
I'm developing a C# .NET 6.0 desktop application which should be able to authenticate both personal (e.g. outlook.com) and work or school accounts using the device code flow in MSAL.NET.

In the Microsoft Azure Portal I have registered the application and configured the supported account types as "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". In the advanced settings in the "Authentication" page I have also enabled the "Allow public client flows" option.

According to the release notes, version 4.5.0 of MSAL.NET supports both account types in the device code flow.

I have been following this GitHub example while implementing the device code flow in my application. In the README.md of this example it is explicitly stated that "This sample will not work with a Microsoft account (formerly Windows Live account)." I'm assuming this refers to the outlook.com accounts among others.

The authentication indeed does not work for an outlook.com account. After entering the code into the microsoft.com/devicelogin login page and providing the outlook.com account and password, the process stops with this error message:

The code you entered has expired. Get a new code from the device you're trying to sign in to and try again.

Using an account that belongs to the same Azure AD tenant in which the application is registered works without issues.

What are the requirements for enabling authentication for both account types in the device code flow?

According to the constraints listed in the device code flow documentation, the authority needs to be tenanted. I tried to modify the instantiation of the IPublicClientApplication (which I copied from the aforementioned example on GitHub) like so:

using Microsoft.Identity.Client;

// Build the public client with a tenanted authority (Directory (tenant) ID) instead of /common
PublicClientApplication = PublicClientApplicationBuilder
    .Create("<Application (client) ID>")
    .WithAuthority(@"https://login.microsoftonline.com/<Directory (tenant) ID>")
    .WithDefaultRedirectUri()
    .Build();

This resulted in a different error message in the login screen:

[Screenshot: error message shown on the login screen]

However, adding the users to the tenant as external users is not an acceptable way of resolving this issue. I need to be able to authenticate any account type without adding them to the tenant.

According to this message on GitHub, the endpoint in this case should be https://login.microsoftonline.com/{authority}/oauth2/v2.0/devicecode. I tried to reconfigure the JSON file (also copied from the aforementioned example on GitHub) like so:

{
  "Authentication": {
    // Azure Cloud instance among:
    // - AzurePublic (see https://aka.ms/aaddevv2). This is the default value
    // - AzureUsGovernment (see https://docs.microsoft.com/azure/azure-government/documentation-government-developer-guide)
    // - AzureChina (see https://docs.microsoft.com/azure/china/china-get-started-developer-guide)
    // - AzureGermany (See https://docs.microsoft.com/azure/germany/germany-developer-guide)
    "AzureCloudInstance": "AzurePublic",

    // Azure AD Audience among:
    // - AzureAdMyOrg (single tenant: you need to also provide the TenantId)
    // - AzureAdMultipleOrgs (multi-tenant): Any work and school accounts
    // - AzureAdAndPersonalMicrosoftAccount (any work and school account or Microsoft personal account)
    // - PersonalMicrosoftAccount (Microsoft personal account only)
    // "AadAuthorityAudience": "AzureAdMultipleOrgs",
    "Tenant": "common",

    // ClientId (ApplicationId) as copied from the application registration (which depends on the cloud instance)
    // See docs referenced in the AzureCloudInstance section above
    "ClientId": "<Application (client) ID>"
  },

  // Web API. Here Microsoft Graph. The endpoint is different depending on the cloud instance
  // (See docs referenced in the "AzureCloudInstance" section above.)
  "WebAPI": {
    "MicrosoftGraphBaseEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
  }
}

This didn't have any impact and resulted in the same error message about the code having expired.

rikyuz
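For reference, a complete device code sign-in wired to the AzureAdAndPersonalMicrosoftAccount audience that the config comments above describe, given here as an added example rather than the asker's code or a confirmed fix for the expired-code error. It assumes the Microsoft.Identity.Client NuGet package, a placeholder client ID and the User.Read scope.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class DeviceCodeSignIn
{
    // Placeholder: substitute the Application (client) ID from the app registration.
    private const string ClientId = "<Application (client) ID>";
    // Assumed scope for the example; any scope the registration allows works the same way.
    private static readonly string[] Scopes = { "User.Read" };

    public static IPublicClientApplication BuildApp() =>
        PublicClientApplicationBuilder
            .Create(ClientId)
            // Audience instead of a hard-coded tenant: work/school and personal accounts.
            .WithAuthority(AzureCloudInstance.AzurePublic,
                           AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount)
            .WithDefaultRedirectUri()
            .Build();

    public static async Task<AuthenticationResult> SignInAsync(IPublicClientApplication app)
    {
        // Use the token cache first so the user is not prompted on every run.
        var cached = (await app.GetAccountsAsync()).FirstOrDefault();
        if (cached != null)
        {
            try { return await app.AcquireTokenSilent(Scopes, cached).ExecuteAsync(); }
            catch (MsalUiRequiredException) { /* fall through to the device code prompt */ }
        }

        // The callback shows the verification URL and user code; MSAL then polls the
        // token endpoint until the user finishes signing in or the code expires.
        return await app.AcquireTokenWithDeviceCode(Scopes, deviceCode =>
        {
            Console.WriteLine(deviceCode.Message);
            Console.WriteLine($"Code expires at {deviceCode.ExpiresOn:u}");
            return Task.CompletedTask;
        }).ExecuteAsync();
    }

    public static async Task Main()
    {
        try
        {
            var result = await SignInAsync(BuildApp());
            // TenantId tells a work/school sign-in apart from a personal-account sign-in.
            Console.WriteLine($"Signed in as {result.Account.Username} (tenant {result.TenantId})");
        }
        catch (MsalServiceException ex)
        {
            // Service-side failures (including an expired device code) surface here with an error code.
            Console.WriteLine($"Sign-in failed: {ex.ErrorCode}: {ex.Message}");
        }
    }
}
```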

0 Answers