
I have created a user App Registration to enable authentication of both AD users and personal MS accounts with my app. I believe the most relevant settings in the manifest file are:

```json
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"accessTokenAcceptedVersion": 2
```

I am able to use my personal MS account to log in to the application, but only when the account is added as a guest user on the tenant (on which the App Registration is). Is there any way to enable this functionality without adding the personal MS accounts as guest users on the tenant?

The error message that I get when the MS account is not added as a guest user: [screenshot]

ejlouw

1 Answer


It sounds like you are not using the v2 authorization endpoint. You need to use https://login.microsoftonline.com/common/v2.0 as the authority. The new version of MSAL.js (@azure/msal-browser) uses that by default, at least if you don't configure an authority. Using that authority should result in https://login.microsoftonline.com/common/oauth2/v2.0/authorize being used as the login page. The older "common" endpoint supports any Azure AD tenant, but does not support personal accounts unless they are guests in an AAD tenant (like you see in your error).

juunas
  • Hi, I am having the same issue as OP. However, I don't understand how to set up the authority as the one you posted. From this [page](https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-react), it shows that the authority should be `https://login.microsoftonline.com/{your tenant ID}`, but if I use `https://login.microsoftonline.com/common/v2.0/xxxxxx-xxxx...xxxxx` it does not work, I get a "could not resolve endpoints" error. Would you have any idea why? Thanks! – Bernard Meunier Mar 16 '22 at 19:53
  • 1
    You can replace {your tenant ID} with "common" and that should work (`https://login.microsoftonline.com/common`). MSAL.js adds the v2.0 part to the given URL so it does not need to be specified. – juunas Mar 17 '22 at 06:37
  • Thanks! That fixed it. I appreciate the swift reply! – Bernard Meunier Mar 17 '22 at 14:29
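The points made in the answer and the comment thread, as an added example that is not code from the question, the answer, or MSAL.js itself: the authority handed to @azure/msal-browser is host plus a single tenant segment, MSAL appends `/oauth2/v2.0/authorize` itself (so `.../common/v2.0/<tenant>` breaks endpoint discovery), and only `common` (or `consumers`) reaches personal accounts that are not guests of a tenant. It also adds the check a backend needs once `common` is used: any Azure AD tenant can then issue a token for the app, so the issuer must be validated against an allow-list. The `msalConfig` shape (`auth.clientId`, `auth.authority`, `auth.redirectUri`) follows @azure/msal-browser; the client ID, home tenant ID and redirect URI are placeholders, and `sampleMsaClaims` is a constructed token payload. The personal-account tenant ID `9188040d-6c67-4c5b-b112-36a304b66dad` and the `iss = {host}/{tid}/v2.0` issuer layout are the documented v2.0 values.

```javascript
// Added example (not from the question, the answer, or MSAL.js).
const AAD_HOST = "https://login.microsoftonline.com";
// Tenant ID carried in the `tid` claim of v2.0 tokens issued to personal Microsoft accounts.
const MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Return the tenant segment named by an MSAL authority string. Anything other than
// exactly https://login.microsoftonline.com/{tenant} is rejected: appending "v2.0" or a
// second tenant segment (the mistake in the comment thread) makes MSAL's endpoint
// discovery fail, because MSAL builds the /oauth2/v2.0/... paths itself.
function parseAuthority(authority) {
  const url = new URL(authority);
  if (url.origin !== AAD_HOST) {
    throw new Error(`unexpected authority host ${url.origin}`);
  }
  const segments = url.pathname.split("/").filter(Boolean);
  if (segments.length !== 1) {
    throw new Error(`authority must be ${AAD_HOST}/{tenant}; got "${authority}" (MSAL adds v2.0 itself)`);
  }
  return segments[0];
}

// The v2.0 login page MSAL will send the browser to for a given authority.
function authorizeEndpoint(authority) {
  return `${AAD_HOST}/${parseAuthority(authority)}/oauth2/v2.0/authorize`;
}

// Compare the app registration's signInAudience with the client's authority.
// Returns a list of findings; an empty list means the two are consistent.
function auditAuthority({ signInAudience, authority }) {
  let tenant;
  try {
    tenant = parseAuthority(authority);
  } catch (e) {
    return [e.message];
  }
  const findings = [];
  const wantsPersonal = signInAudience === "AzureADandPersonalMicrosoftAccount";
  const tenantSpecific = !["common", "organizations", "consumers"].includes(tenant);
  if (wantsPersonal && tenantSpecific) {
    findings.push(`authority names tenant ${tenant}: personal Microsoft accounts can sign in ` +
      "only if they are guests of that tenant; use /common (or /consumers) instead");
  }
  if (!wantsPersonal && tenant === "consumers") {
    findings.push(`signInAudience ${signInAudience} excludes personal accounts but authority is /consumers`);
  }
  return findings;
}

// With a /common authority, every Azure AD tenant can mint a token for this client ID,
// so the backend must pin the issuer. v2.0 tokens carry iss = {host}/{tid}/v2.0.
function isTrustedIssuer(claims, allowedTenantIds) {
  if (typeof claims.tid !== "string" || !GUID_RE.test(claims.tid)) return false;
  if (claims.iss !== `${AAD_HOST}/${claims.tid}/v2.0`) return false;
  return allowedTenantIds.includes(claims.tid.toLowerCase());
}

// @azure/msal-browser configuration shape; IDs and redirect URI are placeholders.
const HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"; // placeholder home tenant
const msalConfig = {
  auth: {
    clientId: "00000000-0000-0000-0000-000000000000", // placeholder app (client) ID
    authority: `${AAD_HOST}/common`, // not .../common/v2.0 and not the tenant ID
    redirectUri: "http://localhost:3000",
  },
};

// Tenants whose tokens the backend accepts: the home tenant plus the MSA tenant.
const ALLOWED_TENANTS = [HOME_TENANT_ID, MSA_TENANT_ID];

// Constructed sample payload of an ID token issued to a personal Microsoft account.
const sampleMsaClaims = {
  iss: `${AAD_HOST}/${MSA_TENANT_ID}/v2.0`,
  tid: MSA_TENANT_ID,
  aud: msalConfig.auth.clientId,
};

console.log(authorizeEndpoint(msalConfig.auth.authority));
console.log(auditAuthority({
  signInAudience: "AzureADandPersonalMicrosoftAccount",
  authority: `${AAD_HOST}/${HOME_TENANT_ID}`,
}));
console.log(isTrustedIssuer(sampleMsaClaims, ALLOWED_TENANTS));
```

`auditAuthority` flags exactly the two configurations discussed above: a tenant-ID authority with a personal-account audience (guests only), and a malformed multi-segment authority (endpoint discovery fails). `isTrustedIssuer` is the part the thread does not mention but that switching to `common` makes necessary: without the tenant allow-list, a user from any Azure AD tenant can obtain a valid token for the app.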