Best way to manage multitenant invited users, cant login properly with guest users

Miguel Morales Gonzalez 6 Reputation points
2022-07-01T07:33:00.187+00:00

Hello, Im having quite a lot of trouble with Invited users and multitenant management.
My company software is multitenant,

-------
Context
I've got a custom TenantEntity which has this properties:
TenantId
Name
Identifier
AzureTenantId
InvitedDomains (domain,AzureId)
------
Lets say that I have a Directory/Tenant called Iris created in the Azure portal.

In this tenant I have an app registered called WebCommon which is multitenant,

Then I go ahead an make login into the azure portal with another tenant called Test, in this tenant I invite an user xxxUser that originally belongs to the Iris Tenant

This user will be added to the Test Tenant Users as xxxUser#ext#@test .onmicrosoft.com.

I have no way to do login with xxxUser#ext#@test .onmicrosoft.com because it alway says that the password is incorrect

I have tried to reset it but even with all privilegies etc it was impossible to do so.

Also when I do login with xxxUser@Iris , there's not any option like (Which domain do you want to login) or something like that in the microsoft login popup.

Is there any way to resolve this

216921-image.png
216840-image.png
Invited tenant in which I cannot make login with user1234 using the invited domain, I have to use the original domain
https://login.microsoftonline.com/common/

PD:
I even tried activating azure Premium 2, but even with full privilegies etc its impossible to change the password of the guest accounts,

Really i've trying quite a lot with multitenant/azure and the experience so far is very poor.

216848-image.png
216849-image.png

I had to do the InvitedDomains development because its the only way i've got to retrieve the TenantInfo from which tenant i've been invited as a guest user.
When I make login with the "invited" account, there are no claims etc that could show me to which tenants i've been invited, because as I was saying I can only make login with the original
domain not the #ext#etc.

216913-image.png
216934-image.png

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,578 questions
{count} vote

2 answers

Sort by: Most helpful
  1. Sandeep G-MSFT 13,396 Reputation points Microsoft Employee
    2022-07-04T07:01:39.603+00:00

    @Miguel Morales Gonzalez

    Thank you for reaching out to us.

    As per your query you want to know how to login to guest tenant using guest user credentials.

    Let’s take a scenario where you are direct member (home tenant) of” contoso.onmicrosoft.com”. You have contoso.com domain which is verified in the tenant. User UPN is user@Company portal .com

    Now, let’s say there is another tenant “fabrikam.onimcrosoft.com” and you have invited user user@Company portal .com as guest to tenant “fabrikam.onimcrosoft.com”

    Now when you see in “fabrikam.onimcrosoft.com” guest user will be shown as user_contoso.com#Ext#@fabrikam.onmicrosoft.com.

    If you want to login to “fabrikam.onmicrosoft.com” with “contoso.com” user account, then you will have to use UPN as user@Company portal .com.
    There are 2 ways you can access “fabrikam.onmicrosoft.com” with guest user account user@Company portal .com

    Option1

    • You an login normally to portal.azure.com with user@Company portal .com credentials.
    • Once you login, you can click on account your account logo on top right corner.
    • Click on Switch directory and click on “switch” option in front of the directory to which you want to access.

    Option 2

    • You can login to URL https://portal.azure.com/<name of tenant>.
    • Enter the credentials of user@Company portal .com and you will be able to access fabrikam.onmicrosoft.com tenant.

    Do let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Miguel Morales Gonzalez 6 Reputation points
    2022-07-04T08:59:37.103+00:00

    Hello @Sandeep G-MSFT , thanks for your reply.

    Maybe I haven't explained myself very well because English is not my mother tongue.

    I will attach a video so maybe its more easy to understand the situation.

    https://streamable.com/2y5ghr

    As you can see in the video, there are 2 tenants, migueltestjgjg and miguelsegundapruebajg.

    in the migueltestjgjg.onmicrosoft.com there's an user account miguelmoralesgonzalez@migueltestjgjg.onmicrosoft.com.

    This user account has been invited in to the tenant miguelsegundapruebajg.

    So, taking that into account.

    When I make login in to the application showed in the video "IrisTenantWeb", I would like a way to differenciate in to which domain the miguelmoralesgonzalez wants to make login
    because he belongs to two tenants.

    I've tried making login wih miguelmoralesgonzalez@migueltestjgjg.onmicrosoft with default and then change to miguelsegundapruebajg to default,
    and the user claims were exactly the same, I compared them and there's no way to tell if the user is invited to x domain.

    I also tried using Microsoft.Graph to use the API and retrieve the app to which that user belongs etc, but I cannot access the data of two domains of which the user belongs

    migueltestjgjg
    217293-image.png

    miguelsegundapruebajg
    217313-image.png

    217304-image.png
    217294-image.png

    Finally I was able to reset the password of the invited account miguelmoralesgonzalez in the miguelsegundapruebajg domain.
    I think it really is not working properly because the default password when its created its not the same as the original one, also, resetting the password is quite hard.
    Because I had to activate 2 microsoft enterprise trials in order to achieve it.

    "Fake" domains invited to azure I wasn't able to reset the password event with Az Premium 2.

    Now I can make login with miguelmoralesgonzalez@miguelsegundapruebajg If I put the domain, but I would like it to have the access into the same domain(the original).

    Maybe its not possible, idk

    217267-image.png

    0 comments No comments