We are testing Azure Active Directory single sign-on for ArcGIS Enterprise (specifically access to ArcGIS Portal) at 10.5.1 on a Windows 2012 machine.
When adding new portal members to Portal, the email is used in two places, as the email and as the username. So in that sense, the email also serves as the user ID that members will have to enter when logging into the portal.
We have two types of users: user type A, who have an organization email, and user type B, who do not have an organization email but have their own external email IDs. We are testing to see if we can add those external users with their external email ID to Azure Active Directory and also to Portal, and if they can sign in to the portal without having an organization email ID.
Everything seems to work great for user A with an organization email ID. This user can access the portal from machines in the organization domain and also from machines that are not in the domain. This user is also able to access the maps through ArcGIS Collector.
But we are seeing an error with user type B with an external email ID.
For example: email@example.com is added to the portal (where the username is firstname.lastname@example.org and the email is also email@example.com).
The same user B is also added to Azure Active Directory. But when user B tries to sign in, they receive the error below:
"AADSTS50105: The signed user 'portaluser_xyz.com#EXTfirstname.lastname@example.org' is not assigned to a role for the application 'ArcGIS Enterprise'."
The error you are receiving is due to the fact that the enterprise application you've configured in Azure AD does not think that the external user is allowed to access that application. I believe you would have to manually assign them to the application, since only security groups are supported for group-based assignment. Your Azure support team should be able to help you further or at least spell out the options a bit more clearly.
Quickstart: Assign users to an app that uses Azure Active Directory as an identity provider | Microsoft Docs
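As an added illustration of the assignment step described in this answer (this is not code from the original thread, from Esri, or from the Microsoft docs), the script below uses the AzureAD PowerShell module to check whether a guest user already has an app role assignment for the enterprise application and, if not, to create one. The application display name 'ArcGIS Enterprise' is taken from the error message in the question; the user address, the use of the `mail` property for lookup, and `[Guid]::Empty` as the default role ID are assumptions for this example.

```powershell
# Added example, not part of the original thread. Assumes the AzureAD module
# and an account allowed to manage enterprise applications in the tenant.
Connect-AzureAD

$appDisplayName = 'ArcGIS Enterprise'               # app name from the AADSTS50105 error text
$userMail       = 'firstname.lastname@example.org'  # placeholder external (guest) user address

# The enterprise application is represented by a service principal object.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Enterprise application '$appDisplayName' not found." }

# Guest accounts get a UPN of the form name_domain#EXT#@tenant.onmicrosoft.com,
# so look the user up by mail address (assumed filterable) rather than by UPN.
$user = Get-AzureADUser -Filter "mail eq '$userMail'"
if (-not $user) { throw "No Azure AD user with mail '$userMail'." }

# Check whether this user already holds an assignment to the application.
$existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
    Where-Object { $_.ResourceId -eq $sp.ObjectId }

if ($existing) {
    Write-Host "Already assigned: $($user.UserPrincipalName) -> $($sp.DisplayName)"
} else {
    # Assign the default role. An empty GUID is the conventional role ID when
    # the application defines no app roles of its own (assumption for this app).
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId `
        -PrincipalId $user.ObjectId `
        -ResourceId $sp.ObjectId `
        -Id ([Guid]::Empty)
    Write-Host "Assigned $($user.UserPrincipalName) to $($sp.DisplayName)"
}

# Review everyone currently assigned to the application, which is the list to
# audit when deciding who should reach the portal through SSO.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType, CreationTimestamp
```

AADSTS50105 is raised because the enterprise application's "User assignment required?" setting is on. Turning that setting off would also make the error go away, but it would let every account in the tenant (guests included) sign in to the portal through SSO; assigning users or security groups explicitly, as the answer suggests, keeps access on a least-privilege basis and leaves an auditable list of who was granted it.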
From what I know, that was not our issue. Our Azure support team has been able to figure this out, and now we can sign in using external email IDs as well.
Appreciate you responding to my question.
Thank you for responding back to my question.