From 97f0a317f1f9bdc85a2fdfcdc4da4494e12847e6 Mon Sep 17 00:00:00 2001
From: Tiago Brenck <v-tibre@microsoft.com>
Date: Wed, 19 Feb 2020 17:43:03 -0800
Subject: [PATCH 1/3] Explanation about guest users on MT apps

---
 2-WebApp-graph-user/2-3-Multi-Tenant/README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/2-WebApp-graph-user/2-3-Multi-Tenant/README.md b/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
index df72a36b..868fc4ed 100644
--- a/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
+++ b/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
@@ -216,6 +216,10 @@ services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
 
  You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
 
+#### Implications of signing-in guest users on /common endpoint
+
+Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying a tenant specific CA policies, group assignments or app roles to be applied to the guest users, the app should sign the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
+
 ### Service principal provisioning for new tenants (onboarding process)
 
 For a multi-tenant app to work across tenants, its service principal will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.

From ee30914923a12fd8940f9980443ff48070b6ee55 Mon Sep 17 00:00:00 2001
From: Tiago Brenck <v-tibre@microsoft.com>
Date: Thu, 20 Feb 2020 08:41:42 -0800
Subject: [PATCH 2/3] applied PR reviews

---
 2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md | 4 ++++
 2-WebApp-graph-user/2-3-Multi-Tenant/README.md                | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md b/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md
index 9d2da23d..a1bbb1e2 100644
--- a/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md
+++ b/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md
@@ -240,6 +240,10 @@ services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
 
  You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
 
+#### Implications of signing-in guest users on /common endpoint
+
+Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying a tenant specific conditional access policies, group assignments or app roles to be applied to the guest users, the app should sign the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
+
 ### Service principal provisioning for new tenants (onboarding process)
 
 For a multi-tenant app to work across tenants, its service principal will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.
diff --git a/2-WebApp-graph-user/2-3-Multi-Tenant/README.md b/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
index 868fc4ed..7931ea38 100644
--- a/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
+++ b/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
@@ -218,7 +218,7 @@ services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
 
 #### Implications of signing-in guest users on /common endpoint
 
-Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying a tenant specific CA policies, group assignments or app roles to be applied to the guest users, the app should sign the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
+Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying a tenant specific conditional access policies, group assignments or app roles to be applied to the guest users, the app should sign the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
 
 ### Service principal provisioning for new tenants (onboarding process)
 

From a6e79e67c6aeae7032cdc26c4b0e10d1cdc8512f Mon Sep 17 00:00:00 2001
From: Tiago Brenck <v-tibre@microsoft.com>
Date: Thu, 20 Feb 2020 09:51:47 -0800
Subject: [PATCH 3/3] fixing grammar

---
 2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md | 4 ++--
 2-WebApp-graph-user/2-3-Multi-Tenant/README.md                | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md b/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md
index a1bbb1e2..b7f7fd43 100644
--- a/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md
+++ b/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md
@@ -240,9 +240,9 @@ services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
 
  You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
 
-#### Implications of signing-in guest users on /common endpoint
+#### Implications of signing-in guest users on `/common` endpoint
 
-Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying a tenant specific conditional access policies, group assignments or app roles to be applied to the guest users, the app should sign the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
+Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying tenant specific conditional access policies, group assignments or app roles to be applied to the guest users, the app should sign-in the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
 
 ### Service principal provisioning for new tenants (onboarding process)
 
diff --git a/2-WebApp-graph-user/2-3-Multi-Tenant/README.md b/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
index 7931ea38..c8a5e966 100644
--- a/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
+++ b/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
@@ -216,9 +216,9 @@ services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
 
  You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
 
-#### Implications of signing-in guest users on /common endpoint
+#### Implications of signing-in guest users on `/common` endpoint
 
-Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying a tenant specific conditional access policies, group assignments or app roles to be applied to the guest users, the app should sign the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
+Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying tenant specific conditional access policies, group assignments or app roles to be applied to the guest users, the app should sign-in the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
 
 ### Service principal provisioning for new tenants (onboarding process)