Tiago Peres

Reputation: 15622

Authentication with Microsoft Azure AD in a multi-tenant app

Following the documentation, I registered an application with Accounts in any organizational directory. The Tenant where the application resides is in "Default Directory" and has only one user, [email protected]. Also, the app has user assignment (as pointed out here) set to No


After that, I created another Tenant (different directory) and invited the external user [email protected]. That's the user I'm having trouble logging into the previously created app.

Then, I enabled the OAuth2 support using social_core.backends.azuread.AzureADOAuth2 (from here).

As I try to authenticate now, it works well with [email protected], but with [email protected] it gives the following error

Selected user account does not exist in tenant 'Default Directory' and cannot access the application 'a9a22676-8a1c-4297-95d3-8cd89553220e' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

Microsoft Auth Error

Upvotes: 0

Views: 909

Answers (1)

Tiago Peres

Reputation: 15622

The problem is the URL the user is redirected to. According to the docs, multi-tenant applications should redirect to https://login.microsoftonline.com/organizations.

As we see in the Python Social Auth AzureADOAuth2 class, the BASE_URL is

BASE_URL = "https://{authority_host}/{tenant_id}"

Since authority_host = "https://login.microsoftonline.com/" and tenant_id = "common", we'd get the wrong URL.

After changing that and signing in with the same user, I now get a request to add the permissions


Reported that issue here too.

Upvotes: 0
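As an added illustration (not code from the question, the answer, or Python Social Auth itself), this standalone Python builds the authorize URL from the same BASE_URL template and shows why a scheme-prefixed authority_host pasted into it produces a malformed URL, and how the tenant segment chosen for a multi-tenant app changes which accounts may sign in. The helper names, the redirect URI and the client id are assumptions of this example.

```python
from urllib.parse import urlencode, urlparse

# Template quoted from the AzureADOAuth2 class in the answer above.
BASE_URL = "https://{authority_host}/{tenant_id}"

# Authority segments a multi-tenant app can use and who each one admits
# (constructed for this example from the Microsoft identity platform docs).
TENANT_SEGMENTS = {
    "common": "work/school accounts and personal Microsoft accounts",
    "organizations": "work/school accounts from any Azure AD tenant",
    "consumers": "personal Microsoft accounts only",
}


def raw_base_url(authority_host: str, tenant_id: str) -> str:
    """What the template yields when settings are inserted verbatim."""
    return BASE_URL.format(authority_host=authority_host, tenant_id=tenant_id)


def normalize_authority_host(value: str) -> str:
    """Reduce "https://login.microsoftonline.com/" to a bare host name so the
    {authority_host} slot never receives a scheme or trailing slash."""
    parsed = urlparse(value if "://" in value else f"//{value}")
    return (parsed.netloc or parsed.path).strip("/")


def is_well_formed(url: str) -> bool:
    """Reject the doubled-scheme URL the raw template can produce."""
    p = urlparse(url)
    return p.scheme == "https" and p.netloc == "login.microsoftonline.com" and "//" not in p.path


def build_authorize_url(authority_host, tenant_id, client_id, redirect_uri, state):
    """Authorize URL for a multi-tenant app (hypothetical helper, not the library's API).

    A directory GUID in the tenant slot pins sign-in to that one directory, which is
    the situation behind a "user does not exist in tenant" error for external users,
    so only the multi-tenant segments are accepted here.
    """
    if tenant_id not in TENANT_SEGMENTS:
        raise ValueError(f"expected one of {sorted(TENANT_SEGMENTS)}, got {tenant_id!r}")
    base = raw_base_url(normalize_authority_host(authority_host), tenant_id)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,  # bind the callback to this browser session
    })
    return f"{base}/oauth2/v2.0/authorize?{query}"
```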
