Microsoft authentification for single tenant

I’m trying to configure Microsoft authentification. It works fine if App in azure registered to support “Accounts in any organizational directory (Any Azure AD directory - Multitenant)”, but it doesn’t work with “Accounts in this organizational directory only (Single tenant)”.

  • [ ] Checked the logs and have provided the logs if I found something suspicious there

I’m submitting a…

  • [ ] Regression (a behavior that stopped working in a new release)
  • [ ] Bug report
  • [ ] Performance issue
  • [x] Documentation issue or request

Current behavior

I get an error “Application ‘…’ is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after ‘10/15/2018’. Use a tenant-specific endpoint or configure the application to be multi-tenant.”

Expected behavior

It should be possible to use single tenant application by adding tenantId to configuration.

Minimal reproduction of the problem

  1. Try to configure microsoft authentification and in “Authentication” choose “Accounts in this organizational directory only (Single tenant)”
  2. Add redirect url to https://{squidexurl}/identity-server/signin-microsoft
  3. Create client secret in “Certificates & secrets”
  4. Configure squidex to use microsoft authentification by adding to config
    {
    “name”: “IDENTITY__MICROSOFTCLIENT”,
    “value”: “{CLIENT}”,
    “slotSetting”: false
    },
    {
    “name”: “IDENTITY__MICROSOFTSECRET”,
    “value”: “{SECRET}”,
    “slotSetting”: false
    }

Environment

  • [x] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version

Version: [VERSION]

Browser:

  • [x] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

Others:
The problem is in authority URI. It’s https://login.microsoftonline.com/common/oauth2/v2.0/authorize for both types but for single tenant it should be https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

Is it only the authority url?

If you are a c# developer it would be great if you would test it out by yourself and create a PR. I do not have a multi tenant azure AD directory available right now.

The relevant code: https://github.com/Squidex/squidex/blob/master/src/Squidex/Config/Authentication/MicrosoftAuthenticationServices.cs

I’ve only found this example https://stackoverflow.com/questions/48480995/asp-net-core-identity-azure-authentication-middleware?rq=1
But it actually weird that Microsoft doesn’t support it out of the box.

It seems it’s called AzureAd authentication and should be added separately to application
https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.azureadauthenticationbuilderextensions.addazuread?view=aspnetcore-2.1

But the first example looks easier to implement.

Is it possible to ad AzureAd authentication?

As I said: PRs are welcome. It has very low priority for me right now.

I’ve managed to use Oauth2 authentication instead.
Short how to:

Squidex settings:
Copy tenant, client and secret from the created app and put to config
{
“name”: “IDENTITY__oidcAuthority”,
“value”: “https://login.microsoftonline.com/[tenant]/v2.0”,
“slotSetting”: false
},
{
“name”: “IDENTITY__oidcClient”,
“value”: “[client]”,
“slotSetting”: false
},
{
“name”: “IDENTITY__oidcSecret”,
“value”: “[secret]”,
“slotSetting”: false
}

2 Likes

Hit the same issue. @Sebastian I have sent you a PR.

Thanks a lot. I have accepted it, a build for 4.0.3 is in the pipeline.

1 Like