question

ZhiyuanZhang-2086 avatar image
0 Votes"
ZhiyuanZhang-2086 asked ·

Application doesn't prompt for login (instead, it use the account from different Azure tenant which I have logged in previously)

I have access to four different Azure tenants.

Tenant A includes: account A001, registered app A_App001 (supported account types: my organization only)

Tenant B includes: account B001, registered app B_App001 (supported account types: my organization only)

Tenant C includes: account C001, registered app C_App001 (supported account types: my organization only)

Tenant D includes: account D001, registered app D_App001 (supported account types: my organization only)

Here is the step to replicate the issue:

  1. Log into Azure Tenant A with account A001

  2. Try to login the application B_App001, it will not prompt me for login account (B001). Instead, it uses account A001 directly and fails. (AADSTS90072: User account '{EmailHidden}' from identity provider '{A001's email domain}' does not exist in tenant '{Tenant A}' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'({App001's name}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account)

If I use tenant C and D to do the same test following the previous steps, it prompts me for login information as expected.

Are they any configuration or setting related to this behavior?

azure-active-directory
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

amanpreetsingh-msft avatar image
0 Votes"
amanpreetsingh-msft answered ·

@ZhiyuanZhang-2086 If you are accessing multiple applications, federated to same Identity provider, in same browser session, it is expected that session cookies are submitted to the Identity provider for facilitating SSO. Which is happening when you are accessing B_App001 from same browser session where you have logged in with Azure Tenant A with account A001.

Now the question is why it doesn't happen with tenant C and D?

To answer this, you would need to look into the sign-in request submitted when you access C_App001 and D_App001 and check below points:

  1. Are these applications redirecting to "https://login.microsoftonline.com/< tenant-id >" and going to there respective tenants or https://login.microsoftonline.com/common for tenant discovery based on the UPN suffix.

  2. Does the request contain the parameter that forces the user to login interactively instead of single sign-on. For example, in case of OAuth request it is Prompt=Login and in SAML request it is forceAuthn="true".


Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.




· 5 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Each tenant has its own identity provider, they are all different.

To answer your questions:
1. Application are redirecting to "https://login.microsoftonline.com/< tenant-id >"
2. The request does not contain "Prompt=Login" (we are using OAuth)


The questions is why? They are all different IdPs. I should be prompted for login, isn't it?

For tenant C and D, it works. I always get the prompt windows.
But not happening to tenant B (after login with tenant A).

If you need more information, please let me know. If you need to have a live session with me, we can have a Zoom meeting session that I will be able to show you how I replicate this issue.



0 Votes 0 · ·

@amanpreetsingh-msft
please let us know if you need more information.

0 Votes 0 · ·

I would like to know more about how session (cookies) works with the authentication flow. Do you have any detail information (article or link) which can reference this topic?
There is a link to describe cookies definition:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory-b2c/cookie-definitions
But this does not include all cookies. (maybe this is only for B2C?)

0 Votes 0 · ·

@ZhiyuanZhang-2086 This link includes B2C specific cookies only. I would suggest you to capture a fiddler while accessing B_App001 and C_App001 from same browser session where you have logged in with Tenant A account and compare the request and response along with what cookies are set and passed by these applications. If you want to schedule a meeting for live troubleshooting, please open a support case from Azure Portal.

0 Votes 0 · ·

The Azure tenant is owned by our customer not us.
If it is possible to let me capture our network log (HAR file) and communicate with you in private email?

0 Votes 0 · ·