As you probably know, I am creating a multi-tenant Azure application, which is using the B2B functionality.

I am testing the B2B functionality and after some research I got a working sample.

Small summary: User authenticates against the common authority, the first token is acquired via the common authority with the authorization code and from then on, every time I need a service client, I try to obtain those tokens from the 'current tenant's' authority.

When I request 'Me', it only works against the home tenant. When I request Me with a trusted tenant, I get an error that my user identifier does not exist in the directory. Probably because the user does not actually exist in the trusted tenant.

When I request Users, it works fine. I can get both, home tenant users and trusted tenant users.

Is this normal behaviour? Is this something I need to handle programmatically or would this be solved by using the AD graph? (So when I know I need user info, just query the home tenant?) Or is this a bug?

Any thoughts on this would be greatly appreciated!

Comment by Dawid Rutkowski: An important thing of B2B are the invitations. Did you invite a user from one AAD into another?

Comment by Identity: Yes, user a from tenant a has been invited to tenant b. When changing the authority when requesting tokens for tenant b, I am not able to request Me, although I am able to request Users from tenant b. This is solved by querying against the home tenant for Me. So for now, I fixed it that way. But now I am having another issue: when I recycle my application, the token cache is cleared (uses httpcache). This is not a problem to request the users from the tenant, he fails to request it silently, but the token from acquire token does the job. This does not work for 'Me', I always have to logout/login.

2 Answers

Guests added to a directory via the B2B Collaboration feature will not work correctly on multi-tenant apps or the Microsoft Graph if you're using the common endpoint.

The common endpoint will always authenticate the user against his/her home tenant, not against any tenant where (s)he is a guest.

In order to successfully query /me for a guest, you'll need to have them sign-in through the tenant specific endpoint for the tenant where they're a guest.

See my answer to this other post for a more in-depth explanation / context: Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?

I have noticed that when you want to switch between tenants, you need to re-authorize against the current tenant. I got it working this way:

1. First sign-in needs to be done against the common endpoint.
2. Every time I need a token for a certain resource, I try to get the token silently.

=> This can throw an AdalSilentTokenAcquisitionException in 2 different cases:

  • Nothing found in cache, also no refresh token found => In this case, I redirect the user to the login page again.
  • When you switch between tenants, and it is the first time you want to login using a tenant where you've been trusted, you can get an error like: User or admin should be given consent for this application. Although the admin from his home tenant has added the application in the directory for the home tenant. Anyone who knows why this consent is needed? So tenant A and tenant B admins have both given consent. Why does a trusted user from B in A still need to consent in some way?

I was able to trigger the consent flow by redirecting the user to the authorization request URL. So when I got an AdalSilentTokenAcquisitionException and the error code was "failed_to_acquire_token_silently", I had to redirect the user to the URL generated by the authContext (authenticationContext.GetAuthorizationRequestUrlAsync). When the cache had been cleared, no refresh token was found, so I redirected the user to sign in again.
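The flow described above (tenant-specific authority, silent acquisition first, redirect to the authorization request URL on "failed_to_acquire_token_silently"), as an added example that is not part of the original answer. It targets ADAL.NET 3.x; the client id, secret, redirect URI, user object id and token cache are assumed placeholders supplied by the caller.

```csharp
// Added example, not the answerer's code: per-tenant silent token acquisition
// with ADAL.NET 3.x, falling back to the interactive authorization request URL
// when the cache is empty (e.g. after an app recycle) or the guest still has
// to consent in the trusted tenant.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public sealed class TenantTokenResult
{
    public string AccessToken { get; set; } // set when silent acquisition succeeded
    public Uri RedirectTo { get; set; }     // set when the user must sign in / consent
}

public static class TenantTokens
{
    const string Resource = "https://graph.microsoft.com";

    // tenantId: the directory you want to query (home tenant or a trusted tenant
    // where the user is a guest). All other parameters are assumed placeholders.
    public static async Task<TenantTokenResult> GetForTenantAsync(
        string tenantId, string userObjectId, string clientId, string clientSecret,
        Uri redirectUri, TokenCache tokenCache)
    {
        // Tenant-specific authority, not /common: /common always resolves to the
        // user's home tenant, so the guest identity in tenantId is never used.
        var authContext = new AuthenticationContext(
            $"https://login.microsoftonline.com/{tenantId}", tokenCache);
        var user = new UserIdentifier(userObjectId, UserIdentifierType.UniqueId);
        try
        {
            AuthenticationResult result = await authContext.AcquireTokenSilentAsync(
                Resource, new ClientCredential(clientId, clientSecret), user);
            return new TenantTokenResult { AccessToken = result.AccessToken };
        }
        catch (AdalSilentTokenAcquisitionException ex)
            when (ex.ErrorCode == AdalError.FailedToAcquireTokenSilently)
        {
            // No usable token or refresh token in the cache for this tenant: send the
            // user through the interactive flow for *this* tenant's authority, which
            // is also what surfaces the consent prompt for a guest.
            Uri authUrl = await authContext.GetAuthorizationRequestUrlAsync(
                Resource, clientId, redirectUri, UserIdentifier.AnyUser, null);
            return new TenantTokenResult { RedirectTo = authUrl };
        }
    }
}
```

Any other AdalException (for example an invalid client secret) is deliberately not caught here, since redirecting the user would not fix it and it should be logged instead.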