Multi Tenant guest users - wrong authority
Core Library
MSAL.js v2 (@azure/msal-browser)
Core Library Version
2.28.1
Wrapper Library
Not Applicable
Wrapper Library Version
0
Public or Confidential Client?
Public
Description
Having an issue when I configure MSAL to accept guest users from multiple tenants. Guest users cannot access the resource because their tenant id is pointing to the base application on the resource tenant (where the app was created), not where it has been consumed.
In a single tenant configuration this works as the authority is specified. However, when the B2B multi-tenant setup is on /common or /organizations, guest users seem to point back to where the application is hosted, and I cannot get the tenant id from any of the MSAL endpoints nor the Graph API.
Originally, we setup the MSAL config like so:
```js
export const msalConfig = {
  auth: {
    clientId: "{clientId}",
    authority: "https://login.microsoftonline.com/{tenantID}",
  },
};
```
This is a single tenant setup as the tenantID is specified; guests invited into that tenant can access shared resources.
```js
export const msalConfig = {
  auth: {
    clientId: "{clientId}",
    authority: "https://login.microsoftonline.com/{common||organizations}",
  },
};
```
This is a multi-tenancy setup: any organisation with an AAD account can sign in and share resources (this all works fine and is tested).
However, with this multi-tenant setup, if an organisational member invites a guest user, they are a part of that organisation, not where the application originates from (our production tenant). The token seems to be coming from the production tenant and they cannot access the shared resource: 1. because they aren't a user of that tenant, 2. the resource is not on that tenant.
MSAL documents that we can change the authority on request; however, I cannot seem to find the guest user's invitee tenant id. It always links back to our production tenant.
I have found a really good blog entry that talks about the same issue; however, it's out of date. Could anyone help in any way possible?
https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3223
Thanks in advance
Error Message
Msal Logs
No response
MSAL Configuration
```js
export const msalConfig = {
  auth: {
    clientId: "{clientId}",
    authority: "https://login.microsoftonline.com/{common||organizations}",
  },
  cache: {
    cacheLocation: "sessionStorage",
    storeAuthStateInCookie: false,
  },
};
```
Relevant Code Snippets
```js
import { PublicClientApplication } from "@azure/msal-browser";

// msalConfig and loginRequest (clientId, authority, scopes) come from the
// configuration module shown above; the PublicClientApplication wraps them.
const myMSALObj = new PublicClientApplication(msalConfig);
let username;

// sign in function
export const signIn = async () => {
  myMSALObj.loginRedirect(loginRequest);
};

// success response login
const handleResponse = (resp) => {
  const welcome = document.getElementById("signInMessageMicrosoftSignin");
  if (resp !== null) {
    username = resp.account.name;
    welcome.textContent = username;
    console.log("username", username);
    return resp;
  }
};

// Redirect: once login is successful and redirects with tokens, call Graph API.
// downloadModelFromUrl, updateStaticLoadingContent and sharedLoaderContent are
// the app's own helpers and are not included in the issue.
myMSALObj
  .handleRedirectPromise()
  .then(handleResponse)
  .then((resp) => {
    if (!resp) return;
    downloadModelFromUrl(resp.accessToken);
    updateStaticLoadingContent(
      document,
      "staticLoadingScreen",
      sharedLoaderContent(document)
    );
  })
  .catch((err) => {
    console.error(err);
  });
```
Reproduction Steps
- create app registration as a multi tenant application on base tenant
- another organization/tenant to consume
- other organization can invite guest users
- guest invite sent/redeem
- give permissions
- use web app url with sharing link as a query parameter
- use msal to login to auth into the tenant
- call the endpoint/ read the file
Expected Behavior
Guest users are able to authorise via the tenant they have been invited into to access the resource
Identity Provider
Azure AD / MSA
Browsers Affected (Select all that apply)
Chrome
Regression
No response
Source
External (Customer)
btw this is the response I get from the guest user, as you can see it has a tenant id but it's not the tenant id that the guest has been invited to
Issue Analytics
- Created a year ago
- Comments:7 (4 by maintainers)
Top GitHub Comments
@jcharnley thanks for the question and sorry for the delay. I’ll need some time to look into it and get back to you with more information.
I implemented the ARM API; however, this does not allow for guest-type users, it only works for AAD members. I have found a working solution: I now send over the tenantID as a query parameter in the sharing URL, and I update the authority on the login request. This can be closed now, but it could be an idea to look into guest accounts in a multi-tenant setup as people will run into this problem.
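The workaround described in the last comment (tenant id carried in the sharing URL, authority set per login request), as an added example that is not the issue author's code: it assumes the sharing link carries the tenant in a `tenant` query parameter (a hypothetical name) and that the login response exposes `idTokenClaims.tid`, which msal-browser's AuthenticationResult does. Only the tenant segment of the authority is taken from the link; the host stays fixed and the value must be a GUID, and the issuing tenant of the returned token is compared against the one requested.

```javascript
// Added example (not from the issue): build a tenant-specific authority from the
// sharing link so a B2B guest is signed into the resource tenant, not their home
// tenant, and verify afterwards which tenant actually issued the token.
const AAD_HOST = "https://login.microsoftonline.com";
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Extract the resource tenant id from the sharing URL ("tenant" is an assumed
// parameter name). Returns null if it is absent or not a GUID, so values such as
// "common" or path fragments never reach the authority string.
function tenantFromSharingUrl(url) {
  const tenant = new URL(url).searchParams.get("tenant");
  return tenant && GUID_RE.test(tenant) ? tenant.toLowerCase() : null;
}

// Build the request passed to loginRedirect. Falling back to /common would again
// hand the guest a home-tenant token, so a missing tenant is an error instead.
function buildLoginRequest(url, scopes) {
  const tenant = tenantFromSharingUrl(url);
  if (!tenant) {
    throw new Error("sharing link does not name a valid resource tenant");
  }
  return { scopes, authority: `${AAD_HOST}/${tenant}` };
}

// After handleRedirectPromise resolves, confirm the token was issued for the
// tenant we asked for: resp.idTokenClaims.tid is the issuing tenant id.
function tokenIssuedByTenant(resp, expectedTenant) {
  const tid = resp && resp.idTokenClaims && resp.idTokenClaims.tid;
  return typeof tid === "string" && tid.toLowerCase() === expectedTenant.toLowerCase();
}
```

In the flow on the page, `buildLoginRequest(window.location.href, loginRequest.scopes)` would replace the fixed `loginRequest`, and `tokenIssuedByTenant` would run inside `handleResponse` before the access token is used.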