
Multi Tenant guest users - wrong authority #5113

Closed
jcharnley opened this issue Aug 18, 2022 · 7 comments
Labels:
- answered: Question has received "first qualified response"
- bug-unconfirmed: A reported bug that needs to be investigated and confirmed
- msal-browser: Related to msal-browser package
- public-client: Issues regarding PublicClientApplications
- question: Customer is asking for a clarification, use case or information.

Comments


jcharnley commented Aug 18, 2022

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.28.1

Wrapper Library

Not Applicable

Wrapper Library Version

0

Public or Confidential Client?

Public

Description

Having an issue when I configure MSAL to accept guest users from multiple tenants. Guest users cannot access the resource because their tenant id is pointing to the base application on the resource tenant (where the app was created), not where it has been consumed.

In a single-tenant configuration this works as the authority is specified. However, when the B2B multi-tenant setup is on /common or /organizations, guest users seem to point back to where the application is hosted, and I cannot get the tenant id from any of the MSAL endpoints nor the Graph API.

Originally, we setup the MSAL config like so:

export const msalConfig = {
  auth: {
    clientId: "{clientId}",
    authority: "https://login.microsoftonline.com/{tenantID}",
  },
};

This is a single-tenant setup as the tenantID is specified; guests invited into that tenant can access shared resources.

export const msalConfig = {
  auth: {
    clientId: "{clientId}",
    authority: "https://login.microsoftonline.com/{common||organizations}",
  },
};

This is a multi-tenancy setup: any organisation with an AAD account can sign in and share resources (this all works fine and is tested).

However, with this multi-tenant setup, if an organisational member invites a guest user, they are a part of that organisation, not of where the application originates from (our production tenant). The token seems to be coming from the production tenant; they cannot access the shared resource 1. because they aren't a user of that tenant, 2. because the resource is not on that tenant.

MSAL documents that we can change the authority on request; however, I cannot seem to find the guest user's invited tenant id. It always links back to our production tenant.

I have found a really good blog entry that talks about the same issue; however, it's out of date. Could anyone help in any way possible?

https://www.syskit.com/blog/supporting-tenant-selection-for-b2b-users-in-a-multitenant-azure-active-directory-application/

https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3223

Thanks in advance

Error Message

[Screenshot 2022-08-18 at 16:03:17: image not available in this copy]

[Screenshot 2022-08-18 at 16:02:55: image not available in this copy]

Msal Logs

No response

MSAL Configuration

export const msalConfig = {
  auth: {
    clientId: "{clientId}",
    authority: "https://login.microsoftonline.com/{common||organizations}",
  },
  cache: {
    cacheLocation: "sessionStorage",
    storeAuthStateInCookie: false,
  },
};

Relevant Code Snippets

// myMSALObj (a PublicClientApplication built from msalConfig) and loginRequest
// (the scopes object) are defined elsewhere in the app.
let username;

// sign in function
export const signIn = async () => {
  myMSALObj.loginRedirect(loginRequest);
};

// success response login: show the signed-in account name and pass the
// redirect response on to the next step
const handleResponse = (resp) => {
  const welcome = document.getElementById("signInMessageMicrosoftSignin");
  if (resp !== null) {
    username = resp.account.name;
    welcome.textContent = username;
    console.log("username", username);
    return resp;
  }
};

// Redirect: once login is successful and redirects with tokens, call Graph API
myMSALObj
  .handleRedirectPromise()
  .then(handleResponse)
  .then((resp) => {
    if (!resp) return;
    downloadModelFromUrl(resp.accessToken);
    updateStaticLoadingContent(
      document,
      "staticLoadingScreen",
      sharedLoaderContent(document)
    );
  })
  .catch((err) => {
    console.error(err);
  });

Reproduction Steps

  1. create app registration as a multi-tenant application on base tenant
  2. another organization/tenant to consume
  3. other organization can invite guest users
  4. guest invite sent/redeem
  5. give permissions
  6. use web app url with sharing link as a query parameter
  7. use msal to login to auth into the tenant
  8. call the endpoint/ read the file

Expected Behavior

Guest users are able to authorise via the tenant they have been invited into to access the resource

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Chrome

Regression

No response

Source

External (Customer)

By the way, this is the response I get from the guest user; as you can see it has a tenant id, but it's not the tenant id that the guest has been invited to.

[Screenshot 2022-08-18 at 16:10:25: image not available in this copy]

@jcharnley jcharnley added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Aug 18, 2022
@ghost ghost added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Aug 18, 2022
@github-actions github-actions bot added msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications labels Aug 18, 2022
@ghost ghost assigned hectormmg Aug 18, 2022
@hectormmg
Member

@jcharnley thanks for the question and sorry for the delay. I'll need some time to look into it and get back to you with more information.

@ghost ghost added answered Question has received "first qualified response" Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Aug 22, 2022
@jcharnley
Author

I really appreciate this, let me know if you need further information.

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Aug 23, 2022
@hectormmg
Member

@jcharnley if I understood correctly, you will either need to supply the tenanted authority (if you know the tenant beforehand) or query the ARM API and prompt the user to select the tenant they want to sign into. https://docs.microsoft.com/en-us/rest/api/resources/

@ghost ghost added Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Aug 26, 2022
@jcharnley
Author

jcharnley commented Aug 31, 2022

Thanks @hectormmg, I've been speaking with Sergio on this too. I will proceed with the ARM solution and see how that goes first. I will keep you updated. Thanks again.

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Aug 31, 2022
@ghost

ghost commented Sep 5, 2022

This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @hectormmg please follow up.

@ghost

ghost commented Sep 11, 2022

This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @hectormmg please follow up.

@jcharnley
Author

I implemented the ARM API; however, this does not allow for guest-type users, it only works for AAD members. I have found a working solution: I now send over the tenantID as a query parameter in the sharing URL, and I update the authority on the login request. This can be closed now, but it could be an idea to look into guest accounts in a multi-tenant setup as people will run into this problem.

@ghost ghost removed the Needs: Attention 👋 Awaiting response from the MSAL.js team label Sep 11, 2022
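The workaround the author settled on (tenant id carried in the sharing URL, authority set per login request) takes untrusted input from a link and turns it into an authority, so it is worth constraining. The following is an added example, not code from the issue or from the MSAL.js project: it pulls the tenant id out of the sharing link, accepts only a tenant GUID (rejecting anything that could alter the authority path, such as "common" or path segments), builds the tenanted authority for the request object passed to loginRedirect, and after redirect checks that the tid claim of the returned id token matches the tenant the link named. The query parameter name tenantId, the sample URLs and the sample token are assumptions; the token builder produces an unsigned, constructed token for demonstration only.

```javascript
// Added example: tenant-scoped authority from a sharing link, with validation.
// Not part of the MSAL.js project or the original issue.

const LOGIN_HOST = "https://login.microsoftonline.com";
// Azure AD tenant ids are GUIDs; anything else is rejected before it can
// reach the authority string.
const TENANT_GUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Read the tenant id from the sharing URL. The parameter name "tenantId"
// is an assumption; the issue does not say which name was used.
function tenantFromSharingUrl(urlString) {
  const url = new URL(urlString);
  const raw = url.searchParams.get("tenantId");
  if (raw === null) return null;
  const tid = raw.trim().toLowerCase();
  if (!TENANT_GUID_RE.test(tid)) {
    throw new Error("tenantId query parameter is not a tenant GUID");
  }
  return tid;
}

// Tenanted authority when a tenant is known; otherwise keep the
// multi-tenant /organizations authority used by the issue's config.
function authorityForTenant(tid) {
  return tid ? `${LOGIN_HOST}/${tid}` : `${LOGIN_HOST}/organizations`;
}

// Request object for myMSALObj.loginRedirect(...) / acquireTokenRedirect(...).
// `authority` is a real per-request option in msal-browser; `expectedTenant`
// is our own field, kept so the post-redirect check knows what to compare.
function buildLoginRequest(sharingUrl, scopes) {
  const tid = tenantFromSharingUrl(sharingUrl);
  return { scopes, authority: authorityForTenant(tid), expectedTenant: tid };
}

// Base64url helpers (Node's Buffer; in a browser use atob/btoa instead).
function base64UrlEncode(str) {
  return Buffer.from(str, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Read the payload claims of a JWT. This does NOT verify the signature:
// the client only reads claims for UX and sanity checks; the resource
// server must still validate the token it receives.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// After handleRedirectPromise resolves, confirm the id token was issued by
// the tenant named in the sharing link, not the app's home tenant.
function tokenMatchesTenant(idToken, expectedTenant) {
  const { tid } = decodeJwtPayload(idToken);
  return typeof tid === "string" && tid.toLowerCase() === expectedTenant;
}

// Constructed, unsigned sample id token for the demonstration below.
function makeSampleIdToken(tid) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = base64UrlEncode(
    JSON.stringify({ tid, oid: "constructed-object-id", name: "Guest User" })
  );
  return `${header}.${payload}.constructed-signature`;
}

// Demonstration with constructed values.
const SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555";
const SAMPLE_LINK = `https://app.example.invalid/open?file=model1&tenantId=${SAMPLE_TENANT}`;

const request = buildLoginRequest(SAMPLE_LINK, ["User.Read"]);
console.log("authority:", request.authority);
const token = makeSampleIdToken(SAMPLE_TENANT);
console.log("tid matches link:", tokenMatchesTenant(token, request.expectedTenant));
```

In the issue's code, `request` would replace `loginRequest` in `myMSALObj.loginRedirect(...)`, and `tokenMatchesTenant(resp.idToken, request.expectedTenant)` would run inside `handleResponse` before the access token is used; a mismatch means the user signed into the wrong tenant (the symptom described in the issue) and the app should not proceed with the share.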