"Use a tenant-specific endpoint or configure the application to be multi-tenant" when signing into my Azure website
If you are an Azure administrator getting this message, it may be for the the exact reason that is listed in the error message - you can not use the common
API endpoint to MSFT logins to tenant-specific applications.
In my case, I was configuring an app registration with sample code - the sample code needed to be modified with a new endpoint. I.e the following line:
let kAuthority = "https://login.microsoftonline.com/common"
needed to be changed to:
let kAuthority = "https://login.microsoftonline.com/MY_TENANT_NAME"
The tenant name for your Azure organization can be obtained by typing "Tenant Status" into the Azure search bar.
Xamarin: The above note worked for MSAL iOS - for Xamarin MSAL Android/iOS, there was no direct way to set the authority in the main call. It needs to be chained to the interactive login call.
E.g., the sample code here:
authResult = await App.PCA.AcquireTokenInteractive(App.Scopes) .WithParentActivityOrWindow(App.ParentWindow) .ExecuteAsync();
Needs to be changed to this:
authResult = await App.PCA.AcquireTokenInteractive(App.Scopes) .WithAuthority("https://login.microsoftonline.com/YOUR_TENANT_NAME") .WithParentActivityOrWindow(App.ParentWindow) .ExecuteAsync();
It turns out that my account was not actually on Azure AD, so I needed to check "Accounts in any organizational directory" under "Supported account types" on portal.azure.com
Specifically: portal.azure.com > Azure Active Directory > App registrations (preview) > Your App > Authentication > Supported account types > Accounts in any organizational directory
Enable multi-tenant using the below option in azure.
portal.azure.com -> Azure Active Directory -> App registrations -> Select Your App -> Authentication -> Supported account types -> Accounts in any organizational directory (Any Azure AD directory - Multitenant)
this should be enabled when you want to allow public users.
If you are want to authorize the user into organization level(Private Users). Use the below option.
let authUrl = "https://login.microsoftonline.com/common"
change like below:
let authUrl= "https://login.microsoftonline.com/MY_TENANT_NAME"