How does AAD verify guest authentication

DR 21 Reputation points
2020-08-10T21:24:59.833+00:00

How does an AAD tenant verify a guest (guest1@mydomain.com) is authenticated from the proper AAD tenant? I tried to look around for info, but kept getting railroaded into guest user properties, how to make guest accounts, and some other info sites on MS websites. Probably just missing a keyword here. I assume there are GUIDs or some sort of certificates exchanged between the tenants to verify the authenticity of a tenant.

Scenario: kevin@mydomain.com wants to share SharePoint resources with donna@theirdomain.com, so a guest account is created allowing donna@theirdomain.com to access those resources. If theirdomain.com is moved from one tenant to another, does mydomain.com's AAD see this, or is it completely transparent to mydomain.com's AAD? Do AAD guest accounts for theirdomain.com need to be deleted and new ones made due to GUIDs no longer matching up?

An article pointing to how this works would be awesome!


2 answers

  1. DR 21 Reputation points
    2020-08-12T15:14:02.497+00:00

    So after doing some digging, it sounds like it is sort of how I was expecting. Guest users authenticate against an external AAD instance by authenticating against their hosting AAD or MS Account instance. The hosting AAD or MS Account instance provides a guest token that is then given to the external AAD instance, where it is validated, and access is given based on different parts of that validation.

    Here is a breakdown of ID Tokens

    Some requirements for the validations (The ones I'm currently interested in):

    • oid - an object ID that is unique and cannot be changed. It can be used across multiple applications or accounts.
    • sub - another unique ID specific to this account. Again, this ID cannot be changed; however, it can only be used for a single application.
    • tid - a GUID specific to an AAD tenant. This cannot be changed.
    • preferred_username / email - both can be changed.

    Please correct me if I'm wrong, but these are my takeaways from this process.

    1. The tenant ID is likely validated as well, and if that differs from the original tenant ID the user was registered from, then the token wouldn't be rejected.
    2. oid is created upon the original guest user authentication (or maybe even at the user account's original creation?), and thus an account with the same email on another AAD tenant would have a different one, and again the token would be rejected.
    3. sub is likely created at authentication to an app, which means again the token would be rejected if the email was used on a different AAD tenant.
    4. Emails can change, so if my company or an external company gets a new domain, those emails can be changed without having to re-share those resources or create a new guest account.
    4 people found this answer helpful.
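The following is an added illustration, not code from the answer above or from Microsoft: a simplified model of the flow the answer describes, in which the resource tenant validates a token from the guest's home tenant and then binds it to the guest object it stored at invitation time using the immutable tid and oid claims rather than the mutable email. The tenant GUIDs, object IDs and keys are constructed for the demo, and HS256 (HMAC) stands in for the RS256 signing and OIDC key discovery that Microsoft Entra ID actually uses. It shows why a changed email still passes, while the same email string issued by a different tenant (or a recreated account with a new oid) does not.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (hypothetical, not real identifiers or keys).
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # theirdomain.com's tenant
OTHER_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # some other tenant
TENANT_KEYS = {  # stand-in for the signing keys the resource tenant trusts per issuer
    HOME_TENANT_ID: b"demo-key-for-home-tenant",
    OTHER_TENANT_ID: b"demo-key-for-other-tenant",
}
DONNA_OID = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed object id

# What mydomain.com's directory stored when donna was invited: tid + oid, plus
# the email only as a display/routing attribute.
GUEST_RECORD = {"tid": HOME_TENANT_ID, "oid": DONNA_OID, "email": "donna@theirdomain.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Home-tenant side: issue an HS256-style JWT carrying the given claims (demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_guest_token(token: str, guest_record: dict, keys_by_tid: dict) -> tuple:
    """Resource-tenant side: check the signature against the issuing tenant's key,
    then bind the token to the stored guest by tid and oid. Email is never used
    for the binding because it is mutable."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    tid = claims.get("tid")
    key = keys_by_tid.get(tid)
    if key is None:
        return False, "unknown issuer tenant"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"   # never trust claims before this point
    if tid != guest_record["tid"]:
        return False, "tenant mismatch"
    if claims.get("oid") != guest_record["oid"]:
        return False, "object id mismatch"
    return True, "ok"


def run_scenarios() -> dict:
    """Exercise the four cases the thread discusses; returns name -> (accepted, reason)."""
    results = {}
    # 1. Same account; theirdomain.com renamed its email domain.
    t = mint_token({"tid": HOME_TENANT_ID, "oid": DONNA_OID, "email": "donna@newdomain.com"},
                   TENANT_KEYS[HOME_TENANT_ID])
    results["same_user_new_email"] = verify_guest_token(t, GUEST_RECORD, TENANT_KEYS)
    # 2. Same email string, but issued by a different tenant with its own oid
    #    (what happens if the domain moves to a new tenant and the user is recreated there).
    t = mint_token({"tid": OTHER_TENANT_ID, "oid": "bbbbbbbb-0000-0000-0000-000000000002",
                    "email": "donna@theirdomain.com"}, TENANT_KEYS[OTHER_TENANT_ID])
    results["same_email_other_tenant"] = verify_guest_token(t, GUEST_RECORD, TENANT_KEYS)
    # 3. Correct tid and oid in the payload, but signed with another tenant's key.
    t = mint_token({"tid": HOME_TENANT_ID, "oid": DONNA_OID, "email": "donna@theirdomain.com"},
                   TENANT_KEYS[OTHER_TENANT_ID])
    results["forged_home_claims"] = verify_guest_token(t, GUEST_RECORD, TENANT_KEYS)
    # 4. Same tenant, but the account was deleted and recreated, so oid differs.
    t = mint_token({"tid": HOME_TENANT_ID, "oid": "cccccccc-0000-0000-0000-000000000003",
                    "email": "donna@theirdomain.com"}, TENANT_KEYS[HOME_TENANT_ID])
    results["recreated_account_same_tenant"] = verify_guest_token(t, GUEST_RECORD, TENANT_KEYS)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The point of cases 2 and 4 is the practical caveat for the original question: if theirdomain.com is moved to a new tenant, the users there get new tid and oid values, so the existing guest objects in mydomain.com no longer match and the guests have to be re-invited; a mere email or domain rename within the same tenant (case 1) does not have that effect.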

  2. James Hamil 22,436 Reputation points Microsoft Employee
    2020-08-17T20:57:02.657+00:00

    Hi, I believe you are correct! Thank you for linking documentation for other users. Please let me know if I can answer anything else.
