After a reasonable time beating my head against a wall, I think I’ve come to the conclusion that the CF Access/Teams authentication system only supports single-tenant Azure AD auth.
I need multi-tenant support, such that a user from another zone/tenant/organisation can authenticate with my application.
When trying this I get an error such as:
Selected user account does not exist in tenant 'mydomain.com' and cannot access the application '3a67a705-73a4-4141-81ba-7758dbc3a81b' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
I think that CF Access is using the single-tenant authentication flow, which needs significant changes to support multi-tenant auth: Build apps that sign in Azure AD users - Microsoft identity platform | Microsoft Docs
Does CF Access support multi-tenant Azure AD? If not, can this be added?
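To illustrate the difference the post runs into, here is an added example (not from the post, and not Cloudflare's or Microsoft's code) of the claim checks a relying party performs on an Azure AD ID token: a single-tenant policy rejects a user whose `tid` is another tenant, which is the error quoted above, while a multi-tenant policy uses an explicit tenant allowlist and binds the `iss` claim to the token's `tid`, since with the `/common` authority the issuer varies per tenant. The application ID is the one in the quoted error; the tenant IDs and the unsigned token are constructed placeholders, and signature verification against the tenant's JWKS is assumed to have already run.

```python
import base64
import json

# Application (client) ID taken from the error message in the post.
APP_ID = "3a67a705-73a4-4141-81ba-7758dbc3a81b"
# Constructed placeholder tenant IDs (real Azure AD tenant IDs are GUIDs).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def claims_of(id_token: str) -> dict:
    """Return the payload claims; signature checking is assumed done upstream."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


def validate_id_token(id_token: str, allowed_tenants: set, app_id: str = APP_ID):
    """Return (ok, detail). Single-tenant: allowed_tenants is just the home tenant.
    Multi-tenant: an explicit allowlist; never accept every tenant unconditionally."""
    c = claims_of(id_token)
    tid = c.get("tid")
    if tid not in allowed_tenants:
        return False, f"account from tenant {tid} cannot access application {app_id}"
    # Under /common or /organizations the issuer is per tenant, so tie iss to tid.
    if c.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False, "issuer does not match the token's tenant"
    if c.get("aud") != app_id:
        return False, "token was not issued for this application"
    return True, tid
```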