1 vote

I decided to create the app from the old Azure portal and set it to multi-tenant.

I have set the OAuth 2.0 token endpoint (https://login.microsoftonline.com/<my tenant id>/oauth2/token) as the token endpoint and the OAuth 2.0 authorization endpoint (https://login.microsoftonline.com/<my tenant id>/oauth2/authorize) as the authorization endpoint.

If I try to authorize with any registered Office 365 user id other than the user I use to log in to Azure, I get this error:

User account '[email protected]' from identity provider 'https://sts.windows.net/49322bd9-93ea-4911-a8e4-1aa10bc5b680/' does not exist in tenant 'mary' and cannot access the application '8adfad2b-f28a-40a6-8698-8b53ac506132' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

If I manually add this user in Azure, then I get the access tokens, but that shouldn't have been necessary. This has to happen at runtime, since my app is multi-tenant. Can you suggest where I might be going wrong?

1 - How do you configure the OpenIdConnect OWIN middleware? - cuongle
@CuongLe I am using OAuth and not OpenID Connect. - Mainak

1 Answer

3 votes

You need to use the https://login.microsoftonline.com/common/oauth2/authorize endpoint.

This is the common endpoint that allows login from any Azure AD tenant. You should not use your tenant-specific endpoint in a multi-tenant application.

As for getting the access token, you will have to use the signed-in user's tenant id. This way you get an access token that is only valid in their tenant.
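As an added example (not code from the question or the answer), the following Python sketch shows the flow the answer describes: send the user to the common authorize endpoint, read the tid claim from the id_token issued by the user's own tenant, check that the issuer is the v1 STS issuer for that same tenant, and only then build the tenant-specific token endpoint. The redirect URI, state, resource value and the sample id_token are constructed for the demo; the tenant and application ids are the ones that appear in the question's error message. The JWT is only parsed here, never signature-verified, which a real application must do before trusting any claim.

```python
import base64
import json
from urllib.parse import urlencode

# Common (multi-tenant) authority and the Azure AD v1 issuer prefix seen in id_tokens
# (the same "https://sts.windows.net/<tenant>/" form as in the question's error).
COMMON_AUTHORITY = "https://login.microsoftonline.com/common"
ISSUER_PREFIX = "https://sts.windows.net/"


def build_authorize_url(client_id, redirect_uri, state, resource="https://graph.microsoft.com"):
    """Authorization request against the common endpoint so that a user from any
    Azure AD tenant can sign in. redirect_uri, state and resource are assumed
    caller values for this demo, not values from the original post."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "resource": resource,
    }
    return f"{COMMON_AUTHORITY}/oauth2/authorize?{urlencode(params)}"


def _b64url_decode(segment):
    # Restore the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a JWT. This only parses; it does NOT verify
    the signature. Production code must validate the signature against the
    issuing tenant's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def tenant_from_claims(claims, allowed_tenants=None):
    """Pick the signed-in user's tenant id from the id_token and sanity-check it:
    the issuer must be the v1 STS issuer for that same tenant, and the tenant
    may optionally be restricted to an allow list."""
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid:
        raise ValueError("id_token has no tid claim")
    if iss != f"{ISSUER_PREFIX}{tid}/":
        raise ValueError(f"issuer {iss!r} does not match tenant {tid!r}")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise ValueError(f"tenant {tid!r} is not allowed to use this app")
    return tid


def token_endpoint_for(tenant_id):
    """Tenant-specific token endpoint: an access token obtained here is scoped
    to the signed-in user's own tenant, as the answer recommends."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"


# --- constructed sample, not a real token ------------------------------------
# Tenant and app ids are the ones visible in the error message in the question.
SAMPLE_TENANT = "49322bd9-93ea-4911-a8e4-1aa10bc5b680"
SAMPLE_APP_ID = "8adfad2b-f28a-40a6-8698-8b53ac506132"


def _unsigned_jwt(claims):
    """Build an alg=none JWT for the demo only (empty signature segment)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


SAMPLE_ID_TOKEN = _unsigned_jwt({
    "aud": SAMPLE_APP_ID,
    "iss": f"{ISSUER_PREFIX}{SAMPLE_TENANT}/",
    "tid": SAMPLE_TENANT,
    "upn": "user@example.com",  # placeholder, not the address from the question
})


if __name__ == "__main__":
    print(build_authorize_url(SAMPLE_APP_ID, "https://localhost/signin-oidc", "state123"))
    tid = tenant_from_claims(decode_jwt_claims(SAMPLE_ID_TOKEN))
    print(token_endpoint_for(tid))
```

The issuer-versus-tid check matters in a multi-tenant app: once you accept sign-ins from /common, any tenant can present an id_token, so the application must decide per request which tenant it is talking to rather than hard-coding its home tenant, and an allow list is the simplest way to keep the app from silently serving tenants it was never meant for.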