Interactive Browser Credential "You can't sign in here with a personal account. Use your work or school account instead."

Question

Interactive Browser Credential "You can't sign in here with a personal account. Use your work or school account instead."

alma eyre 11

I am attempting to implement Interactive Browser Credential with Azure Identity (JS) in my app so that users can authenticate to their own Azure accounts for my dev tool. I got advice that app registration in Azure AD would be required on a Reddit thread (https://www.reddit.com/r/AZURE/comments/smcl15/azure_identity_sdk_js_how_to_authenticate_to/). I have now done so.

I have registered localhost:8083 and localhost:8085 as redirect URIs and selected the option to allow Account in any organizational directory. However, I am still getting the error "You can't sign in here with a personal account. Use your work or school account instead." Every answer(https://stackoverflow.com/questions/56007863/access-with-personal-account-to-multi-tenant-application-aad) I have read on the topic says that I need to set "signInAudience": "AzureADandPersonalMicrosoftAccount" in the manifest. However, that is how my manifest already is and has been since the beginning. How do I fix the error?

Shweta Mathur 13,076 Reputation points Microsoft Employee

2022-02-08T11:00:08.157+00:00
Hi @alma eyre ,

Thanks for reaching out.

Could you please confirm below so that we can understand the issue in detail.

Did you tried to login using different browsers or clear the cookie.

The issue is only happening when you are trying to login using personal account or with other accounts as well.

Thanks,
Shweta
alma eyre 11 Reputation points

2022-02-08T16:33:26.957+00:00

Yes, I tried after clearing cookies. The same error occurs.

Yes, the error is only happening with personal accounts. With organizational accounts I get a completely different error depending on how I set the API permissions in my app registration in Azure AD.

"ERROR. Scopes: https://management.azure.com/.default. Error message: invalid_client. AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: 480eb9fb-36f6-4381-92f6-af4b9e3bf1d7(Opal). Resource value from request: https://management.azure.com. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000003-0000-0000-c000-000000000000.
Trace ID: 1930e55e-c4d8-402d-8924-cd0b2b922300
Correlation ID: f798622c-a4d1-4fb2-ad4b-077c265c6c7e
Timestamp: 2022-02-08 16:01:20Z."

So perhaps those permissions were too few.

Next, I tried following this guide (https://learn.microsoft.com/en-us/graph/permissions-reference) and set the permissions I thought the Azure SDK methods I am using would need. But perhaps I was too liberal because I got this error instead: "ERROR. Scopes: https://management.azure.com/.default. Error message: invalid_client. AADSTS650054: The application '' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor.
Trace ID: 9c1c7cdf-bf7f-4408-9f4e-d1364b360000
Correlation ID: 836ab643-ca40-4520-961c-e69337b2f836
Timestamp: 2022-02-07 17:31:40Z."
CarlZhao-MSFT 20,696 Reputation points

2022-02-14T03:12:24.36+00:00
@alma eyre

Modifying the following two points will solve your problem:

Change the /tenant id endpoint to the /common endpoint

Change the https://management.azure.com/.default scope to: https://graph.microsoft.com/.default scope.

Shweta Mathur 13,076 Reputation points Microsoft Employee

2022-02-08T11:00:08.157+00:00

Hi @alma eyre ,

Thanks for reaching out.

Could you please confirm below so that we can understand the issue in detail.

Did you tried to login using different browsers or clear the cookie.

The issue is only happening when you are trying to login using personal account or with other accounts as well.

Thanks,
Shweta
alma eyre 11 Reputation points

2022-02-08T16:33:26.957+00:00

Yes, I tried after clearing cookies. The same error occurs.

Yes, the error is only happening with personal accounts. With organizational accounts I get a completely different error depending on how I set the API permissions in my app registration in Azure AD.

"ERROR. Scopes: https://management.azure.com/.default. Error message: invalid_client. AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: 480eb9fb-36f6-4381-92f6-af4b9e3bf1d7(Opal). Resource value from request: https://management.azure.com. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000003-0000-0000-c000-000000000000.
Trace ID: 1930e55e-c4d8-402d-8924-cd0b2b922300
Correlation ID: f798622c-a4d1-4fb2-ad4b-077c265c6c7e
Timestamp: 2022-02-08 16:01:20Z."

So perhaps those permissions were too few.

Next, I tried following this guide (https://learn.microsoft.com/en-us/graph/permissions-reference) and set the permissions I thought the Azure SDK methods I am using would need. But perhaps I was too liberal because I got this error instead: "ERROR. Scopes: https://management.azure.com/.default. Error message: invalid_client. AADSTS650054: The application '' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor.
Trace ID: 9c1c7cdf-bf7f-4408-9f4e-d1364b360000
Correlation ID: 836ab643-ca40-4520-961c-e69337b2f836
Timestamp: 2022-02-07 17:31:40Z."
CarlZhao-MSFT 20,696 Reputation points

2022-02-14T03:12:24.36+00:00

@alma eyre

Modifying the following two points will solve your problem:

Change the /tenant id endpoint to the /common endpoint

Change the https://management.azure.com/.default scope to: https://graph.microsoft.com/.default scope.

Answer 1

Hi @alma eyre ,

As mentioned in your other thread as well,

If you want to use Azure service management API to get the list of subscriptions and resource groups, user_impersonation is the scope that you need to request to work with the Azure Management API.

You can add permission as mentioned below Application-> API permissions -> Add a permission -> select Azure Service Management API -> select the user_impersonation

Also, you need to make sure the user has role i.e Contributor assigned in the subscription.

Hope this will helps.

Thanks,
Shweta

-----------------------------------

Please remember to "Accept Answer" if answer helped you.

Interactive Browser Credential "You can't sign in here with a personal account. Use your work or school account instead."

1 answer

Activity