
I've followed this sample (https://github.com/microsoftgraph/aspnetcore-connect-sample) to get my .net core mvc app to connect to graph using azure AD and get the user picture and job detail.

It lets me log in with one tenancy, and gets everything required, but when I try to log in with another tenancy/domain, the AcquireTokenByAuthorizationCode call returns an error. When running in debug, it looks like when I first log in with the first email, it uses the correct OpenIdConnectOption Authority (https://login.microsoftonline.com/common/v2.0). Then when I try logging in with another domain, the authority URL has changed to https://login.microsoftonline.com/{tenantid_of_first_logger}/v2.0, hence returning an error.

The code I followed is the exact same as the code from the sample, just with my own Azure AD and app registration. Basically I'm not able to get the multi-tenancy going. Has anyone tried running this sample as multi-tenancy with success? Is there something I have to do with my app registration in Azure AD (again, I followed the steps in the sample to set that up)?

2 Answers


The OIDC authority of common is correct. Once the user enters their email, the correct tenant is used (home realm discovery). Token acquisition, on the other hand, must always come from a specific tenant, not 'common'.

Your statement about "logging in with another domain" is a bit confusing. Do you mean the token acquisition call? Regardless, the error message is crucial to determining the specific cause.

https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes

Paul Schaeflein
  • The error I get when I sign in with a user from a different tenancy is: AADSTS700005: Provided Authorization Code is intended to use against other tenant, thus rejected. It looks like the Authority URL has the tenant ID of the first tenant logged in, so when the second user from the different tenancy logs in, it uses that tenant ID in the Authority URL and hence the error message, I guess? – Nicolas Sep 14 '19 at 00:02
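As an added illustration of the point made in this answer (this is example code written for this page, not code from the question, the answer or the Microsoft sample): the OpenID Connect middleware keeps the `common` authority so that home-realm discovery works for any tenant, while the MSAL confidential client that redeems the authorization code is built per sign-in with its authority taken from the `tid` claim of the id_token that was just validated. Nothing shared between requests carries a tenant id, so a second tenant's code is never redeemed against the first tenant's authority (the situation the AADSTS700005 message in the comment describes). The `AzureAdOptions` class, the `User.Read` scope and the property names are assumptions made for the example.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Client;

// Assumed configuration holder for the example; the real app may bind these
// values from appsettings.json under any section name.
public class AzureAdOptions
{
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
    public string BaseUrl { get; set; }      // e.g. https://localhost:44334 (assumed)
    public string CallbackPath { get; set; } // e.g. /signin-oidc (assumed)
}

public static class MultiTenantAuth
{
    // The token's "tid" claim is normally surfaced by the OIDC handler under this
    // claim type; the raw name is checked as well in case claim mapping is disabled.
    private const string TenantIdClaimUri = "http://schemas.microsoft.com/identity/claims/tenantid";

    public static void Configure(OpenIdConnectOptions oidc, AzureAdOptions azureAd)
    {
        // Sign-in stays on /common so users from any tenant can authenticate.
        oidc.Authority = "https://login.microsoftonline.com/common/v2.0";
        oidc.ClientId = azureAd.ClientId;
        oidc.ResponseType = "code id_token"; // hybrid flow: id_token is validated before the code event fires

        oidc.Events = new OpenIdConnectEvents
        {
            OnAuthorizationCodeReceived = async context =>
            {
                // Redeem the code against the tenant that issued it, never /common
                // and never a tenant remembered from an earlier sign-in.
                string tenantId = context.Principal?.FindFirstValue(TenantIdClaimUri)
                                  ?? context.Principal?.FindFirstValue("tid");
                if (string.IsNullOrEmpty(tenantId))
                {
                    context.Fail("No tenant id claim in the id_token; refusing to redeem the code.");
                    return;
                }

                // A fresh client per sign-in: no singleton whose authority could have
                // been set by the first tenant that logged in.
                IConfidentialClientApplication app = BuildClient(azureAd, tenantId);

                string[] scopes = { "User.Read" }; // assumed Graph scope for the example
                AuthenticationResult result = await app
                    .AcquireTokenByAuthorizationCode(scopes, context.ProtocolMessage.Code)
                    .ExecuteAsync();

                // Tell the handler the code has already been redeemed.
                context.HandleCodeRedemption(result.AccessToken, result.IdToken);
            }
        };
    }

    // Builds an MSAL client whose authority is pinned to one tenant.
    public static IConfidentialClientApplication BuildClient(AzureAdOptions azureAd, string tenantId)
    {
        return ConfidentialClientApplicationBuilder
            .Create(azureAd.ClientId)
            .WithClientSecret(azureAd.ClientSecret)
            .WithRedirectUri(azureAd.BaseUrl + azureAd.CallbackPath)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId) // tenant-specific, not /common
            .Build();
    }
}
```

Because the client is rebuilt for every sign-in, the tokens it acquires are not cached anywhere by this example; a real application would attach a token cache keyed per user (and therefore per tenant) to the built client before calling Graph again, which is a separate concern from the authority mix-up discussed here. The app registration itself must also allow accounts from any organizational directory for a second tenant's users to reach the code-redemption step at all.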

Use this sample to learn about multi-tenant scenarios in Azure AD

For a deeper dive, go through the multi-tenant sample.

Kalyan Krishna