
I have user A in tenant A and a multi-tenant AD app B in tenant B. I am trying to get a token in user A's context for the AD app:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=a573ddda-b34a-4206-a73b-d67ff6e98aec&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=a573ddda-b34a-4206-a73b-d67ff6e98aec%2F.default&response_mode=fragment&state=12345&nonce=678910

I logged in using user A's credentials and got this error:

AADSTS700016: Application with identifier 'a573ddda-b34a-4206-a73b-d67ff6e98aec' was not found in the directory 'domainA.onmicrosoft.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

I have configured AD app B, with ID a573ddda-b34a-4206-a73b-d67ff6e98aec, to be multi-tenant. Any idea why this might not be working?

Hmm, that's odd. What kind of scopes does the app require? And what are the users' home tenants? - juunas

I'm trying to get a token for the default scope "/.default". I did not understand your second question. User A's tenant is just a different tenant. Should that matter, as AD app B is a multi-tenant app? - user3740951

Default scope for what API? Typically you specify an API's ID + /.default to use the statically defined permissions. The reason I'm asking about the user's home tenant is that if user A was a guest user in tenant A, the common endpoint would not be signing them in to tenant A, but rather to their home tenant. That can create issues sometimes, though it might not be what is going on here. - juunas

I did add user A as a guest user in tenant A. I actually did not find much documentation on the difference between a guest user and a regular user. Could you point me to some docs? The scope is the app's default scope -> docs.microsoft.com/en-us/azure/active-directory/develop/… - user3740951

Could you try testing something by changing your app's authority to https://login.microsoftonline.com/tenant-a-id/v2.0 instead of https://login.microsoftonline.com/common/v2.0? This would force the user signing in to authenticate against tenant A instead of their home tenant. - juunas

1 Answer


As @juunas mentioned, if you sign in with a guest user, use the tenant ID of tenant A instead of common; this forces the user to authenticate against tenant A instead of their home tenant.

And if your guest user is the first to sign in to the app, make sure the settings below are configured in tenant A; otherwise the user will not be able to consent to the app in tenant A.

  1. Navigate to the Azure Active Directory in tenant A -> User settings -> Manage external collaboration settings -> set Guest users permissions are limited to No.


  2. Navigate to the Azure Active Directory in tenant A -> Enterprise applications -> User settings -> set Users can consent to apps accessing company data on their behalf to Yes.


For more details about member users and guest users, see https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
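The following is an added example, not code from the question or the answer above. It shows the two things a practitioner would check when debugging this: building the same v2.0 implicit-flow authorize request against a tenant-specific authority instead of /common (the change @juunas and the answer recommend), and, once a token comes back in the URL fragment, decoding its (unverified) payload to read the `tid` and `iss` claims and confirm which tenant actually issued it. A guest signed in through /common normally gets a token from their home tenant rather than tenant A. The client ID is the one from the question; the tenant IDs are placeholders, and the sample tokens and redirect URLs are constructed locally, so nothing here contacts login.microsoftonline.com.

```python
"""Added example (not part of the original Q&A).

Helpers for comparing the /common and tenant-specific authorize requests
and for confirming which tenant issued a returned token.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY_BASE = "https://login.microsoftonline.com"

# Client ID from the question; tenant IDs below are placeholders (assumed values).
CLIENT_ID = "a573ddda-b34a-4206-a73b-d67ff6e98aec"
TENANT_A_ID = "11111111-1111-1111-1111-111111111111"   # placeholder for tenant A
HOME_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # placeholder for the guest's home tenant


def build_authorize_url(client_id, redirect_uri, tenant="common",
                        scope=None, state="12345", nonce="678910"):
    """Build the v2.0 authorize URL for the implicit (response_type=token) flow.

    tenant is "common", "organizations", or a tenant ID / verified domain.
    scope defaults to the app's own "<client_id>/.default", as in the question.
    """
    if scope is None:
        scope = f"{client_id}/.default"
    params = {
        "client_id": client_id,
        "response_type": "token",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_mode": "fragment",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY_BASE}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_fragment_response(redirect_url):
    """Parse the #fragment Azure AD appends to redirect_uri for response_mode=fragment.

    Returns a flat dict. On failure the fragment carries "error" and
    "error_description" (the AADSTS text) instead of "access_token".
    """
    fragment = urlparse(redirect_url).fragment
    return {k: v[0] for k, v in parse_qs(fragment).items()}


def fragment_error(params):
    """Return the error description (e.g. an AADSTS message) if the response failed, else None."""
    if "error" not in params:
        return None
    return f"{params['error']}: {params.get('error_description', '')}"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Only for inspecting which tenant issued a token while debugging; never use
    unverified claims for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_tenant(token):
    """Return the 'tid' claim: the tenant that issued the token."""
    return jwt_claims(token).get("tid")


def issued_by_expected_tenant(token, expected_tenant_id):
    """True if both 'tid' and the v2.0 'iss' point at expected_tenant_id.

    For the question's scenario, a False result with tid == the guest's home
    tenant means /common signed the user in to their home tenant, not tenant A.
    """
    claims = jwt_claims(token)
    expected_iss = f"{AUTHORITY_BASE}/{expected_tenant_id}/v2.0"
    return claims.get("tid") == expected_tenant_id and claims.get("iss") == expected_iss


def make_unsigned_sample_token(claims):
    """Construct a demo JWT with alg=none and an empty signature (test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, "http://localhost/myapp/"))                    # /common
    print(build_authorize_url(CLIENT_ID, "http://localhost/myapp/", tenant=TENANT_A_ID))  # tenant A
    # Constructed token as a guest signed in via /common would typically receive it.
    tok = make_unsigned_sample_token({"tid": HOME_TENANT_ID, "aud": CLIENT_ID,
                                      "iss": f"{AUTHORITY_BASE}/{HOME_TENANT_ID}/v2.0"})
    print("issued by:", token_tenant(tok), "tenant A?", issued_by_expected_tenant(tok, TENANT_A_ID))
```

If the `tid` in a token you actually receive is the guest's home tenant rather than tenant A, switch the authority to the tenant-A ID as the answer says; the claims decoder above is a debugging aid only, since it performs no signature or audience validation.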