@Zhiyuan Zhang If you are accessing multiple applications, federated to the same identity provider, in the same browser session, it is expected that session cookies are submitted to the identity provider to facilitate SSO. This is what happens when you access B_App001 from the same browser session in which you have logged in to Azure Tenant A with account A001.
Now the question is why it doesn't happen with tenants C and D.
To answer this, you would need to look into the sign-in request submitted when you access C_App001 and D_App001 and check the points below:
- Are these applications redirecting to "https://login.microsoftonline.com/< tenant-id >" and going to their respective tenants, or to https://login.microsoftonline.com/common for tenant discovery based on the UPN suffix?
- Does the request contain the parameter that forces the user to log in interactively instead of using single sign-on? For example, in the case of an OAuth request it is Prompt=Login, and in a SAML request it is forceAuthn="true".
-----------------------------------------------------------------------------------------------------------
Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
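As an added example (my own script, not the answerer's code and not a Microsoft tool), the following Python inspects captured sign-in request URLs for the two points above: which tenant path the request goes to (a tenant id versus the common endpoint) and whether prompt=login or ForceAuthn is set. The tenant and client ids are placeholders, and the SAML sample is constructed locally the way a service provider would build it.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, quote, urlparse

# Endpoints that do tenant discovery from the UPN instead of naming a tenant
COMMON_ENDPOINTS = {"common", "organizations", "consumers"}

def tenant_segment(url):
    """First path segment of a login.microsoftonline.com URL: tenant id/domain or 'common'."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    return segments[0] if segments else ""

def analyse_oauth_request(url):
    """Which tenant an OAuth authorize request targets and whether prompt=login is set."""
    params = parse_qs(urlparse(url).query)
    tenant = tenant_segment(url)
    prompt = params.get("prompt", [""])[0].lower()
    return {"tenant": tenant, "tenant_discovery": tenant in COMMON_ENDPOINTS,
            "forces_interactive": prompt == "login"}

def analyse_saml_request(url):
    """Decode a SAML HTTP-Redirect AuthnRequest and read its ForceAuthn attribute."""
    params = parse_qs(urlparse(url).query)
    tenant = tenant_segment(url)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15)  # redirect binding: raw DEFLATE, no zlib header
    force = ET.fromstring(xml).get("ForceAuthn", "false").lower() == "true"
    return {"tenant": tenant, "tenant_discovery": tenant in COMMON_ENDPOINTS,
            "forces_interactive": force}

def build_saml_redirect(tenant, force_authn):
    """Build a constructed SAML redirect URL the way an SP would (sample data only)."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"'
           + (' ForceAuthn="true"' if force_authn else "") + "/>")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    encoded = quote(base64.b64encode(deflated).decode(), safe="")
    return f"https://login.microsoftonline.com/{tenant}/saml2?SAMLRequest={encoded}"

# Constructed sample sign-in requests; tenant and client ids are placeholders, not real values
OAUTH_B = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
           "?client_id=PLACEHOLDER-CLIENT-ID&response_type=code&scope=openid")
OAUTH_C = ("https://login.microsoftonline.com/tenant-c-placeholder/oauth2/v2.0/authorize"
           "?client_id=PLACEHOLDER-CLIENT-ID&response_type=code&prompt=login")
SAML_D = build_saml_redirect("tenant-d-placeholder", force_authn=True)

if __name__ == "__main__":
    print(analyse_oauth_request(OAUTH_B), analyse_oauth_request(OAUTH_C), analyse_saml_request(SAML_D))
```

Paste the authorize or saml2 URL taken from the browser's network trace into the sample constants; a result with "tenant_discovery": False and "forces_interactive": True is the combination that bypasses the existing SSO session.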