Cross-tenant access settings for external collaboration (preview) - "Trust multi-factor authentication from Azure AD tenants" setting causing sign-in loops and failure for SQL Server Management Studio

Enabled this [cross-tenant access settings for external collaboration (preview) - "Trust multi-factor authentication from Azure AD tenants"][1] preview feature to allow our multi-AAD environment, utilizing B2B guests in our Resource tenant, to log in with our Home AAD tenant. (Can provide more details here privately.)

During the sign-on flow, SOME users can reproduce a scenario where they get redirected to the HOME AAD 7+ times in a loop and eventually are presented with: "We couldn't sign you in. Please try again."

IDP logs tied to the home AAD tenant show valid sign-in events. AAD logs in our resource tenant (B2B guest users live here) sporadically showed an auth failure with "Authentication Requirement" marked as "Single-factor Authentication"; for other users, no logs hit the resource tenant.

- Application: Azure SQL Database and Data Warehouse
- Sign-in error code: 50089
- Failure reason: Authentication failed due to flow token expired.
- Additional Details: Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the user or an admin. The app will request a new login from the user.

This is most easily reproduced in SQL Server Management Studio (v18.10) when selecting Authentication: "Azure Active Directory - Universal with MFA". This will trigger the IE7 WebPop to AAD (without a tenant passed in).

![174939-image.png][2]
![175091-image.png][3]

[1]: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/collaborate-more-securely-with-new-cross-tenant-access-settings/ba-p/2147077
[2]: /api/attachments/174939-image.png?platform=QnA
[3]: /api/attachments/175091-image.png?platform=QnA
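The sign-in log pattern described above (repeated error 50089 failures with the authentication requirement recorded as single-factor for B2B guests in the resource tenant) can be pulled out of an exported sign-in log to see which guests are caught in the redirect loop. The script below is an added triage example, not code from the original post or from Microsoft; it assumes the export uses Microsoft Graph `signIns`-style field names (`userPrincipalName`, `createdDateTime`, `status.errorCode`, `authenticationRequirement`), and the log records in it are constructed sample data, not real tenant logs.

```python
"""Triage helper for the B2B guest sign-in loop: flag guest users in the
resource tenant who accumulate repeated error 50089 ("flow token expired")
failures marked singleFactorAuthentication within a short time window.

Added example, not from the original post. Field names are an assumption
based on the Microsoft Graph signIns schema; adjust them to your export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

APP_NAME = "Azure SQL Database and Data Warehouse"
FAILURE_REASON = "Authentication failed due to flow token expired."


def _rec(upn, ts, error_code, requirement):
    """Build one constructed sign-in record in Graph signIns shape."""
    return {
        "userPrincipalName": upn,
        "userType": "Guest",
        "appDisplayName": APP_NAME,
        "createdDateTime": ts,
        "status": {
            "errorCode": error_code,
            "failureReason": FAILURE_REASON if error_code else "",
        },
        "authenticationRequirement": requirement,
    }


# Constructed sample export (not real data): alice loops 7 times in 6 minutes,
# bob signs in once with MFA, carol sees a single 50089 (below the threshold).
ALICE = "alice_home.example#EXT#@resource.example"
BOB = "bob_home.example#EXT#@resource.example"
CAROL = "carol_home.example#EXT#@resource.example"
SAMPLE_SIGNIN_LOG = json.dumps(
    [_rec(ALICE, f"2022-02-01T10:{i:02d}:00Z", 50089, "singleFactorAuthentication")
     for i in range(7)]
    + [_rec(BOB, "2022-02-01T10:03:00Z", 0, "multiFactorAuthentication")]
    + [_rec(CAROL, "2022-02-01T11:30:00Z", 50089, "singleFactorAuthentication")]
)


def parse_signins(raw_json):
    """Parse an exported sign-in log (a JSON array of records)."""
    return json.loads(raw_json)


def is_loop_failure(rec):
    """True for the failure signature reported in the post: error 50089 with
    the authentication requirement evaluated as single-factor."""
    return (rec.get("status", {}).get("errorCode") == 50089
            and rec.get("authenticationRequirement") == "singleFactorAuthentication")


def _parse_ts(ts):
    # Graph timestamps are ISO 8601 with a trailing Z; fromisoformat needs +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_loop_victims(records, min_failures=3, window=timedelta(minutes=10)):
    """Return {userPrincipalName: max_failures_in_window} for users with at
    least min_failures matching failures inside any sliding window."""
    by_user = defaultdict(list)
    for rec in records:
        if is_loop_failure(rec):
            by_user[rec["userPrincipalName"]].append(_parse_ts(rec["createdDateTime"]))

    victims = {}
    for upn, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for i, t in enumerate(times):
            # Slide the window start forward until it is within `window` of t.
            while times[start] < t - window:
                start += 1
            best = max(best, i - start + 1)
        if best >= min_failures:
            victims[upn] = best
    return victims


if __name__ == "__main__":
    for upn, count in find_loop_victims(parse_signins(SAMPLE_SIGNIN_LOG)).items():
        print(f"{upn}: {count} single-factor 50089 failures within 10 minutes")
```

Run against a real export, the hits are the accounts to compare against the home tenant's IDP log (which the post says shows successful sign-ins) to confirm that the MFA claim is not being honoured on the resource side; the threshold and window are tunable so a single expired token does not trigger a hit.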