I'm trying out Azure AD B2B capabilities for my company. I have tried to invite external users through the portal and by using https://graph.microsoft.com/beta/invitations.
As you can see from below, Azure support gave me the same conclusion: the common endpoint does not work for guest users. The workaround I ended up with is to add all users as guest users in my tenant and use the tenant-specific endpoint. I also noticed that guest users get a different objectId than their home user, which means we needed to store the relation between guest and home user when external tenants were used to determine group membership etc.
Here is the final response I got from Azure support:
Symptom
You are sending B2B invites for several customers to enable them to use your multi-tenant application "NameOfApplication" that has been created on the Azure AD directory nameOfTenant.onmicrosoft.com
Invited email-verified users that reside on unmanaged directories are unable to access the application with an "Access Denied" error. The underlying error message:
AADSTS65005: The application NameOfApplication is currently not supported for your company .no. Your company is currently in an unmanaged state and needs an Administrator to claim ownership of the company by DNS validation of .no before the application NameOfApplication can be provisioned.
Cause
The issue here lies with the endpoints being used to proceed with user authentication.
In the case of B2B invites and the common tenant endpoint, it is implied that tenant discovery will be used. This also means that the users will be authenticated in their original tenants and will not use the guest account that was created in the tenant where the application actually exists.
Conclusion: the common endpoint does not, at this point in time, support guest accounts.
If tenant-specific endpoints are used, then the guest accounts generated by the B2B process will be used, but only users from that specific tenant will be authenticated. This means that users from other tenants might still try to authenticate, but if they haven't been added as guests to the original tenant, the authentication will fail.
Conclusion: guest users (from B2B) will only work with the tenant-specific endpoint.
Resolution
There is unfortunately no other method to resolve this matter, unless by developing your application to perform a customized tenant discovery operation and from there being able to use the tenant-specific endpoint for each.
Quoting from your own words:
“…I use the tenant specific endpoint and convert all users to guests in that tenant. Users in managed external tenants that we get directory read access to can then be added as guests when they become members of groups (in their tenant) that we monitor. That way we still allow these companies to control access to our systems from within their system. All other users will be added as guests manually (social accounts, unmanaged external tenants, and from managed external tenants that we do not have read directory access to)…”
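To make the workaround above concrete, here is an added example (not code from the original post, nor from Azure support or Microsoft) showing the three pieces an application ends up needing: a tenant-specific authority instead of /common, the request body for the Microsoft Graph invitations API, and a small store that maps the guest objectId returned by Graph to the home user/tenant the post says you have to track yourself. The invitation response is a constructed sample in the shape Graph returns; the tenant name comes from the post, every id is made up, and the `verify_token_claims` check (rejecting tokens whose `tid` is not our tenant, which is what a token from the user's home tenant via /common would carry) is my assumption about how to catch the "wrong endpoint" case at the application side.

```python
import json

# Tenant name taken from the post; everything else below is constructed.
TENANT = "nameOfTenant.onmicrosoft.com"
OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed tenant GUID
GRAPH_INVITATIONS = "https://graph.microsoft.com/v1.0/invitations"  # real Graph endpoint


def authority(tenant):
    """Tenant-specific v2.0 authority. /common is refused on purpose,
    because guest accounts only work with the tenant-specific endpoint."""
    if not tenant or tenant.lower() in ("common", "organizations"):
        raise ValueError("B2B guests require the tenant-specific endpoint, not /common")
    return "https://login.microsoftonline.com/%s/v2.0" % tenant


def build_invitation(email, redirect_url, send_message=False):
    """Request body for POST https://graph.microsoft.com/v1.0/invitations."""
    return {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_message,
    }


def record_guest(store, invitation_response, home_tenant_id=None, home_user_id=None):
    """Persist the guest objectId -> home user relation. Graph assigns the guest
    a new id, so the home identity must be stored by the application itself."""
    guest_id = invitation_response["invitedUser"]["id"]
    store[guest_id] = {
        "email": invitation_response["invitedUserEmailAddress"],
        "status": invitation_response["status"],
        "home_tenant_id": home_tenant_id,
        "home_user_id": home_user_id,
    }
    return guest_id


def verify_token_claims(claims, store, expected_tid=OUR_TENANT_ID):
    """Assumed application-side check: a token issued for our tenant carries our
    tenant id in 'tid' and the guest objectId in 'oid'. A token obtained via
    /common would carry the home tenant's values and is rejected (returns None)."""
    if claims.get("tid") != expected_tid:
        return None
    return store.get(claims.get("oid"))


# Constructed sample of a Graph invitation response (ids are not real).
SAMPLE_RESPONSE = json.loads("""
{
  "id": "aaaaaaaa-0000-0000-0000-000000000001",
  "inviteRedeemUrl": "https://login.microsoftonline.com/redeem?rd=example",
  "invitedUserDisplayName": null,
  "invitedUserEmailAddress": "alice@example.com",
  "sendInvitationMessage": false,
  "status": "PendingAcceptance",
  "invitedUser": { "id": "bbbbbbbb-0000-0000-0000-000000000002" }
}
""")


def demo():
    store = {}
    guest_id = record_guest(
        store, SAMPLE_RESPONSE,
        home_tenant_id="22222222-2222-2222-2222-222222222222",  # constructed
        home_user_id="cccccccc-0000-0000-0000-000000000003",   # constructed
    )
    # Token from our tenant for the guest account: resolves to the stored record.
    good = verify_token_claims({"tid": OUR_TENANT_ID, "oid": guest_id}, store)
    # Token from the home tenant (what /common would produce): rejected.
    bad = verify_token_claims({"tid": "22222222-2222-2222-2222-222222222222",
                               "oid": "cccccccc-0000-0000-0000-000000000003"}, store)
    return good, bad


if __name__ == "__main__":
    print(authority(TENANT))
    print(json.dumps(build_invitation("alice@example.com", "https://app.example.com/")))
    print(demo())
```

Sending the body from `build_invitation` to `GRAPH_INVITATIONS` with an app token holding `User.Invite.All` is left to your HTTP client; the point of the example is the mapping step and the authority choice, both of which have to live in your own code.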