Application doesn't prompt for login (instead, it use the account from different Azure tenant which I have logged in previously)

Zhiyuan Zhang 21 Reputation points
2020-01-06T21:43:21.573+00:00

I have access to four different Azure tenants.

Tenant A includes: account A001, registered app A_App001 (supported account types: my organization only)

Tenant B includes: account B001, registered app B_App001 (supported account types: my organization only)

Tenant C includes: account C001, registered app C_App001 (supported account types: my organization only)

Tenant D includes: account D001, registered app D_App001 (supported account types: my organization only)

Here is the step to replicate the issue:

  1. Log into Azure Tenant A with account A001
  2. Try to login the application B_App001, it will not prompt me for login account (B001). Instead, it uses account A001 directly and fails. (AADSTS90072: User account '{EmailHidden}' from identity provider '{A001's email domain}' does not exist in tenant '{Tenant A}' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'({App001's name}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account)

If I use tenant C and D to do the same test following the previous steps, it prompts me for login information as expected.

Are they any configuration or setting related to this behavior?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,568 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,506 Reputation points
    2020-01-07T13:09:03.25+00:00

    @Zhiyuan Zhang If you are accessing multiple applications, federated to same Identity provider, in same browser session, it is expected that session cookies are submitted to the Identity provider for facilitating SSO. Which is happening when you are accessing B_App001 from same browser session where you have logged in with Azure Tenant A with account A001.

    Now the question is why it doesn't happen with tenant C and D?

    To answer this, you would need to look into the sign-in request submitted when you access C_App001 and D_App001 and check below points:

    1. Are these applications redirecting to "https://login.microsoftonline.com/< tenant-id >" and going to there respective tenants or https://login.microsoftonline.com/common for tenant discovery based on the UPN suffix.
    2. Does the request contain the parameter that forces the user to login interactively instead of single sign-on. For example, in case of OAuth request it is Prompt=Login and in SAML request it is forceAuthn="true".

    -----------------------------------------------------------------------------------------------------------

    Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.