Multi-tenant application with saml2

Simon Skrede 1 Reputation point
2020-05-30T11:16:06.677+00:00

A web application registered in our tenant, with signInAudience: AzureADandPersonalMicrosoftAccount in the manifest, allows logins from the same tenant just fine using https://login.microsoftonline.com/common/saml2, but users logging in from other tenants get the error: "User account xxx@harsh.com .com from identity provider live.com does not exist in tenant mytenant and cannot access the application https://my.tenant.id/ in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account." Seems to make no sense at all.

Microsoft Entra ID

1 answer

  1. Jai Verma 461 Reputation points
    2020-05-30T13:19:21.037+00:00

    I assume these users are using the SP-initiated flow, where users go to the application URL and get redirected to your tenant. I also assume these users are already logged in to their AAD and hence have PRT/MSISAuth cookies etc., which they present to your AAD. Since these users are not present in your tenant, you get the above message.

    Is the text of the message your concern? Well, that is absolutely inaccurate and misleading. However, the behavior is 100% expected.

    In case you want to allow access to applications registered in your tenant, you need to use B2B. Add these users as guests into your tenant so that your tenant can issue a token.

    Your application only trusts tokens issued by your tenant.

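As an added illustration of the answer's last point (example code, not from the question, the answer or Microsoft), here is the service-provider-side check that makes "only trusts tokens issued by your tenant" concrete: the assertion's Issuer must belong to a tenant the application has chosen to trust, so an assertion minted by another tenant, or for another audience, is rejected. It assumes Entra ID's tenant-specific issuer format https://sts.windows.net/<tenant-id>/, uses the application ID URI from the question as the audience, and the tenant IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Entra ID signs assertions with a tenant-specific issuer even when the
# request went to the /common endpoint. Tenant IDs here are constructed.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
EXPECTED_AUDIENCE = "https://my.tenant.id/"  # application ID URI from the question


def issuer_for(tenant_id: str) -> str:
    return f"https://sts.windows.net/{tenant_id}/"


def check_assertion(xml_text: str, trusted_tenants=(HOME_TENANT,)):
    """Return (accepted, reason) for the first assertion in a SAML Response.

    Signature verification is out of scope: a real SP must verify the XML
    signature against the tenant's federation metadata before trusting any
    of the fields read below.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    audience = assertion.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    if audience != EXPECTED_AUDIENCE:
        return False, f"audience {audience!r} is not this application"
    if issuer not in {issuer_for(t) for t in trusted_tenants}:
        return False, f"issuer {issuer} is not a trusted tenant"
    return True, "ok"


def sample_response(tenant_id: str, audience: str = EXPECTED_AUDIENCE) -> str:
    # Constructed, unsigned, minimal SAML Response used only to exercise the check.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>{issuer_for(tenant_id)}</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Extending `trusted_tenants` is the code-level equivalent of deciding which tenants may sign users in; without B2B guest accounts, the home tenant never issues the assertion in the first place, which is the situation the question describes.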