Azure-Samples · TiagoBrenck · Feb 20, 2020 · Feb 20, 2020 · Feb 20, 2020 · Feb 20, 2020
diff --git a/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md b/2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md
@@ -240,6 +240,10 @@ services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
 
  You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
 
+#### Implications of signing-in guest users on `/common` endpoint
+
+Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying tenant specific conditional access policies, group assignments or app roles to be applied to the guest users, the app should sign-in the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
+
 ### Service principal provisioning for new tenants (onboarding process)
 
 For a multi-tenant app to work across tenants, its service principal will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.

diff --git a/2-WebApp-graph-user/2-3-Multi-Tenant/README.md b/2-WebApp-graph-user/2-3-Multi-Tenant/README.md
@@ -216,6 +216,10 @@ services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
 
  You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
 
+#### Implications of signing-in guest users on `/common` endpoint
+
+Please note that if you sign-in guest users at the `/common` endpoint, they will be directed to their home tenant for signing-in. So, if your multi-tenant app cares about applying tenant specific conditional access policies, group assignments or app roles to be applied to the guest users, the app should sign-in the guest user on the **tenanted endpoint** (https://login.microsoftonline.com/{tenantId}) instead of the `/common` endpoint.
+
 ### Service principal provisioning for new tenants (onboarding process)
 
 For a multi-tenant app to work across tenants, its service principal will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.