Issues with cross tenant authentication using fabric token

[tjroberts]

This is related to the discussion we were having at #42

We are hitting this issue when trying to generate an OBO token using the user token from Fabric. We are trying to get a token that allows our application to access resources like Lakehouses etc. in the user's tenant.

The error is:
{"error":"invalid_grant","error_description":"AADSTS90072: User account '{EUII Hidden}' from identity provider 'https://sts.windows.net/xxx-xxx-xxxx/' does not exist in tenant 'Tenant Name' and cannot access the application 'xxx-xxx-xxxx'(Application Name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account Trace ID: 156ccbd9-066a-4dd0-ac80-3325ceab1200 Correlation ID: a9bdb3f4-2053-4759-a789-7d9f69a224eb Timestamp: 2024-09-06 16:05:31Z","error_codes":[90072],"timestamp":"2024-09-06 16:05:31Z","trace_id":"156ccbd9-066a-4dd0-ac80-3325ceab1200","correlation_id":"a9bdb3f4-2053-4759-a789-7d9f69a224eb","error_uri":"https://login.microsoftonline.com/error?code=90072","claims":"{\"access_token\":{\"token\":{\"essential\":true,\"values\":[\"xxx-xxx-xxxx\"]}}}"}

We are using the following strategy to get the authorization to access the user's resources:

scopes = ["https://analysis.windows.net/powerbi/api/.default"]
app = ConfidentialClientApplication(
    client_id=<our_client_id>,
    authority=f"https://login.microsoftonline.com/{our_tenant_id}",
    client_credential=<our_client_secret>,
)
downstream_api_access_token = app.acquire_token_on_behalf_of(
    user_assertion=<user_token_from_fabric>, scopes=scopes
)
token = downstream_api_access_token["access_token"]

This was working previously but we are getting the error above when the user is tied to another tenant.

Is there anything we need to do in the users tenant to give our application permissions? Is there a way that allows the user to dynamically grant permissions to our application dynamically? Thanks!

[ramizsha]

Hi @tjroberts,
This is happening because the authority you provided includes a specific tenant Id - This authority indicates a single-tenant application whose sign-in audience is restricted to the users in the specified Microsoft Entra tenant.
Please use /organizations instead (see AddMsalConfidentialClientApplication in Backend/src/Program.cs).

[tjroberts]

Thanks @ramizsha that resolved my issue.

[ramizsha]

@tjroberts a correction - it's best if you configure your authority with /tenantId but with tenantId thats included in the token ("tid") and not your tenant.
This will allow you to support B2B scenarios.

[q-benwillis]

@ramizsha Just to clarify is it better to create a new confidential client per tenant id? In the example it's still using a single client with /organizations: https://github.com/microsoft/Microsoft-Fabric-workload-development-sample/blob/main/Backend/src/Program.cs#L100

[ramizsha]

@q-benwillis right - right now this code does not fully support B2B scenarios (auth for guests in tenant).
You can either configure the client application per tenant Id or you can specify the tenant id in the call itself (for example in c# you can use WithTenantId - something like
await confidentialClientApplicationBuilder.AcquireTokenOnBehalfOf(new List<string> { scope }, assertion).WithTenantId("The tenant id in the token").ExecuteAsync();
We will fix this by specifying the tenant Id dynamically when exchanging the token.