Azure AD guest account in web app authentication user claims data


I have tenant A and tenant B. I have a user in tenant A who is also a guest user in tenant B. In tenant B I have an ASP.NET Core Blazor Server application with authentication registered for a single organization.

In the Program.cs file, authentication and authorization are set up according to the MS docs:

// Register OpenID Connect sign-in with Azure AD using the "AzureAd" section of appsettings.json
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, "AzureAd");
builder.Services.AddAuthorization(options =>
{
    // Require an authenticated user on every endpoint that has no explicit policy
    options.FallbackPolicy = options.DefaultPolicy;
});
...
// Adds the MicrosoftIdentity/Account/SignIn and SignOut controllers
builder.Services.AddControllersWithViews().AddMicrosoftIdentityUI();
...
app.UseAuthentication();
app.UseAuthorization();

Now, when the user logs in to the application in incognito mode, it works correctly - in HttpContext all data related to the user comes from tenant B, for example the object id.

The problem is when the user is already logged in, for example in another app with tenant A; then authentication also finishes successfully, but all user data in HttpContext is from tenant A.

It seems strange to me because in appsettings.json the app is configured to handle only users from tenant B. I would expect some kind of redirect of the user to get data from tenant B.

Is that correct behaviour? If yes, then how do I distinguish these two situations, and how do I identify such a user in tenant B?

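As an added example (not from the question, and not Microsoft.Identity.Web's own code), one way to make the app refuse any principal whose token was not issued by tenant B is to compare the tenant claim with the TenantId value from the AzureAd section of appsettings.json in an authorization requirement, and use that policy as the fallback. The claim names (tid and its long URI form) are the ones Azure AD issues; the policy name, the class names and the assumption that AzureAd:TenantId is set in the question's appsettings.json are mine, and the rest of the question's Program.cs is assumed to stay as it is.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Tenant B's ID, read from the same "AzureAd" section the question's appsettings.json uses (assumed key).
string tenantB = builder.Configuration["AzureAd:TenantId"]
    ?? throw new InvalidOperationException("AzureAd:TenantId is not configured");

builder.Services.AddSingleton<IAuthorizationHandler, HomeTenantHandler>();
builder.Services.AddAuthorization(options =>
{
    // Authenticated AND issued by tenant B; used as the fallback so every page gets the check.
    var tenantBOnly = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .AddRequirements(new HomeTenantRequirement(tenantB))
        .Build();
    options.AddPolicy("TenantBOnly", tenantBOnly);
    options.FallbackPolicy = tenantBOnly;
});

// Requirement: the tenant claim of the signed-in principal must equal the expected tenant (hypothetical class).
public sealed class HomeTenantRequirement : IAuthorizationRequirement
{
    public HomeTenantRequirement(string expectedTenantId) => ExpectedTenantId = expectedTenantId;
    public string ExpectedTenantId { get; }
}

public sealed class HomeTenantHandler : AuthorizationHandler<HomeTenantRequirement>
{
    // Azure AD emits the tenant as "tid"; ASP.NET Core claim mapping may expose it under the long URI instead.
    private const string TidUri = "http://schemas.microsoft.com/identity/claims/tenantid";

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HomeTenantRequirement requirement)
    {
        string? tid = context.User.FindFirst("tid")?.Value ?? context.User.FindFirst(TidUri)?.Value;
        if (string.Equals(tid, requirement.ExpectedTenantId, StringComparison.OrdinalIgnoreCase))
        {
            context.Succeed(requirement);
        }
        // A missing or different tid leaves the requirement unmet, so the request is denied (403 for a signed-in user).
        return Task.CompletedTask;
    }
}
```

Logging the tid and oid claims of a denied principal alongside the configured tenant makes the two situations from the question visible in the app's own logs rather than only in HttpContext.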