I followed these steps in an attempt to create an Azure App that allows login from multiple Azure AD Tenants:
Create a new App Service and turn on Authentication
1) In Azure Portal: I created a brand-new empty Azure App Service and dialed its URL up in my browser to be sure it was working properly.
2) I navigated to my new App Service, then the "Authentication / Authorization" blade.
3) I turned On the "App Service Authentication" switch.
4) I chose "Log in with Azure Active Directory" from the "Action to take when request is not authenticated" dropdown.
5) Under "Authentication Providers" on the same blade, I clicked on "Azure Active Directory", which navigated me down to the "Azure Active Directory Settings" blade.
6) Within this blade, I selected "Express" on the "Management Mode" radio button. Selection of Active Directory was grayed-out but it was the one I wanted to use -- the current one.
Create a new Azure AD App that's associated with my App Service
7) I clicked on "Azure AD App" and it prompted me to create an Azure AD App, which by default had the same name as my App Service name, so I kept it.
8) Still on the "Azure Active Directory Settings" blade, I clicked the "Manage Application" button under the "Manage Azure Active Directory Application" heading. I was navigated one more blade down, where the heading was the name of the Azure AD App I just created.
9) Once here, I clicked the "Settings" button, then "Properties" in the Settings blade.
10) Within "Properties" I set the "Multi-Tenanted" radio button to "Yes".
11) Also within "Properties", as is said to be required for multi-tenant to work, I changed the "App ID URI" to something unique, and from a Verified URL within my organization. In my case I used:
https://<MyTenantName>.onmicrosoft.com/login-ProofOfConcept
Test the Security Functionality
12) With everything presumably set up, I first tried logging in to my new application with a user that existed within my current B2C Tenant. I dialed the URL up for my App Service, I got prompted by microsoftonline to Authenticate, I authenticated, and then I got straight into my application with no problem.
Here's The Problem
13) Then, I logged out and tried to log in again -- but this time as a user that's in another Azure AD, which is just one I spun up under my personal gmail account. I was expecting it to "just work", but after I authenticated as this other user, this error was displayed onscreen:
AADSTS50020: User account '[email protected]' from identity provider 'live.com' does not exist in tenant '[MyTenantName]' and cannot access the application '[MyApplicationGUID]'([AzureADApplicationName]) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
This is precisely the behavior I was hoping to avoid by enabling Multi-Tenant. I was hoping that it would just "login" this user, who is the member of an existing Azure AD. Is there a configuration-step I missed?
https://login.microsoftonline.com/[Local-B2CTenantGUID-Of-MyWebSite]/oauth2/authorize?response_type=code+id_token&redirect_uri=https://[MyWebSite-FriendlyName].azurewebsites.net/.auth/login/aad/callback&client_id=[ApplicationGUID-Of-MyWebSite]&scope=openid+profile+email&response_mode=form_post&nonce=06e5352b601c4256936d33a3ea84e605_20190511011408&state=redir=%2F

So, I manually changed the [Local-B2CTenantGUID-Of-MyWebSite] part of that URL to "common". Still no luck.

- publius1123
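The post above is probing the difference between a tenant-specific authority and the `common` authority in the Azure AD (v1) authorize URL. The following is an added example, not the poster's code and not anything from App Service itself: it rewrites an authorize URL of the shape shown in the post from the home-tenant GUID to `common`, and then shows the check an application has to make for itself once it accepts sign-ins from `common`. With `common`, Azure AD will issue a token for a user from any tenant, and the token's `iss` claim is still tenant-specific (`https://sts.windows.net/<tid>/` on the v1 endpoint), so a multi-tenant app must decide which `tid` values it trusts rather than relying on the directory to refuse foreign users. All GUIDs, the redirect URI and the token claim sets are constructed stand-ins for the values the poster redacted; the claims are assumed to have already passed signature and expiry validation.

```python
"""Added example: 'common' authority vs. tenant-specific authority in the
Azure AD v1 authorize request, and the issuer/tenant check a multi-tenant
app must perform once it uses 'common'. Not the poster's code."""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-ins for the GUIDs redacted in the post (assumptions).
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT_ID = "33333333-3333-3333-3333-333333333333"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
REDIRECT_URI = "https://mywebsite.azurewebsites.net/.auth/login/aad/callback"

# Same shape as the URL in the post, with the tenant GUID pinned to the home tenant.
SAMPLE_AUTHORIZE_URL = (
    f"https://login.microsoftonline.com/{HOME_TENANT_ID}/oauth2/authorize"
    f"?response_type=code+id_token&redirect_uri={REDIRECT_URI}"
    f"&client_id={CLIENT_ID}&scope=openid+profile+email"
    "&response_mode=form_post&nonce=constructed-nonce&state=redir=%2F"
)


def tenant_segment(authorize_url):
    """Return the <tenant> part of
    https://login.microsoftonline.com/<tenant>/oauth2/authorize?..."""
    segs = urlsplit(authorize_url).path.strip("/").split("/")
    if len(segs) < 3 or segs[1:3] != ["oauth2", "authorize"]:
        raise ValueError("not an Azure AD v1 authorize URL")
    return segs[0]


def with_common_authority(authorize_url):
    """Rewrite the tenant segment to 'common', keeping every query parameter
    (client_id, redirect_uri, nonce, state) exactly as it was."""
    parts = urlsplit(authorize_url)
    segs = parts.path.strip("/").split("/")
    if len(segs) < 3 or segs[1:3] != ["oauth2", "authorize"]:
        raise ValueError("not an Azure AD v1 authorize URL")
    segs[0] = "common"
    return urlunsplit((parts.scheme, parts.netloc, "/" + "/".join(segs),
                       parts.query, parts.fragment))


def validate_id_token_claims(claims, client_id, allowed_tenants):
    """Checks an app must do itself after switching to 'common'.

    claims: decoded id_token payload (signature/expiry assumed already checked).
    allowed_tenants: set of tenant IDs to trust, or None to accept any tenant
    (which is what 'multi-tenant, no allowlist' really means).
    Returns (ok, reason)."""
    if claims.get("aud") != client_id:
        return False, "aud does not match this application's client_id"
    tid = claims.get("tid")
    iss = claims.get("iss")
    # v1 endpoint issuer format; the v2 endpoint uses
    # https://login.microsoftonline.com/<tid>/v2.0 instead.
    if not tid or iss != f"https://sts.windows.net/{tid}/":
        return False, "iss is not the v1 issuer for the token's tid"
    if allowed_tenants is not None and tid not in allowed_tenants:
        return False, f"tenant {tid} is not in the allowlist"
    return True, "ok"


# Constructed claim sets (not real tokens): one from the home tenant,
# one from an unrelated tenant that 'common' would also sign in.
HOME_CLAIMS = {"aud": CLIENT_ID, "tid": HOME_TENANT_ID,
               "iss": f"https://sts.windows.net/{HOME_TENANT_ID}/",
               "upn": "alice@home.example"}
FOREIGN_CLAIMS = {"aud": CLIENT_ID, "tid": FOREIGN_TENANT_ID,
                  "iss": f"https://sts.windows.net/{FOREIGN_TENANT_ID}/",
                  "upn": "bob@other.example"}

if __name__ == "__main__":
    print("tenant in post-style URL:", tenant_segment(SAMPLE_AUTHORIZE_URL))
    common_url = with_common_authority(SAMPLE_AUTHORIZE_URL)
    print("tenant after rewrite:  ", tenant_segment(common_url))
    for name, claims in (("home", HOME_CLAIMS), ("foreign", FOREIGN_CLAIMS)):
        print(name, "allowlisted:", validate_id_token_claims(claims, CLIENT_ID, {HOME_TENANT_ID}))
        print(name, "any tenant: ", validate_id_token_claims(claims, CLIENT_ID, None))
```

The rewrite keeps `client_id`, `redirect_uri`, `nonce` and `state` untouched because only the authority changes; everything else is still bound to the same app registration. The `allowed_tenants=None` case is the one to be deliberate about: it is the configuration that lets the poster's second user in, and it also lets in every other Azure AD tenant in the world, so an app that wants "any of these partner tenants" rather than "anyone" keeps an explicit allowlist and checks `tid` against it.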