I created a multi-tenant registration app in Azure, supporting two types of tenants: one for internal users and another for external users.
My front-end application has a single login button and it can authenticate both internal and external users through my multi-tenant registration app.
I configured the authentication settings in my front-end according to Azure's guidelines, using the MSAL library.
My front-end application sends the request to the https://login.microsoftonline.com/common endpoint that serves across all Microsoft Entra tenants.
My question is: If a new user who is not registered in any tenant wants to sign up through my front-end application, how can I ensure they are registered in the correct tenant?
For example, if the new user is internal, the user will be registered in the internal users' tenant; otherwise, the user will be registered in the external users' tenant.
asked Mar 6 at 18:25 by Agner Souza Bezerra

1 Answer
Note: In a multi-tenant app registration, users from any Azure AD tenant (including external organizations) can authenticate via the https://login.microsoftonline.com/common endpoint.
- However, this doesn't allow new external users (those who don't already exist in any Azure AD tenant) to self-register when they try to log in.
- They can only authenticate if they have an existing Azure AD or Microsoft account.
Using a multi-tenant Azure AD application, you cannot show an option for new external users to sign up directly.
- When external users try to authenticate through a multi-tenant application, if they don't have an Azure AD account in any tenant, they cannot register on the login screen. They can only authenticate if they already have an Azure AD account or use a Microsoft Account (e.g., Outlook).
As you mentioned, you have to register external users using Azure AD B2C and set up a User Flow.
- To allow external user sign-up, you must use Azure AD B2C, which supports self-registration with customizable user flows.
- Otherwise make use of Azure AD B2B (Business-to-Business). However, this requires an invitation, and external users need to accept the invite to authenticate.
@company.com), direct them to your internal Azure AD tenant endpoint (https://login.microsoftonline.com/{tenant-id}). Otherwise, use the https://login.microsoftonline.com/common endpoint for external users. Azure AD will create the user in the appropriate tenant upon their first successful authentication. – Rukmini Commented Mar 7 at 5:34
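Putting the answer's two options and Rukmini's domain-based routing into one place, as an added example that is not code from the question, the answer, or Microsoft: a small MSAL.js-style configuration that sends addresses in an internal domain to the tenant-specific authority and everyone else to an Azure AD B2C sign-up/sign-in user flow, plus the tenant allowlist check an app that uses /common has to do itself, because /common will return tokens for any Entra tenant and nothing on the identity-provider side restricts that to your two tenants. The client ID, tenant IDs, internal domains, B2C tenant name, user-flow name and redirect URI are placeholders; the sample tokens are constructed and unsigned, so the claims check shown is the authorization step on top of the signature, nonce and expiry validation MSAL performs.

```javascript
// Added example, not code from the question, answer or Microsoft.
// Every identifier below is a placeholder (assumption), not a real tenant.
const CLIENT_ID = "00000000-0000-0000-0000-000000000000";          // assumed app registration
const INTERNAL_TENANT_ID = "11111111-2222-3333-4444-555555555555"; // assumed workforce tenant
const B2C_TENANT_ID = "66666666-7777-8888-9999-000000000000";      // assumed B2C tenant
const B2C_TENANT_NAME = "contosoexternal";                         // assumed <name>.onmicrosoft.com
const B2C_SIGNUP_SIGNIN_FLOW = "B2C_1_signupsignin";               // assumed user-flow name
const INTERNAL_DOMAINS = ["company.com", "corp.company.com"];      // assumed internal domains
const REDIRECT_URI = "https://app.example.com/auth";               // assumed

// Tenants this app is willing to accept tokens from. A multi-tenant app
// registration on /common lets any Entra tenant sign in; restricting that
// to your own tenants is the app's job, not the identity provider's.
const ALLOWED_TENANT_IDS = new Set([INTERNAL_TENANT_ID, B2C_TENANT_ID]);

function isInternalEmail(email) {
  const at = email.lastIndexOf("@");
  if (at < 0) return false;
  return INTERNAL_DOMAINS.includes(email.slice(at + 1).toLowerCase());
}

// Choose the MSAL.js auth configuration for the address typed behind the
// single login button. Internal users: tenant-specific authority (there is
// no self-service sign-up there). Everyone else: a B2C user flow, the only
// option in the answer that actually presents a "sign up" link.
function authConfigFor(email) {
  if (isInternalEmail(email)) {
    return {
      kind: "internal",
      auth: {
        clientId: CLIENT_ID,
        authority: `https://login.microsoftonline.com/${INTERNAL_TENANT_ID}`,
        redirectUri: REDIRECT_URI,
      },
    };
  }
  return {
    kind: "external",
    auth: {
      clientId: CLIENT_ID,
      authority: `https://${B2C_TENANT_NAME}.b2clogin.com/${B2C_TENANT_NAME}.onmicrosoft.com/${B2C_SIGNUP_SIGNIN_FLOW}`,
      // msal-browser rejects a non-Microsoft authority host unless it is listed here.
      knownAuthorities: [`${B2C_TENANT_NAME}.b2clogin.com`],
      redirectUri: REDIRECT_URI,
    },
  };
}

// Read the claims of a compact JWT WITHOUT verifying it. MSAL already checks
// signature, nonce and expiry; this only exposes tid/iss/aud for the
// allowlist decision. (Node Buffer; in a browser use atob on the same string.)
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// The check to run after MSAL returns a token: accept only tokens whose tid
// is allowlisted, whose issuer names that same tenant, and that were minted
// for this client. Returns a result object instead of throwing so the UI
// can explain the rejection.
function acceptToken(idToken) {
  const c = decodeJwtPayload(idToken);
  if (typeof c.tid !== "string" || !ALLOWED_TENANT_IDS.has(c.tid)) {
    return { ok: false, reason: "tenant not allowed" };
  }
  if (typeof c.iss !== "string" || !c.iss.includes(`/${c.tid}/`)) {
    return { ok: false, reason: "issuer does not match tid" };
  }
  if (c.aud !== CLIENT_ID) {
    return { ok: false, reason: "token not issued for this client" };
  }
  return { ok: true, tenantId: c.tid, kind: c.tid === INTERNAL_TENANT_ID ? "internal" : "external" };
}

// Constructed, unsigned sample tokens so the check can be run offline.
function fakeIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

const SAMPLE_INTERNAL = fakeIdToken({
  iss: `https://login.microsoftonline.com/${INTERNAL_TENANT_ID}/v2.0`,
  tid: INTERNAL_TENANT_ID, aud: CLIENT_ID, preferred_username: "alice@company.com",
});
const SAMPLE_B2C = fakeIdToken({
  iss: `https://${B2C_TENANT_NAME}.b2clogin.com/${B2C_TENANT_ID}/v2.0/`,
  tid: B2C_TENANT_ID, aud: CLIENT_ID, emails: ["bob@example.net"],
});
// A perfectly valid token from some other organisation's tenant, which
// /common would happily hand to the app: must be rejected here.
const SAMPLE_FOREIGN = fakeIdToken({
  iss: "https://login.microsoftonline.com/99999999-aaaa-bbbb-cccc-dddddddddddd/v2.0",
  tid: "99999999-aaaa-bbbb-cccc-dddddddddddd", aud: CLIENT_ID,
});

console.log(authConfigFor("alice@company.com").auth.authority);
console.log(authConfigFor("bob@example.net").auth.authority);
console.log(acceptToken(SAMPLE_INTERNAL), acceptToken(SAMPLE_B2C), acceptToken(SAMPLE_FOREIGN));
```

The routing only decides where the user is sent; it is the `acceptToken` step that keeps a token from a third tenant out, and in a real app that check belongs on the API that consumes the token as well, since the front-end configuration can be altered by the person using it.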