
I am writing a script which basically (simply put) lists the logged-on user's Azure subscriptions. I'm starting by authenticating to "https://login.windows.net/common/oauth2/authorize" using adal. From there, I get a list of the tenants this user is a member of by hitting https://management.azure.com/tenants. This works fine. Then I need to log in to each of these tenants to list the subscriptions inside them.

My question: Is there a way using adal to say "I'm already logged in to login.windows.net, please automatically log me in to tenant xyz"? Or do I need to call acquiretoken (with the same creds as the first call to login.windows.net) explicitly for each tenant the user is a member of?

Trondh

1 Answer


That is not really the case. You are not logged in to "login.windows.net", as such an authority does not exist... you are logged in to the home tenant of the account you used to authenticate the first time. Now, such an account might be present as a guest in the other tenants you own... which is why there are ways of getting tokens for those other tenants without having to re-enter credentials. But that does not mean that you are logged in to "login.windows.net"; that's an important misconception that might lead you astray further down your design. That said. Currently the main way of getting a token for a different tenant without prompting again for creds is to call acquiretoken with PromptBehavior.Never - that will pick up your sign-in cookie behind the scenes and sign you in without the need for user interaction. This trick only works while the cookie is still around, which means you have to do it after you perform the first authentication.

vibronet
  • Thanks for the clarification Vittorio. So by setting the authority to login.windows.net I'm telling it to just log in the user to whatever is the "home" tenant? – Trondh Jan 12 '16 at 22:04
  • You mean "login.windows.net/common", right? Then yes. Also note, the current hostname should be login.microsoftonline.com - login.windows.net is the old address. – vibronet Jan 12 '16 at 22:18
  • correct, and noted. I'll update my code. Thanks again! – Trondh Jan 12 '16 at 22:26
  • Glad it helped! If you consider the above answered your query, would you mind marking the post as answered? thanks :) – vibronet Jan 13 '16 at 17:59
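The flow the answer and comments describe, as an added example that is not code from either poster: sign in once against /common on login.microsoftonline.com, list tenants, then take a token per tenant with PromptBehavior.Never and fall back to a prompt only when the sign-in cookie is no longer usable. It assumes ADAL.NET 3.x (Microsoft.IdentityModel.Clients.ActiveDirectory) and Newtonsoft.Json; ClientId and RedirectUri are placeholders for your own app registration, and the ARM api-version value is an assumption.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json.Linq;

class MultiTenantSubscriptions
{
    const string Resource = "https://management.azure.com/";
    const string ClientId = "<your-client-id>";                              // placeholder
    static readonly Uri RedirectUri = new Uri("urn:ietf:wg:oauth:2.0:oob");  // placeholder
    const string ApiVersion = "2015-01-01";                                  // assumed ARM API version
    static readonly HttpClient Http = new HttpClient();

    // GET an ARM collection with a bearer token and return its "value" array.
    static async Task<JArray> GetArm(string token, string path)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, $"{Resource}{path}?api-version={ApiVersion}");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        return (JArray)JObject.Parse(await resp.Content.ReadAsStringAsync())["value"];
    }

    static async Task Main()
    {
        // Step 1: interactive sign-in against /common lands in the account's home tenant.
        var common = new AuthenticationContext("https://login.microsoftonline.com/common");
        var home = await common.AcquireTokenAsync(Resource, ClientId, RedirectUri,
                                                  new PlatformParameters(PromptBehavior.Auto));

        // Step 2: the home-tenant token is enough to enumerate the tenants the user belongs to.
        foreach (var tenant in await GetArm(home.AccessToken, "tenants"))
        {
            string tenantId = (string)tenant["tenantId"];
            var ctx = new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}");
            AuthenticationResult result;
            try
            {   // Step 3: Never reuses the browser sign-in cookie, so no credentials are re-entered.
                result = await ctx.AcquireTokenAsync(Resource, ClientId, RedirectUri,
                                                     new PlatformParameters(PromptBehavior.Never));
            }
            catch (AdalException ex) when (ex.ErrorCode == AdalError.UserInteractionRequired)
            {   // Cookie gone, or consent/MFA demanded by this tenant: prompt for this tenant only.
                result = await ctx.AcquireTokenAsync(Resource, ClientId, RedirectUri,
                                                     new PlatformParameters(PromptBehavior.Always));
            }
            foreach (var sub in await GetArm(result.AccessToken, "subscriptions"))
                Console.WriteLine($"{tenantId}: {sub["subscriptionId"]} ({sub["displayName"]})");
        }
    }
}
```

Each tenant-scoped token is only valid for that tenant's authority, which is why the loop builds a new AuthenticationContext per tenantId instead of reusing the /common one.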