Calling Microsoft Graph API from a multi-tenanted application

[WenningQiu]

My application supports multiple tenants so it registers a unique authentication scheme for each tenant; as a result is does not register the default scheme 'OpenIdConnect'.

The application calls Microsoft Graph API (await _graphServiceClient.Me.GetAsync()) after authentication and receives the exception below. What is the right way to configure the application so that Microsoft Graph calls can go through? (Perhaps it is just a matter of registering the default scheme 'OpenIdConnect'?)

IDW10503: Cannot determine the cloud Instance. The provided authentication scheme was ''. Microsoft.Identity.Web inferred 'OpenIdConnect' as the authentication scheme. Available authentication schemes are 'azureadCookies,azuread,azureadBearer,b2clocalCookies,b2clocal,b2clocalBearer,csgCookies,csg,csgBearer'. See https://aka.ms/id-web/authSchemes.

   at Microsoft.Identity.Web.TokenAcquisitionAspnetCoreHost.GetOptions(String authenticationScheme, String& effectiveAuthenticationScheme) in /_/src/Microsoft.Identity.Web.TokenAcquisition/AspNetCore/TokenAcquisitionAspnetCoreHost.cs:line 89
   at Microsoft.Identity.Web.TokenAcquisition.<GetAuthenticationResultForUserAsync>d__16.MoveNext() in /_/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs:line 248
   at Microsoft.Identity.Web.DefaultAuthorizationHeaderProvider.<CreateAuthorizationHeaderAsync>d__4.MoveNext() in /_/src/Microsoft.Identity.Web.TokenAcquisition/DefaultAuthorizationHeaderProvider.cs:line 83
   at Microsoft.Identity.Web.GraphAuthenticationProvider.<AuthenticateRequestAsync>d__6.MoveNext() in /_/src/Microsoft.Identity.Web.GraphServiceClient/GraphAuthenticationProvider.cs:line 90
   at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.<GetHttpResponseMessage>d__34.MoveNext() in /_/src/HttpClientRequestAdapter.cs:line 460
   at Microsoft.Kiota.Http.HttpClientLibrary.HttpClientRequestAdapter.<SendAsync>d__20`1.MoveNext() in /_/src/HttpClientRequestAdapter.cs:line 170
   at Microsoft.Graph.Me.MeRequestBuilder.<GetAsync>d__149.MoveNext() in /_/src/Microsoft.Graph/Generated/Me/MeRequestBuilder.cs:line 508
   at CSG.SingleSignOn.AzureSsoService.Controllers.AzureController.<ProcessLogin>d__14.MoveNext() in C:\work\git\infra\SingleSignOn\Src\WorkerService\AzureSsoService\Controllers\AzureController.cs:line 255

[jmprieur]

When calling the Microsoft Graph API, explicitly specify the authentication scheme being used:
See https://github.com/AzureAD/microsoft-identity-web/tree/master/src/Microsoft.Identity.Web.GraphServiceClient#update-the-code:

var messages = await _graphServiceClient.Users
                .GetAsync(b => b.Options.WithAuthenticationScheme("yourAuthenticationScheme"));
int NumberOfUsers = messages.Value.Count;

[WenningQiu]

@jmprieur Thanks! That gets my first Microsoft Graph call through!

[roklenardic]

I have the same issue with the DownstreamApi client which has recently been upgraded from DownstreamWebApi one. The old one allowed the AuthenticationScheme to be passed to each Get/Post/Put... method while the new one does not. Given that we have multiple auth schemes and the default one is not the one needed for the downstreamapi client, how can we configure this now?