Forum Discussion
Combining a multi-tenant application with B2B guest users
Hello Giuseppe,
Let me take this step by step and I hope I will be able to explain.
- You have a multitenant application which needs an authentication token from Azure AD.
- Once your application has the token, your application can perform the required tasks.
As you also mentioned the two domains gmail.com and libero.it, I will explain what happens from the Azure AD standpoint.
If a user from gmail.com or outlook.com accesses your application for the very first time, they will receive a consent prompt to approve the application authorization, after which it will work for sure because they are the owner of their own data.
Also, now it completely depends upon the scope that you are using while sending the authentication request to AAD for enterprise accounts.
I agree you are requesting the basic profile, which should work as expected, but when it comes to Graph the process is entirely different.
If your application is trying to access a protected resource through the Graph API which requires admin consent, users will not be able to approve it because it is a change that is happening at the directory level.
In Azure AD every object has to be authenticated by its home tenant, i.e., where the user object resides.
Common auth flow for your scenario:
Your application ------ authentication request ----> login.microsoftonline.com --> user will type UPN ----> will be redirected to the instance of Azure AD where the user object resides ------>> Note: this request will contain the scope bound by your application.
Now once the user is authenticated, Azure AD has to check whether your application is authorized to access the protected resource via Graph --- for which it needs a service principal.
Whenever any application is consented to by the global admin, a service principal object is created, which is listed in the Enterprise applications section of Azure Active Directory.
This service principal is responsible for all the consent and OAuth delegation bindings.
So, if you are using Graph to access something which requires admin consent, this will be by-design behavior.
Please do check the details of the scope that is getting requested for accessing every protected resource.
Ignore if duplicate.
Regards,
Rishabh
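As an added illustration of the flow described in the answer above (this is example code, not Rishabh's or Microsoft's, and the client ID, redirect URI, tenant ID and scope values are constructed placeholders), the following Python builds the two requests that matter here: the normal authorization request against the multi-tenant `common` authority, where the requested scopes are bound to the request before Azure AD redirects the user to their home tenant, and the admin-consent request a global admin must approve so the service principal (the Enterprise applications entry) exists in the customer's tenant. It also parses the redirect the admin-consent endpoint sends back, checking `state` first so that a response not started by this session is never treated as a grant.

```python
"""Added example for the multi-tenant Azure AD consent flow.
All identifiers below (client_id, redirect_uri, tenant ids, scopes) are
constructed placeholders, not values from the original thread."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def new_state():
    """Unguessable per-request state value; echoed back by Azure AD."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, scopes, state, tenant="common"):
    """OAuth2 authorization-code request on the multi-tenant 'common'
    authority. Azure AD reads the UPN the user types and sends them to the
    tenant that owns the object; the scope list is fixed here, so request
    only what the application actually needs."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_admin_consent_url(client_id, redirect_uri, scopes, state, tenant="organizations"):
    """Admin-consent request. When a global admin approves it, Azure AD
    creates the service principal for the app in that tenant, which then
    carries the consent and OAuth delegation bindings."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def parse_admin_consent_redirect(redirect_url, expected_state):
    """Parse the redirect back from the admin-consent endpoint.
    Returns (granted, tenant_id). Raises ValueError on a state mismatch so
    a response this session did not initiate is discarded, and returns
    (False, None) when the admin declined or an error came back."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in q:
        return False, None
    granted = q.get("admin_consent", [""])[0].lower() == "true"
    tenant_id = q.get("tenant", [None])[0]
    return granted, tenant_id


if __name__ == "__main__":
    # Constructed sample values; a real app would use its own registration.
    cid = "11111111-1111-1111-1111-111111111111"
    cb = "https://app.example/callback"
    st = new_state()
    print(build_authorize_url(cid, cb, ["openid", "profile", "User.Read"], st))
    print(build_admin_consent_url(cid, cb, ["User.Read.All"], st))
    # Constructed redirect as the admin-consent endpoint would return it.
    sample = f"{cb}?admin_consent=True&tenant=00000000-0000-0000-0000-000000000001&state={st}&scope=User.Read.All"
    print(parse_admin_consent_redirect(sample, st))
```

The authorize request deliberately carries only the delegated scopes a signed-in user can consent to; anything that needs directory-level approval goes through the separate admin-consent URL, which is the point the answer makes about why a normal user cannot approve such scopes.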