Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[Bug] Cannot use personal account to login to KeyVault

See original GitHub issue

Which Version of MSAL are you using ?

Microsoft.Identity.Client 4.16.1
Microsoft.Azure.KeyVault 3.0.5

Platform .NET Core 3.1

What authentication flow has the issue?

Desktop / Mobile
- Interactive
- Integrated Windows Auth
- Username Password
- Device code flow (browserless)
Web App
- Authorization code
- OBO
Web API
- OBO

Is this a new or existing app? This is a new app or experiment. Trying to retrieve a key vault certificate via a proof-of-concept console application. User needs to authenticate, access policies are granted to user principals.

Repro

Create app registration
- Select “AzureADandPersonalMicrosoftAccount” as audience
- Set default client type to “Public”
- Add platform “Mobile and desktop applications” with redirect url “http://localhost”
- Add delegated API permission “https://vault.azure.net/user_impersonation” and grand admin consent
Make sure that there is a personal Microsoft account as a guest or member in the tenant.
To this account grant access to a Key Vault (via group or user), and grant certificate list/read permission.
Use minimal code example as below

    public class CertificateRetriever
    {
        private KeyVaultClient _client = new KeyVaultClient(AcquireMSALToken);
        private string _clientId;

        public CertificateRetriever(string clientId)
        {
            _clientId = clientId;
        }

        public async Task<IList<CertificateItem>> GetCertificatesFromKeyVault(string vaultUri)
        {
            var certificates = await _client.GetCertificatesAsync(vaultUri);
            return certificates.ToList();
        }

        private async Task<string> AcquireMSALToken(string authority, string resource, string scope)
        {
            var app = PublicClientApplicationBuilder
                .Create(_clientId)
                .WithDefaultRedirectUri()
                .WithAuthority(AadAuthorityAudience.AzureAdAndPersonalMicrosoftAccount)
                .Build();

            var scopes = new[] { "https://vault.azure.net/.default" };  // Must override scope...?
            var authResult = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
            return authResult.AccessToken;
        }
    }

    class Program
    {
        static async Task Main(string[] args)
        {
            var retriever = new CertificateRetriever("xxxxxxxx-xxxx-xxxx-xxxx-46891353d034");  // App registration
            var certificates = await retriever.GetCertificatesFromKeyVault("https://xxxxxxxxxx.vault.azure.net/");
        }
    }

Expected behavior

User is prompted to login, and can use a personal Microsoft account
Certificates are retrieved successfully

Actual behavior

Unable to select Microsoft account, if the above scope (“https://vault.azure.net/.default”) is specified
The authorization callback is called with an empty string as scope argument. If this empty scope is used, the user can use a personal Microsoft account (and will receive a token), but will then get ‘Unauthorized’ on Key Vault access.

Additional context/ Logs / Screenshots My main question is:

Why is the scope argument empty upon logging on to the key vault?
What determines the restriction for directory accounts only?

Issue Analytics

State:
Created 3 years ago
Comments:13 (8 by maintainers)

Top GitHub Comments

1reaction

bgavrilMScommented, Oct 28, 2020

Yes, @hotmail, @outlook.com, @live.com (and a few more aliases) are “Microsoft” accounts (aka live accounts or MSA accounts or personal accounts). They are all in one big tenant (the MSA tenant).

Work and School accounts are tied to an organization, e.g. joe.blogs@contoso.com is an account in the contoso tenant. Each organization that hosts their directory with AAD gets their own tenant.

In MSAL, you configure the authority as:

only users from your Work and School tenant, then use an authority like https://login.microsotonline.com/<my_tenant_id>
any Work and School tenant (authority https://login.microsoftonline.com/organizations)
only Microsoft personal accounts (i.e. personal accounts) - https://login.microsoftonline.com/consumers
Personal acounts + any Work and School account - https://login.microsoftonline.com/common

In the App registration portal in Azure, you must also configure the audience in a similar way (sorry I don’t remember the exact setting, but I can look if you want).

This wiki page describes the identity providers: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Register-your-application-with-Azure-Active-Directory

This wiki page offers a few details about audience: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Client-Applications#application-audience

0reactions

Crossbow78commented, Oct 28, 2020

The relevance of the app registration’s sign-in audience setting of AzureADandPersonalMicrosoftAccount and the authority ‘override’ to AzureAdMyOrg remains a mystery to me… and why the error message mentions I cannot use a personal account even when both settings are explicitly set to ‘AzureADandPersonalMicrosoftAccount’. Then again, the whole notion of ‘personal’ vs ‘work/school’ accounts is a small disaster in my mind 😉

Is this the correct summary: My “anything@hotmail.com” counts as a personal Microsoft account. But as soon as I invite that as a guest account into my Azure AD, it counts as a “organization” account, which is the only supported type for authorization to a key vault (since you’d need to be able to define the access policies)?