Azure DevOps Rest API - how to select Azure Active Directory Tenant for OAuth flow

Question

looking at "Authorize access to REST APIs with OAuth 2.0" at https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops

An Azure DevOps organization is connected to an Azure Active Directory tenant
-> let's call it 'devops-ad-tenant'.

A user has an Active Directory Home Tenant
-> let's call it 'user-ad-home-tenant'.

A user can be a guest user withing another Active Directory Tenant
-> let's call it 'user-ad-guest-tenant'.

If the 'devops-ad-tenant' is equal to the 'user-ad-home-tenant', everything works out fine.

If the 'devops-ad-tenant' is equal to the 'user-ad-guest-tenant', the OAuth flow succeeds, but the flow happens within the context of the 'user-ad-home-tenant' and this user is from a Azure DevOps perspective not the user from 'user-ad-guest-tenant'.

I am having trouble to use something like a "domain_hint" when initiating the OAuth flow.

Any thoughts?

Fei Xue - MSFT Fei Xue - MSFT · Accepted Answer · 2019-11-26T02:54:38

This behavior of get the token is used for the home directory is by design since the customer may be as guest for multiple Azure Active Directories. And as the document you shared for the Azure DevOps OAuth authentication, currently there is no such option to choose which directory for the usage of token acquired.

If you want Azure DevOps support this feature, you can submit the feedback from Develop Community - Azure DevOps.

Azure DevOps Rest API - how to select Azure Active Directory Tenant for OAuth flow

2 Answers