I'm currently upgrading an application to enable multi-tenancy and B2B integration.
I got the following types of users working so far:
- internal Azure AD users
- external Azure AD users from another tenant
- personal Microsoft account
- Gmail users
I'm now trying to enable users from any domain to access my application by following this process:
- Send invite to x@abc.com - this works
- Redeem invite from x@abc.com inbox - this works and I successfully setup the associated Microsoft account
- Login into my application using x@abc.com - this does NOT work and I get the following error: AADSTS65005: Using application 'My Application' is currently not supported for your organization abc.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of abc.com before the application 'My Application' can be provisioned
In this case abc.com is an external partner. The external partners are dynamic and managed through the application via a 'domain white-list'. So I can have abc.com now, and later abcd.com, xyz.com, etc. The users from these white-listed domains are self-registering via an application URL.
Interestingly enough, gmail users work so I'm assuming there's an internal Azure AD white-list for the popular domain?
UPDATE:
The reason why the Gmail accounts are working is because they are indeed created as Microsoft accounts in my Azure AD. The abc.com domain accounts on the other hand are created as 'External Azure Active Directory' accounts. (source property)
UPDATE #2:
After a bit more research I found that it wasn't working because I was using the common endpoint which doesn't support guests. More details here: Can users from an unmanaged Azure AD directory, sign into an Azure AD multi-tenant application which resides in a different directory?
Now I switched to using my tenant specific endpoint like below:
Tenant specific endpoint: https://login.microsoftonline.com/{tenant-id}/v2.0
and I can login with the guest users from abc.com
However Microsoft accounts stopped working now.
```csharp
AuthorizationCodeReceived = async (context) =>
{
    ...
    // Confidential client built without an explicit authority
    var cca = new ConfidentialClientApplication(appId, redirectUri,
        new ClientCredential(appSecret),
        new SessionTokenCache(signedInUserID, context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase));
    // Redeem the authorization code for tokens
    await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code);
},
```
`await cca.AcquireTokenByAuthorizationCodeAsync(scopes, code)` fails with the following error:

```text
ErrorCode: invalid_grant
Message=AADSTS50020: MSA guest token redemption attempt on v2 common endpoint.
```
How can I make it work with both guest users from custom domains (abc.com) AND existing Microsoft accounts?
Cause:
You didn't do user or admin consent for the multi-tenant app for the abc.com tenant. Maybe the settings for that tenant don't allow users to consent; only an admin can do it. For a multi-tenant app, if users from another tenant want to use it, this may need user or admin consent for the application. Then the service principal will be automatically created in that tenant, so that users in that tenant can use the app.
You can see more details about user or admin consent for multi-tenant apps in this documentation.
Solution:
Try to add `&prompt=admin_consent` in your request to force admin consent. You need to use an admin account to log in and do admin consent. If you're the admin in that tenant, you can also enable "Users can consent" in Enterprise Applications > User settings. Please let me know if this helps!
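The following is an added example, not code from the question or the answer, showing how the two points raised on this page fit together in one configuration: the sign-in redirect and the MSAL code redemption must use the same tenant-specific v2.0 authority (the AADSTS50020 text in the question says the code was being redeemed at the v2 common endpoint, which is what a confidential client built without an authority falls back to), and a partner tenant's administrator needs a consent URL so the service principal is provisioned there. It assumes the current MSAL.NET builder API (Microsoft.Identity.Client 4.x) rather than the older ConfidentialClientApplication constructor in the question, plus the OWIN OpenIdConnect middleware; the tenant id, application id, secret, redirect URI and scopes are placeholders. On the v2.0 endpoint the dedicated adminconsent URL plays the role that prompt=admin_consent plays on the v1.0 authorize endpoint.

```csharp
// Added example (not from the original post). One place decides the authority for
// BOTH the sign-in redirect and the MSAL token redemption, so an authorization code
// issued by the tenant endpoint is never redeemed at /common.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Owin.Security.OpenIdConnect;

public static class AuthorityConfig
{
    // Placeholder values; replace with your own app registration.
    const string TenantId = "00000000-0000-0000-0000-000000000000";
    const string AppId = "<application-id>";
    const string AppSecret = "<client-secret>";
    const string RedirectUri = "https://localhost:44300/";

    // Tenant-specific v2.0 authority. Guests (including MSA guests) fail with
    // AADSTS50020 when their code is redeemed at /common instead of here.
    public static string Authority => $"https://login.microsoftonline.com/{TenantId}/v2.0";

    // OWIN middleware options: the authorize request goes to the tenant endpoint.
    public static OpenIdConnectAuthenticationOptions BuildOidcOptions() =>
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = AppId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            Scope = "openid profile offline_access User.Read",
            ResponseType = "code id_token",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = OnAuthorizationCodeReceivedAsync
            }
        };

    // Confidential client built with the SAME authority as the middleware.
    public static IConfidentialClientApplication BuildClient() =>
        ConfidentialClientApplicationBuilder.Create(AppId)
            .WithClientSecret(AppSecret)
            .WithRedirectUri(RedirectUri)
            .WithAuthority(Authority)
            .Build();

    static async Task OnAuthorizationCodeReceivedAsync(AuthorizationCodeReceivedNotification context)
    {
        var cca = BuildClient();
        var scopes = new[] { "User.Read" };

        // Redeem the code against the tenant endpoint that issued it.
        AuthenticationResult result = await cca
            .AcquireTokenByAuthorizationCode(scopes, context.Code)
            .ExecuteAsync();

        // Tell the middleware the code is already redeemed, so it does not try again.
        context.HandleCodeRedemption(result.AccessToken, result.IdToken);
    }

    // v2.0 admin consent URL for a partner tenant (a domain such as abc.com or a
    // tenant id works). An administrator of that tenant opens it once; afterwards
    // the service principal exists there and its users can sign in. The state
    // value is returned on the redirect and should be validated by the caller.
    public static string AdminConsentUrl(string partnerTenant, string state) =>
        $"https://login.microsoftonline.com/{Uri.EscapeDataString(partnerTenant)}/v2.0/adminconsent" +
        $"?client_id={Uri.EscapeDataString(AppId)}" +
        $"&redirect_uri={Uri.EscapeDataString(RedirectUri)}" +
        $"&state={Uri.EscapeDataString(state)}";
}
```

Wire `BuildOidcOptions()` into `app.UseOpenIdConnectAuthentication(...)` in the OWIN startup, and hand `AdminConsentUrl("abc.com", state)` to the partner's administrator (or redirect them to it from the self-registration flow) before their users attempt to sign in. Keeping the authority in one property is the design choice that matters: any later change, such as switching back to `/common`, then applies to the redirect and the redemption together instead of drifting apart.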