Azure AD B2B Authentication error for users with custom domains - AADSTS65005: Using application 'My Application' is currently not supported for your organization abc.com because it is in an unmanaged state. An administrator needs to claim ownership of...

  • Question

  • I'm currently upgrading an application to enable multi-tenancy and B2B integration.

    I got the following types of users working so far:

    • internal Azure AD users
    • external Azure AD users from another tenant
    • personal Microsoft account
    • Gmail users

    I'm now trying to enable users from any domain to access my application by following this process:

    1. Send invite to x@abc.com - this works
    2. Redeem invite from x@abc.com inbox - this works and I successfully set up the associated Microsoft account
    3. Log in to my application using x@abc.com - this does NOT work and I get the following error: AADSTS65005: Using application 'My Application' is currently not supported for your organization abc.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of abc.com before the application 'My Application' can be provisioned

    In this case abc.com is an external partner. The external partners are dynamic and managed through the application via a 'domain white-list'. So I can have abc.com now, and later abcd.com, xyz.com, etc. The users from these white-listed domains are self-registering via an application URL.

    Interestingly enough, gmail users work so I'm assuming there's an internal Azure AD white-list for the popular domain?

    UPDATE:

    The reason why the Gmail accounts are working is because they are indeed created as Microsoft accounts in my Azure AD. The abc.com domain accounts on the other hand are created as 'External Azure Active Directory' accounts. (source property)

    UPDATE #2:

    After a bit more research I found that it wasn't working because I was using the common endpoint which doesn't support guests. More details here: Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?

    Now I switched to using my tenant specific endpoint like below:

    Tenant specific endpoint: https://login.microsoftonline.com/{tenant-id}/v2.0

    and I can log in with the guest users from abc.com.

    However, Microsoft accounts have now stopped working.

    AuthorizationCodeReceived = async (context) =>
    {
        ...

        // Redeem the authorization code with MSAL's ConfidentialClientApplication,
        // caching the resulting tokens per signed-in user in the session
        var cca = new ConfidentialClientApplication(appId, redirectUri,
            new ClientCredential(appSecret),
            new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
        await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code);
    },

    await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code) fails with the following error:

    ErrorCode: invalid_grant
    Message=AADSTS50020: MSA guest token redemption attempt on v2 common endpoint.

    How can I make it work with both guest users from custom domains (abc.com) AND existing Microsoft accounts?


    • Edited by Florin D. Preda Thursday, June 28, 2018 4:39 PM update based on progress
    Wednesday, June 27, 2018 12:53 PM

All replies

  • I see your query has been addressed on Stack Overflow by Wayne Yang here. I suggest you go through his post and let us know if you need any further assistance.


    • Proposed as answer by vijisankar Wednesday, June 27, 2018 4:35 PM
    Wednesday, June 27, 2018 4:35 PM
  • I have updated my questions based on that response.
    Thursday, June 28, 2018 2:45 PM
  • How can I make it work with both guest users from custom domains (abc.com) AND existing Microsoft accounts?


    This could be resolved by specifying the 'domain_hint' parameter, which tells Azure AD which domain the user account should be from. This will prevent the error page from showing if the user is logged in with an account from a different domain; it will also filter the list of remembered accounts so the user is only prompted to select ones ending with the domain that you have specified.

    For example:

    Navigate to /config/authsettings for your Application. Click Edit to enable making changes.
    Set additionalLoginParams to the following (This is a JSON array value): ["domain_hint=domain.com"]


    Thursday, June 28, 2018 5:42 PM
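As an added illustration (not code from this thread or from the questioner's application), the snippet below shows what the two points discussed here look like at the protocol level: the authorization request goes to the tenant-specific v2.0 endpoint rather than 'common' (the change from UPDATE #2), and 'domain_hint' is set to the user's white-listed partner domain (the parameter from the reply above). The tenant id, client id, redirect URI and white-list contents are placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY_HOST = "https://login.microsoftonline.com"

# Placeholder values constructed for this example, not taken from the thread.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://myapp.example.com/signin-oidc"
SCOPES = ["openid", "profile", "email"]

# The application's own partner white-list, as described in the question.
PARTNER_DOMAINS = {"abc.com", "abcd.com", "xyz.com"}


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.lower()


def build_authorize_url(email: str, state: str, tenant: str = TENANT_ID) -> str:
    """Build the v2.0 /authorize request for a self-registering partner user.

    Guest users are only known to the inviting tenant, so the authority is the
    tenant-specific endpoint, never 'common'. domain_hint carries the user's
    white-listed domain so Azure AD routes sign-in to the right account type.
    """
    domain = email_domain(email)
    if domain not in PARTNER_DOMAINS:
        raise PermissionError(f"{domain} is not on the partner white-list")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "scope": " ".join(SCOPES),
        "state": state,
        "domain_hint": domain,
    }
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def uses_common_endpoint(url: str) -> bool:
    """True if the request targets the 'common' authority, which broke guest sign-in."""
    return urlparse(url).path.split("/")[1] == "common"


def authorize_params(url: str) -> dict:
    """Decode the query string of an authorize URL into {name: [values]}."""
    return parse_qs(urlparse(url).query)
```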
  • @Florin:

    Just checking in if you have had a chance to see the previous response. If that answers your query, do click “Mark as Answer” and Up-Vote for the same. If you have any further query, then do let us know.

    Saturday, July 7, 2018 3:22 PM