[Bug] Cannot use personal account to login to KeyVault #1932
Comments
Hi @Crossbow78 - please try to use:
I have exactly that same API permission defined in my app registration. And I've replaced the scope override in code with: var scopes = new[] { "https://vault.azure.net/user_impersonation" }; // Must override scope...? But it gives me exactly the same result, only allowing me to select Azure tenant accounts. Are you able to reproduce? What else could I try?
This is not an MSAL issue, as MSAL does not control the dialog between the user and the Identity Provider. MSAL only pops up the browser and caches the tokens. I'm getting the same error as you by the way, so I don't think it's a configuration issue on the App Registration. It's quite possible that KeyVault does not allow MSA logins.
Note that I can use the ADAL (*) library for authentication and it will work fine with a personal account and I receive my certificates, but the interactive flow is a lot less practical (I'm just copying URLs from and to a console window to get past)... Also, I still don't understand why I have to override the empty
(*) Microsoft.IdentityModel.Clients.ActiveDirectory 5.2.8
I'm not sure what you mean by using ADAL, as ADAL targets the v1 endpoint of AAD, which does not support personal accounts. The flow where the user gets a URL and a code in the console and they pick it up is called DeviceCodeFlow, and it is supported by both ADAL and MSAL. I don't know why the KeyVault SDK doesn't advertise a scope, I assume it is because they are still focused on integrating with ADAL. We are hopeful that this will change soon and some of our PMs are reaching out (CC @aiwangmicrosoft), as ADAL is deprecated. I think it is reasonable to open issues on the KeyVault SDK or service to see why this limitation exists. @jmprieur - would you know why KeyVault does not allow MSA auth?
@Crossbow78: do you use the same clientID in your ADAL and MSAL application? (Would you have reused a well known clientID for your ADAL application, which you don't use in the MSAL application?) What you should do is use a tenanted authority, rather than common.
I seem to have encountered a similar problem. Using essentially the same code as in the original post (for the public client application), when attempting to login with my MSA I get the following error on entering the user name (e-mail address):
Info: (False) MSAL 4.21.1.0 MSAL.UAP N/A [10/26/2020 00:18:40 - 286091f6-871c-4cff-9993-19a0374ffd62]
Info: (False) MSAL 4.21.1.0 MSAL.UAP N/A [10/26/2020 00:18:40 - 286091f6-871c-4cff-9993-19a0374ffd62] === Token Acquisition (InteractiveRequest) started:
Verbose: (False) MSAL 4.21.1.0 MSAL.UAP N/A [10/26/2020 00:18:40 - 286091f6-871c-4cff-9993-19a0374ffd62] [Instance Discovery] Tried to use network cache provider for login.microsoftonline.com. Success? False
at Microsoft.Identity.Client.Internal.AuthCodeRequestComponent.VerifyAuthorizationResult(AuthorizationResult authorizationResult, String originalState)
I was previously trying to use Azure AD authentication (REST API, OAuth2 1.0) but decided to try MSAL after having other issues with that approach. At least when using AAD I was on all occasions able to enter my MSA's ID and password before any problems occurred, unlike with MSAL where I've never got as far as being able to enter the password (same MSA). With the same AD and app configuration at the Azure end, why would I be getting this username error only when switching over to using MSAL?
What is the sign-in audience of your application @Crossbow78? When you use an authority with a tenant, this enables guest accounts to sign in, and your MSA might be a guest account of the tenant, which would work. When using "common" or "organization", the guest scenario no longer applies, and your MSA is considered as an MSA, which I don't think is supported by KeyVault yet (Azure Resource Management does not yet support MSA).
Sorry, I should have been clearer. Yes; the authority you need to use needs to have a tenant (tenanted).
Closing as the question is answered.
The relevance of the app registration's sign-in audience setting of
Is this the correct summary:
Yes, @Hotmail, @outlook.com, @live.com (and a few more aliases) are "Microsoft" accounts (aka live accounts or MSA accounts or personal accounts). They are all in one big tenant (the MSA tenant). Work and School accounts are tied to an organization, e.g. joe.blogs@contoso.com is an account in the contoso tenant. Each organization that hosts their directory with AAD gets their own tenant. In MSAL, you configure the authority as:
In the App registration portal in Azure, you must also configure the audience in a similar way (sorry I don't remember the exact setting, but I can look if you want). This wiki page describes the identity providers: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Register-your-application-with-Azure-Active-Directory This wiki page offers a few details about audience: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Applications#application-audience
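Putting the tenanted-authority advice and the audience explanation above together, here is an added example (not code from the issue, nor an MSAL or Key Vault SDK sample): a console app that signs in against a tenant-specific authority with the Key Vault scope quoted earlier in the thread, then lists the vault's certificates over the Key Vault REST API. CLIENT_ID, TENANT_ID and VAULT_NAME are placeholders, and the call assumes the signed-in user holds the certificate list permission in the vault's access policy.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class Program
{
    // Placeholders (assumed): fill in from your own app registration and vault.
    const string ClientId = "CLIENT_ID";
    const string TenantId = "TENANT_ID";  // directory (tenant) ID, not "common"
    const string VaultName = "VAULT_NAME";

    // Key Vault's delegated scope, as quoted in the thread; MSAL does not infer it.
    static readonly string[] Scopes = { "https://vault.azure.net/user_impersonation" };

    static async Task Main()
    {
        // Tenanted authority: a personal account that is a guest in this tenant
        // signs in as a guest of the tenant. With "common" the same account is
        // treated as a consumer (MSA) account, which Key Vault rejects.
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost")  // must match the app registration
            .Build();

        AuthenticationResult result = await app
            .AcquireTokenInteractive(Scopes)
            .ExecuteAsync();
        Console.WriteLine($"Signed in as {result.Account.Username}");

        // List certificates over the Key Vault REST API with the bearer token.
        // The user needs the certificate "list" permission in the vault's access policy.
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        string url = $"https://{VaultName}.vault.azure.net/certificates?api-version=7.1";
        HttpResponseMessage resp = await http.GetAsync(url);

        // A 401 with a token that was issued for an empty scope means the token's
        // audience is not Key Vault: the sign-in succeeded but authorization fails.
        Console.WriteLine($"Key Vault responded {(int)resp.StatusCode} {resp.ReasonPhrase}");
        Console.WriteLine(await resp.Content.ReadAsStringAsync());
    }
}
```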
Which version of MSAL are you using?
Platform
.NET Core 3.1
What authentication flow has the issue?
Is this a new or existing app?
This is a new app or experiment. Trying to retrieve a key vault certificate via a proof-of-concept console application. User needs to authenticate, access policies are granted to user principals.
Repro
Create app registration
Make sure that there is a personal Microsoft account as a guest or member in the tenant.
To this account grant access to a Key Vault (via group or user), and grant certificate list/read permission.
Use minimal code example as below
Expected behavior
Actual behavior
scope argument. If this empty scope is used, the user can use a personal Microsoft account (and will receive a token), but will then get 'Unauthorized' on Key Vault access.
Additional context / Logs / Screenshots
My main question is: