Combining a multi-tenant application with B2B guest users


We have set up a multi-tenant application so that users having a presence in the Azure AD tenants can log in seamlessly, after a global admin gives the consent at once. However, due to the nature and the audience of the Web Application we are offering, we also need to grant access, from time to time, to B2B guest users that we invite into our tenant through a registration process based on Graph API.

Here is where the issues arise: we found that, depending on the domain guest users belong to, they can or cannot sign in to the application.

For example, guest B2B users belonging to @gmail.com are successfully logged in while users belonging to @libero.it are not.

We came to understand that @libero.it has a presence in the Azure AD directory, so, if we're right, a global admin in that tenant should give consent at once to our application. Unfortunately, this is not a feasible solution for our objectives, as we will have a heterogeneous population of guest users and it would not be manageable to contact each single global admin to request consent (i.e. for two or three users). Could it be possible instead for each single user to grant such permission only for his account?

 

Being a multi-tenant application, we are using the /common endpoint to get the authentication token. Suggestions?

 

Many thanks in advance for reading it

 

Giuseppe

 

1 Reply

Hello Giuseppe,

 

Let me take this step by step and I hope I will be able to explain. 

 

- You have a multitenant application which needs an authentication token from Azure AD.

- Once your application has the token, your application can perform the required tasks.

As you also stated about the two domains gmail.com and libero.it, I will explain what happens from the Azure AD standpoint.

If a user from gmail.com or outlook.com accesses your application for the very first time, they will receive a consent prompt to approve the application authorization, after which it will work for sure because they are the owner of their own data.

 

Also, now it completely depends upon the scope that you are using while sending the authentication request to AAD for enterprise accounts.

I agree you are requesting basic profile, which should work as expected, but when it comes to Graph the process is entirely different.

If your application is trying to access a protected resource through Graph API which requires admin consent, users will not be able to approve because it is a change that is happening at the directory level.

In Azure AD every object has to be authenticated by its home tenant, i.e. where the user object resides.

 

Common auth flow for your scenario.

 

Your application --> authentication request --> login.microsoftonline.com --> user will type UPN --> will be redirected to the instance of Azure AD where the user object resides. Note this request will contain the scope bound by your application.

Now, once the user is authenticated, Azure AD has to check whether your application is authorized to access the protected resource via Graph, for which it needs a service principal.

Whenever any application is consented by the global admin, a service principal object is created, which is listed in the enterprise application column of Azure Active Directory.

This service principal is responsible for all the consent and OAuth delegation bindings.

So, if you are using Graph to access something which requires admin consent, this will be by-design behavior.

Please do check the details of the scope that is being requested for accessing every protected resource.

Ignore if duplicate.

 

Regards,

Rishabh
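
One way to run the scope check suggested in the reply above, as an added example that is not part of the original thread: it parses a v2.0 authorize URL, reports the tenant segment (such as /common) and sorts each requested scope by whether it needs admin consent. The function name, the two permission sets (a small hand-picked subset of delegated Microsoft Graph permissions) and the sample URL with its placeholder client ID are assumptions made for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Hand-picked subset of delegated Microsoft Graph permissions, not exhaustive.
# A tenant's own user-consent settings can be stricter than this list.
ADMIN_CONSENT_REQUIRED = {"user.read.all", "directory.read.all",
                          "group.read.all", "user.invite.all"}
USER_CONSENTABLE = {"openid", "profile", "email", "offline_access",
                    "user.read", "user.readbasic.all"}
GRAPH_PREFIX = "https://graph.microsoft.com/"
SHARED_ENDPOINTS = {"common", "organizations", "consumers"}

# Constructed sample request; the client_id is a placeholder.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&scope=openid%20profile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FDirectory.Read.All"
)


def audit_authorize_url(url):
    """Return the tenant segment and the consent class of every requested scope."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    tenant = segments[0] if segments else ""
    # parse_qs percent-decodes the value; scopes are space separated.
    scopes = " ".join(parse_qs(parsed.query).get("scope", [])).split()

    report = {"tenant_segment": tenant,
              "shared_endpoint": tenant.lower() in SHARED_ENDPOINTS,
              "admin_consent": [], "user_consent": [], "unknown": []}
    for scope in scopes:
        # Scopes may be written in full resource form or as a bare name.
        name = scope[len(GRAPH_PREFIX):] if scope.lower().startswith(GRAPH_PREFIX) else scope
        key = name.lower()
        if key in ADMIN_CONSENT_REQUIRED:
            report["admin_consent"].append(name)
        elif key in USER_CONSENTABLE:
            report["user_consent"].append(name)
        else:
            # Not in either subset (includes .default): check the app registration.
            report["unknown"].append(name)
    return report


if __name__ == "__main__":
    for field, value in audit_authorize_url(SAMPLE_URL).items():
        print(f"{field}: {value}")
```

Any scope reported under admin_consent is one that a guest from an organizational tenant cannot approve for their own account, which matches the by-design behavior described in the reply.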