Update existing Teams App to Multi-tenant failing during provisioning using Teams Toolkit - azure-active-directory

We have a Teams App which is created using Teams Toolkit - SSO Enabled Tab option.
This App is single tenant by default and we want to convert it to Multi Tenant.
We are following the steps mentioned in "https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app" to do the same.
Here when I update the aad.template.json file and change the value of signInAudience to AzureADMultipleOrgs, and then run provisioning using teams toolkit. I get an error - "Failed to update application in Azure Active Directory. Please make sure 'templates/appPackage/aad.template.json' is valid: Request failed with status code 400 Detailed error: Request failed with status code 400. Reason: Values of identifierUris property must use a verified domain of the organization "
On changing the value back to AzureADMyOrg, provisioning is successful.
Has anyone faced a similar issue?

It sounds like it's failing because you don't have a verified domain registered with Azure. It's only required for multi-tenant apps, but that's exactly what you're building. Essentially, you need to have a regular external domain registered with Azure, something like a .com, .io, .net, .whatever public domain.
On the page you linked, it actually says as much:
Since an Azure AD app requires a "tenant verified domain" for the Application ID URI, you can use your own Custom Domain or Create a new Custom Domain on Azure.
But this looks useful too: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts#why-changing-to-multi-tenant-can-fail

This error is because you are not using a verified domain in the Application ID URI of your multi-tenant Azure AD app. Teams Toolkit will by default use Storage to host your Tab app; however, the Storage endpoint is not a tenant verified domain, and thus you will fail with this error if you only update your AAD manifest.
You can follow steps 2-4 in Update your Tab applications to create your CDN or use your own tenant verified domain and set up the endpoint in your project.

Related

App Registration not showing as Cloud App on AAD Conditional Access

I'm creating an app registration for Azure AD using my admin account (specifically for Mobile and desktop applications authentication). I intend to create an AAD Conditional Access that will be applied to the created app registration. For some reason the App Registration is not visible on the cloud app selection when I am trying to select it.
Screenshot - Conditional Access > Policy > Cloud apps or actions > Select apps
P.S. It showed on the cloud apps when I tried adding a "Web" platform on the app registration, but still CA is not applied when trying to login using the App Registration. Am I missing anything? Thanks in advance.
Screenshot - AAD - Sign-Ins
Please note that the CA policy is applied when a client calls a service. It's not applied directly to a client (public/native) application.
See the Note tip here.
Since Conditional Access policy sets the requirements for accessing a service you are not able to apply it to a client (public/native) application. In other words, the policy is not set directly on a client (public/native) application, but is applied when a client calls a service. For example, a policy set on SharePoint service applies to the clients calling SharePoint. A policy set on Exchange applies to the attempt to access the email using Outlook client. That is why client (public/native) applications are not available for selection in the Cloud Apps picker and Conditional Access option is not available in the application settings for the client (public/native) application registered in your tenant.
It also explains why CA is not applied when you tried to login using the App Registration -- you didn't call a service.

Graph API azure directory authorization error

I have a graph API app and want it to be accessible to every user for authorizing.
The app is made to be a multi-tenant application that should be available to everyone (see screenshot).
When a user who is not added to the Azure Active Directory tries to grant permissions to the app, they get this error saying "the user is not added to the azure active directory, and the user needs to be added as a tenant to the app".
I am using this link for oauth access https://login.microsoftonline.com/DIRECTORY_ID/oauth2/v2.0/authorize?client_id=CLIENT_ID2&response_type=code&redirect_uri=http://localhost:3000/auth/callback&response_mode=query&scope=offline_access Channel.Create Channel.ReadBasic.All ChannelMessage.Send Team.ReadBasic.All Group.ReadWrite.All&state=12345
error message from graph app
You are using a tenant-specific endpoint, which will not support personal accounts. You need to use the common endpoint (login.microsoftonline.com/common/oauth2/v2.0/).
Based on the URL you shared, you can use the example syntax below:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=CLIENT_ID2&response_type=code&redirect_uri=http://localhost:3000/auth/callback&response_mode=query&scope=offline_access
Also, please refer to the similar question here.

Azure B2C IDP SAML for multiple service providers

I have configured Azure B2C as IdP via SAML successfully for a single Service Provider. There are many pieces that I don't understand in this setup even though it's working.
I will describe what I have so far and then ask questions later.
Let's say I have two Service Providers, SP1 and SP2; both require SAML and a page to sign up/sign in. SP1 requires loyality_id as a custom attribute and SP2 requires a product_name attribute.
Here's the source code that works.
Credit/Thanks to this blog
Below is the high level summary of the configuration.
SAML for SP1 (Service Provider 1):
Add signing and encryption keys to the B2C tenant
Register Identity Experience Framework applications
Create web app IdentityExperienceFramework in Azure Active Directory
Create native app ProxyIdentityExperienceFramework in Azure Active Directory
Start from starter pack for LocalAccounts as base
Add Saml2AssertionIssuer to the base policy
Add user journey SignInSaml to the base policy
In Extension Policy override "Local Account SignIn" claims provider and add substitute values for "client_id" and "IdTokenAudience" from apps that were created earlier
Policy file with RelyingParty for SP1
This describes the output claims that are added to the SAML response
Signup/signin policies for SP1:
Create built-in signup and signin policy
Create Application in Azure B2C blade
So far with this setup, I have two Applications in Azure Active Directory for custom policies and one Application in Azure B2C blade for built-in policy.
According to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-create-custom-attributes-profile-edit-custom,
Extension properties can only be registered on an Application object even though they may contain data for a User. The property is attached to the application. The Application object must be granted write access to register an extension property.
What is the "Application" the above paragraph is referring to?
What is the purpose of the apps IdentityExperienceFramework/ProxyIdentityExperienceFramework?
To set up for SP2, do I need to create separate Azure Active Directory apps for IdentityExperienceFramework/ProxyIdentityExperienceFramework? Or can I use the same ones? How do custom attributes factor into this?
How do I set up custom attributes in this case, where SAML is through a custom policy and sign-in/sign-up is a built-in policy?
In this case, under what App context are the custom attributes created?
I appreciate any pointers.
Thanks
The application is the one created in the section "Creating a new application to store the extension properties".
The apps' purpose is to enable sign-in using local accounts. The same apps can be used across multiple policies.
Custom attributes are related to the application created in app registrations at Azure AD level, and with the permissions detailed in the configuration docs.
In my Github profile, you can find a different implementation of the B2C as SAML issuer scenario: https://github.com/marcelodiiorio/My-Azure-AD-B2C-use-cases.
Tell me if you have more questions.

Multi-tenant app in Azure AD (Active Directory) fails with AADSTS50020

I created a "Web app / API" app in our organization's "xxx.onmicrosoft.com" Azure Active Directory. The app's "Multi-tenanted" property has been set to "Yes".
We configured OpenID Connect (we use https://github.com/mitreid-connect/) to use the following URLs:
https://login.microsoftonline.com/common/oauth2/authorize
https://login.microsoftonline.com/common/oauth2/token
Please note that we used "common" in the URLs and we didn't use "xxx.onmicrosoft.com" because we want people from outside "xxx.onmicrosoft.com" to be able to authenticate and access our app.
With those settings, the people from xxx.onmicrosoft.com can properly authenticate and access the app.
However, when I use my personal live.com account (with username xxx#gmail.com) to access the app, I get AADSTS50020 error. I am able to properly authenticate with my xxx#gmail.com account, but I do not get redirected to the Reply URL. I'm stuck on Microsoft's Web page with the following error msg:
AADSTS50020: User account 'xxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'xxx.onmicrosoft.com' and cannot access the application '391e7103-ZZZZ-zz87-xxxx-7xxxxxd5xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
What configuration do I need to change if I want people from any identity provider to be able to access my app?
Like it has been stated here, I expected that people from anywhere could access my app without requiring more configuration on my side.
I'm asking this question because I'm in the process of getting certified for AppSource and this currently blocks me from being able to do so.
AppSource only requires work accounts to sign-in. You are using an #gmail account - which is a personal account - and because you are using the Azure Active Directory v1 endpoint in addition to common (https://login.microsoftonline.com/common), it can't accept personal accounts to sign-in directly - only work accounts.
You have three options:
If signing in personal accounts is not a requirement for your application, then you can continue using the v1 endpoint and use a work account to sign in to/test your application. This will make you ready for AppSource certification.
If you need/want to allow personal accounts in your application in addition to work accounts, then you can consider using the v2 endpoint (https://login.microsoftonline.com/common/v2.0) for Azure Active Directory. The v2 endpoint allows both personal accounts and work accounts to sign in with no effort. A note: the v2 endpoint has some limitations. If you can live with these limitations (for example, your application only needs to sign in users and eventually make queries against Graph API), then in general it should be fine to use, but if you need extra features like protecting your own Web API with scopes, then this feature is not released at this point (as of November 2017). Please read this document for an updated list of limitations of the v2 endpoint.
A third (but less recommended option for AppSource) is to keep using the v1 endpoint and make your application single-tenant - which is to change the endpoint from https://login.microsoftonline.com/common to https://login.microsoftonline.com/{yourtenantid}, and then use the B2B invitations API to invite every external user (including work and personal accounts) to be part of your Azure AD tenant/organization. More information about B2B here as well.
Option '3' above has some consequences for management as well as for AppSource: by using this option, you are required to have one Azure Active Directory tenant (if you don't have a tenant already, you can get one using these instructions), and the users being invited will be guest accounts of this tenant - this means that you need to invite every external user to your application/tenant. A multi-tenant application allows any user from any organization to sign in to your application with less management on your side. In general for SaaS applications, multi-tenant configuration is recommended.
For AppSource, option '3' also leads to a less-immersive user experience (Partner led trial), where the end user won't be able to access your application's demo right away - mainly because they have to wait for the invitation email and accept it (the user has to accept being a guest of your tenant) so that they can access your application.
For more information about AppSource requirements and trial options - please see this article.
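The two endpoint questions above (the tenant-specific vs. common authorize URL for the Graph API app, and the v1 vs. v2 endpoint behaviour behind AADSTS50020) come down to a few rules that are easy to get wrong by hand. The following is an added example, not code from any of the posts or from Microsoft: it builds an authorize URL with a correctly percent-encoded scope string (the URL in the question has unencoded spaces in `scope`) and checks a chosen tenant segment and endpoint version against the kind of account expected to sign in, using only the rules the answers state. `CLIENT_ID2`, `DIRECTORY_ID` and the redirect URI are placeholders taken from the question; the helper names are this example's own.

```python
"""Azure AD authorize-URL builder and authority sanity check (added example).

Rules encoded, as stated in the answers above:
  * a tenant-specific authority only accepts members of that tenant; any other
    account is rejected (the AADSTS50020 case);
  * the v1 'common' endpoint accepts work or school accounts only;
  * personal accounts need the v2 'common' endpoint.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

LOGIN_HOST = "https://login.microsoftonline.com"


def authority(tenant: str, version: int) -> str:
    """Base path of the /authorize and /token endpoints for a tenant segment."""
    if version == 1:
        return f"{LOGIN_HOST}/{tenant}/oauth2"
    if version == 2:
        return f"{LOGIN_HOST}/{tenant}/oauth2/v2.0"
    raise ValueError("endpoint version must be 1 or 2")


def authorize_url(tenant: str, version: int, client_id: str, redirect_uri: str,
                  scopes: list, state: str) -> str:
    """Build the /authorize URL; scopes are space-separated and URL-encoded."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{authority(tenant, version)}/authorize?{urlencode(params)}"


def scopes_from_url(url: str) -> list:
    """Decode the scope list back out of an authorize URL (round-trip check)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split()


def check_signin(tenant: str, version: int, account_type: str,
                 account_tenant: str = None) -> list:
    """Return the reasons a sign-in would fail under the rules above.

    account_type is 'work' or 'personal'; account_tenant is the directory a
    work account belongs to. An empty list means the sign-in is expected to
    succeed (as far as these rules go).
    """
    problems = []
    if tenant != "common":
        # Tenant-specific authority: only members of that directory get in.
        if account_type == "personal" or account_tenant != tenant:
            problems.append(
                f"account is not a member of tenant '{tenant}' "
                "(the AADSTS50020 situation)")
    elif account_type == "personal" and version == 1:
        problems.append("the v1 'common' endpoint accepts work or school accounts only")
    return problems


if __name__ == "__main__":
    # Constructed values modelled on the question's URL.
    url = authorize_url("common", 2, "CLIENT_ID2",
                        "http://localhost:3000/auth/callback",
                        ["offline_access", "Channel.Create", "Team.ReadBasic.All"],
                        "12345")
    print(url)
    print(scopes_from_url(url))
    print(check_signin("DIRECTORY_ID", 2, "personal"))
    print(check_signin("common", 1, "personal"))
    print(check_signin("common", 2, "personal"))
```

Running `check_signin` with the question's original `DIRECTORY_ID` segment reports the tenant-membership problem for a personal account; switching the segment to `common` on v2 clears it, while `common` on v1 still reports the work-account-only restriction described in the AADSTS50020 answer.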

Can't create multi-tenant application using Azure AAD Graph client

I am trying to create an Azure AD application from code using the AAD Graph client. For a single-tenant application it works fine and creates the application. But if I try to set the AvailableToOtherTenants property to true, it throws an error like "An Error Occured While Processing this request". Am I supposed to set any additional properties for multi-tenant application creation?
For a native application, multi-tenant is enabled "by design".
For a web application, AvailableToOtherTenants should work.
Another thing to note: be sure to specify "common" as your tenant id, not your tenant name or GUID.
Another thing that you want to check is that your application URI starts with the URI of your AAD, so if you have an AAD called Contoso, the URI of your application could be https://contoso.onmicrosoft.com/my-application.
While the application URI doesn't matter for single-tenant applications, for multi-tenant applications it has to start with the AAD tenant URI.
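Both the first question on this page (Teams Toolkit provisioning rejecting `identifierUris` once `signInAudience` becomes `AzureADMultipleOrgs`) and the answer just above (the application URI must start with the tenant's URI for a multi-tenant app) are the same rule: for a multi-tenant app, every identifier URI must use a domain verified in the tenant. The following is an added example, not code from Teams Toolkit, the AAD Graph client or any of the posts: a pre-provisioning check that reads the two manifest fields and reports identifier URIs whose host is not a verified domain, so the problem is caught locally instead of as a 400 from the provisioning call. The manifest, the storage-style host and the verified-domain list are constructed sample data; the check mirrors only the error text on this page and ignores any other identifier-URI forms Azure may accept.

```python
"""Verified-domain check for identifierUris in an Azure AD app manifest
(added example; signInAudience and identifierUris are standard app-manifest
fields and also appear in Teams Toolkit's aad.template.json)."""
import json
from urllib.parse import urlsplit

# signInAudience values that make the app multi-tenant, where the rule applies.
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def identifier_uri_host(uri: str) -> str:
    """Host part of an identifier URI, e.g. 'contoso.onmicrosoft.com' for
    https://contoso.onmicrosoft.com/my-application or 'x.web.core.windows.net'
    for api://x.web.core.windows.net/botid-...; empty if there is none."""
    return urlsplit(uri).netloc.lower()


def host_is_verified(host: str, verified_domains) -> bool:
    """True if host is a verified domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in verified_domains)


def check_manifest(manifest: dict, verified_domains) -> list:
    """Return a list of problems; empty means this rule would not block provisioning."""
    verified = {d.lower() for d in verified_domains}
    audience = manifest.get("signInAudience", "AzureADMyOrg")
    if audience not in MULTI_TENANT_AUDIENCES:
        return []  # single-tenant app: the verified-domain rule is not enforced
    problems = []
    for uri in manifest.get("identifierUris", []):
        host = identifier_uri_host(uri)
        if not host:
            problems.append(f"{uri}: identifier URI has no host part")
        elif not host_is_verified(host, verified):
            problems.append(
                f"{uri}: host '{host}' is not a verified domain of the tenant "
                "(signInAudience={audience})".replace("{audience}", audience))
    return problems


# Constructed sample: a Teams-Toolkit-style manifest after switching the
# audience to multi-tenant while still pointing at a storage static-site host.
SAMPLE_MANIFEST = json.loads("""
{
  "signInAudience": "AzureADMultipleOrgs",
  "identifierUris": [
    "api://mytab.z13.web.core.windows.net/botid-00000000-0000-0000-0000-000000000000"
  ]
}
""")

# Constructed list of domains verified in the tenant (the default
# *.onmicrosoft.com domain is always verified).
SAMPLE_VERIFIED_DOMAINS = ["contoso.onmicrosoft.com", "contoso.com"]


if __name__ == "__main__":
    for problem in check_manifest(SAMPLE_MANIFEST, SAMPLE_VERIFIED_DOMAINS):
        print("ERROR:", problem)
    fixed = dict(SAMPLE_MANIFEST,
                 identifierUris=["https://contoso.onmicrosoft.com/my-application"])
    print("fixed manifest problems:", check_manifest(fixed, SAMPLE_VERIFIED_DOMAINS))
```

The same manifest passes once `signInAudience` is set back to `AzureADMyOrg` (the rule only applies to multi-tenant audiences) or once the identifier URI is moved to a host under a verified domain, which is exactly the two outcomes the first question and its answers describe.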
