This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 34%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Enabled this [cross-tenant access settings for external collaboration (preview) - "Trust multi-factor authentication from Azure AD tenants"][1] preview feature to allow our multi AAD environment utilizing B2B Guests in our Resource tenant to login with our Home AAD tenant. (can provide more details here privately) During sign on flow - SOME users can reproduce a scenario where they get redirected to the HOME AAD 7+ times in a loop and eventually are presented with : "We couldn't sign you in. Please try again." IDP logs tied to home AAD tenant show valid sign-in events. AAD logs in our resources tenant (b2b guest users live here) sporadically showed Auth Failure with "Authenitcation Requirement" marked as "Single-factor Authentication" - other users no logs hit the resource tenant. - Application Azure SQL Database and Data Warehouse - Sign-in error code 50089 - Failure reason Authentication failed due to flow token expired. - Additional Details Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user. This is most easily reproduced in Sql Server Management Studio ( v18.10) when selecting Authentication: "Azure Active Directory - Universal with MFA" .. This will trigger the IE7 WebPop to AAD (without a tenant passed in) ![174939-image.png][2] ![175091-image.png][3] [1]: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/collaborate-more-securely-with-new-cross-tenant-access-settings/ba-p/2147077 [2]: /api/attachments/174939-image.png?platform=QnA [3]: /api/attachments/175091-image.png?platform=QnA
I had same users install the AzureAD module in powershell as it uses a very similar WebPop via IE7 (win 10 ) ... but that worked, they had no issues authenticating - notable difference is we usually pass the tenant of our guest AAD to that command so if there is some AAD->AAD crazyness going on with HRD - then it wont reproduce it.
Also we just discovered these same users can reproduce in the browser going to myaccount.microsoft.com and choosing Security Info
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 82%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Hi anonymous user - we'd like to get some additional information on this issue. Would it be possible to please message me directly: sranjit@microsoft.com
Looking forward to resolving this issue!
Thank you,
Sangeeta