0
votes

I have an Azure Active Directory and a SPA App registration.

I am using the Microsoft Graph endpoint to invite a Guest User to the AD.

Graph Invite Api

Doc followed - https://docs.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http

request URL - https://graph.microsoft.com/v1.0/invitations (POST request)

request BODY -

{
    "invitedUserDisplayName": "John Doe",
    "invitedUserEmailAddress": "[email protected]",
    "inviteRedirectUrl": "https://example.com",
    "sendInvitationMessage": true,
    "invitedUserMessageInfo": {
      "customizedMessageBody": ""
    }
}

This sends an AAD invitation to invitedUserEmailAddress with a redemption link in the mail. (This also adds a guest user entry to the list of users in my AAD with invitation status "pending acceptance".)

Now if the user clicks the redemption link in their mail, they are successfully redirected to inviteRedirectUrl (the invitation status for the user changes from "pending acceptance" to "Accepted" in AAD).

My problem - But if a user tries to sign in directly to https://portal.azure.com or my SPA (without/before accepting the invitation sent to their email), they are prompted with a "Review Permissions" page for getting added to AAD, but after that they are not redirected to inviteRedirectUrl.

I am tracking the user's invitation status using inviteRedirectUrl (changing the invite status when inviteRedirectUrl is called), which I am unable to do if the user signs in directly to my SPA.

Is it the desired behavior not to call inviteRedirectUrl if someone signs in directly, or can this be remediated somehow?

2
I've also noticed the behaviour is different for accessing an app in the target tenant directly vs clicking the invite accept link. If the user is not an AAD/personal MS account, they actually can't accept the invite by going directly to the app, only through the link. This may be something you can't affect. You can also track invitation approval by querying for the user through Graph API / setting up change notifications etc.
juunas

2 Answers

1
votes

I think the behavior is normal and, as juunas mentioned in the comments, you can use the Graph API to query the user and know the invitation approval status.

You can request the Graph API like: https://graph.microsoft.com/v1.0/users/{userId}?$select=externalUserState. The field externalUserState shows the invitation approval status.
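An added example (not code from the question or either answer) of the approach this answer describes: send the invitation, keep the returned invitedUser.id, and read the invitation state from the directory with $select=externalUserState rather than inferring it from a hit on inviteRedirectUrl. The directory field is the authoritative signal: the redirect never happens when the guest signs in directly, and anyone holding the link could request the redirect URL without having redeemed anything. Assumptions: Node 18+ (global fetch), and a caller that already holds a Graph access token with User.Invite.All and User.Read.All; token acquisition is left out. The invite parameters and the sample user objects in the comments are constructed for illustration.

```javascript
// Microsoft Graph B2B invitation + state tracking (added example, not the original post's code).
// Assumes Node 18+ for the global fetch and a pre-acquired Graph bearer token.

const GRAPH = "https://graph.microsoft.com/v1.0";

// Body for POST /invitations: the same shape as the question's request, built from parameters.
function buildInvitation({ displayName, email, redirectUrl, messageBody = "" }) {
  return {
    invitedUserDisplayName: displayName,
    invitedUserEmailAddress: email,
    inviteRedirectUrl: redirectUrl,
    sendInvitationMessage: true,
    invitedUserMessageInfo: { customizedMessageBody: messageBody },
  };
}

// URL for GET /users/{id}?$select=...  The id comes from the invitation response
// (invitedUser.id); it is URL-encoded defensively rather than spliced in as-is.
function stateUrl(userId) {
  return `${GRAPH}/users/${encodeURIComponent(userId)}` +
    "?$select=id,externalUserState,externalUserStateChangeDateTime";
}

// Map a Graph user resource onto the cases the question cares about.
// externalUserState is "PendingAcceptance" until the guest redeems the invite,
// "Accepted" afterwards, and null for members or users created without an invite.
function classify(user) {
  const since = user.externalUserStateChangeDateTime ?? null;
  switch (user.externalUserState) {
    case "PendingAcceptance":
      return { status: "pending", since };
    case "Accepted":
      return { status: "accepted", since };
    default:
      return { status: "not-a-guest", since: null };
  }
}

// Minimal Graph call helper: bearer auth, JSON in/out, non-2xx turned into an error.
async function graphJson(token, url, init = {}) {
  const res = await fetch(url, {
    ...init,
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
      ...(init.headers || {}),
    },
  });
  if (!res.ok) {
    throw new Error(`Graph ${init.method || "GET"} ${url} failed with HTTP ${res.status}`);
  }
  return res.json();
}

// End to end: create the invitation, then read the guest's state from the directory.
// Persist userId and poll stateUrl(userId) (or subscribe to change notifications)
// instead of waiting for inviteRedirectUrl to be hit.
async function inviteAndTrack(token, params) {
  const invitation = await graphJson(token, `${GRAPH}/invitations`, {
    method: "POST",
    body: JSON.stringify(buildInvitation(params)),
  });
  const userId = invitation.invitedUser.id;
  const user = await graphJson(token, stateUrl(userId));
  return { userId, redeemUrl: invitation.inviteRedeemUrl, ...classify(user) };
}

// Example usage (requires a real token and network; not executed here):
// inviteAndTrack(process.env.GRAPH_TOKEN, {
//   displayName: "John Doe",            // constructed sample values
//   email: "john.doe@example.com",
//   redirectUrl: "https://example.com",
// }).then(console.log);
```

Note that externalUserStateChangeDateTime tells you when the state last changed, which is the timestamp to record in your own tracking store instead of the time your redirect endpoint was hit.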

1
votes

The SPA is a multi-tenant app, but by selecting the option "Accounts in any organizational directory", you make sure that the user who is trying to access your SPA app is part of some AAD tenant, as I mentioned in my earlier comment.

But looking into the error, it says "User account '[email protected]' from identity provider 'live.com' does not exist in tenant 'My Tenant'". It is getting thrown since you have created a multi-tenant app of type "Accounts in any organizational directory", but you are trying to log in with a user from maybe outlook.com or hotmail.com, which are live.com accounts. To support users from live.com in your multi-tenant app, you can select "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)":

Selecting that option would give you the same experience: a user with a live account can also access your multi-tenant SPA without being part of your tenant. But with your multi-tenant app type as "Accounts in any organizational directory", you certainly need the live.com user to be added as a guest user to your tenant or some other AAD tenant to access your SPA.