ASP.NET Core Identity - Multiple Azure AD - problem switching from AD1 to AD2 [AADSTS50020]

Pedro Cabral 25 Reputation points
2023-01-17T22:02:07.5866667+00:00

Hi,

Have a .Net Core Web-App configured with both Individual Accounts and External Login Providers, in this case 2 different Azure AD Tenants – AD1 and AD2, where the Web-App is configured.

If I already have sessions in my browser in both Azure Ads (logged in with office.com for example), I can Register and Login in both without hassle from my app. If I don’t have previous sessions, once I register and login with Azure AD1, I cannot login or register on AD2, as instead of requesting me to pick a Microsoft Account, the browser just takes the user from AD1 and tries to log that one into the new tenant (AD2), producing an error:

AADSTS50020: User account 'john.smith@xxx.onmicrosoft.com' from identity provider 'https://sts.windows.net/<TenantId1>/' does not exist in tenant 'MSFT' and cannot access the application ‘<ClientId2>’(WebApp-Identity) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

 

The behaviour is correct: the Apps are “My Organization only” so Users from Tenant1 shouldn’t access Application in Tenant2. Still I was expecting the browser to ask me which MS Account to pick, or at least give me the option to sign in with a different MS Account (instead of just trying to login with the current one). How can I force the browser to enable the “Pick another account” option?

 

Another odd behaviour: having both Internal Accounts and External Third parties, I can Login with a AD User, and on my WebApp change password (locally). That enables the user to login using the new password and local account instead of the AD1 credentials. Meaning if the user is banned from AD1, he will still have access to the Application if he changes password as if it was a local account.

 

Thx in advance!

Pedro

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,162 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,465 questions
0 comments
Accepted answer
  1. Shweta Mathur 27,456 Reputation points Microsoft Employee
    2023-01-19T06:05:45.5366667+00:00

    Hi @Pedro Cabral ,

    Thanks for reaching out.

    As you mentioned that error you are getting is expected as users from another tenant cannot access the application in another tenant.

    The browser will automatically use the current session's credentials when trying to sign into a new tenant, rather than prompting the user to select a different account.

    To get the list of accounts to pick, you need to force the browser by adding prompt="select_account" to OpenID/OAuth2 request to get the option to "Pick another account".

    Regarding the issue of being able to change password locally and still have access to the application, it is a security concern that local authentication can override Azure AD authentication. To mitigate this, you can consider disabling the ability to change password locally or implementing a mechanism that synchronizes the local password with the Azure AD password.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest