1

Yesterday I followed Vittorio Bertocci's tutorial "WS-Federation in Microsoft OWIN Components – a quick start" to set up a test application using Azure AD authentication. This is my first use of Azure AD (I work alone so don't use AD, period). I have just one Azure AD tenant containing one app.

I created a test user in the tenant, david@mycompany.onmicrosoft.com, and could log into the app just fine:

Test user can log in

Then I tried creating a new user, david@mycompany.co.uk who is a user with an existing Microsoft account (the email address is used to log in and manage the Azure Portal so it works elsewhere). The appropriate setting was selected to create this account -> User with an existing Microsoft account

But, I cannot log into the application as this user:

Other users can't log in

Can anyone explain why this is?

If I delete the user from the tenant, then re-create using the option New user in your organsation then the user can log in okay (although they get prompted to change their password).

I don't understand what the difference is, especially when the account works fine elsewhere.

maweeras
  • 2,734
  • 2
  • 17
  • 23
EvilDr
  • 164
  • 1
  • 2
  • 16

2 Answers2

3

It may be that the account is both a valid Microsoft Account (formerly Live ID) AND a valid Organisational Account (Azure AD). This can happen (you have a Live ID for years then your company signs up for Office 365) and leads to all sorts of fun and games because 'home realm discovery' defaults to Azure AD.

In the first login box provided by Azure try typing any address with an '@outlook.com' address - you will be redirected to the Outlook login page (which uses Live IDs). On the Outlook login page enter your 'david@mycompany.co.uk' email and password. I expect you'll login.

I talk about the background (and reason) for this scenario on my blog.

Simon W
  • 320
  • 1
  • 8
  • *"I expect you'll login."*. You nailed it! Funny because I don't even recall signing up to Outlook.com. I've certainly never used it. Anyway, does this mean that *david@mycompany.co.uk* is a LIVE ID, and not an Azure ID? Is there any way to *cleanse* the overlap of accounts? – EvilDr Jan 16 '15 at 09:43
  • As per your interesting blog, *"start investing in converting users to Azure AD."*. How does one even go about starting this process? – EvilDr Jan 16 '15 at 09:45
  • 1
    Setup an Azure AD instance and map the 'mycompany.co.uk' domain to it as the custom domain. Where Microsoft Services support use of Organisational Accounts they will default to use of this directory. Services (such as the consumer Outlook.com) will continue to 'Microsoft Account (Live ID)' logins. Your best bet is to make sure any Live ID accounts are deleted to avoid confusion. – Simon W Jan 16 '15 at 09:56
  • Yes I'm just on with that now. There has been some overlap in the usage of my domains across two different Microsoft tenants, so am just waiting on their service team to help sort it out. Thanks very much – EvilDr Jan 16 '15 at 14:31
  • Sorry for the delay. Microsoft engineers are trying to fix this issue caused by platform "issues". I appreciate that the bounty might get removed but I'll add it again if I can – EvilDr Jan 21 '15 at 11:02
  • typing any address with outlook.com or live.com isnt an acceptable though.. is there maybe a way to force the live login page to come up right away? – krilovich Jan 21 '15 at 16:17
0

There are in fact three options to choose from when creating a user in Azure AD:

  1. New User in your organization (this Azure AD)
  2. User with an existing Microsfot Account (Live ID)
  3. User in another Windows Azure AD directory (not Live)

Are you sure that your david@mycompany.co.uk is in fact a MS Live ID, and not a user in "another Windows Azure AD"?

When specifying "Another Windows Azure AD" option, there is a check to see if the account can be federated against, and a pass/fail is displayed on that page. There could be federation settings that are incorrect in the "other Azure AD".

Below is a cap of me throwing random info into the "Another Windows Azure AD" field, and the resulting lookup failure. Test outside azure ad failure.

I would like to expand on this answer, please let me know if any of this points you in the right direction.

PS: Serverfault community, please feel free to correct me on nomenclature if needed, re: "Live ID", "Azure AD"

blaughw
  • 2,267
  • 1
  • 11
  • 17
  • I thought all the Microsoft ID's were now the same (e.g. Live = Azure)? Anyhow, I can log into most Microsoft sites using *david@mycompany.co.uk*, so surely it must be a valid account? – EvilDr Jan 15 '15 at 10:38
  • So your "david@mycompany.co.uk" is presumably the tenant admin of an Azure tenant? I initially took it to mean that it's an account in another Azure tenant, not necessarily an MS Live ID. – blaughw Jan 15 '15 at 17:23
  • Hi, yes it is. I actually have two Global Admin's for a single Azure company account, of which this is one. – EvilDr Jan 15 '15 at 18:36