Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?

不知归路 2021-01-06 00:35

I'm trying out Azure AD B2B capabilities for my company. I have tried to invite external users through the portal and by using https://graph.microsoft.com/beta/invitations.

2 answers
    上瘾入骨i 2021-01-06 01:11

    The most prevalent guidance and examples for writing Azure AD multi-tenant apps recommend using the common endpoint instead of tenant specific endpoint.

    Common endpoint: https://login.microsoftonline.com/common/oauth2/authorize
    Tenant specific endpoint: https://login.microsoftonline.com/company.com/oauth2/authorize
    

    The common endpoint allows users from any tenant to log in. It achieves this by doing tenant discovery, meaning that, based on the user's email, it'll automatically redirect the user to their tenant endpoint. However, this also means that user@company.com will always be signed in as an employee of company.com and never as a guest of some other company they've been added as a guest to via the B2B collaboration feature - In short, the common endpoint doesn't support guests.

    The tenant specific endpoint, on the other hand, only allows users from that tenant to log in. While it doesn't do tenant discovery, it still allows users from other tenants to attempt to sign in, but will then check to see if they've been added as guests to the tenant. If they haven't, the sign-in will fail - In short, guest users (users added via the B2B collaboration feature) only work in the tenant specific endpoint.

    If you want your multi-tenant application to support guests, you'll need to do tenant discovery yourself and leverage the tenant specific endpoints rather than the common endpoint.

    This means that your application will need to know which Azure AD tenant is associated to each workspace/team/instance/whatever-isolation-level-in-the-app, for example:

    contoso.myapp.com or www.myapp.com/contoso will sign in users via login.microsoftonline.com/contoso.com
    

    and

    fabrikam.myapp.com or www.myapp.com/fabrikam will sign in users via login.microsoftonline.com/fabrikam.com
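The per-workspace tenant discovery the answer describes, as an added example that is not part of the original answer: the workspace is resolved from the request URL, the tenant-specific authorize URL is built instead of /common, and after sign-in the token's tid claim is checked against the workspace's tenant. The workspace table, tenant ids, client id and redirect URI are constructed placeholders.

```python
# Added example, not code from the original answer. The workspace-to-tenant
# table, tenant ids and URLs are constructed; the endpoint shape follows the
# answer's tenant-specific URL (login.microsoftonline.com/<tenant>/oauth2/authorize).
from typing import Optional
from urllib.parse import urlencode, urlparse

# Constructed mapping: which Azure AD tenant owns each workspace.
# "tid" is the tenant id (GUID) that tokens issued by that tenant carry.
WORKSPACE_TENANTS = {
    "contoso": {"domain": "contoso.com", "tid": "11111111-1111-1111-1111-111111111111"},
    "fabrikam": {"domain": "fabrikam.com", "tid": "22222222-2222-2222-2222-222222222222"},
}

def workspace_from_url(url: str) -> Optional[str]:
    """Resolve the workspace from contoso.myapp.com or www.myapp.com/contoso."""
    parts = urlparse(url)
    labels = parts.hostname.split(".") if parts.hostname else []
    if len(labels) == 3 and labels[0] != "www":
        return labels[0]                     # subdomain style
    first = parts.path.strip("/").split("/")[0]
    return first or None                     # path style, or no workspace at all

def authorize_url(url: str, client_id: str, redirect_uri: str) -> str:
    """Build the tenant-specific authorize URL for the request's workspace."""
    ws = workspace_from_url(url)
    if ws not in WORKSPACE_TENANTS:
        raise ValueError(f"unknown workspace: {ws!r}")
    tenant = WORKSPACE_TENANTS[ws]["domain"]
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "state": ws})
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?{query}"

def token_belongs_to_workspace(claims: dict, workspace: str) -> bool:
    """After the code is redeemed and the token's signature is verified, require
    that the issuing tenant (tid) is the workspace's tenant, not just any tenant."""
    expected = WORKSPACE_TENANTS.get(workspace)
    return expected is not None and claims.get("tid") == expected["tid"]

if __name__ == "__main__":
    print(authorize_url("https://fabrikam.myapp.com", "app-client-id",
                        "https://www.myapp.com/signin-oidc"))
```

Signature validation of the returned token is assumed to happen before the tid check; the check only ensures a guest of one tenant cannot use a token from another tenant to reach a different workspace.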
