
Troubleshooting Configuration Issues When Azure AD Guest Users Cannot Access an Application

Azure AD Guest User Login Issues with Single-Tenant App (ADAL.js + Passport Bearer)

Great question. Your core intuition here is correct: since those guest users already exist as external identities in your AD tenant, they should be able to sign in just like internal users through your tenant's authentication flow. The problems you're seeing are almost certainly caused by configuration or code that is inadvertently sending guest users to authenticate against their own home tenants instead of yours.

Let's break down what's happening and how to fix it:

Why You're Seeing These Errors

  1. Guest users stuck on account selection: This usually happens when your ADAL.js setup isn't pinning authentication to your specific tenant, so guests are presented with an option to pick their home tenant (which won't work for your single-tenant app).
  2. "App not found in subscription" error: This confirms that some users are being redirected to authenticate against their own tenant, where your app isn't registered, hence the missing-app error.

Step-by-Step Fixes

1. Lock Down ADAL.js to Your Tenant

Ensure your ADAL.js initialization uses your specific tenant ID (not common, organizations, or other wildcard values). This forces all authentication requests to route through your tenant, even for guest users:

// ADAL.js: the tenant value is embedded in the authority URL, so every
// authorize request goes to https://login.microsoftonline.com/<tenant>/
const authContext = new AuthenticationContext({
    tenant: "your-tenant-uuid-here", // Replace with your actual tenant ID
    clientId: "your-app-client-id",
    redirectUri: `${window.location.origin}/auth/callback`,
    // Other config options...
});

If you were using common before, that allowed users to choose any tenant, and guests may have been picking their home tenant by mistake.

2. Verify App Manifest's Sign-In Audience

Double-check your app's manifest in Azure AD to confirm it's set to single-tenant mode:

  • Look for the signInAudience field, which should be set to AzureADMyOrg (not AzureADMultipleOrgs or AzureADandPersonalMicrosoftAccount).
  • This setting explicitly restricts login to users in your tenant (including guest users).

3. Validate Token Issuer in Passport Bearer

Your backend needs to ensure it only accepts tokens issued by your tenant. Add a check for the iss (issuer) claim in the bearer token:

const passport = require("passport");
// Assumes passport-azure-ad's BearerStrategy: it fetches your tenant's signing
// keys from identityMetadata and verifies the signature and issuer BEFORE the
// verify callback runs, so `token` below is the validated claims object, not
// the raw JWT (jwt.decode() alone would not check the signature at all).
const { BearerStrategy } = require("passport-azure-ad");

passport.use(new BearerStrategy({
    identityMetadata: "https://login.microsoftonline.com/your-tenant-uuid-here/.well-known/openid-configuration",
    clientID: "your-app-client-id",
    validateIssuer: true,
    // Your tenant's issuer URL (v1 token format: https://sts.windows.net/your-tenant-id/)
    issuer: "https://sts.windows.net/your-tenant-uuid-here/",
    passReqToCallback: true
}, (req, token, done) => {
    const validIssuer = "https://sts.windows.net/your-tenant-uuid-here/";

    // Belt-and-braces: reject anything not issued by our tenant
    if (token.iss !== validIssuer) {
        return done(null, false, { message: "Invalid token issuer" });
    }
    // Proceed with user lookup/validation...
    return done(null, { oid: token.oid, upn: token.upn || token.preferred_username });
}));

This rejects tokens issued by other tenants that might slip through due to misconfiguration. The issuer check is only meaningful after the token's signature has been verified against your tenant's signing keys, which passport-azure-ad does when identityMetadata points at your tenant's metadata endpoint.

4. Confirm Guest User Status

Even if guests are in your tenant, make sure their accounts are active:

  • Check that their UserType is set to Guest in Azure AD Users.
  • Verify they've accepted your tenant invitation (unaccepted invites can cause authentication failures).

5. Force Tenant Context for Guests

To eliminate confusion during login, add a domain_hint parameter to your ADAL.js login request. This directs Azure AD to use your tenant's context immediately:

// ADAL.js reads extraQueryParameter from its config and appends it to the
// authorize request; login() starts the redirect flow (loginRedirect() is MSAL.js).
authContext.config.extraQueryParameter = "domain_hint=your-tenant-domain.com"; // e.g., contoso.com
authContext.login();

This skips the account selection prompt for guests and forces them to authenticate using their guest identity in your tenant.
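The checks from steps 1, 2, 3 and 5 pulled together in one runnable module, as an added example that is not part of the original answer: a config builder that refuses wildcard tenant values and attaches the domain_hint, a manifest check for signInAudience, and a claims check (on already signature-verified claims) that accepts both the v1 sts.windows.net and the v2 login.microsoftonline.com/.../v2.0 issuer forms Azure AD uses for one tenant. The tenant ID, domain, client ID and sample claims are constructed placeholders.

```javascript
// Added example, not code from the original answer. Tenant id, domain,
// client id and the claim sets below are constructed placeholders.
const TENANT_ID = "11111111-2222-3333-4444-555555555555";
const TENANT_DOMAIN = "contoso.example";
const CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";

// Authority values that let the user pick a home tenant; a single-tenant
// app must never use them (step 1).
const WILDCARD_TENANTS = new Set(["common", "organizations", "consumers"]);

// Build the ADAL.js config for a single-tenant app. Throws on a wildcard
// tenant so the misconfiguration fails at startup, not at the account picker.
function buildAdalConfig({ tenant, clientId, origin, domainHint }) {
  if (!tenant || WILDCARD_TENANTS.has(tenant.toLowerCase())) {
    throw new Error(`single-tenant app requires a tenant id, got "${tenant}"`);
  }
  const config = {
    tenant,
    clientId,
    redirectUri: `${origin}/auth/callback`,
    cacheLocation: "localStorage",
  };
  if (domainHint) {
    // ADAL.js appends extraQueryParameter to the authorize request (step 5).
    config.extraQueryParameter = `domain_hint=${encodeURIComponent(domainHint)}`;
  }
  return config;
}

// Step 2: the app manifest must declare a single-tenant sign-in audience.
function isSingleTenantManifest(manifest) {
  return manifest.signInAudience === "AzureADMyOrg";
}

// Issuers Azure AD uses for this tenant: v1 tokens carry the sts.windows.net
// form, v2 tokens the login.microsoftonline.com/<tid>/v2.0 form.
function expectedIssuers(tenantId) {
  return new Set([
    `https://sts.windows.net/${tenantId}/`,
    `https://login.microsoftonline.com/${tenantId}/v2.0`,
  ]);
}

// Step 3, on claims whose signature has ALREADY been verified (e.g. the
// `token` object passport-azure-ad hands to the verify callback). Returns a
// reason string on rejection, or null when the token is bound to our tenant
// and our app. `aud` is compared to the client id only; an App ID URI
// audience is not accepted by this example.
function rejectReason(claims, { tenantId, clientId }) {
  if (!expectedIssuers(tenantId).has(claims.iss)) return "issuer not our tenant";
  if (claims.tid !== tenantId) return "tid not our tenant";
  if (claims.aud !== clientId) return "audience not our app";
  return null;
}

// Constructed sample claims: a guest who signed in through our tenant (v1
// issuer), and the same guest after a "common" authority sent them to their
// home tenant. In practice the home tenant would refuse to issue the second
// token at all (the "App not found" error); it is shown here so the backend
// check can be exercised.
const HOME_TENANT_ID = "99999999-8888-7777-6666-555555555555";
const guestViaOurTenant = {
  iss: `https://sts.windows.net/${TENANT_ID}/`,
  tid: TENANT_ID,
  aud: CLIENT_ID,
  upn: "alice_fabrikam.example#EXT#@contoso.example",
};
const guestViaHomeTenant = {
  iss: `https://sts.windows.net/${HOME_TENANT_ID}/`,
  tid: HOME_TENANT_ID,
  aud: CLIENT_ID,
  upn: "alice@fabrikam.example",
};

// Stand-alone demonstration of the three checks.
function demo() {
  const cfg = buildAdalConfig({
    tenant: TENANT_ID, clientId: CLIENT_ID,
    origin: "https://app.contoso.example", domainHint: TENANT_DOMAIN,
  });
  const policy = { tenantId: TENANT_ID, clientId: CLIENT_ID };
  return {
    extraQueryParameter: cfg.extraQueryParameter,
    manifestOk: isSingleTenantManifest({ signInAudience: "AzureADMyOrg" }),
    ourTenant: rejectReason(guestViaOurTenant, policy),
    homeTenant: rejectReason(guestViaHomeTenant, policy),
  };
}
console.log(demo());
```

Both issuer forms are accepted because the same tenant may issue v1 or v2 tokens depending on the endpoint the client used; the tid comparison then ties the token to the tenant regardless of which form the issuer took.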

Final Notes

Your original logic was sound: guest users in your tenant should work with a single-tenant app. The key fix is ensuring every part of your authentication flow (frontend and backend) is explicitly tied to your tenant. Once you lock down these configurations, your guest users should be able to log in without issues.

The question originates from Stack Exchange; question author: Roger Johansson.
