Azure sign-in to a multi-tenant AD application fails

Time: 2020-06-29 10:52:52

Tags: azure azure-active-directory

I have user A in tenant A and a multi-tenant AD application B in tenant B. I am trying to obtain a token for the AD application from user A's context:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=a573ddda-b34a-4206-a73b-d67ff6e98aec&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=a573ddda-b34a-4206-a73b-d67ff6e98aec%2F.default&response_mode=fragment&state=12345&nonce=678910

I sign in with user A's credentials and get the error:

AADSTS700016: Application with identifier 'a573ddda-b34a-4206-a73b-d67ff6e98aec' was not found in the directory 'domainA.onmicrosoft.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

I have configured AD application B (ID a573ddda-b34a-4206-a73b-d67ff6e98aec) as multi-tenant. Any idea why this might not work?

1 answer:

Answer 0 (score: 0)

As @juunas said, if you sign in with a guest user, use tenant A's tenant id instead of common; this forces the user to authenticate against tenant A rather than their home tenant.

If your guest user is the first user to sign in to the application, make sure the settings in tenant A look like the following; otherwise that user will not be able to consent to the application in tenant A.

  1. In tenant A, navigate to Azure Active Directory -> User settings -> Manage external collaboration settings -> set Guest users permissions are limited to No

  2. In tenant A, navigate to Azure Active Directory -> Enterprise applications -> User settings -> set Users can consent to apps accessing company data on their behalf to Yes

For more details on member users and guest users, see https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
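The answer's first point (target tenant A's directory instead of the `common` endpoint, so the request is resolved in the tenant where the app has been consented to) can be made concrete with a small URL rewrite. The example below is added here and is not part of the original question or answer: it takes the authorize URL from the question, swaps the `common` path segment for a tenant ID, and also checks the `state` parameter on the way back, since the fragment-based `response_type=token` flow on the page relies on `state` to tie the response to the request. The tenant ID and the redirect fragment are placeholders constructed for the example; the client ID and the other parameters are the ones from the question.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Authorize request as posted in the question (uses the 'common' endpoint).
COMMON_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=a573ddda-b34a-4206-a73b-d67ff6e98aec&response_type=token"
    "&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F"
    "&scope=a573ddda-b34a-4206-a73b-d67ff6e98aec%2F.default"
    "&response_mode=fragment&state=12345&nonce=678910"
)

# Placeholder: the directory (tenant) ID of tenant A is not given on the page.
TENANT_A_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample of what the browser would carry back in the URL fragment
# after a successful sign-in; the token value is a placeholder, not a real token.
SAMPLE_FRAGMENT = (
    "access_token=PLACEHOLDER_TOKEN&token_type=Bearer&expires_in=3599"
    "&scope=a573ddda-b34a-4206-a73b-d67ff6e98aec%2F.default&state=12345"
)


def retarget_authorize_url(url: str, tenant: str) -> str:
    """Rewrite a v2.0 authorize URL so the tenant segment is 'tenant'
    (a directory ID or verified domain) instead of 'common'.

    Everything else in the request (client_id, scope, state, nonce, ...)
    is kept as it is.
    """
    parts = urlsplit(url)
    if parts.netloc != "login.microsoftonline.com":
        raise ValueError("not a Microsoft identity platform URL")
    segments = parts.path.split("/")  # ['', '<tenant>', 'oauth2', 'v2.0', 'authorize']
    if len(segments) != 5 or segments[2:] != ["oauth2", "v2.0", "authorize"]:
        raise ValueError("unexpected authorize path: " + parts.path)
    segments[1] = tenant
    return urlunsplit(parts._replace(path="/".join(segments)))


def describe_request(url: str) -> dict:
    """Extract the parameters that decide where the request is resolved."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    tenant = parts.path.split("/")[1]
    return {
        "tenant": tenant,
        "uses_common": tenant == "common",
        "client_id": query.get("client_id"),
        "scope": query.get("scope"),
        "response_type": query.get("response_type"),
        "state": query.get("state"),
    }


def parse_redirect_fragment(fragment: str, expected_state: str) -> dict:
    """Parse the fragment returned to redirect_uri and insist that the
    'state' value matches the one sent in the authorize request, so a
    response from some other request cannot be accepted by mistake."""
    values = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in values:
        raise RuntimeError(values.get("error_description", values["error"]))
    if values.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "access_token" not in values:
        raise ValueError("no access_token in fragment")
    return values


if __name__ == "__main__":
    before = describe_request(COMMON_URL)
    tenant_url = retarget_authorize_url(COMMON_URL, TENANT_A_ID)
    after = describe_request(tenant_url)
    print("before:", before["tenant"], "after:", after["tenant"])
    print(parse_redirect_fragment(SAMPLE_FRAGMENT, before["state"])["token_type"])
```

With the rewritten URL the sign-in is evaluated in tenant A, where the answer's two settings decide whether the guest user may consent; with `common`, the request is evaluated in the user's home tenant, which is where the AADSTS700016 "not found in the directory" message on the page comes from.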
