How to Configure MSAL Auth to Azure Active Directory B2B with Multiple Identity Providers

Brian Perry 5 Reputation points
2023-05-11T13:58:26.2666667+00:00

I have 2 B2B App Services hosted on Azure. I’d like to use Azure Active Directory (via Enterprise Applications) to manage access to invited users only with multiple roles (Admin, Manager, Salesperson).

Our business partners range from single owner proprietorships to small corporations, so we need to support personal email accounts, organizations that already have provisioned their users with Microsoft accounts, organizations that have provisioned their users with Google Workspace accounts, and some users within our own organization (full users in our tenant). As I said, we want the access to be invite only (I think this means they are added as guest users in our tenant and sent an invite). Unsurprisingly, the users themselves don't know which type of account they have.

I’m using MSAL (redirect) to authenticate the users. Users from our organization, and users with personal accounts can authenticate fine. Members are added to groups within the app’s respective Enterprise Application, MSAL is reading the role, and their access is granted/limited as expected. Users with existing organizational Microsoft accounts, and users with Google Workspace accounts are not able to authenticate, and I’m quite certain it’s something with my configuration.

A few complications to our configuration. We have set “Block Access Outside the US”, and “Require MFA” policies. For these 2 Enterprise Applications, we have added exceptions to these policies via Conditional Access.

For the applications, the MSAL sign-in redirect URL is configured to: https://login.microsoftonline.com/.

Here are the issues we are experiencing:

  1. Google authentication: The users sign in fine, but instead of being redirected to the application they are sent to a Microsoft Authenticator page where they are asked to set up 2FA, despite our Enterprise Application having 2FA as an exception via Conditional Access.
  2. Microsoft Organization authentication (non-personal account): AADSTS90072: User account 'name@organization.onmicrosoft.com' from identity provider 'https://sts.windows.net/nnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn/' does not exist in tenant 'Tenant, Inc' and cannot access the application '0000000c-0000-0000-c000-000000000000' (Microsoft App Access Panel) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account

I have added Google as an external identity provider - do I need to also add Microsoft, even though it was previously the default? Do I need to remove the tenant ID in the MSAL Redirect URL, or is that the only way that it knows which app is requesting authentication? While the error message above indicates that the account needs to be added as an external user, everything I’ve read would indicate that adding them as a guest user is the correct process, as the rest of their account info is already in their “Home” tenant. How will the authentication process know which enterprise identity provider it will need to use? Just based on the email address?

We have tried removing Google External Identity and using just Microsoft authentication (only supporting organizations that have Microsoft accounts), and still get issue #2.

We are expecting a successful authentication like we get for some users, personal accounts, and existing users in our tenant.

I'm still confused why, after signing in via Google, I get redirected to the Microsoft Authenticator page to set up 2FA. If Auth is provided by Google (and my sign in DID work), wouldn't Google also provide the 2FA?

Next, I was combing through audit and sign-in logs, and the non-MSFT provider logins were not recorded in there. Are they logged in another location?
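The following is an added example, not code from the question above or from Microsoft's MSAL samples. It shows the pieces the question touches on: an MSAL.js (`@azure/msal-browser`) redirect configuration that uses a tenant-specific authority rather than `/common` (invited guests authenticate against the tenant that invited them, which is where the Enterprise Application's role assignments live), a redirect sign-in routine built on the `handleRedirectPromise`, `getAllAccounts` and `loginRedirect` methods of `PublicClientApplication`, and an authorization check that reads the `roles` app-role claim from the ID token. The tenant id, client id, redirect URI and sample claim objects are constructed placeholders; the meaning given to the `tid`, `roles` and `idp` claims follows the documented Azure AD ID-token claims, and the function and constant names are my own.

```javascript
// Added example, not code from the original question: an MSAL.js (msal-browser)
// redirect configuration for an Azure AD B2B-facing app, a redirect sign-in
// routine, and an authorization check that reads the app-role claim from the
// ID token. TENANT_ID, CLIENT_ID and the redirect URI are constructed placeholders.

const TENANT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder tenant id
const CLIENT_ID = "11111111-1111-1111-1111-111111111111"; // placeholder app (client) id
const APP_ROLES = ["Admin", "Manager", "Salesperson"];     // roles defined on the app registration

// Tenant-specific authority: invited guests sign in against the tenant that
// issued the invitation, so "/common" would take them to their home tenant,
// where the Enterprise Application's role assignments do not exist.
function buildMsalConfig(tenantId, clientId, redirectUri) {
  return {
    auth: {
      clientId,
      authority: `https://login.microsoftonline.com/${tenantId}`,
      redirectUri,                 // must exactly match a registered redirect URI
      navigateToLoginRequestUrl: true,
    },
    cache: { cacheLocation: "sessionStorage" },
  };
}

// Redirect flow: finish an in-flight redirect, else reuse a cached account,
// else start the redirect (the browser navigates away; this returns null).
async function completeOrStartSignIn(msalInstance, scopes) {
  const response = await msalInstance.handleRedirectPromise();
  if (response && response.account) return response.account;
  const accounts = msalInstance.getAllAccounts();
  if (accounts.length > 0) return accounts[0];
  await msalInstance.loginRedirect({ scopes });
  return null;
}

// Authorization decision from ID-token claims. `tid` is the issuing tenant,
// `roles` lists the app roles assigned to the user in the Enterprise
// Application (absent when none is assigned), and `idp`, when present, names
// the identity provider that actually authenticated a guest (e.g. google.com).
function authorize(claims, requiredRole) {
  if (!claims || claims.tid !== TENANT_ID) {
    return { allowed: false, reason: "token not issued by the resource tenant" };
  }
  const roles = Array.isArray(claims.roles)
    ? claims.roles.filter((r) => APP_ROLES.includes(r))
    : [];
  if (!roles.includes(requiredRole)) {
    return { allowed: false, reason: `role ${requiredRole} not assigned`, roles };
  }
  return { allowed: true, roles, homeIdp: claims.idp || "this tenant" };
}
```

In a real page you would pass `new PublicClientApplication(buildMsalConfig(TENANT_ID, CLIENT_ID, window.location.origin))` to `completeOrStartSignIn`, then call `authorize(account.idTokenClaims, "Manager")` before rendering anything role-gated. Two points the check enforces: a token whose `tid` is not the resource tenant (a user who signed in to their home tenant instead of as a guest) is rejected outright, and a guest with no assignment in the Enterprise Application gets an empty `roles` list and is denied rather than silently granted a default.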

Microsoft Entra ID