"Use a tenant-specific endpoint or configure the application to be multi-tenant" when signing into my Azure website
I'm getting this error after I sign into my Azure website:
AADSTS50194: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
If you are an Azure administrator getting this message, it may be for the the exact reason that is listed in the error message - you can not use the common
API endpoint to MSFT logins to tenant-specific applications.
In my case, I was configuring an app registration with sample code - the sample code needed to be modified with a new endpoint. I.e the following line:
let kAuthority = "https://login.microsoftonline.com/common"
needed to be changed to:
let kAuthority = "https://login.microsoftonline.com/MY_TENANT_NAME"
The tenant name for your Azure organization can be obtained by typing "Tenant Status" into the Azure search bar.
Xamarin: The above note worked for MSAL iOS - for Xamarin MSAL Android/iOS, there was no direct way to set the authority in the main call. It needs to be chained to the interactive login call.
E.g., the sample code here:
authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
.WithParentActivityOrWindow(App.ParentWindow)
.ExecuteAsync();
Needs to be changed to this:
authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
.WithAuthority("https://login.microsoftonline.com/YOUR_TENANT_NAME")
.WithParentActivityOrWindow(App.ParentWindow)
.ExecuteAsync();
It turns out that my account was not actually on Azure AD, so I needed to check "Accounts in any organizational directory" under "Supported account types" on portal.azure.com
Specifically: portal.azure.com > Azure Active Directory > App registrations (preview) > Your App > Authentication > Supported account types > Accounts in any organizational directory
Enable multi-tenant using the below option in azure.
portal.azure.com -> Azure Active Directory -> App registrations -> Select Your App -> Authentication -> Supported account types -> Accounts in any organizational directory (Any Azure AD directory - Multitenant)
this should be enabled when you want to allow public users.
If you are want to authorize the user into organization level(Private Users). Use the below option.
let authUrl = "https://login.microsoftonline.com/common"
change like below:
let authUrl= "https://login.microsoftonline.com/MY_TENANT_NAME"
For some reason YOUR_TENANT_NAME
did not seem to work for me. It has worked for others hence you should still try it.
Instead of the above solutions the following worked for me:
authority: "https://login.microsoftonline.com/Your_Tenant_ID"
You can find Your_Tenant_ID
by typing Tenant Properties in the Azure search bar.