We use Active Directory B2C to allow our client users to login to our web app.
Recently we've had users at 2 different client orgs who have been unable to login. They were able to demonstrate the following.
- They click the login button on our website @ https://www.mycompany.com
- They get redirected to our IdentityServer @ https://id.mycompany.com
- They get further redirected to https://login.microsoft.com
What should happen:
- The user should now go through a normal login flow
- supplying their username ([email protected]) which was previously set up in our ADB2C
- supplying their password which they set up during the invite process
- get redirected back to our identity server
- get redirected back to our web application
What's actually happening:
- The user enters their email address ([email protected])
- Microsoft immediately steps in with the following message:
"It looks like you're trying to access a resource that belongs to an organization that's not approved by your IT department."
What I think is happening is that because Client.com are using Microsoft Azure Active Directory/Office 365 themselves, their administrative team have set something up that tells Login.Microsoft:
"We own the domain 'client.com' and if anyone ever tries to use an [email protected] mail address as the identity of a login attempt to some other tenancy, you should block them"
Is this a "feature" of AD? Clearly, this is something we need to take up with the IT department of the client company, but I'd prefer to go into that conversation armed with better information about what feature we're asking them to whitelist us in.
Yup, that's something that the client company can configure to restrict their users from accessing SaaS apps, it's called "Tenant Restrictions".
Basically, the tenant's admin can choose which tenants their users can log in to with their Azure AD accounts.
Have fun reading: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
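To make the mechanism behind the answer concrete, here is an added Python model of how Tenant Restrictions is enforced. It is not Microsoft's code and not from the question or answer: the client org's outbound proxy injects two headers, Restrict-Access-To-Tenants (the comma-separated list of tenants its users may sign in to, as domain names or directory IDs) and Restrict-Access-Context (the restricting org's directory ID), on traffic to the Microsoft login endpoints, and the login service blocks a sign-in whose target tenant is not on that list. The policy object, the request/response types, the sample tenants (contoso.com, mycompanyb2c.onmicrosoft.com) and the directory ID value are constructed for the example; which tenant identifier the client admin must add is assumed here to be the app owner's tenant and should be confirmed against the linked docs.

```python
"""Model of the Tenant Restrictions header mechanism (added illustration,
not Microsoft's implementation).

Documented header names used below: Restrict-Access-To-Tenants and
Restrict-Access-Context. Everything else (policy shape, request type,
sample tenant names, the directory ID) is a constructed assumption.
"""
from dataclasses import dataclass, field

# Login endpoints on which the client org's proxy injects the headers
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}


@dataclass
class Request:
    """A minimal outbound HTTP request as seen by the proxy (constructed)."""
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class TenantRestrictionsPolicy:
    """What the client org's admin configures on their proxy (constructed shape)."""
    context_directory_id: str   # directory (tenant) ID of the restricting org
    allowed_tenants: list       # tenants users may sign in to: domains or directory IDs


def proxy_outbound(req: Request, policy: TenantRestrictionsPolicy) -> Request:
    """Client-side proxy behaviour: inject the two headers only on requests
    to the Microsoft login endpoints; any other host passes through untouched."""
    if req.host.lower() in LOGIN_HOSTS:
        req.headers["Restrict-Access-To-Tenants"] = ",".join(policy.allowed_tenants)
        req.headers["Restrict-Access-Context"] = policy.context_directory_id
    return req


def login_service_decision(req: Request, target_tenant: str) -> str:
    """Login-service side: without the header any tenant may be signed in to;
    with it, the tenant the sign-in targets must appear on the permitted list.
    Returns "allow" or "blocked"."""
    allowed = req.headers.get("Restrict-Access-To-Tenants")
    if allowed is None:
        return "allow"
    permitted = {t.strip().lower() for t in allowed.split(",") if t.strip()}
    return "allow" if target_tenant.lower() in permitted else "blocked"


if __name__ == "__main__":
    # Constructed sample: client.com's proxy only permits its own tenant
    policy = TenantRestrictionsPolicy(
        context_directory_id="00000000-0000-0000-0000-000000000001",  # fake ID
        allowed_tenants=["contoso.com"],
    )
    req = proxy_outbound(Request("login.microsoft.com", "/common/oauth2/v2.0/authorize"), policy)
    # The app owner's tenant is not on the list, so the user is blocked
    print("before whitelisting:", login_service_decision(req, "mycompanyb2c.onmicrosoft.com"))
    # After the client admin adds the app owner's tenant, the sign-in proceeds
    policy.allowed_tenants.append("mycompanyb2c.onmicrosoft.com")
    req = proxy_outbound(Request("login.microsoft.com", "/common/oauth2/v2.0/authorize"), policy)
    print("after whitelisting: ", login_service_decision(req, "mycompanyb2c.onmicrosoft.com"))
```

Two practical points the model makes visible: the block is produced by the client's own proxy, so nothing on the app owner's side can override it, and the only fix is for the client admin to add the app owner's tenant to the Restrict-Access-To-Tenants list; and a request that never passes through that proxy (for example from a device off the corporate network) carries no header and is not restricted, which is why the same user may succeed from home.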