Unauthorized error when following "Desktop app calls Web API" instructions

[dpaulino]

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Follow the instructions completely. Then change the tenant to common in both App.config and appsettings.json. Then, sign in with personal microsoft account

Any log messages given by the failure

"An error occurred while getting /api/todolist > Unauthorized"

Expected/desired behavior

No errors.

OS and Version?

Windows 10 19042

Versions

Mention any other details that might be useful

I understand that the instructions say "this sample does not work with personal microsoft accounts". What do I have to do in order to protect an API using personal microsoft accounts? This sample is everything that I need, except that I just need to accept personal MSAs from users. Please help!

---

Thanks! We'll be in touch soon.

[jmprieur]

@dpaulino it will work provided you change the audience of your web API to be Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)

• which chapter did you try ?
• did you see chapter 3: 3.-Web-api-call-Microsoft-graph-for-personal-accounts

[dpaulino]

@dpaulino it will work provided you change the audience of your web API to be Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)

• which chapter did you try ?

• did you see chapter 3: 3.-Web-api-call-Microsoft-graph-for-personal-accounts

I used chapter 1 instructions.

That's already the audience of the web API. In fact, the instruction already specifies that audience. But it doesn't work. I'm getting unauthorized error.

Is the issue related to my tenant? I'm using my default tenant. Should I create a new tenant?

And I haven't seen chapter 3 yet. I can try it.

[dpaulino]

For clarity, here is where the instruction says what audience to use: https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API#register-the-service-app-todolistservice-active-directory-dotnet-native-aspnetcore-v2. So how come I'm getting an unauthorized error when I use my personal microsoft account?

[jmprieur]

@dpaulino
Could you please debug the web API by using the TodoListService launch profile, which is kestrel, not IIS, and look at the logs that appear in the console.
you should be able to see an error and we'd understand what happens.

I'm assuming that the token is not validated (and that you don't enter into the controller Get method:

You might also want to add PII logging, for instance in the contructor of the Startup.cs, add:

IdentityModelEventSource.ShowPII = true;

[dpaulino]

I figured out the issue. By sheer luck, I discovered that Azure AD's free-tier has a Single Sign-On limitation. You can only have 10 app registrations for SSO to work. I had 11. I reduced this down to 8, and then this sample code magically started working.

I'm extremely frustrated by this whole experience. The error messages I'm getting from Microsoft Identity made no mention of the SSO limitation. I'm just thankful that in my desperation, I was browsing through AAD's settings pages to see if I missed a setting somewhere.

Perhaps you may want to add a warning like this in your docs: "Be aware that Azure AD has a limit of 10 app registrations when it comes to SSO authentication. This sample code will ask you to create 2 new app registrations, so please make sure you are not over the 10-app limit after creating them." Or something like that.

So this issue is resolved, but I recommend adding the warning. Feel free to close this ticket as you see fit.

[jmprieur]

Thanks for the update @dpaulino
I didn't know either. I wonder if this is recent.

@jennyf19 @henrik-me : let's try to improve the error message if we can at the level of Microsoft.Identity.Web (and possibly MSAL (@jennyf19 @henrik-me @bgavrilMS @trwalke @pmaytak)

cc: @lnalepa @SaeedAkhter-MSFT for the feedback ...

[bgavrilMS]

Not sure what fails here, but we need bug in either MSAL or Id.Web to improve the experience.