How to authenticate users in Azure Active Directory with dynamic tenants inside single instance of .NET Core web application?

I've created a .NET Core 2.1 web application. Afterwards, this app was integrated with Azure Active Directory (Microsoft.AspNetCore.Authentication.AzureAD). There are a couple of tenants inside my Active Directory, and in order to authenticate the user there is a need to provide the AD tenant ID and the AD application client ID.

Is there any way to use all tenants for authentication inside my Active Directory?

using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
     // Generated code

     public IConfiguration Configuration { get; }

     public Startup(IConfiguration configuration) => Configuration = configuration;

     public void ConfigureServices(IServiceCollection services)
     {
          // Registers the Azure AD (OpenID Connect) handler, configured from the "AzureAd" section of appsettings.json
          services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
                  .AddAzureAD(options => Configuration.Bind("AzureAd", options));

          // Further tune the OpenID Connect options that AddAzureAD registered
          services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
          {
               // OnTicketReceived, OnAuthenticationFailed, OnTokenValidated
          });
     }

     // Generated code
}

This is my appsettings.json file:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com",
    "Domain": "some-domain.com",
    "TenantId": "1a10b000-*******",
    "ClientId": "15a0421d-*******",
    "CallbackPath": "/signin-oidc"
  }
}
Nick Shabarovski asked Nov 07 '22 18:11


1 Answer

For a multi-tenant application, the app does not know which tenant the user is from, so we cannot send requests to a tenant's endpoint. To get the token from AD, all the requests will go to the /common endpoint (https://login.microsoftonline.com/common).

When Azure AD receives a request on the /common endpoint, it signs the user in and discovers which tenant the user is from. The /common endpoint doesn't correspond to a tenant and is not an issuer; when we examine the issuer value in the metadata for /common, it has a templated URL instead of an actual value: Issuer: https://sts.windows.net/tenantid/

So a multi-tenant application can't validate tokens just by matching the issuer value in the metadata with the issuer value in the token. A multi-tenant application needs logic to decide which issuer values are valid and which are not, based on the tenant ID portion of the issuer value.

For example, if a multi-tenant application only allows sign-in from specific tenants who have signed up for their service, then it must check either the issuer value or the tenantid claim value in the token to make sure that tenant is in their list of subscribers.

Please check the documentation below for more information about authenticating users in multi-tenant apps: Convert app to be multi-tenant and Github sample to authenticate user in multi-tenant

I hope this helps.

MohitDhingra-MSFT answered Nov 14 '22 06:11
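The tenant gate the answer describes, as an added example for the question's ASP.NET Core 2.1 setup (not the answer's code and not the Microsoft sample): the OpenID Connect handler is pointed at /common, and a token is accepted only if the tenant ID in its issuer and its tid claim are both in an allow list. The AllowedTenants values and the MultiTenantIssuerValidation class name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class MultiTenantIssuerValidation
{
    // Placeholder allow list of subscriber tenant IDs; a real app loads this from its own store.
    private static readonly HashSet<string> AllowedTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "00000000-0000-0000-0000-000000000001" };

    // Pulls the tenant ID out of either issuer form Azure AD emits:
    //   v1: https://sts.windows.net/{tenantid}/   v2: https://login.microsoftonline.com/{tenantid}/v2.0
    public static string TenantIdFromIssuer(string issuer)
    {
        if (!Uri.TryCreate(issuer, UriKind.Absolute, out var uri)) return null;
        var first = uri.Segments.Select(s => s.Trim('/')).FirstOrDefault(s => s.Length > 0);
        return first != null && Guid.TryParse(first, out var tid) ? tid.ToString() : null;
    }

    // Replaces the default issuer-equals-metadata check, which cannot work against /common
    public static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        var tenantId = TenantIdFromIssuer(issuer);
        if (tenantId == null || !AllowedTenants.Contains(tenantId))
            throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not an allowed tenant.") { InvalidIssuer = issuer };
        return issuer; // returning the issuer tells the token handler validation succeeded
    }

    public static void Configure(IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            options.Authority = "https://login.microsoftonline.com/common"; // tenant discovered at sign-in
            options.TokenValidationParameters.IssuerValidator = ValidateIssuer;
            options.Events = new OpenIdConnectEvents
            {
                // Second gate on the tid claim, so the decision does not rest on the issuer string alone
                OnTokenValidated = ctx =>
                {
                    var tid = ctx.Principal.FindFirst("tid")?.Value;
                    if (tid == null || !AllowedTenants.Contains(tid)) ctx.Fail($"Tenant '{tid}' is not a subscriber.");
                    return Task.CompletedTask;
                }
            };
        });
    }
}
```

Call MultiTenantIssuerValidation.Configure(services) from ConfigureServices after AddAzureAD; a rejected tenant surfaces as an authentication failure rather than a signed-in user.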