Blazorade / Blazorade-MSAL

A Blazor component library that makes it easy to use authentication in your application through MSAL, both in Blazor Server and Blazor WebAssembly applications.
MIT License

Support for multiple application configuration options #10

Open MikaBerglund opened 3 years ago

MikaBerglund commented 3 years ago

Sometimes it would be useful to be able to use multiple application configuration options and provide a mechanism where the application could select which configuration to use when authenticating users. An application could also allow the user to select how they want to log in.

Some use cases for this configuration:

This can be implemented in, for instance, Azure AD B2C, where users would select the IdP from a list of providers, but having it configurable directly in the application would make it a more integral experience for the user.

cloudtidings commented 3 years ago

Hi @MikaBerglund, is this feature available? I am looking for an option for the user to type the tenant before the authentication, as some users' accounts would have access to many tenants.

MikaBerglund commented 3 years ago

No, it's not yet available. It's still on the backlog. For the moment, you can allow users to log in from multiple tenants by creating your application as a multi-tenant application. However, then you allow users to log in from any tenant, so if you want to control which tenants they log in from, you have to take care of that in your application, after the user has logged in.

cloudtidings commented 3 years ago

However, then you allow users to lo

You mean ask the user to log on twice? What I am looking for is for the user to type the tenant before the user clicks on logon. It would be useful if we could pass the tenant name in the authentication. I am using a Blazor Server app and the below code is in Startup.cs (ConfigureServices). Is there a way to change the authority later?

    // Inside Startup.ConfigureServices(IServiceCollection services)
    services.AddBlazoradeMsal((sp, o) =>
    {
        // Read the "AzureAd" section of appsettings.json
        var root = sp.GetService<IConfiguration>();
        var config = root.GetSection("AzureAd");
        o.ClientId = config.GetValue<string>("clientId");
        o.TenantId = config.GetValue<string>("tenantId");
        // Authority is fixed here at startup; the question is how to change it per user later
        o.Authority = config.GetValue<string>("authority");

        o.DefaultScopes = new string[] { "openid", "User.Read" };
        o.PostLogoutUrl = "/loggedout";
        o.RedirectUrl = "/login";
        o.InteractiveLoginMode = InteractiveLoginMode.Popup;
        o.TokenCacheScope = TokenCacheScope.Session;
    });

MikaBerglund commented 3 years ago

No, they don't have to log in twice. In a multi-tenant application, users can log in to the same application using an account from any tenant.

MikaBerglund commented 3 years ago

If we have multiple tenants that users can choose from, then we also need to configure an application in each of these tenants, because you always need an application in the tenant that users sign in to, unless you have a multi-tenant application.

cloudtidings commented 3 years ago

then we also need to configure an application in each of these tenants, because you always need an application in the tenant that users sign in to, unless you have a multi-tenant app

Yes. I am building a multi-tenant app. But because a user can have many tenants, I need them to be able to select the tenant before working on the app.

MikaBerglund commented 3 years ago

They select the tenant by choosing which login they use. The domain in every login is connected to an Azure AD tenant. If you don't have a vanity domain associated with an AAD tenant, then you log in using firstname.lastname@yourcompany.onmicrosoft.com. If you have associated a vanity domain with a tenant, then you log in with firstname.lastname@yourcompany.com.

The tenant that you then configure in the application's configuration is the tenant where you have registered your multi-tenant application, which can be different from the tenant that your users log in from. The tenant and application ID (client ID) always go hand in hand.

svrooij commented 1 year ago

You can have an account user@domaina.com which is a guest user (and assigned an application role) in a second tenant domainc.onmicrosoft.com.

Then the tokens you get change if you send either domaina.com (or organizations which defaults to the home tenant) as tenant or domainc.onmicrosoft.com.

The iss scope will change depending on the choice. That way you can use one account to access a multi-tenant application as if you got a second account in the customers tenant.
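The two points the thread keeps circling are (a) letting the user name the tenant before sign-in, which in practice means building a tenant-specific authority URL, and (b) MikaBerglund's remark that a multi-tenant registration accepts sign-ins from any tenant, so tenant restriction has to be enforced in the application after sign-in, using the `tid` and `iss` claims svrooij describes. The C# below is an added example for this thread, not code from Blazorade.MSAL or from any of the commenters. The class `TenantPolicy` and its methods are made up for illustration; the tenant IDs, account names and tokens are constructed here and the tokens are unsigned (`alg: none`) so the sample runs offline. How a runtime-chosen authority would be handed to Blazorade's options is not shown, because the thread does not say how (it only shows `Authority` being set once at startup).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;
using System.Text.RegularExpressions;

// Hypothetical helper for the scenario in the thread; not part of Blazorade.MSAL.
public static class TenantPolicy
{
    const string LoginBase = "https://login.microsoftonline.com/";
    static readonly Regex TenantIdPattern = new Regex(
        @"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", RegexOptions.IgnoreCase);
    static readonly Regex DomainPattern = new Regex(
        @"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", RegexOptions.IgnoreCase);

    // Turns the tenant the user typed (tenant ID GUID, verified domain such as
    // contoso.onmicrosoft.com, or one of the multi-tenant aliases) into an authority URL.
    // Anything else is rejected so user input can never steer MSAL to another host or path.
    public static string BuildAuthority(string tenantInput)
    {
        var t = (tenantInput ?? "").Trim().ToLowerInvariant();
        if (t == "common" || t == "organizations" || t == "consumers"
            || TenantIdPattern.IsMatch(t) || DomainPattern.IsMatch(t))
            return LoginBase + t;
        throw new ArgumentException($"'{tenantInput}' is not a tenant ID, verified domain or known alias.");
    }

    // Decodes a JWT payload WITHOUT verifying the signature. That is acceptable for reading
    // claims from a token MSAL just obtained from login.microsoftonline.com inside the app;
    // any API that trusts the token must still validate signature, aud, exp and issuer.
    public static Dictionary<string, string> ReadClaims(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");
        var payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return doc.RootElement.EnumerateObject().ToDictionary(p => p.Name, p => p.Value.ToString());
    }

    // The post-sign-in check the thread describes: a multi-tenant app accepts any tenant,
    // so the application decides which tenants it will serve. Also confirms that tid and
    // iss agree and, if a specific tenant was requested, that the token was issued by it;
    // this matters because one guest account can obtain tokens from several tenants.
    public static bool IsTenantAllowed(IReadOnlyDictionary<string, string> claims,
                                       ISet<string> allowedTenantIds,
                                       string requestedTenantId = null)
    {
        if (!claims.TryGetValue("tid", out var tid) || !claims.TryGetValue("iss", out var iss))
            return false;
        // v2.0 tokens carry iss = https://login.microsoftonline.com/{tid}/v2.0
        var expectedIss = LoginBase + tid + "/v2.0";
        if (!string.Equals(iss, expectedIss, StringComparison.OrdinalIgnoreCase)) return false;
        if (requestedTenantId != null
            && !string.Equals(tid, requestedTenantId, StringComparison.OrdinalIgnoreCase)) return false;
        return allowedTenantIds.Contains(tid.ToLowerInvariant());
    }

    // Builds an UNSIGNED demo token for the sample run below. Constructed for this example;
    // it is not a real Azure AD token.
    public static string MakeDemoToken(string tid, string upn)
    {
        string B64Url(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        var header = B64Url("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        var payload = B64Url(JsonSerializer.Serialize(new
        {
            iss = LoginBase + tid + "/v2.0",
            tid,
            preferred_username = upn,
            aud = "00000000-0000-0000-0000-000000000000" // placeholder client ID
        }));
        return header + "." + payload + ".";
    }

    public static void Main()
    {
        // Constructed tenant IDs: "home" is the account's own tenant, "customer" is a tenant
        // where the same account is a guest (svrooij's scenario above).
        const string home = "11111111-1111-1111-1111-111111111111";
        const string customer = "22222222-2222-2222-2222-222222222222";
        var allowed = new HashSet<string> { customer };

        // Tenant typed by the user before sign-in becomes the authority.
        Console.WriteLine(BuildAuthority("customer.onmicrosoft.com"));

        // Same account, two authorities, two different tid/iss pairs.
        var homeToken = MakeDemoToken(home, "user@domaina.com");
        var guestToken = MakeDemoToken(customer, "user@domaina.com");
        Console.WriteLine(IsTenantAllowed(ReadClaims(homeToken), allowed));
        Console.WriteLine(IsTenantAllowed(ReadClaims(guestToken), allowed));
        Console.WriteLine(IsTenantAllowed(ReadClaims(guestToken), allowed, requestedTenantId: home));
    }
}
```

In the sample run the token issued by the account's home tenant is rejected because that tenant is not on the allow list, the token issued by the customer tenant (where the account is a guest) is accepted, and the same customer token is rejected when the application had asked for the home tenant, since `tid` does not match the requested authority. In a Blazor Server app the allow list would typically come from configuration rather than a literal, and `BuildAuthority` would run on the tenant field of the login page before the interactive sign-in is started.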