Error : AADSTS50059: No tenant-identifying information found in either the > request or implied by any provided credentials

Question

I am implementing Microsoft.Identity Login in my web app to allow any organization users (outside my Tenant Id) to login. The configuration in my appsettings.json is as below.

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "domain.com",
  "ClientId": "GUID_CLIENT_ID_FROM_ENTRA",
  "TenantId": "organizations",
  "CallbackPath": "/signin-oidc",
  "ClientSecret": "CLIENT_SECRET",
  "SkipUnrecognizedRequests": true
}

The code used to retrieve Access Token is as below :

RestClient _client = new RestClient("https://login.microsoftonline.com");
var request = new RestRequest("/" + _configuration["AzureAd:TenantId"] + "/oauth2/token", Method.Post);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("grant_type", "client_credentials");
request.AddParameter("client_secret", _configuration["AzureAd:ClientSecret"]);
request.AddParameter("client_id", _configuration["AzureAd:ClientId"]);
request.AddParameter("resource", "20e940b3-4c77-4b0b-9a53-9e16a1b010a7");
 
var response = await _client.ExecuteAsync(request);

When I am using the TenantId of the organization where the "App" has been registered on Entra Admin portal, the above code works but as soon as I change the TenantId to "organizations", it fails with the below error -

AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials

I have configured my App to allow " Change the setting to Accounts in any organizational directory" as mentioned here

Please advise on a solution.

Answer 1

I'm afraid this should be the expected behavior to set a specific tenant id instead of using organizations or common. You are now using client credential flow OAuth v1.0 (you have "grant_type", "client_credentials" and "resource", "20e940xxx) so that I'm not able to provide with you an official document to explain it. For client credential flow generating access token via OAuth 2.0, we have description like below.

tenant Required The directory tenant the application plans to operate against, in GUID or domain-name format.

In fact, it shall be easy to understand it. Client credential flow doesn't require a user to sign in first and generate an access token. And this flow will generate an access token for the list of the API permissions we consent in the target AAD application. If we didn't define an exact tenant id, it won't know where the client ID belongs to, and it's not able to authorize the API permissions as well, which making the token meaningless.

Let's see a test result. If I set the exact tenant in the request, I can get a token with roles claim which representing the API permissions I grant, if I just use common or organizations, the token I got will not have roles claim, like screenshot below.