I'm currently upgrading an application to enable multi-tenancy and B2B integration.
I got the following types of users working so far:
- internal Azure AD users
- external Azure AD users from another tenant
- personal Microsoft account
- users gmail users
I'm now trying to enable users from any domain to access my application by following this process:
- Send invite to [email protected] - this works
- Redeem invite from [email protected] inbox - this works and I successfully setup the associated Microsoft account
- Login into my application using [email protected] - this does NOT work and I get the following error: AADSTS65005: Using application 'My Application' is currently not supported for your organization abc.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of abc.com before the application 'My Application' can be provisioned
In this case abc.com is an external partner. The external partners are dynamic and managed through the application via a 'domain white-list'. So I can have abc.com now, and later abcd.com, xyz.com, etc. The users from these white-listed domains are self-registering via an application URL.
Interestingly enough, gmail users work so I'm assuming there's an internal Azure AD white-list for the popular domain?
UPDATE:
The reason why the Gmail accounts are working is because they are indeed created as Microsoft accounts in my Azure AD. The abc.com domain accounts on the other hand are created as 'External Azure Active Directory' accounts. (source property)
UPDATE #2:
After a bit more research I found that it wasn't working because I was using the common endpoint which doesn't support guests. More details here: Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?
Now I switched to using my tenant specific endpoint like below:
Tenant specific endpoint: https://login.microsoftonline.com/{tenant-id}/v2.0
and I can login with the guest users from abc.com
However Microsoft accounts stopped working now.
AuthorizationCodeReceived = async (context) =>
{
...
var cca = new ConfidentialClientApplication(appId, redirectUri,
new ClientCredential(appSecret),
new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code);
},
await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code) fails with the following error:
ErrorCode: invalid_grant
Message=AADSTS50020: MSA guest token redemption attempt on v2 common endpoint.
How can I make it work with both guest users from custom domains (abc.com) AND existing Microsoft accounts?