40

I'm getting this error after I sign into my Azure website:

AADSTS50194: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

DharmaTurtle
  • 1
    you might want to elaborate on the kind of application / flow you were using – Jean-Marc Prieur Nov 28 '18 at 18:56
  • 1
    you should accept Coruscate5's answer. You should never use multitenant AAD registration app if you do not need to. – zolty13 Apr 16 '20 at 14:53
  • 1
    @zolty13 good point. – DharmaTurtle Apr 16 '20 at 21:36
  • @zolty13, I don't know how you came to this conclusion with such little information. There is nothing wrong with multi-tenant applications if you expect users to get sign-in from different tenants. A public app is a good example. – sy-huss May 29 '20 at 10:54
  • @sy-huss DharmaTurtle has not written about Multitenant AAD, so for me it is obvious that he does not need a multitenant app. Enabling multitenant causes side effects. Changing the endpoint is enough to solve the problem. Probably Dharma used the wrong endpoint, which was proposed in some kind of tutorial or article. I have made the same mistake – zolty13 May 29 '20 at 11:41
  • @zolty13, I am curious what side effects this has caused based on your experience? – sy-huss May 29 '20 at 11:47
  • You enable users from different AADs in your app. If you do not need that, you should not enable this option – zolty13 May 29 '20 at 11:57

4 Answers

44

If you are an Azure administrator getting this message, it may be for the exact reason that is listed in the error message - you cannot use the common API endpoint for MSFT logins to tenant-specific applications.

In my case, I was configuring an app registration with sample code - the sample code needed to be modified with a new endpoint. I.e., the following line:

let kAuthority = "https://login.microsoftonline.com/common"

needed to be changed to:

let kAuthority = "https://login.microsoftonline.com/MY_TENANT_NAME"

The tenant name for your Azure organization can be obtained by typing "Tenant Status" into the Azure search bar.


Xamarin: The above note worked for MSAL iOS - for Xamarin MSAL Android/iOS, there was no direct way to set the authority in the main call. It needs to be chained to the interactive login call.

E.g., the sample code here:

authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
                      .WithParentActivityOrWindow(App.ParentWindow)
                      .ExecuteAsync();

Needs to be changed to this:

authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
                      .WithAuthority("https://login.microsoftonline.com/YOUR_TENANT_NAME")
                      .WithParentActivityOrWindow(App.ParentWindow)
                      .ExecuteAsync();
Coruscate5
  • I was using the `react-aad-msal` package in my react app, and this was exactly my issue. Their sample code references the common authority. I needed to check my authority in the Azure Portal and replace the common one. – Mike Cole Jan 27 '20 at 20:17
  • 5
    Just now (February 2021) this answer helped me, as long as I replace "YOUR_TENANT_NAME" with what the Azure console currently labels "Tenant ID". In other words, "Tenant Name" is a particular string, and "Tenant ID" is a different string, and the one to put in the authority URI (in my case) was "Tenant ID". It looks like: `xxedxxxx-xxxd-xxxx-xxxx-07bdxbxxxc4x` – pestophagous Feb 05 '21 at 19:25
  • @pestophagous - it appears both will work. I can swap the Tenant Name and the Tenant ID as the authority, and the behavior appears to be the same. May depend on your Azure setup – Coruscate5 May 04 '21 at 17:34
19

It turns out that my account was not actually on Azure AD, so I needed to check "Accounts in any organizational directory" under "Supported account types" on portal.azure.com

Specifically: portal.azure.com > Azure Active Directory > App registrations (preview) > Your App > Authentication > Supported account types > Accounts in any organizational directory

DharmaTurtle
  • @Frank hard to say without more details, but I think you might be asking the wrong question. My answer here doesn't directly relate to OAuth, so I'm not sure where to find a consumer key/secret. – DharmaTurtle Aug 30 '19 at 16:19
  • Thanks for your response. Finally, I figured it out. The consumer key is called "Application (client) Id" under app registration (click the registered app to see app overview). The consumer password is the secret set under certificates & secrets – Frank Aug 30 '19 at 19:51
6

Enable multi-tenant using the option below in Azure.

portal.azure.com -> Azure Active Directory -> App registrations -> Select Your App -> Authentication -> Supported account types -> Accounts in any organizational directory (Any Azure AD directory - Multitenant)

This should be enabled when you want to allow public users.

If you want to authorize users at the organization level (private users), use the option below.

let authUrl = "https://login.microsoftonline.com/common"

Change it like below:

let authUrl = "https://login.microsoftonline.com/MY_TENANT_NAME"
Sathia
  • 4
    But then anybody with an organizational account might use this app. This is not the best option if you plan to deploy your app only for your company's users. – Kiril Dec 28 '20 at 15:24
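
The choice discussed in the answers and comments above (a tenant-specific authority versus enabling multi-tenant) can be checked in code. The following is an added example, not part of any answer on this page: it flags shared authorities such as `/common` and, for a multi-tenant registration, rejects tokens whose `tid`/`iss` claims fall outside an allow-list. The function names and tenant IDs are constructed for illustration, and the claims are assumed to come from a token whose signature has already been verified.

```javascript
// Added example; tenant IDs are constructed sample values.
const SHARED = new Set(["common", "organizations", "consumers"]);
const GUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Classify the first path segment of an authority URL:
// "shared" (/common etc.), "tenant-id" (GUID) or "tenant-domain".
function classifyAuthority(authority) {
  const url = new URL(authority);
  if (url.protocol !== "https:" || url.hostname !== "login.microsoftonline.com") {
    throw new Error("unexpected authority host: " + url.host);
  }
  const segment = (url.pathname.split("/").filter(Boolean)[0] || "").toLowerCase();
  if (!segment) throw new Error("authority has no tenant segment");
  if (SHARED.has(segment)) return { kind: "shared", tenant: segment };
  return { kind: GUID.test(segment) ? "tenant-id" : "tenant-domain", tenant: segment };
}

// Check claims from a token whose signature is ALREADY verified (assumption):
// tid must be on the allow-list and iss must name the same tenant.
function checkTenant(claims, allowedTenantIds) {
  const tid = String(claims.tid || "").toLowerCase();
  if (!GUID.test(tid)) return { ok: false, reason: "missing or malformed tid" };
  const allowed = allowedTenantIds.map((t) => t.toLowerCase());
  if (!allowed.includes(tid)) return { ok: false, reason: "tenant not allowed" };
  const issuers = [
    `https://login.microsoftonline.com/${tid}/v2.0`, // v2.0 tokens
    `https://sts.windows.net/${tid}/`,               // v1.0 tokens
  ];
  if (!issuers.includes(String(claims.iss || "").toLowerCase())) {
    return { ok: false, reason: "issuer does not match tid" };
  }
  return { ok: true, reason: "tenant allowed" };
}

// Constructed sample data.
const HOME = "11111111-2222-3333-4444-555555555555";
const OTHER = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";
console.log(classifyAuthority("https://login.microsoftonline.com/common"));
console.log(classifyAuthority(`https://login.microsoftonline.com/${HOME}`));
console.log(checkTenant({ tid: OTHER, iss: `https://login.microsoftonline.com/${OTHER}/v2.0` }, [HOME]));
```

A single-tenant app should never see the `shared` result in its configuration; a multi-tenant app should run the `tid` check on every token it accepts.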
1

Further to @Coruscate5's post, which has helped me, you can set WithAuthority for iOS as follows.

var builder = PublicClientApplicationBuilder.Create(OAuthSettings.ApplicationId)
                      .WithAuthority("https://login.microsoftonline.com/YOUR_TENANT_NAME");

This is important if you were following the Build Xamarin apps with Microsoft Graph guide and you aren't authenticating to a multi-tenant application.

This is how you get your tenant name:

https://docs.microsoft.com/en-us/onedrive/find-your-office-365-tenant-id
Jeremy Caney
chirond