MSAL PublicClientApplicationBuilder with AzureAD external user cannot access SharePoint

We have a Windows Application using MSAL with PublicClientApplicationBuilder to access SharePoint with the delegated permissions of the logged on user.

When our code is used with the login of a user who was invited as an external user in another AzureAD, and whose user is added to the members of a SharePoint site collection, we get an access token which results in HTTP 401. Using a user from the other AzureAD directly to log in does work. It is just with the external user that we fail to get access.

When the user logs into SharePoint in the browser, using his external user login, he can access the other tenant's SharePoint. So his external user account has permissions on that site collection, but it works only in the browser, not from our MSAL client.

Some details: We created the app registration as a multi-tenant app in our AzureAD with the needed read and write permissions from the SharePoint delegated permission list.

An admin of the other AzureAD consented the delegated permissions for all users and we did the same in our AzureAD. So no matter which user tries to log in and use the app, they will find consented permissions.

We use this code to get a public client app:

var clientAppId = "our-app-clientID";
var redirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient";

_clientApp = PublicClientApplicationBuilder.Create(clientAppId)
    .WithRedirectUri(redirectUri)
    .WithLogging(Log, LogLevel.Verbose, false)
    // .WithTenantId("we tried our and the other tenant's ID")
    .Build();

The commented line .WithTenantId was just added while we tried to find a solution.

We can see that it makes a difference for the token content. Without that line, or with our tenantId, we see the user's "oid" is the objectId of the user in our AzureAD.

When we use the tenantId of the other AzureAD we get the oid of the external user object in that AzureAD.

So we had hopes that the latter call would succeed, but it fails as well, this time with HTTP 403. So the user token seems to get a bit further, but still not to the SharePoint site collection.

Any idea if this scenario is possible?

It would be nice if this is possible, and best if we did not have to call WithTenantId, because otherwise we would somehow need to look up the correct tenantId on the client machine - not sure where to get it from, except asking an admin of the other tenant and putting the value in some app config file or the Windows registry.

0 Replies
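The post has no replies, so the following is an added example (my code, not the poster's and not MSAL's own sample) of the two things the post circles around: pinning the authority to the tenant that hosts the site, and inspecting the resulting token before blaming SharePoint. For a guest (external) user, Microsoft Entra ID issues the access token from the resource tenant, so the token's "tid" claim should equal that tenant's ID; that is consistent with the "oid" change the poster observed when passing the other tenant's ID. The client ID, the hosts contoso.sharepoint.com / contoso.onmicrosoft.com, the site path /sites/team and the AllSites.Read scope are placeholders I constructed; ResolveTenantIdAsync (which reads the tenant ID out of the public OpenID Connect discovery document of a verified domain, so nobody has to hand-copy it into the registry) and DecodeClaims are helpers I wrote for the example, not MSAL APIs. It assumes the Microsoft.Identity.Client NuGet package.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class SharePointGuestAuth
{
    // Constructed placeholders: replace with your own app registration and resource tenant.
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient";
    const string SharePointHost = "https://contoso.sharepoint.com";
    const string ResourceTenantDomain = "contoso.onmicrosoft.com"; // a verified domain of the resource tenant

    // Helper (assumption, not an MSAL API): resolve the tenant ID from a verified domain via the
    // public OIDC discovery document; its "issuer" is https://login.microsoftonline.com/{tenantId}/v2.0
    static async Task<string> ResolveTenantIdAsync(string verifiedDomain)
    {
        using var http = new HttpClient();
        var url = $"https://login.microsoftonline.com/{verifiedDomain}/v2.0/.well-known/openid-configuration";
        using var doc = JsonDocument.Parse(await http.GetStringAsync(url));
        var issuer = doc.RootElement.GetProperty("issuer").GetString()!;
        return issuer.Split('/', StringSplitOptions.RemoveEmptyEntries)[2];
    }

    // Helper (assumption): decode the JWT payload for diagnostics only. No signature check is
    // done here; the resource server (SharePoint) validates the token, this just shows its claims.
    static Dictionary<string, JsonElement> DecodeClaims(string jwt)
    {
        var payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        switch (payload.Length % 4) { case 2: payload += "=="; break; case 3: payload += "="; break; }
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(payload));
        return JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(json)!;
    }

    static async Task Main()
    {
        // A guest's token must come from the tenant that hosts the site, so the authority is
        // pinned to that tenant instead of "common".
        var tenantId = await ResolveTenantIdAsync(ResourceTenantDomain);
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithRedirectUri(RedirectUri)
            .Build();

        // Scope is the SharePoint host plus a delegated permission consented in the resource tenant.
        var scopes = new[] { $"{SharePointHost}/AllSites.Read" };
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        AuthenticationResult result;
        try
        {
            result = await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        }

        // Check the token before calling SharePoint: issuing tenant, user object, audience, scopes.
        var claims = DecodeClaims(result.AccessToken);
        Console.WriteLine($"tid = {claims["tid"]} (expected {tenantId})");
        Console.WriteLine($"oid = {claims["oid"]}");
        Console.WriteLine($"aud = {claims["aud"]} (expected {SharePointHost})");
        Console.WriteLine($"scp = {claims["scp"]}");

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        var response = await http.GetAsync($"{SharePointHost}/sites/team/_api/web/title"); // constructed site path
        Console.WriteLine($"SharePoint responded {(int)response.StatusCode}");
    }
}
```

If "tid" in the printed claims is the home tenant rather than the resource tenant, the token was issued for the wrong tenant and SharePoint will reject it regardless of site membership; if "tid" is right but "aud" or "scp" is not what the site expects, the problem is on the permission/consent side. Keeping the tenant lookup in code (or in a per-customer setting resolved once from the verified domain) avoids hard-coding another organisation's tenant ID in the registry.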