AAD/Entra ID Authentication in vscode works only for direct users of the tenant #7660
Comments
Is the guest user setup with rights to do development scenarios? Like is it part of the Exten. Mgmt Admin permission set
Yes, the user is SUPER
The logs provided show two different Microsoft Entra Tenant IDs (thanks for providing the logs in a way we can see they are different).
I have a similar issue with regular sign-on through AAD (so without VS Code): I receive 2 requests (MFA) in my Authentication APP.
When successfully authenticated I receive a 2nd MFA request, now from Tenant ID 2.
Approval is processed with no issue but ends with: AADSTS700016: Application with identifier 'xxxxxxxxxxxxxxx' was not found in the directory '[Entra Tenant 2]'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. This is clearly a message from Tenant ID 2 again (logo, background). I do not have access to Tenant ID 2 resources (I am a regular user).
@SBalslev
Not as far as I know, but you shouldn't need it. Edit: If the server instance is set up with tenant 1, the first prompt should be for Tenant 2 (this makes sure you're you) and the second should be from Tenant 1 (this makes sure the "verified you" has access to Tenant 1 and the tenant's MFA settings etc. are respected). Therefore I'm pretty sure that the server instance is not set up correctly since it seems to try to sign you into an application in tenant 2 that only exists in tenant 1.
Please include the following with each issue:
1. Describe the bug
When using AAD / Entra ID for authentication against a server instance and then signing in using an external user, you get an error message that the user does not have access to the server instance.
Message in the server instance's event log:
The issue seems to stem from the device flow that is used, which does not check the server instance's authentication but just asks users to sign in. It is (as far as I know) impossible to explicitly sign in as a user of tenant A as an external user of tenant B.
Therefore, when a user is selected from the available Entra users, it automatically chooses to authenticate against the selected user's tenant.
Possible solution: Use the web client's redirect URL to find out which tenant to actually authenticate against.
2. To Reproduce
Steps to reproduce the behavior:
In the example below my user (Jakob.Theiner@xxx.com) is added as an external user to the tenant yyy.cloud. There I can use the account without issues to access Business Central. But I cannot use it to develop/debug.
Output of guest/external user
Output of "native" user
3. Expected behavior
Download Symbols (and others) work for all valid users in Business Central, including those from external Entra ID tenants.
AKA: The tenant to authenticate against should not be taken from the "generic" device flow sign-in prompt but from the tenant configured in the server instance.
4. Actual behavior
Error message that the user does not have access to Business Central.
5. Versions:
Note
Since we support and develop for a lot of customers who all have Entra ID enabled, this is essential.
Currently the only way to solve this is to add another server instance with NavUserPassword authentication, which also needs to be maintained.
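The tenant-selection problem described in the issue body and in the two-prompt explanation above, as an added example (not code from this issue, from the AL extension or from Business Central): it contrasts a device-code authority that lets Entra ID pick the signed-in account's home tenant with one pinned to the tenant the server instance is configured for, derives that tenant from the web client URL, and checks that a returned token was actually issued by the configured tenant. The tenant ids, client id, URL layout (`https://host/<tenant-id>/<environment>/`) and the unsigned sample tokens are all constructed assumptions for illustration.

```python
# Added example, not code from this issue or from the AL/VS Code extension.
# Tenant ids, client id, URLs and the sample tokens are constructed.
import base64
import json
from urllib.parse import urlparse

LOGIN_HOST = "https://login.microsoftonline.com"

# Constructed placeholders for the two tenants in the issue.
TENANT_1 = "aaaaaaaa-0000-0000-0000-000000000001"   # tenant the server instance is configured for
TENANT_2 = "bbbbbbbb-0000-0000-0000-000000000002"   # the guest user's home tenant
CLIENT_ID = "cccccccc-0000-0000-0000-000000000003"  # app registration that exists only in TENANT_1
# Assumed shape of the web client URL: https://host/<tenant-id>/<environment>/
WEBCLIENT_URL = f"https://bc.example.com/{TENANT_1}/production/"


def tenant_from_webclient_url(url: str) -> str:
    """Take the tenant id from the first path segment of the web client URL
    (an assumption about the URL layout made for this example)."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    if not segments:
        raise ValueError("web client URL carries no tenant segment")
    return segments[0]


def device_code_endpoint(tenant: str) -> str:
    """Device-code endpoint of the v2.0 authority for the given tenant.
    With tenant='common' Entra ID resolves the tenant from whichever account
    the user picks, i.e. the guest's home tenant: the failure mode reported
    in the issue. Pinning the configured tenant avoids that."""
    return f"{LOGIN_HOST}/{tenant}/oauth2/v2.0/devicecode"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT (alg=none) purely as sample input."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    return f"{header}.{b64(claims)}."


def decode_claims(token: str) -> dict:
    """Decode the JWT payload without verifying it. A real server verifies the
    signature against the tenant's published keys before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_issued_by(token: str, expected_tenant: str) -> bool:
    """True only if both the tid claim and the tenant segment of the issuer
    URL match the tenant the server instance is configured for."""
    claims = decode_claims(token)
    iss_segments = [s for s in urlparse(claims.get("iss", "")).path.split("/") if s]
    iss_tenant = iss_segments[0] if iss_segments else None
    return claims.get("tid") == expected_tenant and iss_tenant == expected_tenant


# Constructed sample tokens: what a home-tenant sign-in and a
# resource-tenant sign-in for the same guest account would carry.
HOME_TENANT_TOKEN = make_unsigned_token(
    {"iss": f"{LOGIN_HOST}/{TENANT_2}/v2.0", "tid": TENANT_2,
     "aud": CLIENT_ID, "preferred_username": "user@xxx.com"})
RESOURCE_TENANT_TOKEN = make_unsigned_token(
    {"iss": f"{LOGIN_HOST}/{TENANT_1}/v2.0", "tid": TENANT_1,
     "aud": CLIENT_ID, "preferred_username": "user@xxx.com"})


if __name__ == "__main__":
    configured = tenant_from_webclient_url(WEBCLIENT_URL)
    print("generic authority :", device_code_endpoint("common"))
    print("pinned authority  :", device_code_endpoint(configured))
    print("home-tenant token accepted?    ", token_issued_by(HOME_TENANT_TOKEN, configured))
    print("resource-tenant token accepted?", token_issued_by(RESOURCE_TENANT_TOKEN, configured))
```

The `tid`/`iss` check is the server-side counterpart of pinning the authority: even when a client sends a token minted by the guest's home tenant, rejecting it because the issuer is not the configured tenant gives a clear, logged reason instead of a generic "no access" message.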