Azure AD multi-tenant app unpredictable behaviour?


I am trying to build a scalable multi-tenant b2b SAAS in Azure AD using Angular in the front end and node + Azure MS SQL sharded db design.

I've spent a week going through the MS documentation and examples (tailspin, survey apps) and have started testing the multi-tenant behaviour in an Angular 7 app that has nothing on it other than authentication with adal-angular4, which I've used for ~5 other projects that are currently in production.

So far, I can't for the life of me figure out the reason behind this unpredictable behaviour. I have 3 tenants: A - B - C

A is the developer tenant + my admin account, B is another company's tenant + my normal user account and C is an AD Free tier tenant with my personal account.

I have done nothing else to my app in Azure AD on the developer AD other than switch that multi-tenant setting to on and change Oauth2implicitflow to true.

  • If I login with Tenant A into the app, all is good, in the console I can see tenant A's GUID under TID.

  • If I login with Tenant B - it asks for permissions the first time and then lets me in (why??).

  • If I login with Tenant C 'work' account it throws no errors, does not ask for permission, returns back to the page without actually being logged in and with nothing on the console.
  • If I login with Tenant C 'personal' account it tells me the tenant live.com is not provisioned for the app.

My questions are:

  1. Why did it even let Tenant B log into the app? They were definitely not provisioned to be able to access it, and on the console the tid is clearly that of the second tenant, meaning (I think) that the account is NOT a guest on tenant A that would be able to log in.
  2. I have no idea why tenant C throws no error on the Azure side but instead just returns to the page without actually being logged in.
  3. Is there any documentation that I'm missing on which tenants can sign up to the app? I have looked at the Tenant sign-up and onboarding article but it doesn't really address the issue.

Based on the documentation that I have read, the behaviour of Tenant B and C trying to log into the app makes no sense.

Best answer:

Why did it even let Tenant B log into the app? They were definitely not provisioned to be able to access it, and on the console the tid is clearly that of the second tenant, meaning (I think) that the account is NOT a guest on tenant A that would be able to log in.

When the first user consents to permissions (and is able to do so), a service principal for the app is created in their tenant and they are logged in. This is how multi-tenant apps are designed to work. This means any tenant can log in to your app.

Your app back-end needs to check the tenant IDs of users to see that they are one of the valid ones. Your front-end can of course check as well, though it cannot replace the back-end checks.