Authenticating and identifying users cross-tenant

Azure AD is a fantastic piece of software that allows you to sync with your company's AD and then use that information to lock down your applications.  However, if you're a relatively advanced user, you have probably created your own "sub tenant" and then pulled users from the "master tenant" to give them access to different applications.  This works great when you're using Azure's authentication out of the box (via the GUI) and you just want to restrict access to your application.

However, if you want to authenticate any user from the master tenant in your sub tenant application you are probably running into configuration issues.  This article will show you the couple of steps you must perform to enable multi-tenant authentication and identity.

This article does not go into depth on the REST API of Azure AD and Azure AD Graph.  You can find some documentation on that here.

Assumptions

This article will assume you have a master tenant that syncs all the user information from the company’s in-house AD.  It also assumes you have created another tenant alongside that master tenant.

[Image: azure-ad-multiple-tenants]

In this case, Comcast is the master tenant and Customer Services is the sub tenant.

It is also assumed you have an application created in the sub tenant.

Turn on multi-tenant in your AAD application

First, turn on multi-tenant.

[Image: azure-ad-multiple-tenants-turn-on]

After you change that setting and click Save, it's probably going to give you an error message like this:

The App ID URI is not available. The App ID URI must be from a verified domain within 
your organization's directory.

To enable multi-tenant, your App ID URI must be in the format

<scheme>://<AAD domain>/<application name or some other ID>

You can find out your AAD domain by going to the root of your tenant and clicking Domains.  The default domain for my sub tenant is csapistaging.onmicrosoft.com.  Since my example here is for an intake application, my ID would look something like

https://csapistaging.onmicrosoft.com/intakeApp

Once that is set as my App ID URI, I can now save my application.

Use /common in your AAD requests

When you make the REST API calls and redirects to authenticate the user, you have two options:

  1. Specify the tenant ID in the URI. e.g. https://login.microsoftonline.com/f5c59e09-jf83-1234-f89f-0f33d0e34ede/
  2. Use the “common” keyword. e.g. https://login.microsoftonline.com/common/

To use multi-tenant, you must use the common keyword in the URI.
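The two options above, and the check that goes with the second one, as an added example that is not part of the original post. It builds the Azure AD (v1 endpoint) authorize URL for either a specific tenant or the "common" keyword, and then shows why "common" needs a follow-up check in the application: because that endpoint accepts sign-ins from any Azure AD directory, the app has to compare the token's tid and iss claims against the tenants it actually trusts (here the master and sub tenant). The tenant IDs, client ID, redirect URI, state value and the JWT it decodes are all constructed placeholders; the token is unsigned and is only used to exercise the tenant check, so a real application must verify the signature before trusting any claim.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Constructed placeholder tenant IDs (not real directories).
MASTER_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # "Comcast" in the article
SUB_TENANT_ID = "22222222-2222-2222-2222-222222222222"      # "Customer Services"
UNKNOWN_TENANT_ID = "99999999-9999-9999-9999-999999999999"  # some unrelated directory


def build_authorize_url(tenant, client_id, redirect_uri, resource, state):
    """Build the Azure AD v1 authorize URL.

    `tenant` is either a tenant ID / verified domain (option 1 in the article)
    or the literal "common" (option 2).  Only "common" lets a user from
    another tenant sign in to a multi-tenant application.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,   # the App ID URI of the API being requested
        "state": state,         # anti-CSRF value, compared when the user comes back
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the checks below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Read the claims of a JWT.  This does NOT verify the signature; a real
    application must check it against the issuing tenant's signing keys
    before any of these claims are trusted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def tenant_is_allowed(claims: dict, allowed_tenants) -> bool:
    """With /common, Azure AD will sign in users from any tenant, so the
    application decides which directories it trusts.  v1 tokens carry the
    tenant in `tid`, and the issuer is https://sts.windows.net/{tid}/ ;
    both must agree with the allow-list."""
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    return claims.get("iss") == f"https://sts.windows.net/{tid}/"


if __name__ == "__main__":
    trusted = {MASTER_TENANT_ID, SUB_TENANT_ID}
    print(build_authorize_url("common", "client-id-placeholder",
                              "https://intake.example/callback",
                              "https://csapistaging.onmicrosoft.com/intakeApp",
                              "random-state-placeholder"))
    token = make_sample_token({"tid": MASTER_TENANT_ID,
                               "iss": f"https://sts.windows.net/{MASTER_TENANT_ID}/",
                               "upn": "user@example.com"})
    print("master tenant user accepted:", tenant_is_allowed(decode_claims(token), trusted))
    stray = make_sample_token({"tid": UNKNOWN_TENANT_ID,
                               "iss": f"https://sts.windows.net/{UNKNOWN_TENANT_ID}/"})
    print("unknown tenant user accepted:", tenant_is_allowed(decode_claims(stray), trusted))
```

Passing a tenant ID instead of "common" to build_authorize_url gives option 1, where Azure AD itself rejects users from other directories; with "common" that rejection moves into tenant_is_allowed, which is why the allow-list check must not be skipped.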
