B2B Multi Tenant and guest users authority


Hi 


I am having an issue when I configure MSAL to accept guest users from multiple tenants. Guest users cannot access the resource because their tenant ID is not linked to the tenant they were invited into, but to the base application on the resource tenant (where the app was created).

In a single-tenant configuration this works, as the authority is specified. However, when the B2B multi-tenant setup uses /common or /organizations, guest users seem to point back to where the application is hosted, and I cannot get the tenant ID from any of the MSAL endpoints nor from the Graph API.

 

Originally, we set up the MSAL config like so:

export const msalConfig = {
  auth: {
    clientId: "{clientId}",
    // tenant-specific authority: only this tenant (and its guests) can sign in
    authority: "https://login.microsoftonline.com/{tenantID}",
  },
};

This is a single-tenant setup, as the tenantID is specified; guests invited into that tenant can access shared resources.

export const msalConfig = {
  auth: {
    clientId: "{clientId}",
    // multi-tenant authority: /common or /organizations, any AAD tenant can sign in
    authority: "https://login.microsoftonline.com/{common||organizations}",
  },
};

This is a multi-tenancy setup: any organisation with an AAD account can sign in and share resources (this all works fine and is tested).

However, with this multi-tenant setup, if an organisational member invites a guest user, they are a part of that organisation, not of where the application originates from (our production tenant). The token seems to be coming from the production tenant, so they cannot access the shared resource: 1. because they aren't a user of that tenant, 2. the resource is not on that tenant.

MSAL documents that we can change the authority on request; however, I cannot seem to find the guest user's invitee tenant ID. It always links back to our production tenant.

Could anyone help in any way possible?

Thanks in advance

Steps:

1. create an app registration as a multi-tenant application on a tenant
2. another organization/tenant can adopt and consume it by logging in via their own AAD
3. organization members can invite guest users
4. guest invite sent/redeem process
5. give permissions to app, group, file
6. use the web app URL with the sharing link as a query parameter
7. use MSAL to log in and authenticate into the tenant
8. call the endpoint / read the file

BTW, this is the response I get for the guest user; as you can see, it has a tenant ID, but it's not the tenant ID of the tenant the guest has been invited to:

https://user-images.githubusercontent.com/25176118/185430358-f5af8a5f-5964-462a-88ee-b5c0903c28d3.pn...
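An added example (not code from the post or from MSAL) of the check the steps above lead to: read the `tid` and `iss` claims of the ID token MSAL returns, compare them against the resource tenant taken from the sharing link, and build the tenant-specific authority to use for that request instead of /common or /organizations. The tenant IDs and the unsigned sample token are constructed placeholders.

```javascript
// Added example, not code from the post: read the tenant claims of the ID token
// MSAL returns and decide whether it came from the resource tenant named in the
// sharing link; if not, build the tenant-specific authority for a retry.
const HOME_TENANT = "11111111-1111-1111-1111-111111111111";     // constructed: guest's home tenant
const RESOURCE_TENANT = "22222222-2222-2222-2222-222222222222"; // constructed: tenant that invited the guest
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function base64UrlDecode(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64").toString("utf8");
}

// Payload claims of a compact JWT. The signature is not checked here: MSAL has
// already validated the ID token; the claims are only read to route the next request.
function decodeJwtClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Tenant-specific authority that replaces /common or /organizations for one request.
// Only a GUID is accepted, so a value read from a sharing-link URL cannot point the login elsewhere.
function authorityForTenant(tenantId) {
  if (!GUID_RE.test(tenantId)) throw new Error("tenant id must be a GUID");
  return `https://login.microsoftonline.com/${tenantId}`;
}

// For a v2.0 token, tid is the tenant that issued it and iss is
// https://login.microsoftonline.com/{tid}/v2.0. A guest who signed in via
// /organizations gets a token from the home tenant, so tid !== RESOURCE_TENANT.
function checkTokenTenant(idToken, resourceTenantId) {
  const claims = decodeJwtClaims(idToken);
  const expectedIss = `https://login.microsoftonline.com/${resourceTenantId}/v2.0`;
  if (claims.tid === resourceTenantId && claims.iss === expectedIss) return { ok: true, claims };
  return { ok: false, claims, authority: authorityForTenant(resourceTenantId) };
}

// Constructed, unsigned sample token (alg none, empty signature) used only to
// exercise the functions above; a real ID token is signed by Azure AD.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}
function makeSampleIdToken(tid) {
  const payload = { iss: `https://login.microsoftonline.com/${tid}/v2.0`, tid, aud: "{clientId}" };
  return `${base64UrlEncode({ alg: "none", typ: "JWT" })}.${base64UrlEncode(payload)}.`;
}

// Guest token issued by the home tenant: ok is false and authority names the resource tenant.
console.log(checkTokenTenant(makeSampleIdToken(HOME_TENANT), RESOURCE_TENANT));
```

The resource tenant ID has to come from the sharing context (the link's query parameter in step 6), not from the guest's token, since the token only ever names the tenant that issued it.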
