
I'm getting this error after I sign into my Azure website:

AADSTS50194: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

DharmaTurtle
  • you might want to elaborate on the kind of application / flow you were using – Jean-Marc Prieur Nov 28 '18 at 18:56
  • you should accept Coruscate5's answer. You should never use a multitenant AAD app registration if you do not need to. – zolty13 Apr 16 '20 at 14:53
  • @zolty13 good point. – DharmaTurtle Apr 16 '20 at 21:36
  • @zolty13, I don't know how you came to this conclusion with so little information. There is nothing wrong with multi-tenant applications if you expect users to sign in from different tenants. A public app is a good example. – sy-huss May 29 '20 at 10:54
  • @sy-huss DharmaTurtle has not written about multitenant AAD, so for me it is obvious that he does not need a multitenant app. Enabling multitenant causes side effects. Changing the endpoint is enough to solve the problem. Probably Dharma used the wrong endpoint, which was proposed in some kind of tutorial or article. I have made the same mistake. – zolty13 May 29 '20 at 11:41
  • @zolty13, I am curious what side effects this has caused based on your experience? – sy-huss May 29 '20 at 11:47
  • You enable users from different AADs in your app. If you do not need that, you should not enable this option. – zolty13 May 29 '20 at 11:57

8 Answers


If you are an Azure administrator getting this message, it may be for the exact reason listed in the error message: you cannot use the common endpoint for MSFT logins to tenant-specific applications.

In my case, I was configuring an app registration with sample code; the sample code needed to be modified with a new endpoint, i.e. the following line:

let kAuthority = "https://login.microsoftonline.com/common"

needed to be changed to:

let kAuthority = "https://login.microsoftonline.com/MY_TENANT_NAME"

The tenant name for your Azure organization can be obtained by typing "Tenant Status" into the Azure search bar.


Xamarin: The above note worked for MSAL iOS - for Xamarin MSAL Android/iOS, there was no direct way to set the authority in the main call. It needs to be chained to the interactive login call.

E.g., the sample code here:

authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
                      .WithParentActivityOrWindow(App.ParentWindow)
                      .ExecuteAsync();

Needs to be changed to this:

authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
                      .WithAuthority("https://login.microsoftonline.com/YOUR_TENANT_NAME")
                      .WithParentActivityOrWindow(App.ParentWindow)
                      .ExecuteAsync();
Coruscate5
  • I was using the `react-aad-msal` package in my react app, and this was exactly my issue. Their sample code references the common authority. I needed to check my authority in the Azure Portal and replace the common one. – Mike Cole Jan 27 '20 at 20:17
  • Just now (February 2021) this answer helped me, as long as I replace "YOUR_TENANT_NAME" with what the Azure console currently labels "Tenant ID". In other words, "Tenant Name" is a particular string, and "Tenant ID" is a different string, and the one to put in the authority URI (in my case) was "Tenant ID". It looks like: `xxedxxxx-xxxd-xxxx-xxxx-07bdxbxxxc4x` – pestophagous Feb 05 '21 at 19:25
  • @pestophagous - it appears both will work. I can swap the Tenant Name and the Tenant ID as the authority, and the behavior appears to be the same. May depend on your Azure setup – Coruscate5 May 04 '21 at 17:34
  • Our tenant name has a space in it, the guid seems a better option. – strattonn Jun 09 '21 at 22:36
  • Same for us - our tenant name has two spaces in it and Azure rejects it. We needed instead to use our Tenant ID. – Velojet Jun 20 '21 at 03:26
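As an added example (not code from Coruscate5's answer, from the MSAL samples, or from the ASP.NET MicrosoftAccount provider discussed further down), the JavaScript below does the rewrite this answer describes by hand: it classifies an authority by its first path segment, accepts only a directory (tenant) ID GUID or a tenant domain such as contoso.onmicrosoft.com as the replacement (which is why the display names with spaces mentioned in the comments fail), and keeps any trailing path, so the same function also converts full authorize/token endpoint URLs and an msal-browser `auth` config. The host check, the regexes and the sample tenant values are assumptions made for this example.

```javascript
// Added example (not code from the answers above or from MSAL): pick a valid
// tenant identifier and rewrite a /common URL so that it targets one tenant.
// Assumes Node.js with the global URL class and the public-cloud login host
// login.microsoftonline.com (sovereign clouds use other hosts; assumption).

// First path segments that request a multi-tenant audience instead of one tenant.
const MULTI_TENANT_SEGMENTS = new Set(["common", "organizations", "consumers"]);

// Directory (tenant) ID as shown under "Tenant properties" in the portal.
const TENANT_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// A DNS-style tenant domain such as contoso.onmicrosoft.com. Display names
// ("Contoso Ltd") contain spaces and are not usable in the authority URL.
const TENANT_DOMAIN_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

function isValidTenantIdentifier(tenant) {
  return typeof tenant === "string" &&
    (TENANT_ID_RE.test(tenant) || TENANT_DOMAIN_RE.test(tenant));
}

// Classify an authority or endpoint URL by its first path segment:
// "common" | "organizations" | "consumers" | "tenant". Throws for URLs that
// are not on the login host or whose tenant segment is malformed.
function authorityAudience(urlString) {
  const url = new URL(urlString);
  if (url.host !== "login.microsoftonline.com") {
    throw new Error(`not a login.microsoftonline.com URL: ${urlString}`);
  }
  const first = (url.pathname.split("/").filter(Boolean)[0] || "").toLowerCase();
  if (MULTI_TENANT_SEGMENTS.has(first)) return first;
  if (isValidTenantIdentifier(first)) return "tenant";
  throw new Error(`unrecognised tenant segment "${first}" in ${urlString}`);
}

// Replace the audience segment with a specific tenant, keeping any trailing
// path (/oauth2/v2.0/authorize, /oauth2/v2.0/token, ...) so one helper
// serves MSAL authorities and full OAuth endpoint URLs alike.
function toTenantSpecific(urlString, tenant) {
  if (!isValidTenantIdentifier(tenant)) {
    throw new Error(`"${tenant}" is neither a tenant ID (GUID) nor a tenant domain`);
  }
  authorityAudience(urlString); // validates the host and the current first segment
  const url = new URL(urlString);
  const segments = url.pathname.split("/").filter(Boolean);
  segments[0] = tenant;
  url.pathname = "/" + segments.join("/");
  return url.toString();
}

// Convenience for an msal-browser style config object: returns a copy whose
// auth.authority targets `tenant` and leaves the input object untouched.
// MSAL falls back to /common when no authority is configured.
function withTenantAuthority(config, tenant) {
  const authority = (config.auth && config.auth.authority) ||
    "https://login.microsoftonline.com/common";
  return {
    ...config,
    auth: { ...(config.auth || {}), authority: toTenantSpecific(authority, tenant) },
  };
}
```

Feed it the string the error message complains about and it either returns the tenant-specific equivalent or throws with a reason, which is easier to act on than AADSTS50194 at sign-in time.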

It turns out that my account was not actually on Azure AD, so I needed to check "Accounts in any organizational directory" under "Supported account types" on portal.azure.com

Specifically: portal.azure.com > Azure Active Directory > App registrations (preview) > Your App > Authentication > Supported account types > Accounts in any organizational directory

DharmaTurtle
  • @Frank hard to say without more details, but I think you might be asking the wrong question. My answer here doesn't directly relate to OAuth, so I'm not sure where to find a consumer key/secret. – DharmaTurtle Aug 30 '19 at 16:19
  • Thanks for your response. Finally, I figured it out. The consumer key is called "Application (client) Id" under app registration (click the registered app to see app overview). The consumer password is the secret set under certificates & secrets – Frank Aug 30 '19 at 19:51
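As an added example (not part of DharmaTurtle's answer and not MSAL code): once "Accounts in any organizational directory" is selected, Azure AD will complete sign-ins for users from any tenant, which is the side effect the comments under the question argue about. The application then has to decide which tenants it trusts. The JavaScript below assumes the ID token's signature and lifetime were already validated by MSAL or your server-side OIDC middleware, that the token came from the v2.0 endpoint (issuer `https://login.microsoftonline.com/{tid}/v2.0`), and that the allow-listed tenant IDs and the sample tokens are constructed values for this example.

```javascript
// Added example, not code from the original answer. It assumes the JWT has
// already been signature- and expiry-checked upstream; only the tenant-related
// claims are inspected here. Node.js only (Buffer), no dependencies.

const TENANT_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Tenants this deployment is willing to serve (constructed GUIDs for the example).
const ALLOWED_TENANTS = new Set([
  "11111111-2222-3333-4444-555555555555",
]);

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") +
    "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Reads the claims of a compact JWT without verifying it (verification is
// assumed to have happened before this function is called).
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWT with three segments");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Builds an unsigned sample token for the checks below; constructed test data
// only, never accept alg "none" tokens in a real application.
function buildSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Decide whether a token issued to a multi-tenant registration is acceptable
// here. Returns { ok, reason } so the caller can log why a sign-in was refused.
function checkTenantClaims(claims, allowedTenants = ALLOWED_TENANTS) {
  const tid = typeof claims.tid === "string" ? claims.tid.toLowerCase() : "";
  if (!TENANT_ID_RE.test(tid)) {
    return { ok: false, reason: "missing or malformed tid claim" };
  }
  // v2.0 tokens carry the tenant in the issuer as well; the two must agree,
  // otherwise the token is not the kind this check was written for.
  const expectedIssuer = `https://login.microsoftonline.com/${tid}/v2.0`;
  if (typeof claims.iss !== "string" || claims.iss.toLowerCase() !== expectedIssuer) {
    return { ok: false, reason: `issuer ${claims.iss} does not match tid ${tid}` };
  }
  if (!allowedTenants.has(tid)) {
    return { ok: false, reason: `tenant ${tid} is not on the allow list` };
  }
  return { ok: true, reason: "tenant accepted" };
}

function checkToken(jwt, allowedTenants = ALLOWED_TENANTS) {
  return checkTenantClaims(decodeClaims(jwt), allowedTenants);
}
```

If the answer's single-tenant route (a tenant-specific authority) is an option for you, Azure AD performs this restriction for you at sign-in; the check above is what you owe the application yourself once the registration accepts any organizational directory.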

For some reason YOUR_TENANT_NAME did not seem to work for me. It has worked for others, hence you should still try it.

Instead of the above solutions the following worked for me:

authority: "https://login.microsoftonline.com/Your_Tenant_ID"

You can find Your_Tenant_ID by typing Tenant Properties in the Azure search bar.

ChiggyB

As explained here, if you're using an app with Microsoft.AspNetCore.Authentication.MicrosoftAccount, the Microsoft Account OAuth provider's default uses the common endpoint:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

This is assumed to be a multitenant app and has the permission level "Accounts in any organizational directory".

If you want a single tenant app, then you have to specify the authorization and token endpoint in Startup.cs:

services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
{
    microsoftOptions.AuthorizationEndpoint = "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/authorize";
    microsoftOptions.TokenEndpoint = "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token";
    microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ClientId"];
    microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"];
});

The URLs for the endpoints can be found in the Endpoints tab of the App Registration overview page on Azure, and the OAuth 2.0 authorization endpoint and token endpoint will have your tenant ID already in the URL.

Documentation on the MicrosoftAccountOptions.

Jeremy Caney
PacifismPostMortem
  • Honestly, this deserves its own Question and Answer. I searched way too long for case of using [..].MicrosoftAccount. – Dominik Jan 24 '23 at 17:12

Add the authority field to your client's auth config.

The authority field needs to be set to:

https://login.microsoftonline.com/<tenant id>
  • Replace <tenant id> with your Tenant id; for example:
    https://login.microsoftonline.com/f1c6ef1a-4230-4db1-a5e7-67c20e92d0d6
  • To get your "Tenant Id", type in Azure admin portal search "Tenant properties"

Javascript Example

For Javascript apps, there's the @azure/msal-browser official package. Note you need to provide the authority field in the config.auth object like so:

import * as msal from '@azure/msal-browser';

// ...

let config = {
    auth: {
      clientId: "<application id>", 
      authority: "https://login.microsoftonline.com/<tenant id>",
    },
};

let publicClientApplication = new msal.PublicClientApplication(config);

// ... 

PS - for the rest of the code, check out this MSDN tutorial. It shows how to sign users in to your single-page application.

Jossef Harush Kadouri
  • When I do this - I get a pop up saying I am not an admin on my tenant and that I cannot log in. Does the user have to be an admin on the tenant? – Shiva Naru Feb 24 '23 at 22:37

Furthermore to @Coruscate5's post, which has helped me, you can set WithAuthority for iOS as follows.

var builder = PublicClientApplicationBuilder.Create(OAuthSettings.ApplicationId).WithAuthority("https://login.microsoftonline.com/YOUR_TENANT_NAME");

This is important if you were following the Build Xamarin apps with Microsoft Graph guide and you aren't authenticating to a multi-tenant application.

This is how you get your tenant name:

https://learn.microsoft.com/en-us/onedrive/find-your-office-365-tenant-id
Jeremy Caney
chirond

In my case, adding the tenant_id to the msal_config.json from the tutorial did work:

"authorities" : [
    {
      "type": "AAD",
      "audience": {
        "type": "AzureADandPersonalMicrosoftAccount",
        "tenant_id": "YOUR_TENANT_ID"
      },
      "default": true
    }
  ]

I stumbled upon here with the same error but using python to authenticate my API calls.

Specifically I was using the OAuthDesktopMobileAuthCodeGrant class from bingads.authorization.

The init for OAuthDesktopMobileAuthCodeGrant shows the following; note that the tenant attribute defaults to "common":

def __init__(self, client_id, oauth_tokens=None, env=PRODUCTION, oauth_scope=MSADS_MANAGE, tenant='common'):

Therefore, in order not to default to /common, as others have highlighted above, I had to set this tenant component to my app's tenant ID:

from bingads.authorization import OAuthDesktopMobileAuthCodeGrant

# tenant is a keyword argument; pass the directory (tenant) ID instead of leaving the 'common' default
authentication = OAuthDesktopMobileAuthCodeGrant(
        client_id=client_id,
        tenant="{YOUR_TENANT_ID}",
        env='production',
)

Hope this is useful to others who are working out of python.

FeBludger