UNSOLVED Azure AD Tenant id payload claim in access token
I am building a SaaS app using the OpenID Connect Provider with Azure AD. Essentially I want to allow any Azure AD user to log in, and the app to know which Azure tenant they are logging in from, so I can group all users with this tenant id into a SaaS customer group.
I have followed the steps in https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad, with the following changes to set it up as a SaaS app:
- Change the Issuer to https://login.microsoftonline.com/common/v2.0 to allow multi-tenancy.
- Enable debug to view logs
I am able to successfully log in with any valid Azure Active Directory user, but wasn't able to find an identifier of the logged-in user's home tenant in Azure AD in either the access or id tokens provided. I checked the FusionAuth logs to see if it was in the user object, and the only tenant_id that was shown was the FusionAuth tenant that the app belongs to.
I have seen other SaaS/multitenancy suggestions and read those pertaining to using separate tenants for each SaaS user. Wouldn't this add extra complexity, as I would need a separate FusionAuth app registration for each new tenant?
Any help here would be much appreciated, and would give impetus for us to upgrade to the paid version of FusionAuth.
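As an added illustration (not part of the original post, and not FusionAuth's or Microsoft's code): Azure AD v2.0 id_tokens carry the user's home tenant in the `tid` claim, and even when the app is configured against the `common` endpoint the `iss` claim is tenant-specific (`https://login.microsoftonline.com/{tid}/v2.0`). The example below parses the claims of an already signature-verified token, cross-checks `tid` against `iss` so a token cannot name one tenant in `iss` and another in `tid`, and maps the tenant to a SaaS customer group, rejecting tenants that have not been onboarded. The helper that builds a token, the tenant ids, the audience and the customer table are all constructed for the example; signature verification is assumed to happen in the OIDC library before these claims are trusted.

```python
import base64
import json
import re

# Azure AD v2.0 multi-tenant tokens put the user's home tenant in "tid";
# the issuer is tenant-specific: https://login.microsoftonline.com/{tid}/v2.0
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/v2\.0$"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Return the payload of a compact JWT.

    This does NOT verify the signature; the OIDC library (FusionAuth here)
    must have validated the token before its claims are used for anything.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def home_tenant(claims: dict) -> str:
    """Return the home tenant id, requiring iss and tid to agree."""
    tid = claims.get("tid")
    if not isinstance(tid, str) or not tid:
        raise ValueError("token has no tid claim")
    match = ISSUER_RE.match(claims.get("iss", ""))
    if match is None or match.group(1) != tid:
        raise ValueError("iss does not name the tenant given in tid")
    return tid


def tenant_is_consistent(claims: dict) -> bool:
    """True when tid is present and matches the tenant embedded in iss."""
    try:
        home_tenant(claims)
        return True
    except ValueError:
        return False


def customer_for(claims: dict, customers: dict) -> str:
    """Map a verified token to a SaaS customer group by home tenant.

    Hypothetical policy: unknown tenants are refused rather than
    auto-provisioned, so a stray Azure AD tenant cannot create a customer.
    """
    tid = home_tenant(claims)
    if tid not in customers:
        raise PermissionError(f"tenant {tid} is not an onboarded customer")
    return customers[tid]


def make_unsigned_token(claims: dict) -> str:
    """Constructed test helper: assembles a JWT with a placeholder signature
    so the parsing logic runs offline. Real Azure AD tokens are RS256-signed
    and must be verified against the tenant's published keys."""
    header = _b64url_encode(
        json.dumps({"alg": "RS256", "typ": "JWT", "kid": "placeholder"}).encode()
    )
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


# Constructed sample values; none of these are real tenant or app ids.
SAMPLE_TID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TID}/v2.0",
    "aud": "00000000-0000-0000-0000-000000000000",
    "tid": SAMPLE_TID,
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "preferred_username": "alice@contoso.example",
}
CUSTOMERS = {SAMPLE_TID: "contoso"}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print(customer_for(decode_claims(token), CUSTOMERS))
```

The cross-check matters because a multi-tenant app configured with the `common` issuer cannot pin a single expected `iss` value; validating that the issuer's tenant segment equals `tid`, and then consulting an explicit allow-list of onboarded tenants, is what keeps "any Azure AD user may log in" from turning into "any Azure AD tenant becomes a customer".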