Authentication with Microsoft Azure AD in a multi-tenant app


Following the documentation, I registered an application with "Accounts in any organizational directory". The tenant where the application resides is "Default Directory" and has only one user, [email protected]. Also, the app has user assignment (as pointed out here) set to No.


Afterwards, I created another tenant (a different directory) and invited the external user [email protected]. That's the user I'm having trouble logging into the previously created app with.

Then I enabled OAuth2 support using social_core.backends.azuread.AzureADOAuth2 (from here).

When I try to authenticate now, it works with [email protected], but [email protected] gives the following error:

Selected user account does not exist in tenant 'Default Directory' and cannot access the application 'a9a22676-8a1c-4297-95d3-8cd89553220e' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

Tiago Martins Peres (best answer):

The problem is the URL the user is redirected to. According to the docs, multi-tenant applications should redirect to https://login.microsoftonline.com/organizations.

As we see in the Python Social Auth AzureADOAuth2 class, the BASE_URL is

BASE_URL = "https://{authority_host}/{tenant_id}"

Since authority_host = "https://login.microsoftonline.com/" and tenant_id = "common", we'd get the wrong URL.

After changing that and signing in with the same user, I now get a request to add the permissions.


I reported that issue here too.
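To make the answer's point checkable offline, here is an added example (not code from the question, the answer, or python-social-auth itself). It reproduces the BASE_URL template quoted above in a stand-alone way and shows two things: what the template yields when authority_host already carries a scheme and trailing slash, and a check that flags a tenant segment which would pin a multi-tenant app to one directory instead of "organizations" (or "common"). The names MULTI_TENANT_SEGMENTS, authority_url, check_tenant_segment, authorization_endpoint and tenant_segment_of, the client id and the redirect URI are this example's own constructed values, not library API or values from the page.

```python
# Added example: stand-alone reimplementation of the URL assembly discussed in
# the answer, so the effect of the tenant segment can be inspected without a
# live Azure AD tenant. Not python-social-auth's code.
from urllib.parse import urlencode, urlsplit

# Same template as in the AzureADOAuth2 class quoted in the answer.
BASE_URL = "https://{authority_host}/{tenant_id}"
AUTHORITY_HOST = "login.microsoftonline.com"  # host only: no scheme, no trailing slash

# Tenant segments that let an app registered for "any organizational directory"
# sign in users from other directories. A directory id or domain name as the
# segment restricts sign-in to that one directory, which is the symptom in the
# question ("does not exist in tenant 'Default Directory'").
MULTI_TENANT_SEGMENTS = {"organizations", "common"}


def naive_base_url(authority_host, tenant_id):
    """Fill the template exactly as written, with no normalisation of the host."""
    return BASE_URL.format(authority_host=authority_host, tenant_id=tenant_id)


def authority_url(tenant_id, authority_host=AUTHORITY_HOST):
    """Fill the template after stripping any scheme or slashes from the host."""
    host = authority_host
    for scheme in ("https://", "http://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    return BASE_URL.format(authority_host=host.strip("/"),
                           tenant_id=tenant_id.strip("/"))


def check_tenant_segment(tenant_id, multi_tenant=True):
    """Return (ok, reason) for the configured tenant segment.

    For an app meant to accept users from any organizational directory, a
    segment other than 'organizations' or 'common' is flagged.
    """
    seg = tenant_id.strip("/")
    if multi_tenant and seg not in MULTI_TENANT_SEGMENTS:
        return False, (f"tenant segment {seg!r} restricts sign-in to one directory; "
                       "a multi-tenant app should use 'organizations' (or 'common')")
    return True, "ok"


def authorization_endpoint(tenant_id, client_id, redirect_uri, state):
    """Build the /oauth2/authorize URL the browser is redirected to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{authority_url(tenant_id)}/oauth2/authorize?{urlencode(params)}"


def tenant_segment_of(url):
    """Pull the tenant segment out of an authority or authorize URL.

    Useful when reviewing a captured redirect: the first path segment tells
    you which directory the request was actually scoped to.
    """
    path = urlsplit(url).path.strip("/")
    return path.split("/")[0] if path else ""


if __name__ == "__main__":
    # Constructed placeholder values; not identifiers from the page.
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "https://app.example/complete/azuread-oauth2/"

    print("naive   :", naive_base_url("https://login.microsoftonline.com/", "common"))
    print("fixed   :", authority_url("organizations"))
    print("check   :", check_tenant_segment("contoso.onmicrosoft.com"))
    url = authorization_endpoint("organizations", client_id, redirect_uri, "state123")
    print("authorize:", url)
    print("scoped to:", tenant_segment_of(url))
```

Run it directly to see the malformed URL the raw template produces when the host already includes "https://" and a trailing slash, next to the normalised multi-tenant authority; check_tenant_segment is the kind of startup assertion worth keeping in settings validation so a directory-specific tenant id cannot silently turn a multi-tenant registration into a single-tenant login flow.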