对多个租户进行 AAD 身份验证

我有一个 dotnet 7.0 应用程序（Web 应用程序），我希望能够通过任何 Azure AD 租户的 SSO 对用户进行身份验证。在 Azure 进行身份验证后，我想查看用户的电子邮件地址和/或某种唯一的用户 ID。

我已在 Azure 门户中的 Azure Active Directory 下创建了一个新的应用程序注册。应用程序注册与我在发行商处的 MPN 帐户相关联。我尝试过使用两种受支持的帐户类型：“多租户”和“任何 Microsoft 帐户”。

我可以成功验证我自己租户的用户身份。但是，当用户尝试向外部租户进行身份验证时，Azure 会向用户抛出错误：

AADSTS50020: User account '[email protected]' from identity provider 'https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/' does not exist in tenant 'mydomain.com' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'(myapp) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

但是我不想在自己的租户中添加用户作为外部用户，因为我还不知道所有用户，而且会太多。我怎样才能让我的应用程序也对来自外部域的用户进行身份验证？

程序.cs：

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect; // nuget: Microsoft.Identity.Web
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web; // nuget: Microsoft.Identity.Web
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);
var authenticationBuilder = builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme);
authenticationBuilder.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.MapGet("/", (ClaimsPrincipal user, HttpResponse response) => 
{
    response.ContentType = "text/html";
    if (user.Identity?.IsAuthenticated ?? false)
        return $"Hello {user.GetDisplayName()}. <a href='/logout'>Logout</a>.";
    else
        return $"Hello. You are not authenticated. Please <a href='login'>log in</a>.";
});
app.MapGet("/logout", async context =>
{
    await context.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
    await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
});
app.MapGet("/login", [Authorize] (ClaimsPrincipal user, HttpResponse response) => response.Redirect("/"));
app.UseRouting();
app.UseAuthorization();
app.Run();

appsettings.json，其值取自 Azure AD 中的应用程序注册：

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "mydomain.com",
    "ClientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "CallbackPath": "/signin-oidc"
  },
  "AllowedHosts": "*"
}