Yesterday I followed Vittorio Bertocci's tutorial "WS-Federation in Microsoft OWIN Components – a quick start" to set up a test application using Azure AD authentication.
This is my first use of Azure AD (I work alone so don't use AD, period). I have just one Azure AD tenant containing one app.
I created a test user in the tenant, david@mycompany.onmicrosoft.com, and could log into the app just fine:
Then I tried creating a new user, david@mycompany.co.uk who is a user with an existing Microsoft account (the email address is used to log in and manage the Azure Portal so it works elsewhere). The appropriate setting was selected to create this account -> User with an existing Microsoft account
But, I cannot log into the application as this user:
Can anyone explain why this is?
If I delete the user from the tenant, then re-create using the option "New user in your organisation", then the user can log in okay (although they get prompted to change their password).
I don't understand what the difference is, especially when the account works fine elsewhere.
Best Answer
It may be that the account is both a valid Microsoft Account (formerly Live ID) AND a valid Organisational Account (Azure AD). This can happen (you have a Live ID for years then your company signs up for Office 365) and leads to all sorts of fun and games because 'home realm discovery' defaults to Azure AD.
In the first login box provided by Azure try typing any address with an '@outlook.com' address - you will be redirected to the Outlook login page (which uses Live IDs). On the Outlook login page enter your 'david@mycompany.co.uk' email and password. I expect you'll log in.
I talk about the background (and reason) for this scenario on my blog.