I am building a multi-tenant Windows Phone 8 app using multiple tenants in Windows Azure AD. The app basically authorizes the user and then accesses the Graph API to read certain information in the AD for that particular user. As a starting point I followed the guidance here: Using Windows Azure AD for native clients, to use OAuth 2.0 to authenticate and then get a token from the Windows Azure endpoints. I use the following for the authorize endpoint:
and this for the token endpoint:
For my testing I am using two different Azure AD tenants with two different domains, tenant1.onmicrosoft.com and tenant2.onmicrosoft.com. The application is set up in tenant1's AD as a "native client application". When I log in as a tenant1 admin user, I am able to get a token and access the Graph API information I need. I can also log in as a non-admin user from the tenant1 AD and get access to the Graph API. Things are not working as expected for tenant2. When I log in as the tenant2 admin, I get the expected consent page telling me that the app will access tenant2's AD (whatever permissions were set when the app was set up in tenant1's AD). When a user from tenant2 tries to log in I get the following error, which I believe is coming from the token endpoint:
Why is this so? I would think that once the tenant2 admin consented (assuming here that the consent is on behalf of all the users in the AD) to access to its AD, any user from this tenant is also allowed to authorize and have the app successfully access the Graph API? Any help or guidance is really appreciated! Thanks,
mujno
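The post does not show its authorize/token endpoint URLs or the error text, so the example below is an added illustration of the flow it describes, not code from the question or from Microsoft's guidance. It builds the two requests of the OAuth 2.0 authorization-code flow against the Azure AD (v1) endpoints, reads the `tid` claim from a returned id_token, and encodes the one rule a multi-tenant client must follow: the tenant segment of the endpoint URL has to be `common` (Azure AD then routes to the signing-in user's home tenant) or the user's own tenant, never the registering tenant's name hard-wired for everyone. The authority host, client id, redirect URI and the id_token are placeholders or constructed values, not taken from the post.

```python
"""Azure AD (v1) OAuth 2.0 authorization-code flow for a multi-tenant
native client. Added example: builds the requests, does not send them."""
import base64
import json
from urllib.parse import urlencode

# --- Assumptions / placeholders (none of these values come from the post) ---
AUTHORITY_HOST = "https://login.windows.net"          # v1 authority host
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder app id
REDIRECT_URI = "http://localhost/wp8callback"        # placeholder redirect
GRAPH_RESOURCE = "https://graph.windows.net"         # Azure AD Graph resource


def authorize_url(tenant, state):
    """Step 1: the URL the browser control is sent to.
    `tenant` is the segment after the host: 'common', a tenant GUID,
    or a verified domain such as tenant1.onmicrosoft.com."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "resource": GRAPH_RESOURCE,   # v1 endpoints scope tokens by resource
        "state": state,               # anti-CSRF value, checked on return
    }
    return "%s/%s/oauth2/authorize?%s" % (AUTHORITY_HOST, tenant, urlencode(params))


def token_request(tenant, code):
    """Step 2: endpoint URL and form body to POST after the code comes back."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "resource": GRAPH_RESOURCE,
    }
    return "%s/%s/oauth2/token" % (AUTHORITY_HOST, tenant), body


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(tid, upn="user@example.onmicrosoft.com"):
    """Constructed sample id_token (alg 'none', empty signature) used only so
    the example runs offline. Real tokens are RS256-signed by Azure AD."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps({"tid": tid, "upn": upn}).encode())
    return "%s.%s." % (header, payload)


def tenant_from_id_token(id_token):
    """Return the 'tid' (home tenant id) claim from an id_token.
    CAVEAT: this only decodes the payload. A real client must verify the
    signature against the issuer's published signing keys before trusting
    any claim, otherwise a forged token could claim any tenant."""
    _header, payload, _sig = id_token.split(".")
    return json.loads(_b64url_decode(payload))["tid"]


def endpoint_accepts_tenant(endpoint_tenant, user_home_tenant_ids):
    """True when a user whose home tenant is identified by any of
    `user_home_tenant_ids` (GUID and/or domain) can sign in at an endpoint
    whose tenant segment is `endpoint_tenant`. A URL fixed to tenant1 only
    serves tenant1 users; 'common' serves every consented tenant."""
    return endpoint_tenant == "common" or endpoint_tenant in user_home_tenant_ids


if __name__ == "__main__":
    print(authorize_url("common", "state-123"))
    url, body = token_request("common", "auth-code-from-redirect")
    print(url, body)
    tok = make_unsigned_id_token("22222222-2222-2222-2222-222222222222")
    print("user's home tenant:", tenant_from_id_token(tok))
    t2 = {"22222222-2222-2222-2222-222222222222", "tenant2.onmicrosoft.com"}
    print("tenant1 endpoint serves tenant2 user?",
          endpoint_accepts_tenant("tenant1.onmicrosoft.com", t2))
    print("common endpoint serves tenant2 user?",
          endpoint_accepts_tenant("common", t2))
```

Once the token response is back, the `tid` in the id_token tells the client which tenant's directory the access token is scoped to, which is the value to use when building Graph API URLs rather than the tenant the app was registered in.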