
Guest users in Azure API Management

At my current client we added guest users to Azure Active Directory. As a specific example, we added my motion10.com account as a guest user to the Cito Azure Active Directory. Next we added an application for the API Management Developer Portal to the Cito Azure Active Directory. Then, as a final step, I added an identity for Azure Active Directory under Azure API Management, via the Identities option.

Note that we entered the tenantId of the Cito Azure Active Directory in both the sign-in tenant and the allowed tenants. It makes sense to add the tenants of the guest accounts to Allowed Tenants as well, but that didn’t work either.

All fine, so now I wanted to subscribe myself as a guest user to API Management via the Developer Portal. Unfortunately I ran into an error:

When I googled the issue, this was the only tip I found. It says that the administrator of the Motion10 Azure Active Directory must take action, but that didn’t work. Before any user can sign in from a different domain than the original domain where the application was registered, a global administrator of the different domain must grant permission for the application to access directory data. To grant permission, the global administrator should:

– Go to https://connect-test.portal.azure-api.net/aadadminconsent.
– Type in the domain name of the Azure AD tenant that they want to give access to, i.e. motion10.com.
– Select Submit.

Then I got a valuable tip from another colleague. He asked me to open an incognito window, click [sign in] and scroll down to the Azure Active Directory link. Now you will see the following address in the browser:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=4564d256-…

You will have to replace common with cito.nl (the Azure Active Directory domain of Cito). The tenant segment of the authorize URL tells Azure AD which tenant’s sign-in policy to use: common lets the user pick a home tenant, while a specific tenant forces the login through that tenant, here the Cito Azure AD tenant where the guest account lives. Address: https://login.microsoftonline.com/cito.nl/oauth2/authorize?client_id=4564d256-…
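The manual find-and-replace above is easy to get wrong (the tenant must land exactly in the first path segment and the client_id and other query parameters must survive untouched). The following helper, added here as an example and not part of the original post, rewrites the tenant segment of an Azure AD authorize URL and refuses URLs that do not point at login.microsoftonline.com. The client_id GUID in the sample URL is a constructed placeholder, not the real application id from the post.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

LOGIN_HOST = "login.microsoftonline.com"

# Constructed sample: the client_id below is a placeholder, not the real app id.
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    f"?client_id={SAMPLE_CLIENT_ID}&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fsignin-aad"
)


def _path_segments(url: str):
    """Split the path of an authorize URL; the tenant is the first segment."""
    parts = urlsplit(url)
    return parts, parts.path.split("/")  # "/common/oauth2/authorize" -> ["", "common", "oauth2", "authorize"]


def is_login_authorize_url(url: str) -> bool:
    """True only for https URLs on login.microsoftonline.com whose path is
    /<tenant>/oauth2/... (both the v1 and the v2.0 authorize endpoints)."""
    parts, segments = _path_segments(url)
    return (
        parts.scheme == "https"
        and parts.netloc.lower() == LOGIN_HOST
        and len(segments) >= 4
        and segments[1] != ""
        and segments[2] == "oauth2"
    )


def tenant_of(url: str) -> str:
    """Return the tenant segment ('common', a domain, or a tenant GUID)."""
    if not is_login_authorize_url(url):
        raise ValueError("not an Azure AD authorize URL: %r" % url)
    return _path_segments(url)[1][1]


def pin_tenant(url: str, tenant: str) -> str:
    """Rewrite the tenant segment so the user is forced to sign in through
    that tenant. Everything else (query string, fragment) is preserved."""
    if not tenant or "/" in tenant:
        raise ValueError("tenant must be a single domain or tenant id")
    if not is_login_authorize_url(url):
        raise ValueError("not an Azure AD authorize URL: %r" % url)
    parts, segments = _path_segments(url)
    segments[1] = tenant
    return urlunsplit(parts._replace(path="/".join(segments)))


def query_params(url: str) -> dict:
    """Query parameters as a dict, used to check nothing was lost."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Assumed tenant domain taken from the post; swap in your own.
    print(pin_tenant(SAMPLE_URL, "cito.nl"))
```

Paste the printed URL into the incognito window in place of the original one; the client_id and redirect_uri are carried over unchanged, so the Developer Portal still receives the authorization code it expects.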

The user will now be signed in and can subscribe to whatever product he likes.

Gotcha: the next time the user logs in, he will have to change common to cito.nl again. Not nice ;-( I’m still looking for the definite answer, but I am one step further.