I'm building a multitenant, web-based SaaS application. The application is registered in my tenant, and each customer with their Office 365 subscription will get a service principal object in their Azure AD.
I'm having a problem with login from an external account (Microsoft account) in a customer tenant.
I created an example and tried to see what I can get from the access token.
The sample consists of one client application (.js) that uses the MSAL library to handle authentication, and two APIs that have protected endpoints. I also created three separate Azure AD applications: AlanClient, AlanAPI1 and AlanAPI2. Both AlanAPI1 and AlanAPI2 have an API exposed (the "Expose an API" section of the application in the Azure Portal) and have one consumer specified, AlanClient. AlanClient has permission to both APIs. All applications are registered with "accessTokenAcceptedVersion": 2 and "signInAudience": "AzureADMultipleOrgs".
As far as I understood, this should be enough to log in with:
1. an Office 365 account from the host tenant
2. a Microsoft account that is registered as an external user in the host tenant
3. an Office 365 account from a guest tenant
4. a Microsoft account that is registered as an external user in a guest tenant
Clarification:
- host tenant --> the Azure AD instance in which the application is registered. In the error message below, tenant A.
- guest tenant --> an Azure AD instance that is only using the application.
I have a problem with case no. 4.
I get this error message:
AADSTS50020: User account 'lovro.p365@...' from identity provider 'live.com' does not exist in tenant 'A' and cannot access the application AlanClient in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure AD user account.
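The post mentions inspecting what the access token carries and a setup where each customer tenant gets its own service principal. The following is an added example, not code from the original post or from the AlanClient/AlanAPI sample: it decodes the claims of a v2.0 access token for inspection and then applies the tenant-level checks a multi-tenant API in this design would need after signature verification. The token, tenant GUIDs, API app id and signature are constructed for illustration; the claim names (ver, tid, idp, aud, iss, scp) are the real v2.0 ones. Decoding is not validation: a real API must verify the signature against the issuing tenant's signing keys and check expiry before trusting any claim.

```javascript
// Added example (not from the original post): inspect a v2.0 access token and
// apply the tenant checks a multi-tenant API should make AFTER signature verification.
// Everything below marked "constructed" is made up for illustration.

function base64UrlDecode(segment) {
  // JWT segments are base64url (RFC 7515): '-' '_' alphabet, no padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode header and payload WITHOUT verifying the signature (inspection only).
function decodeJwt(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Pull out the claims that matter for a multi-tenant app:
// ver ("2.0" when accessTokenAcceptedVersion is 2), tid (tenant the token was issued
// for), idp (present only when the authenticating identity provider differs from the
// issuing tenant, i.e. a guest such as an MSA user), aud and iss.
function summariseTenantClaims(payload) {
  return {
    version: payload.ver,
    tenantId: payload.tid,
    identityProvider: payload.idp || 'same as issuer (home user)',
    isGuest: typeof payload.idp === 'string',
    audience: payload.aud,
    issuer: payload.iss,
  };
}

// Checks to run after the signature has been verified:
// - token is v2.0
// - aud is this API's own application (client) id
// - iss matches the v2.0 issuer format for the tid in the token
// - tid is a tenant that has actually onboarded (has a service principal for the app)
function checkTenantClaims(payload, expectedAudience, onboardedTenants) {
  const problems = [];
  if (payload.ver !== '2.0') problems.push(`unexpected token version ${payload.ver}`);
  if (payload.aud !== expectedAudience) problems.push(`audience ${payload.aud} is not this API`);
  if (payload.iss !== `https://login.microsoftonline.com/${payload.tid}/v2.0`) {
    problems.push('issuer does not match the v2.0 issuer for tid');
  }
  if (!onboardedTenants.has(payload.tid)) problems.push(`tenant ${payload.tid} has not onboarded`);
  return { ok: problems.length === 0, problems };
}

// Constructed sample: an MSA guest (idp live.com) signed into a customer ("guest") tenant.
// GUIDs, username and signature are made up; the signature is not real and is never checked here.
const SAMPLE_GUEST_TENANT = '11111111-2222-3333-4444-555555555555';
const SAMPLE_API_APP_ID = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee';
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256', kid: 'constructed-kid' })),
  base64UrlEncode(JSON.stringify({
    aud: SAMPLE_API_APP_ID,
    iss: `https://login.microsoftonline.com/${SAMPLE_GUEST_TENANT}/v2.0`,
    tid: SAMPLE_GUEST_TENANT,
    idp: 'live.com',
    ver: '2.0',
    preferred_username: 'guest.user@example.com',
    scp: 'access_as_user',
  })),
  'c2lnbmF0dXJl', // constructed, not a real signature
].join('.');

function demo() {
  const { payload } = decodeJwt(SAMPLE_TOKEN);
  const onboarded = new Set([SAMPLE_GUEST_TENANT]); // tenants with a service principal for the app
  return {
    summary: summariseTenantClaims(payload),
    check: checkTenantClaims(payload, SAMPLE_API_APP_ID, onboarded),
    rejectedWhenNotOnboarded: checkTenantClaims(payload, SAMPLE_API_APP_ID, new Set()),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with Node (the decoding uses Buffer; in a browser you would swap in atob). The onboarded-tenant set stands in for whatever store records which customer tenants have consented and received a service principal; without that check, any tenant whose user can obtain a token for the app's audience would be accepted, which is the multi-tenant issuer-validation gap to watch for.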