
SSO For Microsoft Office

auth0
sso
microsoft
#1

I am using Auth0 to perform SSO for Microsoft Outlook. When I click on the button it gives an error like
https://login.live.com/err.srf?lc=1033#error=invalid_request&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid.+The+expected+value+is+'https://login.live.com/oauth20_desktop.srf'+or+a+URL+which+matches+the+redirect+URI+registered+for+this+client+application.&state=g6Fo2SBhSmMtbWFoY0FpT3ZGcjVrcFZzX3hHNkxvNTVKNlJ4baN0aWTZMmdhRm8yU0JtZDJkdVZIWk1kV1kzZERoTWFtRkNVbXg2WDJWdFFqTjRUV2xETXpseFNno2NpZNkgZW9GMENjNFlyMEp5bm9UYXB6aEVwUUJsaVVXeUVDTkc.

Please help.

#2

Can you provide a URL for the tutorial/document you followed to set this up, and a .HAR file of the full login transaction?
Make sure to remove any password from the .HAR file before submitting.

#3

@nicolas_sabena
Here is the link for the steps that I have followed.

login.live.com.har (87.0 KB)

#4

I am also facing the same issue. I registered my app at apps.dev.microsoft.com and noted down the app ID and secret. Then I created an app in Auth0, went to Connections -> Social, enabled Microsoft, provided the app ID and secret, clicked the Try button, and got the same error. Any help?

#5

This error will show up if you didn’t register the callback URL (as mentioned in https://auth0.com/docs/connections/social/microsoft-account#4-enter-your-callback-url).

In @chetanmore14 case, it should be https://kandarp1993.auth0.com/login/callback.

Can you double-check this?

#6

@nicolas_sabena
Thank you for your help. It worked out. Login is working, but it does not ask for the user's permission to read their profile. When I try from Connections -> Social with the Try button on Microsoft, it asks for permission. In my code I have added the audience and scope as well. It still does not ask.

#7

You should get asked only once for the whole Auth0 tenant, as Microsoft (or any other social provider) sees your Auth0 tenant (and not individual applications defined in the tenant) as the “client” in the conversation.
The “Try” button includes a special parameter (prompt=consent) that forces the consent prompt on most identity providers (not all), but the experience from individual authentication requests coming from applications will be as described above: consent will happen only once per user in the tenant.

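Two points from posts #5 and #7 are worth seeing as code: Microsoft rejected the request in #1 because the authorization server compares `redirect_uri` against the registered value exactly, and the Try button adds `prompt=consent` to force the consent screen. The following is an added example, not code from the thread or from Auth0 or Microsoft. The callback URL is the one named in post #5; the client id, the `login.live.com` authorize endpoint used here, the sample state value and the sample error redirect are constructed assumptions for illustration.

```python
"""Added example: strict redirect_uri matching and an authorize request that
optionally forces consent, as discussed in posts #5 and #7 of this thread."""
from urllib.parse import urlencode, urlsplit, parse_qs

# The callback registered for the tenant in post #5. The endpoint is assumed.
REGISTERED_REDIRECT_URIS = {"https://kandarp1993.auth0.com/login/callback"}
AUTHORIZE_ENDPOINT = "https://login.live.com/oauth20_authorize.srf"


def redirect_uri_is_registered(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match check, the way an authorization server should do it.

    Scheme and host are case-insensitive (RFC 3986), so they are lowercased
    before comparing; path and query are compared byte for byte. There is no
    prefix, wildcard or substring matching, so a trailing slash, an extra query
    parameter, a different scheme or a look-alike host are all rejected.
    """
    c = urlsplit(candidate)
    if c.scheme.lower() != "https" or c.fragment:
        return False
    for reg in registered:
        r = urlsplit(reg)
        if (c.netloc.lower(), c.path, c.query) == (r.netloc.lower(), r.path, r.query):
            return True
    return False


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        scope: str = "openid profile email",
                        force_consent: bool = False) -> str:
    """Build the authorize request. prompt=consent is what the Try button adds;
    ordinary requests omit it, so consent is shown once per user and tenant."""
    if not redirect_uri_is_registered(redirect_uri):
        raise ValueError(f"redirect_uri is not registered for this client: {redirect_uri}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_error_redirect(url: str, expected_state: str) -> dict:
    """Parse the fragment of an error redirect like the one in post #1.

    The state is checked before anything else is trusted: a response whose
    state does not match the pending login attempt is not ours to act on.
    """
    fragment = urlsplit(url).fragment
    fields = {k: v[0] for k, v in parse_qs(fragment, keep_blank_values=True).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    return fields


# Constructed sample error redirect, modelled on the URL quoted in post #1.
SAMPLE_STATE = "abc123"
SAMPLE_ERROR_REDIRECT = (
    "https://login.live.com/err.srf?lc=1033#error=invalid_request"
    "&error_description=The+provided+value+for+the+input+parameter+'redirect_uri'+is+not+valid."
    "&state=" + SAMPLE_STATE
)

if __name__ == "__main__":
    print(build_authorize_url("assumed-client-id",
                              "https://kandarp1993.auth0.com/login/callback",
                              SAMPLE_STATE, force_consent=True))
    print(parse_error_redirect(SAMPLE_ERROR_REDIRECT, SAMPLE_STATE)["error"])
```

In the real flow Auth0 sends the authorize request and receives the redirect on the tenant's `/login/callback`; the functions above only make visible why an unregistered or slightly different callback fails and where the consent prompt comes from.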
#8

@nicolas_sabena Thank you.

#9

@nicolas_sabena
I have implemented SSO for Office and it works fine with a personal account. But if I try with a company account that has a company domain name, it says the account was not found. Does this have to do with Office account privileges,
or do I have to do anything in the Auth0 application?

#10

Hi @kandarprakeshbhai
The Windows Live / Microsoft Account social connection is only good for social (individual) identities (those managed through account.live.com). For company accounts in Azure AD directories you’ll need to configure an Azure AD-type enterprise connection.

#11

@nicolas_sabena

Thanks for your quick response. Is there any link that I can follow to do so?

#12

Sure! https://auth0.com/docs/connections/enterprise/azure-active-directory/v2

#13

@nicolas_sabena
Again thanks for your quick response. I appreciate your help.

#15

@nicolas_sabena

I have set up the app now. When I log in using the regular ID that I used to create the Azure account, it says Authorization Success. But when I use the company ID, it throws an error like

{"error":"access_denied","error_description":"AADSTS50020: User account 'XXX' from identity provider 'https://sts.windows.net/5a6794c3-49ae-4a77-83ab-74c59d6569e4/' does not exist in tenant 'Default Directory' and cannot access the application '62835020-357c-4daf-bd94-3681fa33ed92' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.\r\nTrace ID: 54f4d5f4-86f4-4029-831b-16f2c1005f00\r\nCorrelation ID: 09c2514b-133a-4df9-86fd-0fb68c9f0ba2\r\nTimestamp: 2018-12-10 17:18:04Z"}

I have also turned the multi-tenant option ON.

#16

How is the Azure AD connection configured? What is the domain used? Is it using the “common endpoint” or not?
Are you trying to log in using the same domain as the one defined for the connection, or using a different domain?

Did you enable multi-tenancy on the Azure AD site? Is your intention to allow users from outside directories to log in through this connection?

#17

@nicolas_sabena
I have resolved the issue but have another doubt. After logging in successfully using a work email ID, I want to fetch contacts. I have an endpoint URL to do so but need an access token. So how can I get that token?