Question

TinuTO on Fri, 04 Jul 2014 11:37:00


I have two Azure Active Directories - AAD1 & AAD2 - both under the same account. I have added a web application to AAD2, so that anyone accessing that web application will be redirected to a single sign-on page. A user from AAD2 - aad2user@aad2.onmicrosoft.com - is able to log in to the web application using his credentials. I now want a user from AAD1 to access the same web application. So, I added that user to AAD2 (as a global administrator). The Azure portal Active Directory page now shows me the list of users for AAD2, which includes the latest user (from AAD1) I have added. Despite this, when I try to log in using the credentials of the AAD1 user I encounter an error saying - "The account xxx@aad1 is not configured to sign-in to this company". Do I need to do anything else in order to allow access from one Azure AD to another Azure AD's application?

Replies

Craig McMurtry on Fri, 04 Jul 2014 16:21:57


I'll get this answered for you. 

Craig McMurtry on Fri, 04 Jul 2014 17:07:41


The user's userPrincipalName is directing the security token service to issue a token for that user from the user's "home" directory, and that directory has no service principal configured to issue tokens to the external application. Therefore, you are observing the outcome that you have reported. What are the business requirements that you wish to satisfy? We may be able to figure out how to address the scenario in a different way.

TinuTO on Sat, 05 Jul 2014 08:42:37


Hi Craig,

Thanks for the reply. We are trying to enable users from different Active Directories to be able to access our application via a single sign-on page. This is just a first step, since in subsequent steps we would also like to enable access for users from other Windows Azure Active Directories that do not belong to our account - like an Office 365 user of another organisation. There is also an option to add users with an existing Microsoft account, which we are interested in. I also tried that out, and although a Microsoft account user gets added, he/she faces the same error above during login.

Also, another approach, or rather the only approach that I can think of, is making the web application multi-tenant within our AD - http://msdn.microsoft.com/en-us/library/azure/dn151789.aspx & https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet

Can you also confirm if the above approach would work?

Tinu


TinuTO on Sat, 05 Jul 2014 11:39:30


The above multi-tenant approach seems to have worked. The Web App Multi-tenant OpenID sample in the above link manages to achieve what I wanted. It uses OAuth2 to serve up a request to provision the web application within different tenants, given the client id of the web application and the consent of a user of the target tenant. So to summarize - my web application resides in AAD2. The code in the sample helps me to programmatically provision the web application as an application in the AAD1 tenant. So users in AAD1 can directly access the web application by giving consent to do so. Not only this, but the code also helps me to enable users of any other Windows Azure Active Directory which is not a part of my subscription to log in to the web application. So it all works! Anyways, thanks Craig for the help!
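As an added example that is not part of this thread or of the linked sample: once the application is multi-tenant, the directory signs tokens for any tenant whose user consents, so the application itself must record which tenants have consented and reject tokens from any other tenant. The Python below builds the admin-consent link that onboards a tenant (the endpoint host and parameter names are assumptions modelled on the 2014 sample) and validates the tenant id, tenant-specific issuer and audience of an already signature-verified ID token against that allow-list; the client id, tenant ids and token claims are constructed values.

```python
from urllib.parse import urlencode

# Constructed sample values, not a real app registration or real tenants.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # the web app registered in AAD2
AAD2_TENANT = "aaaaaaaa-0000-0000-0000-000000000002"  # home tenant of the app
AAD1_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"  # tenant whose admin will consent

# Tenants that completed the consent flow. A real app persists this after the
# consent redirect comes back; it starts out containing only the home tenant.
onboarded_tenants = {AAD2_TENANT}

def consent_url(client_id, redirect_uri, state):
    """Sign-up link that sends an administrator of another tenant through
    consent. Host and parameter names are assumptions based on the sample."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,                 # tie the redirect back to this request
        "prompt": "admin_consent",      # provision the app for the whole tenant
    }
    return "https://login.windows.net/common/oauth2/authorize?" + urlencode(params)

def register_tenant(tenant_id):
    """Called after the consent redirect returns successfully for tenant_id."""
    onboarded_tenants.add(tenant_id)

def issuer_for(tenant_id):
    # Tenant-specific issuer string used by the v1 Azure AD endpoints.
    return "https://sts.windows.net/%s/" % tenant_id

def validate_claims(claims, client_id):
    """Check a decoded ID token whose signature was already verified.
    Multi-tenant sign-in through /common uses one signing key set for every
    tenant, so the issuing tenant has to be checked here, per token."""
    tid = claims.get("tid")
    if not tid or tid not in onboarded_tenants:
        return False, "tenant %r has not consented to this application" % tid
    if claims.get("iss") != issuer_for(tid):
        return False, "issuer does not match the tenant id claim"
    if claims.get("aud") != client_id:
        return False, "token was not issued for this application"
    return True, claims.get("upn")

# Constructed claims for a user from AAD1 (the user from the question).
aad1_user = {"iss": issuer_for(AAD1_TENANT), "tid": AAD1_TENANT,
             "aud": CLIENT_ID, "upn": "aad1user@aad1.onmicrosoft.com"}
```

Before AAD1's administrator consents, validate_claims rejects the AAD1 user; after register_tenant(AAD1_TENANT) the same token is accepted, while a token whose iss claim names a different tenant than its tid claim is still rejected.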