2
votes

I'm building a multitenant, web-based SaaS application. The application is registered in my tenant, and each customer with their Office 365 subscription will get a service principal object in their Azure AD.

I'm having a problem with login from an external account (Microsoft account) in a customer tenant.

I created an example and tried to see what I can get from the access token.

The sample consists of one client application (.js) that uses the MSAL library to handle authentication and two APIs that have protected endpoints. I also created three separate Azure AD applications: AlanClient, AlanAPI1, AlanAPI2. Both AlanAPI1 and AlanAPI2 have an API exposed (the "Expose an API" section of the application in the Azure Portal) and specify one consumer, AlanClient. AlanClient has permission to both APIs. All applications are registered with "accessTokenAcceptedVersion": 2 and "signInAudience": "AzureADMultipleOrgs".

As far as I understood, this should be enough to log in with:

  1. Office 365 account from host tenant
  2. Microsoft account that is registered as external user in host tenant
  3. Office 365 account from guest tenant
  4. Microsoft account that is registered as external user in guest tenant

Clarification:

  - host tenant --> the Azure AD instance in which the application is registered (tenant A in the error message below)
  - guest tenant --> an Azure AD instance that is only using the application

I have a problem with case no. 4.

I get this error message: AADSTS50020: User account 'lovro.p365@...' from identity provider 'live.com' does not exist in tenant 'A' and cannot access the application AlanClient in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure AD user account.

1 Answer

2
votes

The scenarios 2 and 4 should be the same.

I have tested both and everything is OK.

You could use the OAuth 2.0 auth code grant flow to test it.

Construct a request to login.microsoftonline.com with your app configurations.

This URL will look like:

https://login.microsoftonline.com/[tenant A]/oauth2/v2.0/authorize?client_id=[client id of the Azure AD app registered in host tenant]&response_type=code&redirect_uri=[redirect uri of the Azure AD app]&response_mode=query&scope=https://graph.microsoft.com/user.read&state=12345&nonce=1234

After signing in with the credentials of the Microsoft account in tenant A, you will get a "code" in the address bar. Use this code to request an access token:

POST /[tenant]/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=[client id of the Azure AD app registered in host tenant]
&scope=https://graph.microsoft.com/user.read
&code=[code got from the previous step]
&redirect_uri=[redirect uri of the Azure AD app]
&grant_type=authorization_code

Then we can get the access token for the Microsoft account as a guest user in tenant A.
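The two requests from the answer, plus a claim inspection that tells the four sign-in cases from the question apart, as an added example that is not part of the question or the answer. It assumes the tenant in the authority is the directory the account is a member or guest of; the client id, tenant id and token are constructed placeholders, and `decode_claims` does not verify the signature.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def build_authorize_url(tenant, client_id, redirect_uri, scope, state, nonce):
    # `tenant` is the directory the account is a member or guest of.
    # The v2.0 endpoint takes `scope`; the v1.0 `resource` parameter is rejected.
    params = {"client_id": client_id, "response_type": "code", "response_mode": "query",
              "redirect_uri": redirect_uri, "scope": scope,
              "state": state,   # ties the callback to this browser session
              "nonce": nonce}   # echoed in the id_token to detect replay
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def build_token_request(tenant, client_id, redirect_uri, scope, code):
    # URL and form body for the code exchange (second step of the answer).
    body = {"client_id": client_id, "scope": scope, "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code"}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body

def decode_claims(jwt):
    # Reads the payload for inspection only. The signature is NOT verified,
    # so an API must validate the token before trusting any of these claims.
    segments = jwt.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_account(claims, client_id):
    # Maps `tid` (issuing tenant) and `idp` (home identity provider) of a
    # v2.0 token to the sign-in cases listed in the question.
    if claims.get("ver") != "2.0" or claims.get("aud") != client_id:
        return "reject: wrong token version or audience"
    tid, idp = claims.get("tid"), claims.get("idp")
    if idp == "live.com":
        return f"Microsoft account, external user in tenant {tid}"
    if idp is None or idp == f"{AUTHORITY}/{tid}/v2.0":
        return f"work account native to tenant {tid}"
    return f"work account from another directory, guest in tenant {tid}"

def unsigned_sample_token(claims):
    # Constructed, unsigned sample (alg=none) for offline demonstration only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed claims for case 4: a Microsoft account that is a guest in tenant B.
SAMPLE_CLAIMS = {"ver": "2.0", "aud": "client-id-placeholder", "tid": "tenant-b-id",
                 "idp": "live.com", "preferred_username": "user@outlook.example"}
```

Running `classify_account(decode_claims(unsigned_sample_token(SAMPLE_CLAIMS)), "client-id-placeholder")` labels the constructed token as a Microsoft account that is external in tenant B; a real token from the answer's flow carries the same `tid` and `idp` claims.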