Tags: azure-active-directory, appsource

Allow all external users to access via Azure AD authentication


I have configured Azure AD authentication for my JavaScript front-end using the ADAL JS library. I can successfully log in using accounts that belong to the Active Directory.

We want to allow all external users to log in to the application. As long as you have a Microsoft or Live account, you should be granted access. I'm receiving this error:

AADSTS50020: User account 'xxxx@gmail.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Adding the user as a guest would fix this issue, but I don't want that. It has to work automatically. I have configured the application to be multi-tenanted. I think that enabling self-service would be the solution. However, the settings are greyed out for an unknown reason and I don't know how to change them.

I have enabled users to request access and also grant access automatically on the application. Screenshot: Enterprise application - Self-service settings

However, in the directory, self-service is not enabled (the option 'Self-service group management enabled' is set to No) and there is nothing I can do about it. How can I change these settings? Screenshot: Groups - General settings


I tried registering another application at https://apps.dev.microsoft.com as suggested in this thread, Azure AD authentication without app registration, but I still get the same error message for the new clientId.

In this thread, Azure Multi-Tenant Application with Windows Live ID Authentication, the solution seems to be to change the authentication endpoint based on the tenant. This requires first asking the user which tenant they are using and then redirecting to authentication, which seems like a very bad UX.


Solution

  • If your requirement is to accept personal accounts (hotmail.com/outlook.com) in addition to corporate accounts, then you should not be using ADAL. ADAL/ADAL.JS is designed only to accept corporate accounts and uses the so-called Azure AD 'v1' endpoint.

    Here are your options:

    1. AppSource only requires corporate account sign-ins. If you only need AppSource certification, you can keep using adal.js to sign in corporate accounts. Then what you need to do is set your application to be multi-tenant in the Azure Portal so you don't need to add guest accounts. But, again, this option only accepts corporate account sign-ins.

    2. If your requirement is to also accept personal accounts, then you need to use msal.js instead of adal.js, and then register your application in the new portal, https://apps.dev.microsoft.com . This new application is known as a converged application and uses the Azure AD v2 endpoint. To get started, use this guide as a starting point to sign in users using msal.js.
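The answer above recommends moving to msal.js and the v2 endpoint. The practical consequence is that the app then signs in on the `common` authority, which accepts any Azure AD tenant plus personal Microsoft accounts, so the application itself has to decide which issuers and tenants it trusts. The following is an added example, not code from the question or the answer: it builds an msal.js-style config for the three v2 authorities and runs application-level checks over decoded id_token claims. The `clientId`, redirect URI, tenant ids and sample claims are placeholders constructed for the example; the `MSA_TENANT_ID` constant is the well-known tenant id the v2 endpoint reports for personal accounts, and the allow-list policy built around it is this example's own assumption. Signature verification is left to the library; only the claim checks are shown.

```javascript
// Added example, not part of the original Q&A. Plain JavaScript, runs offline.

// Azure AD v2 issuer format: https://login.microsoftonline.com/{tid}/v2.0
const V2_ISSUER_RE = /^https:\/\/login\.microsoftonline\.com\/([0-9a-f-]{36})\/v2\.0$/;

// Tenant id reported by the v2 endpoint for personal Microsoft accounts
// (outlook.com / hotmail.com / live.com). Well-known value; the policy
// decisions around it below are assumptions of this example.
const MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";

// Which sign-ins the v2 endpoint should accept:
//   "common"        work/school accounts from any tenant + personal accounts
//   "organizations" work/school accounts from any tenant only
//   "consumers"     personal accounts only
function authorityFor(audience) {
  const allowed = { common: true, organizations: true, consumers: true };
  if (!allowed[audience]) throw new Error("unknown audience: " + audience);
  return "https://login.microsoftonline.com/" + audience;
}

// Configuration object in the shape msal.js (msal-browser) expects.
// clientId and redirectUri are placeholders for the registered converged app.
function msalConfig(clientId, audience) {
  return {
    auth: {
      clientId: clientId,
      authority: authorityFor(audience),
      redirectUri: "https://localhost:3000/",
    },
    cache: { cacheLocation: "sessionStorage" },
  };
}

// Application-level checks over decoded id_token claims. With the "common"
// authority the issuer varies per tenant, so the issuer must be matched by
// pattern and its tenant segment compared with the tid claim.
// opts: { clientId, now, allowPersonal, allowedTenants }
function validateClaims(claims, opts) {
  const problems = [];
  const now = opts.now !== undefined ? opts.now : Math.floor(Date.now() / 1000);

  const m = V2_ISSUER_RE.exec(claims.iss || "");
  if (!m) problems.push("issuer is not an Azure AD v2 issuer");
  else if (m[1] !== claims.tid) problems.push("issuer tenant does not match tid");

  if (claims.aud !== opts.clientId) problems.push("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) problems.push("token expired");

  const personal = claims.tid === MSA_TENANT_ID;
  if (personal && !opts.allowPersonal) problems.push("personal accounts not allowed");
  if (!personal && opts.allowedTenants && !opts.allowedTenants.includes(claims.tid)) {
    problems.push("tenant not in allow-list");
  }
  return { ok: problems.length === 0, problems: problems };
}

// Constructed sample data (placeholders, not real tenants or apps).
const CLIENT_ID = "00000000-0000-0000-0000-000000000001";
const CONTOSO_TID = "11111111-1111-1111-1111-111111111111";
const OTHER_TID = "22222222-2222-2222-2222-222222222222";
const NOW = 1700000000;

function sampleClaims(tid, overrides) {
  const base = {
    iss: "https://login.microsoftonline.com/" + tid + "/v2.0",
    tid: tid,
    aud: CLIENT_ID,
    exp: NOW + 3600,
  };
  return Object.assign(base, overrides || {});
}

// Runs the checks over the constructed samples and returns the results.
function runSamples() {
  const opts = { clientId: CLIENT_ID, now: NOW, allowPersonal: true };
  const strict = { clientId: CLIENT_ID, now: NOW, allowPersonal: false, allowedTenants: [CONTOSO_TID] };
  return {
    work: validateClaims(sampleClaims(CONTOSO_TID), opts),
    personal: validateClaims(sampleClaims(MSA_TENANT_ID), opts),
    personalStrict: validateClaims(sampleClaims(MSA_TENANT_ID), strict),
    otherTenantStrict: validateClaims(sampleClaims(OTHER_TID), strict),
    // iss says one tenant, tid says another: must be rejected
    issuerMismatch: validateClaims(sampleClaims(CONTOSO_TID, { tid: OTHER_TID }), opts),
    // v1-style issuer (sts.windows.net) is not a v2 issuer
    v1Issuer: validateClaims(sampleClaims(CONTOSO_TID, { iss: "https://sts.windows.net/" + CONTOSO_TID + "/" }), opts),
    expired: validateClaims(sampleClaims(CONTOSO_TID, { exp: NOW - 1 }), opts),
  };
}
```

The `strict` options in `runSamples` show the other direction too: even on the `common` authority an app can refuse personal accounts or restrict itself to a tenant allow-list, which is the check to add if "anyone with a Microsoft account can sign in" turns out to be more than the business actually wants.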