Invited user cannot access app in home tenant

Konstantinos Pachopoulos 1 Reputation point
2022-12-30T14:08:16.863+00:00

Hi all,
I am quite new to Azure B2B. I am trying to access a function endpoint with the access token of an invited user and receive "You do not have permission to view this directory or page" (401). The same works for a local tenant user.

I have done the following till now:

  • I created a simple function and registered it as an app in the home tenant
  • I configured "B2B direct connect" with a remote tenant and tried to access the home tenant application. This failed with an error "Error AADSTS50020 - User account from identity provider does not exist in tenant", if I remember correctly. I read, that "B2B direct connect" works only for Teams; correct if I m wrong.
  • I then decided to try the "B2B collaboration" model and the invitation flow. A guest user was created locally for the user of the remote AAD tenant
  • I produced an access token in Postman using the endpoints of the home IdP
  • I tried to consume the function from its endpoint (https://xxxx.azurewebsites.net/api/LoggerFunction?code=xxxxxxx) and got a "You do not have permission to view this directory or page" (401)

What do I need to do in order authorize the guest user identity to consume the function? I ve tried:

  • settings roles for this identity
  • configured explicitly a "Conditional Access" "grant" rule
  • set it to member

but nothing seems to work. Any ideas? Let me know, if you need more info

Kind regards,
Kostas

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,604 questions
Azure Active Directory External Identities
{count} votes

1 answer

Sort by: Most helpful
  1. Konstantinos Pachopoulos 1 Reputation point
    2022-12-30T16:43:13.01+00:00

    I have now deleted the user and re-invited him and it works fine. I am not sure about the reason.

    Maybe somebody can answer the question, if external guests are supposed to have access to all the applications by default? Except that, the thread can be closed

    No comments