SimonSkrede-0861 asked:

Multi-tenant application with saml2

A web application registered in our tenant, with signInAudience: AzureADandPersonalMicrosoftAccount in the manifest, allows logins from the same tenant just fine using https://login.microsoftonline.com/common/saml2, but users logging in from other tenants get the error: "User account xxx@outlook.com from identity provider live.com does not exist in tenant mytenant and cannot access the application https://my.tenant.id/ in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account." Seems to make no sense at all.

azure-active-directory

1 Answer

JaiVerma-7010 answered:

I assume these users are using the SP-initiated flow, where the user goes to the application URL and gets redirected to your tenant. I also assume these users are already logged in to their AAD and hence have PRT/MSISAuth cookies etc., which they present to your AAD. Since these users are not present in your tenant, you get the above message.

Is the text of the message your concern? Well, that is absolutely inaccurate and misleading. However, the behavior is 100% expected.

In case you want to allow access to applications registered in your tenant, you need to use B2B. Add these users as guests in your tenant so that your tenant can issue the token.

Your application only trusts tokens issued by your tenant.

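The last point of the answer, that the application only trusts assertions issued by its own tenant, is what the service provider's own validation enforces. The following is an added example (not code from the question or the answer) of that check in Python: it parses a SAML Response, requires the Issuer to be the home tenant's STS (Azure AD uses https://sts.windows.net/<tenant-id>/ as the SAML issuer) and the Audience to be the app identifier from the question (https://my.tenant.id/), and shows that an assertion from another tenant fails at the issuer check while a B2B guest passes because the home tenant issued it. The tenant IDs, the guest UPN and the unsigned sample responses are placeholders constructed here; XML signature verification is assumed to have happened before this step and is omitted. The point for a practitioner is that the fix is inviting the guest, not widening the issuer check to accept any tenant.

```python
"""
Tenant-scoped issuer and audience checks on an Azure AD SAML Response.

Added example; not code from the original post. Assumptions (placeholders):
- the app's home tenant ID is 11111111-1111-1111-1111-111111111111
- Azure AD issues assertions with Issuer "https://sts.windows.net/<tenant-id>/"
- the app's identifier (SAML audience) is https://my.tenant.id/ (from the question)
- XML signature verification happens before this check and is omitted here
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder tenant ID
EXPECTED_ISSUER = f"https://sts.windows.net/{HOME_TENANT_ID}/"
EXPECTED_AUDIENCE = "https://my.tenant.id/"                 # app identifier from the question


def build_response(issuer_tenant_id, audience, name_id):
    """Constructed, unsigned SAML Response used as sample input (not a real capture)."""
    issuer = f"https://sts.windows.net/{issuer_tenant_id}/"
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text):
    """Return (accepted, reason_or_name_id) after checking issuer and audience."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response"

    # Both the Response and the Assertion carry an Issuer; they must agree and
    # must be this tenant's STS. A different tenant ID here is exactly the case
    # of a user whose home tenant issued the assertion without a guest object
    # existing in ours.
    issuers = {
        root.findtext("saml:Issuer", namespaces=NS),
        assertion.findtext("saml:Issuer", namespaces=NS),
    }
    if issuers != {EXPECTED_ISSUER}:
        return False, f"untrusted issuer(s): {issuers}"

    # The assertion must be addressed to this application, not to another
    # service the same tenant also issues assertions for.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        return False, f"audience mismatch: {audiences}"

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing NameID"
    return True, name_id


if __name__ == "__main__":
    OTHER_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # placeholder
    cases = {
        "member of home tenant": build_response(
            HOME_TENANT_ID, EXPECTED_AUDIENCE, "alice@mytenant.onmicrosoft.com"),
        "assertion issued by another tenant": build_response(
            OTHER_TENANT_ID, EXPECTED_AUDIENCE, "bob@othertenant.onmicrosoft.com"),
        # After a B2B invitation the home tenant issues the assertion itself;
        # the guest UPN below is illustrative of the usual #EXT# form.
        "B2B guest in home tenant": build_response(
            HOME_TENANT_ID, EXPECTED_AUDIENCE, "xxx_outlook.com#EXT#@mytenant.onmicrosoft.com"),
    }
    for label, xml_text in cases.items():
        print(f"{label}: {validate_response(xml_text)}")
```

Running the block prints one accepted result for the home-tenant member, an "untrusted issuer" rejection for the other-tenant assertion, and an accepted result for the guest, which is the behaviour the answer describes as expected.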