
How can I sign in for specific tenant in a azure multi-tenant application?

I have following scenario:

  1. I registered an Azure Application for the multi-tenant scenario (Web App)
  2. Two App Roles, “Admin” and “User”
  3. Two or more Azure Directories with at least one User each, e.g.
     - Mary@CompA
     - Joe@CompB
     - Scott@CompC
  4. All these users are assigned in their own directory to the “Admin” app role
  5. Then I added Mary@CompA to the directories CompB and CompC as a guest user and assigned the app role “User”

I can successfully sign in with all users to my application. All the users sign in with their own directory and have “Admin” rights.

But how can I sign in with Mary for tenant/directory CompB or CompC (with “User” rights only)?

Alternatively, how can I query all the tenants/directories a user is a member of? In the Azure management portal, it is possible for me to switch to a directory that I'm a member of.

I found another question that is a possible duplicate.

1 Answer


This can be done very easily by modifying the "tenant" endpoint you use for login and token acquisition.

The OAuth 2 endpoint for Azure Active Directory is: https://login.microsoftonline.com/{tenant}/oauth2/

When you are creating a multi-tenant application, you set {tenant} to common which allows for "tenant discovery". If a user is a member of multiple tenants, it will pick their home tenant as the default login. If you want the user to specifically sign into a different tenant where they are a member, you need to specify that in the {tenant} field. You will NOT be able to use common here, so you must have some presumed knowledge of which tenants the user is a part of. This could be as easy as allowing the user to specify their tenant as a part of the login process on your web app.

To put it in the words of your example, for Mary:

  • https://login.microsoftonline.com/common/oauth2/ will sign her into her home tenant, CompA
  • https://login.microsoftonline.com/CompA/oauth2/ will do the same, CompA
  • https://login.microsoftonline.com/CompB/oauth2/ will sign her into CompB as a normal user
  • https://login.microsoftonline.com/CompC/oauth2/ will sign her into CompC as a normal user

I hope this helps!
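As an added example (not code from the answer or from Microsoft's libraries), this builds the tenant-pinned sign-in URL described above and shows the check an app should run on the returned id_token: the `tid` claim must belong to an onboarded tenant and must match the tenant the app asked for, so a sign-in requested for CompB cannot be satisfied by a token from Mary's home tenant CompA. The tenant ids, client id, redirect URI and claims are constructed, and JWT signature verification is assumed to have been done already by the token library.

```python
from urllib.parse import urlencode

# v1 endpoint from the answer; {tenant} is "common" or a specific tenant
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"

# Constructed mapping of the question's tenants to tenant ids (tid claims);
# a real app would record these when each directory is onboarded.
KNOWN_TENANTS = {
    "CompA": "11111111-1111-1111-1111-111111111111",
    "CompB": "22222222-2222-2222-2222-222222222222",
    "CompC": "33333333-3333-3333-3333-333333333333",
}


def authorize_url(tenant, client_id, redirect_uri, state, nonce):
    """Sign-in URL. 'common' lets Azure AD pick the user's home tenant;
    a specific tenant name or id pins the sign-in to that directory."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    })
    return AUTHORITY.format(tenant=tenant) + "?" + query


def check_tenant(claims, requested_tenant):
    """Given signature-verified id_token claims, confirm the token came from
    an onboarded tenant, and from the requested one unless 'common' was used.
    Returns (tid, app roles granted in that tenant); raises ValueError otherwise."""
    tid = claims.get("tid")
    if tid not in KNOWN_TENANTS.values():
        raise ValueError("token from a tenant this app has not onboarded: %r" % tid)
    if requested_tenant != "common" and KNOWN_TENANTS.get(requested_tenant) != tid:
        raise ValueError("asked for %s but token is from %s" % (requested_tenant, tid))
    # The v1 issuer embeds the tenant id and must agree with tid.
    if claims.get("iss") != "https://sts.windows.net/%s/" % tid:
        raise ValueError("issuer does not match tid")
    return tid, tuple(claims.get("roles", ()))


# Constructed claims for Mary signing in through the CompB endpoint (not a real token).
MARY_IN_COMPB = {
    "iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
    "tid": "22222222-2222-2222-2222-222222222222",
    "name": "Mary",
    "roles": ["User"],
}
```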