1
votes

I have two Azure tenants (Tenant A and Tenant B).

I have one registered app (App001) in tenant B with "Supported account types" set to "My organization only".

Here are steps to replicate the issue:

  1. Log into Tenant A's portal (portal.azure.com) with account A001
  2. Open a new tab and try to log into the app (App001). It doesn't prompt me to enter account B001 at all. It logs in with account A001 and I get this error: AADSTS90072: User account '{EmailHidden}' from identity provider '{A001's email domain}' does not exist in tenant '{Tenant A}' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'({App001's name}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account

Getting this error is expected because the app's setting does not allow users from a different tenant/directory to authenticate.

The question/problem is: why did it not prompt me to enter an account for Tenant B? Is there any place in the settings I should take a look at?

1
Have you tried in incognito browser mode? – Thiago Custodio
Is your app using the tenant-specific authority? I.e. is it using e.g. https://login.microsoftonline.com/tenant-id? – juunas
Depending on how you configured the auth flow, the browser keeps the session alive; all major browsers today share sessions between tabs. Most likely you are not being asked to log in again because the redirect to login.microsoftonline.com sees you already have a live session and immediately redirects you back to the application. You can check the cookies for that domain and follow the login flow in the browser's network tab (just enable "preserve log" so it keeps all the redirects). – sjkp
@ThiagoCustodio With incognito browser mode, it works. That is, it is a clean start (no cookie). But the question is why? It should prompt me for user name/password, shouldn't it? I have tried the same steps for other tenants, no problem at all. Looks like something to do with the settings of Tenant B or App001. I just don't know where/what to look for. – Zhiyuan Zhang
@juunas Yes, it is using the tenant-specific authority. – Zhiyuan Zhang

1 Answer

1
votes

Your account A001 cookie has been used to log into the app (App001).

The error occurs because the app (App001) doesn't exist in your Tenant A.

You should log into the app (App001) with an incognito window (or log out of account A001 first). Then you will be asked to type in your credentials. Now you can use account B001 to log in.
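The following is an added example written for this page; it is not code from the question, the answer, or Microsoft. It shows the flow the comments describe: an authorization-code request against the tenant-specific authority (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize), which Azure AD answers silently from the browser's existing SSO session cookie when no `prompt` parameter is sent, and the app-side check of the callback. `prompt=select_account` is the documented Microsoft identity platform parameter that forces the account picker even when a session exists, which is the in-app alternative to the incognito window or sign-out suggested in the answer. The tenant ID, client ID, redirect URI, `state` and `nonce` values are placeholders, and the sample error callback is constructed for the example; in the question the AADSTS90072 message was shown on the sign-in page itself rather than redirected to the app, but the `AADSTSnnnnn:` prefix is the same either way.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY_HOST = "https://login.microsoftonline.com"


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce,
                        prompt=None, login_hint=None, domain_hint=None):
    """Authorization-code request against a tenant-specific v2.0 authority.

    The request goes to https://login.microsoftonline.com/<tenant>/... rather than
    the /common or /organizations endpoints.  Without `prompt`, Azure AD honours the
    browser's existing SSO session cookie and signs the user in silently, which is
    the behaviour the question describes.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile",
        "state": state,   # anti-CSRF value, checked again on the callback
        "nonce": nonce,   # bound to the id_token, checked after the token exchange
    }
    if prompt:
        # "select_account" shows the account picker even with a live session;
        # "login" forces re-authentication.
        params["prompt"] = prompt
    if login_hint:
        params["login_hint"] = login_hint
    if domain_hint:
        params["domain_hint"] = domain_hint
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Classify the redirect that comes back to redirect_uri.

    Azure AD error descriptions start with an AADSTS code; AADSTS90072 is the
    "account from another tenant was signed in via SSO" case from the question.
    """
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return {"outcome": "state_mismatch"}
    if "error" in q:
        description = q.get("error_description", [""])[0]
        m = re.match(r"(AADSTS\d+)", description)
        code = m.group(1) if m else None
        return {"outcome": "error", "error": q["error"][0], "aadsts": code,
                "wrong_tenant_session": code == "AADSTS90072"}
    if "code" in q:
        return {"outcome": "code", "code": q["code"][0]}
    return {"outcome": "unexpected"}


def retry_request(result, tenant, client_id, redirect_uri, state, nonce):
    """If the silent SSO sign-in used an account from the wrong tenant, re-issue
    the request with prompt=select_account so the user can pick B001 instead of
    having to open an incognito window or sign out of A001 first."""
    if result.get("wrong_tenant_session"):
        return build_authorize_url(tenant, client_id, redirect_uri, state, nonce,
                                   prompt="select_account")
    return None


# Constructed sample callback (not a real Azure AD response): the query string an
# app would receive if Azure AD redirected the AADSTS90072 error back to it.
SAMPLE_ERROR_CALLBACK = "https://app.example.com/signin-oidc?" + urlencode({
    "error": "invalid_request",
    "error_description": "AADSTS90072: User account '{EmailHidden}' from identity "
                         "provider 'tenant-a.example' does not exist in tenant "
                         "'{Tenant}' and cannot access the application "
                         "'00000000-0000-0000-0000-000000000000'(App001) in that tenant.",
    "state": "abc123",
})

if __name__ == "__main__":
    args = ("tenant-b-id", "app001-client-id",
            "https://app.example.com/signin-oidc", "abc123", "n0nce")
    print(build_authorize_url(*args))            # silent SSO if a session exists
    result = parse_callback(SAMPLE_ERROR_CALLBACK, "abc123")
    print(result)
    print(retry_request(result, *args))          # same request with prompt=select_account
```

To confirm which case you are in, follow sjkp's advice: with "preserve log" enabled in the browser's network tab, a silent sign-in shows the authorize request answered by a 302 straight back to `redirect_uri` with no login page in between, and the cookies for login.microsoftonline.com will already be present before the first request.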