
Enable Microsoft Entra External for External Users

Open dmpai-per opened this issue 1 year ago • 15 comments

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [x] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

- replace `AzureADMyOrg` by `AzureADandPersonalMicrosoftAccount`
- remove `spa=SpaApplication(redirect_uris=["http://localhost:50505/redirect", "http://localhost:5173/redirect"]),`
- remove `SpaApplication`
- replace `f"https://login.microsoftonline.com/{tenant_id}/v2.0",` with `f" https://eragchat.ciamlogin.com/{tenant_id}/v2.0",`

Any log messages given by the failure

{"code":401,"message":"An error of type 'invalid_request' occurred during the login process: 'AADSTS500207: The account type can't be used for the resource you're trying to access. Trace ID: af9da659-e507-43a0-af23-0544bd400100 Correlation ID: c3a25b39-06da-42a7-8bb0-ee6dbbeef25f Timestamp: 2024-09-07 23:01:16Z'"}

Expected/desired behavior

User should be able to sign in after signing up.

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?) - all OS

azd version?

run azd version and copy paste here. azd version 1.10.1 (commit 31409a33266fb4a5fdbb644bc83988e725d6c7c9)

Versions

latest

Mention any other details that might be useful

The current code is built for internal users. I did the following two scenarios to enable external users: Scenario 01) I did not enable authentication (I used `azd env set AZURE_USE_AUTHENTICATION false`) and configured the authentication manually using the guide in this link: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service?tabs=external-configuration#tabpanel_1_external-configuration. The result: the user was able to sign up and sign in, but there was no logout button, and other features related to authentication did not work at all, for example user document upload.

Scenario 02) I changed the code as per the steps mentioned above under "Minimal steps to reproduce". The result: the user is able to sign up but not able to sign in, getting the above error.


Thanks! We'll be in touch soon.

dmpai-per avatar Sep 08 '24 11:09 dmpai-per

cc @zedhaque Could you possibly share the steps you used to enable External ID?

pamelafox avatar Sep 09 '24 19:09 pamelafox

@pamelafox - sure, I will put together an External ID how-to document and submit a PR. Maybe the manual steps can be automated later.

zedhaque avatar Sep 09 '24 20:09 zedhaque

@zedhaque @pamelafox thanks for that, I managed to get this done manually using this guide

https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service?tabs=external-configuration#tabpanel_1_external-configuration

but it did not allow me to enable other features that rely on the authentication like user document upload and document level access control.

Is there an ETA for this to be available, with the other dependent features enabled as well?

dmpai-per avatar Sep 10 '24 12:09 dmpai-per

@dmpai-per and @pamelafox

Here is the current draft of the document. I plan to add screenshots for better clarity. It would be great if you could review it, test the steps, and provide any feedback or report any issues you encounter.

https://github.com/zedhaque/azure-search-openai-demo/blob/entra-external-id/docs/entra_external_id.md

zedhaque avatar Sep 10 '24 21:09 zedhaque

Shouldn't "Required Steps" 4.) be "Since the authentication tenant ID is different from your current logged-in tenant ID, run azd auth login --tenant-id <YOUR-TENANT-ID> to log in with your Entra ~~External~~ Tenant ID."

as the app is not running on External; just the auth tenant is external.

If this "External" were another Entra which already has user identities and security groups for them (which are used by this demo's ACL mapping), how would the setup need to be adapted? The application tenant in my case is a guest on the other tenant, which means identities can be authenticated but security groups are only present in the External (parent) tenant Entra, and therefore the parent has to be used for authorization and authentication (folders and single docs per user mapping based on the Entra security groups). I tried that, but never got it working.

cforce avatar Sep 11 '24 05:09 cforce

@zedhaque @pamelafox

App Service Settings Log in to the Azure portal and navigate to your App Service instance. On the "Edit Identity Provider" page, update the issuer URL from https://login.microsoftonline.com/c4a0744a-92d7-43ae-850e-07db4eb5c33a/v2.0 to https://xxxxx.ciamlogin.com/c4a0744a-92d7-43ae-850e-07db4eb5c33a/v2.0. Leave the tenant ID c4a0744a-92d7-43ae-850e-07db4eb5c33a unchanged,

what is this tenant ID? "c4a0744a-92d7-43ae-850e-07db4eb5c33a". I believe this needs to be replaced by the External Tenant ID. Could you please confirm?

After:

```python
self.authority = f"https://xxxxx.ciamlogin.com"
self.valid_issuers = [
    f"https://sts.windows.net/{tenant_id}/",
    f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0",
]
```

Is it `{tenant_id}.ciamlogin.com` or `{xxxxx}.ciamlogin.com`, where xxxxx is the first part of your External Entra ID tenant's primary domain (e.g., your-tenant-name from your-tenant-name.onmicrosoft.com)?

dmpai-per avatar Sep 11 '24 07:09 dmpai-per

App Service Settings Log in to the Azure portal and navigate to your App Service instance. On the "Edit Identity Provider" page, update the issuer URL from https://login.microsoftonline.com/c4a0744a-92d7-43ae-850e-07db4eb5c33a/v2.0 to https://xxxxx.ciamlogin.com/c4a0744a-92d7-43ae-850e-07db4eb5c33a/v2.0. Leave the tenant ID c4a0744a-92d7-43ae-850e-07db4eb5c33a unchanged,

what is this tenant ID? "c4a0744a-92d7-43ae-850e-07db4eb5c33a". I believe this needs to be replaced by the External Tenant ID. Could you please confirm?

Thanks! When you run the first azd up in step 5, you will get the correct tenant ID. What I meant to say is that you don’t need to change the one already in the App Service, as it’s correct. But good catch—I'll update the info.

After:

```python
self.authority = f"https://xxxxx.ciamlogin.com"
self.valid_issuers = [
    f"https://sts.windows.net/{tenant_id}/",
    f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0",
]
```

Is it `{tenant_id}.ciamlogin.com` or `{xxxxx}.ciamlogin.com`, where xxxxx is the first part of your External Entra ID tenant's primary domain (e.g., your-tenant-name from your-tenant-name.onmicrosoft.com)?

This {tenant_id} is correct; it's not the primary domain. See the screenshot below from the documentation. I'll update it with screenshots to make it clearer.

(screenshot: tenant-overview)

Keep your questions coming :)

zedhaque avatar Sep 11 '24 07:09 zedhaque
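Putting the issuer question above into code, as an added example that is not the repo's own code: the issuer list follows the snippet quoted in this thread, while the workforce-tenant authority URL, the helper names and the placeholder tenant id are assumptions.

```python
"""Added example (not code from azure-search-openai-demo): derive the OIDC
authority and accepted issuers for a workforce tenant versus an Entra External
ID tenant, then check a decoded token's issuer and tenant claims against them.
"""
from typing import Dict, List


def build_issuer_config(tenant_id: str, use_external_id: bool) -> Dict[str, object]:
    """Return the authority and the issuers the backend should accept.

    External ID tenants issue tokens from <tenant_id>.ciamlogin.com (as
    confirmed in the thread); the workforce authority below is an assumption.
    """
    if use_external_id:
        authority = f"https://{tenant_id}.ciamlogin.com"
    else:
        authority = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    valid_issuers = [
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0",
    ]
    return {"authority": authority, "valid_issuers": valid_issuers}


def issuer_is_valid(claims: Dict[str, str], tenant_id: str, valid_issuers: List[str]) -> bool:
    """Accept only an exact issuer match plus a matching 'tid' claim.

    Exact string comparison (not prefix or substring) is what stops a host
    that merely contains the tenant id from being treated as the real issuer.
    """
    return claims.get("iss") in valid_issuers and claims.get("tid") == tenant_id


# Constructed sample: placeholder tenant id and two decoded token payloads.
TENANT = "00000000-0000-0000-0000-000000000000"
CONFIG = build_issuer_config(TENANT, use_external_id=True)
GOOD_CLAIMS = {"iss": f"https://{TENANT}.ciamlogin.com/{TENANT}/v2.0", "tid": TENANT}
BAD_CLAIMS = {"iss": f"https://{TENANT}.ciamlogin.com.example/{TENANT}/v2.0", "tid": TENANT}

if __name__ == "__main__":
    print(CONFIG["authority"])
    print(issuer_is_valid(GOOD_CLAIMS, TENANT, CONFIG["valid_issuers"]))  # True
    print(issuer_is_valid(BAD_CLAIMS, TENANT, CONFIG["valid_issuers"]))   # False
```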

Shouldn't "Required Steps" 4.) be "Since the authentication tenant ID is different from your current logged-in tenant ID, run azd auth login --tenant-id to log in with your Entra ~External~ Tenant ID."

as the app is not running on External; just the auth tenant is external.

Thanks. You are correct in observing the distinction between the app’s tenant and the authentication (Entra External) tenant.

In this setup, we are specifically using an External Entra ID Tenant to manage authentication, distinct from the Workforce Tenant that hosts the app. So, when running the command `azd auth login --tenant-id <YOUR-TENANT-ID>`, this is intended to log in with the Entra External Tenant ID for authentication, without affecting the app's running environment in the Workforce Tenant. I'll update the documentation to make this clearer.

As for your second scenario, it's a lot more complex!!!

zedhaque avatar Sep 11 '24 08:09 zedhaque

Great doc @zedhaque! Ideally we'd also make the code changes that enable External ID optionally. We have the code for the setup for either Entra ID or Entra External ID in https://github.com/Azure-Samples/openai-chat-app-entra-auth-builtin in the scripts folder, so I think it should be possible to support via configuration entirely.

pamelafox avatar Sep 11 '24 19:09 pamelafox

Thanks @pamelafox. I can try merging those scripts into this repo, so everything is done via configuration. I had a quick look, and it shouldn't be an issue.

zedhaque avatar Sep 11 '24 22:09 zedhaque

@pamelafox @zedhaque Many thanks for addressing this and the quick turn around as well, much appreciated.

Quick question please: where can I find the initial/default prompt engineering for Azure OpenAI? I have a case where I need to edit it and disable the user from being able to do that via the "developer advanced settings" in the frontend.

Is it possible to add a button to enable/disable internet search if answers cannot be found in the uploaded docs? I know this can be done via the prompt, but can it be added as part of the admin settings as well, so the admin has more control over what can and cannot be retrieved?

dmpai-per avatar Sep 11 '24 22:09 dmpai-per

@pamelafox @zedhaque - Have got this running locally using an Entra External Tenant, using Google as the identity provider and a Google account; however, I cannot get it to work with the backend App Service (not localhost). I made the identity provider changes you suggested in your document @zedhaque, changing from login.microsoft.com to tenant.ciamlogin.com. There must be some configuration that localhost does not use (i.e. it works) compared to it running on the App Service. For example, if localhost works, then is it the redirect URLs, or something else that is stopping it from working, or a cross-tenant issue? The error I get after it asks for the email address and talks with the identity provider is "Requests from this IP are not allowed.", coming from this loaded page: https://login.microsoftonline.com/extservice/cpim?dc=ests-pub-wus2-az1-test1. The external tenant is in West US, however the resource group for this deployed code is in eastus??

eai-douglaswross avatar Sep 17 '24 03:09 eai-douglaswross

Hi @eai-douglaswross ,

I haven’t tried your scenario before. What I’d like to know is:

1. Can you confirm if your App Service URL is listed in Entra Admin under Application -> Redirect URLs? This might have changed when you tried subsequent "azd up" commands.
2. Can you first check if the one-time password email works for the App Service before adding Google? This will help isolate the issue.
3. I don't think the region or resource group would be an issue. However, the URL you shared, "extservice" (requesting IP not allowed), is something I haven't seen before.

zedhaque avatar Sep 17 '24 19:09 zedhaque

@zedhaque I'm very interested in using Azure External AD with this repo! Any chance that you take another look into it and the deploy scripts? Can't say why, but my attempts to set it up based on your provided guideline fail (the web URL gives me an HTTP ERROR 500).

christopher-mierbach avatar Mar 23 '25 12:03 christopher-mierbach

@advanced-flow I'm afraid the document is outdated, and I haven't been using App Service since moving to Container Apps. If you provide specific errors and your environment details, I can try to help if I know the answer. Ultimately, the goal is still to submit a PR to this repo—hopefully at the next hackathon!

zedhaque avatar Mar 24 '25 22:03 zedhaque