combined with MS Identity Web within a .NET6 Razorpage Project.

I can log in with an account with Global Admin and "TENANT.onmicrosoft.com" and am redirected to /Index. As soon as I want to log in with a "mail" account without role, I get the following error message after the "Do you want to log in permanently?":

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS500208: The domain is not a valid login domain for the account type. Trace ID: d1fa4b6a-f9d2-4b89-89f6-1b25e5ac0600 Correlation ID: ef98b16d-b46e-4062-bacc-9bd6b136ab24 Timestamp: 2024-01-08 10:29:19Z', error_uri: 'error_uri is null'.

This error occurs on the /signin-oidc page.

I have configured the application for this as follows:

Web redirect URI's:

https://localhost:xxxx/signin-oidc

https://localhost:xxxx/Index

URL for front channel logout:

https://localhost:xxxx/signout-oidc

✔️ Access tokens (used for implicit flows)

✔️ ID token (used for implicit and hybrid flows)

✔️ Accounts in any organizational directory (any Microsoft Entra ID client - multi-tenant capable)

In addition, a user flow with email one-time passcode and Google, Facebook runs behind it.

If a user logs in with Global Admin with the following criteria:

Identities ExternalAzureAD

User type Member

it works.

As soon as Global Admin is revoked, the error shown above appears again. So it seems to be a rights problem?

Greetings.

Farid Uddin Kiron MSFT 456 Reputation points Microsoft External Staff

2024-01-09T08:13:51.7866667+00:00

Well according to your error message, the issue particularly related to the account type and login domain. First of all, ensure that the Azure AD tenant is configured properly to allow both Microsoft accounts (personal accounts) and work or school accounts. You can do this in the Azure portal by navigating to Azure Active Directory -> Authentication -> Supported account types.

In addition, make sure, "Supported account types" are configured appropriately for instance, it should be Accounts in any organizational directory and personal Microsoft accounts.

Most importantly, compare the redirect URIs configured in your Azure AD application with those in your .NET application's code double check they match exactly, including any trailing slashes
Fabian Homann 46 Reputation points

2024-01-09T08:51:36.7833333+00:00

Hi!
Thank you for your answer.

I have created a new app registration with "Multitenant" & personal MS accounts.

Unfortunately this gives the same error message.

The user I am trying to register has the User type: Member and Identities: Mail

(one time passcode)

I should mention that this is a customer tenant.

I have double checked the URI's.

1 answer

Your answer

Farid Uddin Kiron MSFT 456 Reputation points Microsoft External Staff

2024-01-09T08:13:51.7866667+00:00

Well according to your error message, the issue particularly related to the account type and login domain. First of all, ensure that the Azure AD tenant is configured properly to allow both Microsoft accounts (personal accounts) and work or school accounts. You can do this in the Azure portal by navigating to Azure Active Directory -> Authentication -> Supported account types.

In addition, make sure, "Supported account types" are configured appropriately for instance, it should be Accounts in any organizational directory and personal Microsoft accounts.

Most importantly, compare the redirect URIs configured in your Azure AD application with those in your .NET application's code double check they match exactly, including any trailing slashes
Fabian Homann 46 Reputation points

2024-01-09T08:51:36.7833333+00:00

Hi!
Thank you for your answer.

I have created a new app registration with "Multitenant" & personal MS accounts.

Unfortunately this gives the same error message.

The user I am trying to register has the User type: Member and Identities: Mail

(one time passcode)

I should mention that this is a customer tenant.

I have double checked the URI's.

Answer 1

Shweta Mathur 30,446 Microsoft Employee Moderator

Hi @Fabian Homann ,

Thanks for reaching out.

The error message you are receiving indicates that the domain you are trying to log in with is not a valid login domain for the account type.

This error is by design in External ID for customers when customers are trying to access Microsoft endpoint which they don't have permission to access and require admin rights to access that endpoint. So, to access the application by users created in customer tenant, they have to access the <tenantname.ciamlogin.com> endpoint. Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Fabian Homann 46 Reputation points

2024-01-09T08:45:18.5866667+00:00

Hi!
Thank you for your answer.

I have created a new app registration with "Multitenant" & personal MS accounts.

Unfortunately this gives the same error message.

The user I am trying to register has the User type: Member and Identities: Mail

(one time passcode)

I should mention that this is a customer tenant.
Fabian Homann 46 Reputation points

2024-01-09T08:50:20.4733333+00:00

duplication of the answer
Fabian Homann 46 Reputation points

2024-01-09T10:44:32.4866667+00:00

New insight:

If a user logs in with Global Admin with the following criteria:

Identities ExternalAzureAD

User type Member

it works.

As soon as Global Admin is revoked, the error shown above appears again. So it seems to be a rights problem?
Shweta Mathur 30,446 Reputation points Microsoft Employee Moderator

2024-01-11T06:19:44.5566667+00:00

Fabian Homann Thanks for update and confirming this is customer tenant. There is ongoing bug going on in External ID for customers regarding this error AADSTS500208. As this feature is in preview, there is no timeline for the fix as of now. I am checking internally with team for further update on this. Thanks, Shweta
Fabian Homann 46 Reputation points

2024-01-11T08:18:39.9933333+00:00

Hello Mr. Mathur, Thank you for the information. Do you use customer tenants in the "woodgrovedemo"? Is there a C2A for us? A kind of role assignment as a workaround? Regards
Shweta Mathur 30,446 Reputation points Microsoft Employee Moderator

2024-01-12T06:50:42.1266667+00:00

Fabian Homann, No, I am not using woodgravedemo and I created customer tenant from work account domain only. Could you please confirm what is the authority and issuer URL passing in your application?

Fabian Homann 46

My Appsettings:

  "AzureAd": {     "Instance": "https://login.microsoftonline.com/",     //"Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",     "ClientId": "xxxx",     "TenantId": "xxxx",     "ClientSecret": "xxxx",     "CallbackPath": "/signin-oidc",     "SignoutcallbackUrl": "/signout-oidc"   }

I do not enter the URL's directly, only the ID's, Paths and in the Razorpage via the Program.cs I let the authentication run:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();

My redirect urls:
Web redirect URI's: https://localhost:xxxx/signin-oidc https://localhost:xxxx/Index URL for front channel logout: https://localhost:xxxx/signout-oidc

Shweta Mathur 30,446 Microsoft Employee Moderator

Fabian Homann Are you following any sample? All https://login.microsoftonline.com endpoints need to replace with ciamlogin.com.

{
  "AzureAd": {
    "Authority": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/",
    "ClientId": "Enter_the_Application_Id_Here",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}

Fabian Homann 46 Reputation points

2024-01-17T09:40:44.92+00:00
Thank you very much! I changed

"Instance": "https://login.microsoftonline.com/"

to

"Instance": "https://customertenantname.ciamlogin.com/"

and now I can login without global admin.
Shweta Mathur 30,446 Reputation points Microsoft Employee Moderator

2024-01-17T12:10:09.8466667+00:00

Fabian Homann Thanks for the confirmation. I have updated the answer so that would help others in community as well. Could you please "Accept the answer" so community can get better visibility. Thanks, Shweta

Share via

Issues with OpenIdConnect and MS Identity Web

1 answer

Your answer