
SSO For Microsoft Office

auth0
sso
microsoft

#1

I am using auth0 to perform SSO for Microsoft Outlook. When I click on the button it gives an error like
https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+‘redirect_uri’+is+not+valid.+The+expected+value+is+‘https://login.live.com/oauth20_desktop.srf’+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.&state=g6Fo2SBhSmMtbWFoY0FpT3ZGcjVrcFZzX3hHNkxvNTVKNlJ4baN0aWTZMmdhRm8yU0JtZDJkdVZIWk1kV1kzZERoTWFtRkNVbXg2WDJWdFFqTjRUV2xETXpseFNno2NpZNkgZW9GMENjNFlyMEp5bm9UYXB6aEVwUUJsaVVXeUVDTkc.

Please help.


#2

Can you provide a URL for the tutorial/document you followed to set this up, and a .HAR file of the full login transaction?
Make sure to remove any password from the .HAR file before submitting.


#3

@nicolas_sabena
Here is the link for the steps that I have followed.

login.live.com.har (87.0 KB)


#4

I am also facing the same issue. I registered my app at apps.dev.microsoft.com and noted down the app id and secret id. Then I created an app in auth0, visited Connections -> Social, enabled Microsoft, provided the app id and secret id, and clicked the Try button, and I am getting the same error. Any help?


#5

This error will show up if you didn’t register the callback URL (as mentioned in https://auth0.com/docs/connections/social/microsoft-account#4-enter-your-callback-url).

In @chetanmore14's case, it should be https://kandarp1993.auth0.com/login/callback.

Can you double-check this?
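The error in post #1 is the identity provider refusing a redirect_uri that is not on the client's registered list. The following Python is an added example, not code from Auth0 or Microsoft, that shows the check an authorization server performs and why it is strict: OAuth 2.0 (RFC 6749, section 3.1.2.3) requires simple string comparison, so a trailing slash, http instead of https, or a different host all fail, and that strictness is what stops authorization codes from being sent to a host the attacker controls. The only real value used is the tenant callback from post #5; the idp.example endpoint, client id, state and shortened error text are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registered-callback list for this client. The Auth0 tenant
# callback is the one named in post #5; nothing else here is real.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://kandarp1993.auth0.com/login/callback",
})


def redirect_uri_is_registered(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Exact, case-sensitive comparison against the registered callbacks.

    RFC 6749 section 3.1.2.3 tells the authorization server to use simple
    string comparison, so a trailing slash, http instead of https, another
    host, or any wildcard never matches.
    """
    return redirect_uri in registered


def check_authorize_request(authorize_url, registered=REGISTERED_REDIRECT_URIS):
    """Pull redirect_uri out of an /authorize request and report whether the
    provider would accept it, with the reason a misconfigured setup fails."""
    params = parse_qs(urlsplit(authorize_url).query)
    redirect_uri = params.get("redirect_uri", [None])[0]
    if redirect_uri is None:
        return {"redirect_uri": None, "accepted": False,
                "reason": "request carries no redirect_uri"}
    if redirect_uri_is_registered(redirect_uri, registered):
        return {"redirect_uri": redirect_uri, "accepted": True,
                "reason": "exact match"}
    return {"redirect_uri": redirect_uri, "accepted": False,
            "reason": "not registered for this client: register it exactly "
                      "(scheme, host, path) at the identity provider"}


def parse_error_redirect(error_url):
    """login.live.com reports failures in the URL fragment (after '#'), as in
    post #1. Decode error, error_description and state into a dict."""
    fragment = urlsplit(error_url).fragment
    return {key: values[0] for key, values in parse_qs(fragment).items()}


# Constructed sample: an authorize request whose callback is registered ...
OK_REQUEST = ("https://idp.example/authorize?client_id=app-id-placeholder"
              "&response_type=code&scope=openid"
              "&redirect_uri=https%3A%2F%2Fkandarp1993.auth0.com%2Flogin%2Fcallback")

# ... and the same request with a trailing slash, which exact matching rejects.
BAD_REQUEST = OK_REQUEST + "%2F"

# Constructed error redirect in the shape of the one quoted in post #1
# (error text and state shortened).
ERROR_REDIRECT = ("https://login.live.com/err.srf?lc=1033#error=invalid_request"
                  "&error_description=The+provided+value+for+the+input+parameter"
                  "+'redirect_uri'+is+not+valid.&state=state-placeholder")

if __name__ == "__main__":
    print(check_authorize_request(OK_REQUEST))
    print(check_authorize_request(BAD_REQUEST))
    print(parse_error_redirect(ERROR_REDIRECT))
```

Run it to see the accepted and rejected requests side by side; the rejected one differs from the registered callback only by a trailing slash, which is the kind of mismatch that produces the login.live.com error above.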


#6

@nicolas_sabena
Thank you for your help. It worked out. Login is working but does not ask for user permission to read their profile. When I try from Connections -> Social and the Try button on Microsoft, it asks for permission. In my code, I have added audience and scope as well. It still does not ask.


#7

You should get asked only once for the whole Auth0 tenant, as Microsoft (or any other social provider) sees your Auth0 tenant (and not individual applications defined in the tenant) as the “client” in the conversation.
The “Try” button includes a special parameter (prompt=consent) that forces the consent prompt on most identity providers (not all), but the experience from individual authentication requests coming from applications will be as described above: consent will happen only once per user in the tenant.


#8

@nicolas_sabena Thank you.


#9

@nicolas_sabena
I have implemented SSO for Office and it works fine with a personal account. But if I try with a company account which has a company domain name, it says account not found. Does it have to do with Office account privileges, or do I have to do anything in the auth0 application?


#10

Hi @kandarprakeshbhai
The Windows Live / Microsoft Account social connection is only good for social (individual) identities (those managed through account.live.com). For company accounts in Azure AD directories you’ll need to configure an Azure AD-type enterprise connection.


#11

@nicolas_sabena

Thanks for your quick response. Is there any link that I can follow to do so?


#12

Sure! https://auth0.com/docs/connections/enterprise/azure-active-directory/v2


#13

@nicolas_sabena
Again thanks for your quick response. I appreciate your help.


#15

@nicolas_sabena

I have set up the app now. When I log in using the regular ID that I used to create the Azure account, it says Authorization Success. But when I use a company ID, it throws an error like

{"error":"access_denied","error_description":"AADSTS50020: User account 'XXX' from identity provider 'https://sts.windows.net/5a6794c3-49ae-4a77-83ab-74c59d6569e4/' does not exist in tenant 'Default Directory' and cannot access the application '62835020-357c-4daf-bd94-3681fa33ed92' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.\r\nTrace ID: 54f4d5f4-86f4-4029-831b-16f2c1005f00\r\nCorrelation ID: 09c2514b-133a-4df9-86fd-0fb68c9f0ba2\r\nTimestamp: 2018-12-10 17:18:04Z"}

I have also set the multiple tenant option to ON.
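The error body in post #15 carries everything needed to triage the failed sign-in: the AADSTS code, the user's home tenant (the GUID in the sts.windows.net issuer), the tenant the app lives in, the application id, and the trace and correlation ids Microsoft support asks for. The parser below is an added example of mine, not Microsoft or Auth0 code; it uses the body exactly as posted (with the quotes straightened so it is valid JSON) and reads the meaning of AADSTS50020 from the message text itself, which says the account comes from a different identity provider and must be added as an external user first.

```python
import json
import re

# Error body as posted in #15 (curly quotes straightened so that it parses as
# JSON; the GUIDs are the ones the post shows, not values of mine).
AAD_ERROR_BODY = r'''{"error":"access_denied","error_description":"AADSTS50020: User account 'XXX' from identity provider 'https://sts.windows.net/5a6794c3-49ae-4a77-83ab-74c59d6569e4/' does not exist in tenant 'Default Directory' and cannot access the application '62835020-357c-4daf-bd94-3681fa33ed92' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.\r\nTrace ID: 54f4d5f4-86f4-4029-831b-16f2c1005f00\r\nCorrelation ID: 09c2514b-133a-4df9-86fd-0fb68c9f0ba2\r\nTimestamp: 2018-12-10 17:18:04Z"}'''

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"


def parse_aad_error(body):
    """Break an Azure AD OAuth error response into fields worth logging."""
    data = json.loads(body)
    description = data.get("error_description", "")
    # The description is one message line followed by "Key: value" lines,
    # separated by CR LF; splitlines() handles both.
    lines = description.splitlines()
    result = {
        "error": data.get("error"),
        "code": None,
        "message": lines[0] if lines else "",
        "home_tenant_id": None,     # tenant that authenticated the user
        "resource_tenant": None,    # tenant the application is registered in
        "application_id": None,
    }
    m = re.match(r"(AADSTS\d+)", description)
    if m:
        result["code"] = m.group(1)
    m = re.search(r"identity provider 'https://sts\.windows\.net/(" + GUID + r")/'",
                  description)
    if m:
        result["home_tenant_id"] = m.group(1)
    m = re.search(r"does not exist in tenant '([^']+)'", description)
    if m:
        result["resource_tenant"] = m.group(1)
    m = re.search(r"application '(" + GUID + r")'", description)
    if m:
        result["application_id"] = m.group(1)
    # Trailing "Trace ID: ...", "Correlation ID: ...", "Timestamp: ..." lines
    # become trace_id, correlation_id, timestamp.
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            result[key.strip().lower().replace(" ", "_")] = value.strip()
    return result


def is_foreign_tenant_user(parsed):
    """AADSTS50020: the user was authenticated by a tenant other than the one
    the application belongs to and is not a member (guest) of that tenant."""
    return parsed.get("code") == "AADSTS50020"


def summarize(parsed):
    """One-line summary suitable for a sign-in failure log."""
    return (f"{parsed['code']}: user from home tenant {parsed['home_tenant_id']} "
            f"is not a member of '{parsed['resource_tenant']}' "
            f"(app {parsed['application_id']}, trace {parsed.get('trace_id')})")


if __name__ == "__main__":
    parsed = parse_aad_error(AAD_ERROR_BODY)
    print(summarize(parsed))
    print("foreign-tenant user:", is_foreign_tenant_user(parsed))
```

The two GUIDs it pulls out are the useful part: the home tenant in the issuer URL is where the company account actually lives, while the application is registered in 'Default Directory', which matches the situation the post describes, a company account signing in to an app registered in a different directory.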