Tags: azure, azure-active-directory, microsoft-identity-platform

Get some tenant identifier when signing in external account (Microsoft account)


I'm building a SaaS web-based application that needs to be able to accept users from multiple Azure ADs and their external users (usually Microsoft accounts). I created an example and tried to see what I can get from the access token.

The sample consists of one client application (.js) that uses the MSAL library to handle authentication and two APIs that have protected endpoints. I also created three separate Azure AD applications: AlanClient, AlanAPI1 and AlanAPI2. Both AlanAPI1 and AlanAPI2 have an API exposed (the "Expose an API" section of the application in the Azure Portal) and have one consumer specified, AlanClient. AlanClient has permission to both APIs. All applications are registered with "accessTokenAcceptedVersion": 2 and "signInAudience": "AzureADandPersonalMicrosoftAccount".

I have multiple cases that I want to cover, and as far as I have tested, when I sign in with an Outlook account that is defined as an external user in Azure AD (both the Azure AD where the application is originally registered and an Azure AD that is another "tenant"), I don't get any info (in the token) about the tenant this account is registered in.

Let me explain. I was hoping for something like this:

"tid": "value of Azure AD tenant where this account is registered as external user" - If this account is registered as an external user in multiple tenants that use this app, I would expect an array of tenants or something like this.

Instead I get

"tid": "9188040d-6c67-4c5b-b112-36a304b66dad", which is the value of the "Microsoft personal account tenant" as far as I know.

EDIT:

Thanks to juunas' answer, in my client application I changed the MSAL config authority from authority: 'https://login.microsoftonline.com/common' to authority: 'https://login.microsoftonline.com/organizations' and also updated the manifest value signInAudience to AzureADMultipleOrgs. Now I have a situation where I have an Azure AD called "A" and in this Azure AD I have registered my applications. Tenant A has an external user called [email protected] and this works fine. I can log in with this account and I get a tid parameter indicating the value of tenant A. When I try to do this with tenant B, which has [email protected] as an external user, this fails with the message

AADSTS50020: User account 'lovro.p365@...' from identity provider 'live.com' does not exist in tenant 'A' and cannot access the application AlanClient in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure AD user account.

Just to clarify, I successfully signed in with the tenant administrator of tenant B, and tenant B has these applications in its Enterprise applications list.

GitHub example project: https://github.com/alan994/AzureADTest

There is another question about this, but the conclusion there is that this is not supported with anything except the common endpoint (v2.0).


Solution

If you want to utilise the Microsoft accounts that exist in AAD tenants, you have to use the organizations endpoint instead of the common endpoint.

Your app also should not allow personal accounts. So the signInAudience should be the multipleorgs one.

By allowing personal accounts, you are allowing their direct use, with that tenant id that is common for all of them.
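The following is an added example (not from the question, the answer or the linked GitHub project) showing the two halves of this advice together: the client-side MSAL.js configuration pointed at the organizations authority, and a server-side claim check that rejects tokens whose tid is the shared personal-account tenant from the question and only accepts tenants the SaaS application has onboarded. The client id, tenant "A" id and sample tokens are constructed placeholders, and the JWT decoding here does not verify signatures; the API must still validate the token before trusting any claim.

```javascript
// Shared tenant id carried in "tid" by every personal Microsoft account when the
// app is signed in through the common endpoint (value quoted in the question).
const MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";

// Client-side configuration in the shape of msal.js's PublicClientApplication config.
// "organizations" instead of "common": only directory (AAD) accounts and guests in
// those directories can sign in, so "tid" names a real tenant, never the MSA one.
const msalConfig = {
  auth: {
    clientId: "00000000-0000-0000-0000-000000000000", // placeholder for AlanClient's app id
    authority: "https://login.microsoftonline.com/organizations",
  },
};

// Decode a base64url segment (padding-free, URL-safe alphabet) of a JWT.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// Extract the JWT payload WITHOUT verifying the signature: claims only.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact token");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Server-side check: accept only tokens whose tid is an onboarded directory tenant.
function classifyTenant(token, allowedTenants) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.tid !== "string") return { ok: false, reason: "missing tid" };
  if (claims.tid === MSA_TENANT_ID) {
    return { ok: false, reason: "personal Microsoft account, no directory tenant" };
  }
  if (!allowedTenants.has(claims.tid)) {
    return { ok: false, reason: `tenant ${claims.tid} not onboarded` };
  }
  return { ok: true, tid: claims.tid };
}

// Constructed unsigned sample tokens (dummy header and signature) for demonstration.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

const TENANT_A = "aaaaaaaa-1111-2222-3333-444444444444"; // constructed id for tenant "A"
const allowedTenants = new Set([TENANT_A]);
const msaToken = makeSampleToken({ tid: MSA_TENANT_ID, idp: "live.com" });   // via common
const guestToken = makeSampleToken({ tid: TENANT_A, idp: "live.com" });      // via organizations
```

With the common authority the first token is what the question observed; with the organizations authority a guest in tenant A produces the second, which the check accepts and maps to that tenant.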