
AAD/Entra ID Authentication in vscode works only for direct users of the tenant #7660

Closed
itsme112358 opened this issue Feb 6, 2024 · 6 comments

@itsme112358

itsme112358 commented Feb 6, 2024

Please include the following with each issue:

1. Describe the bug
When using AAD / Entra ID for authentication against a server instance and then signing in as an external user, you get an error message that the user does not have access to the server instance.

Message on the server instance's event log: [screenshot]

The issue seems to stem from the device flow that is used, which does not check the server instance's authentication settings but just asks users to sign in. It is (as far as I know) impossible to explicitly sign in as a user of tenant A as an external user of tenant B.
Therefore, when a user is selected from the available Entra users, it automatically authenticates against the selected user's tenant.
[screenshot]

Possible solution: use the web client's redirect URL to find out which tenant to actually authenticate against.

2. To Reproduce
Steps to reproduce the behavior:

  1. Set up a server instance with Entra ID authentication + developer endpoint
  2. Invite a user from an external tenant
  3. Sign in with said external user (not necessary, just to ensure Entra ID authentication also works with external users for the web client)
  4. Open an AL project / create an empty one
  5. Set up launch.json for Entra
  6. Download symbols
  7. Select the guest user account
  8. Receive error

In the example below my user (Jakob.Theiner@xxx.com) is added as an external user to the tenant yyy.cloud. There I can use the account without issues to access Business Central, but I cannot use it to develop/debug.
Output of guest/external user

[2024-02-06 12:40:25.23] Using reference symbols cache paths: [c:\repos\RelC\app\.alpackages]
[2024-02-06 12:40:25.32] Acquiring token for authority https://login.microsoftonline.com/common using correlation 481228e8-a75e-4bcf-8226-d99f8bba22fd.
[2024-02-06 12:40:41.16] Authenticated as user 'jakob.theiner@xxx.com' in tenant 'eecdf8ce-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. Please note that these credentials are cached. Clear the credentials cache to authenticate as another user.
[2024-02-06 12:40:41.16] Targeting Dynamics 365 Business Central environment tenant 'default'.
[2024-02-06 12:40:41.19] Sending request to https://xxx/dev/metadata?tenant=default
[2024-02-06 12:40:41.52] Sending request to https://xxx/dev/packages?publisher=Microsoft&appName=Application&versionText=22.0.0.0&appId=00000000-0000-0000-0000-000000000000&tenant=default
[2024-02-06 12:40:41.52] Sending request to https://xxx/dev/packages?publisher=Microsoft&appName=System&versionText=22.0.0.0&appId=8874ed3a-0643-4247-9ced-7a7002f7135d&tenant=default
[2024-02-06 12:40:41.55] Authorization has failed or the credentials have expired. The credential cache has been cleaned. Any access to reach Business Central would require new authorization.

Output of "native" user

[2024-02-06 12:43:43.12] Using reference symbols cache paths: [c:\repos\xxx\app\.alpackages]
[2024-02-06 12:43:43.13] Acquiring token for authority https://login.microsoftonline.com/common using correlation 0a2193a7-6b5a-4015-8dff-9b86f18dd4e5.
[2024-02-06 12:44:06.44] Authenticated as user 'Jakob.Theiner@yyy.cloud' in tenant '03198994-yyyy-yyyy-yyyy-yyyyyyyyyyyy'. Please note that these credentials are cached. Clear the credentials cache to authenticate as another user.
[2024-02-06 12:44:06.44] Targeting Dynamics 365 Business Central environment tenant 'default'.
[2024-02-06 12:44:06.44] Sending request to https://xxx/dev/packages?publisher=Microsoft&appName=Application&versionText=22.0.0.0&appId=00000000-0000-0000-0000-000000000000&tenant=default
[2024-02-06 12:44:06.44] Sending request to https://xxx/dev/packages?publisher=Microsoft&appName=System&versionText=22.0.0.0&appId=8874ed3a-0643-4247-9ced-7a7002f7135d&tenant=default
[2024-02-06 12:44:06.44] Sending request to https://xxx/dev/packages?publisher=Aareon&appName=xxx&versionText=x.y.0.0&appId=xxx&tenant=default
[2024-02-06 12:44:06.77] The following dependencies will be queried for propagated dependencies:
System Application by Microsoft (22.0.0.0)
Base Application by Microsoft (22.0.0.0)
Email - SMTP Connector by Microsoft (22.0.0.0)
[2024-02-06 12:44:06.77] Sending request to https://xxx/dev/packages?publisher=Microsoft&appName=System Application&versionText=22.0.0.0&appId=63ca2fa4-4f03-4f2b-a480-172fef340d3f&tenant=default
[2024-02-06 12:44:06.77] Sending request to https://xxx/dev/packages?publisher=Microsoft&appName=Base Application&versionText=22.0.0.0&appId=437dbf0e-84ff-417a-965d-ed2bb9650972&tenant=default
[2024-02-06 12:44:06.77] Sending request to https://xxx/dev/packages?publisher=Microsoft&appName=Email - SMTP Connector&versionText=22.0.0.0&appId=68e13fa3-217a-4be0-9141-99e5bf0ca818&tenant=default
[2024-02-06 12:44:10.75] All reference symbols have been downloaded.

3. Expected behavior
Download Symbols (and others) work for all valid users in business central, including those from external Entra ID tenants.
AKA: the tenant to authenticate against should not be taken from the "generic" device flow sign-in prompt but from the tenant configured in the server instance.

4. Actual behavior
Error message that the user does not have access to Business Central.

5. Versions:

  • AL Language: v12.5.914975
  • Visual Studio Code: 1.86
  • Business Central: 22.6
  • List of Visual Studio Code extensions that you have installed: AL-Extension only

Note

Since we support and develop for a lot of customers which all have Entra ID enabled, this is essential.
Currently the only way to solve this, is to add another serverinstance with navuserpassword authentication, which also needs to be maintained.

@kalberes
Contributor

Is the guest user set up with rights to do development scenarios? Like, is it part of the Exten. Mgmt Admin permission set?

@itsme112358
Author

Yes, the user is SUPER

@SBalslev
Contributor

The logs provided show two different Microsoft Entra tenant IDs (thanks for providing the logs in a way that lets us see they are different).
For users whose home tenant differs from the Microsoft Entra tenant ID of the environment (guest users, delegated admins etc.), we need help to know where you are logging into.
In the launch.json: for online environments you can use the tenant property, and for on-premises you can also use the primaryTenantDomain property.

{
   "name": "Publish: Microsoft cloud sandbox",
   "environmentType": "Sandbox",
   "environmentName": "sandbox",
   "tenant": "abcd1234-1234-1234-1234-1234abcd1234",
...
},
{
   "name": "Attach: Your own server, tenant id same as Microsoft Entra tenant ID",
   "server": "http://bcserver",
   "serverInstance": "BC",
   "authentication": "MicrosoftEntraID",
   "tenant": "abcd1234-1234-1234-1234-1234abcd1234",
...
},
{
   "name": "Attach: Your own server, tenant id different from Microsoft Entra tenant ID",
   "server": "http://bcserver",
   "serverInstance": "BC",
   "authentication": "MicrosoftEntraID",
   "tenant": "OtherTenantIdThanMicrosoftEntraID",
   "primaryTenantDomain": "abcd1234-1234-1234-1234-1234abcd1234",
...
}

More about the launch.json
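The failure in the original post is visible in the extension's own log: it acquires the token for authority https://login.microsoftonline.com/common, so a guest user gets a token issued by their home tenant (one tid), while the server instance trusts a different tenant. The following is an added example, not code from this thread or from the AL extension: it reads the tid claim of a token to show which tenant issued it, compares it with the tenant the server is configured for, and derives the tenant-specific authority that the tenant / primaryTenantDomain properties make the client use. The tenant IDs, the UPNs and the launch_config() helper (which only mirrors the shape of the on-premises launch.json entry shown above) are assumptions; the tokens are constructed and unsigned, and no signature is verified, so this is a diagnostic aid, never an authorization check.

```python
"""
Added example, not code from the GitHub thread or from the AL extension.

Reads the 'tid' (tenant ID) claim of an Entra access token to show which
tenant issued it, compares that with the tenant the server instance is
configured for, and derives the authority URL that makes a guest user get
a token from the resource tenant instead of from their home tenant.
Tenant IDs, UPNs and launch_config() are assumptions; the tokens are
constructed and unsigned.  Nothing here verifies a signature, so use it
for diagnosis only, never as an authorization check.
"""
import base64
import json

LOGIN_BASE = "https://login.microsoftonline.com"

# Placeholder tenant IDs (assumed, not values from the thread).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # guest user's home tenant
RESOURCE_TENANT = "22222222-2222-2222-2222-222222222222"  # tenant the server instance trusts


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed alg-'none' JWT for demonstration; never accept such tokens."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def authority_for(tenant_id: str) -> str:
    """Tenant-specific authority; /common lets the user's home tenant issue the token."""
    return f"{LOGIN_BASE}/{tenant_id}"


def diagnose(token: str, server_tenant_id: str) -> dict:
    """Explain why a server configured for server_tenant_id accepts or rejects token."""
    claims = decode_claims(token)
    issued_by = claims.get("tid")
    return {
        "token_tenant": issued_by,
        "server_tenant": server_tenant_id,
        "matches": issued_by == server_tenant_id,
        # The authority the client should have used to get a usable token.
        "authority": authority_for(server_tenant_id),
    }


def launch_config(server: str, instance: str, bc_tenant: str, entra_tenant_id: str) -> dict:
    """Assumed shape of an on-premises launch.json entry, following the thread's example:
    'tenant' is the Business Central tenant, 'primaryTenantDomain' the Entra tenant ID."""
    return {
        "name": f"Attach: {instance} as guest user",
        "server": server,
        "serverInstance": instance,
        "authentication": "MicrosoftEntraID",
        "tenant": bc_tenant,
        "primaryTenantDomain": entra_tenant_id,
    }


if __name__ == "__main__":
    # What the /common device flow hands a guest user: a token from the home tenant.
    home_token = make_unsigned_token({"tid": HOME_TENANT, "upn": "guest@home.example"})
    print(diagnose(home_token, RESOURCE_TENANT))
    # After pointing the client at the resource tenant's authority.
    resource_token = make_unsigned_token(
        {"tid": RESOURCE_TENANT, "upn": "guest_home.example#EXT#@resource.onmicrosoft.com"})
    print(diagnose(resource_token, RESOURCE_TENANT))
    print(json.dumps(launch_config("http://bcserver", "BC", "default", RESOURCE_TENANT), indent=2))
```

The client can only request a tenant-specific authority if it knows which tenant to ask for, which is exactly what the tenant / primaryTenantDomain properties supply; the log line "Acquiring token for authority https://login.microsoftonline.com/common" is the symptom to look for when a guest user is rejected.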

@PeterBizz
PeterBizz commented Feb 27, 2024

I have a similar issue with regular sign-on through AAD (so without VS Code):
URL to AAD endpoint (bb-aad.[Hostname].com)
at on-prem server setup, defined in Microsoft Entra Tenant ID 1.
In this Microsoft Entra tenant I am a guest user from a different Tenant ID 2.
When I log in with the guest user account
[screenshot]
(I use my Tenant ID 2 account to sign in.)

I receive 2 requests (MFA) in my Authenticator app,
first from Microsoft Entra Tenant ID 1:

  • It says Approve Sign In request,
  • It clearly originates from Tenant ID 1 (icon/background)
  • in the authenticator it says user.name_tenant2.com#EXT#@[companynameT1]azure.onmicrosoft.com

When successfully authenticated I receive a 2nd MFA request, now from Tenant ID 2:

  • It says Approve Sign In request,
  • It clearly originates from Tenant ID 2 (icon/background)
  • in the authenticator it says user.name@tenant2.com

Approval is processed with no issue but ends with:
[screenshot]

AADSTS700016: Application with identifier 'xxxxxxxxxxxxxxx' was not found in the directory '[Entra Tenant 2]. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

This is clearly a message from Tenant ID 2 again (logo, background).

I do not have access to Tenant ID 2 resources (I am a regular user).
I do have full access to the Business Central instance.
Does BC have a similar option like VS Code's [primaryTenantDomain], or do you have another solution for this?

@itsme112358
Author

@SBalslev
Thank you so much! Worked perfectly :)
Once again a case of rtfm? Is this documented somewhere? XD

@itsme112358
Author

itsme112358 commented Feb 27, 2024

@PeterBizz

> Does BC have a similar option like VS Code's [primaryTenantDomain], or do you have another solution for this?

Not as far as I know, but you shouldn't need it.
As long as the server instance and Entra ID applications are configured correctly, it will redirect you to the correct tenant sign in. As a matter of fact that's the exact setup we use for all our hosted customers and it works fine.
Verify that everything is set up correctly according to the docs.
We're on 22.6 currently, though we started using AAD/Entra ID exclusively after 21.6. Your experience may vary with older versions; I can only speak for our setup 😬

Edit: If the server instance is set up with tenant 1, the first prompt should be for Tenant 2 (this makes sure you're you) and the second should be from Tenant 1 (this makes sure the "verified you" has access to Tenant 1 and the tenant's MFA settings etc. are respected). Therefore I'm pretty sure that the server instance is not set up correctly since it seems to try to sign you into an application in tenant 2 that only exists in tenant 1.
