I'm working on integrating Office 365 APIs into a web application that has different URLs for each organization (e.g. there could be an installation at http://organization1.com and an installation at http://organization2.com). Right now, for development, we have an Office 365 developer tenant and an associated Azure site. On Azure, we registered an application with a local URL as the return URL (e.g. http://localhost), and we use the Client ID and secret to authenticate calls to the API.
However, once we deploy this into production, we're going to have instances of the web application at many different URLs (one per organization), and organizations will have their own Office 365 account and associated Azure account. Does this mean that organizations will need to add the application themselves into their Azure directory, or is there a way for us to create an application that can be used with arbitrary tenants and return URLs?
What would be the best practice for a situation like this?
There are two approaches:
Get the customer to create the application in Azure AD, get the client ID and secret key, and store it in your app somewhere... either in the UI, and securely store it somewhere based on the loaded tenant
OR
in Visual Studio change the setting (can do this in the Azure AD application in your tenant) to support "multiple Organizations". This is set when you go to Add Connected Service and select App Properties...
We have written some code (I hesitate to use the term "application") in .NET Core using Visual Studio 2019. This concept is relatively simple; when a user opens a "proprietary" Excel workbook (an Excel file that calls our code) the code goes out to a hosted (by us) Azure SQL Managed database and returns data based on the parameters passed in by the user.
In Azure, we have a single production App Service plan with an App Service dedicated to each client (company). My question is about security: I'd like to tie each App Service to the related company's Azure AD. I do NOT want to create an account on my Azure AD for each user, although I can certainly do this through the "invitation" process using B2B. Can each App Service be "pointed" to a specific external instance of Azure AD so that only users from that company can access the related data?
Thanks.
You may use two different flows:
Each WebApp will authenticate users from only one specific Azure AD tenant
One WebApp will authenticate users from multiple Azure AD tenants
Both solutions can be achieved with the Azure AD multi-tenant authentication application pattern.
Here are steps you need to implement:
Update App registration to be multi-tenant
Update your code to send requests to /common
Update your code to handle multiple/single issuer values
Here is a picture that describes the flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
I have registered an app in the Microsoft App registration portal (https://apps.dev.microsoft.com/) using my personal Outlook ID. I have used the same App ID and password to create a Web App Bot in the Azure portal under my enterprise login. Now I want to transfer the ownership of the application to my enterprise email, but I don't have any option for that.
How can I transfer the ownership from my personal Outlook ID to the enterprise ID?
Even though you are creating the application using a LiveID, the application object is always created within an Azure Active Directory instance. You may not be able to move this application object from one directory to another, and you would have to register a new one again with the same parameters. If it is a multi-tenant application, then you may be able to create a service principal for it within your company directory with your enterprise ID and provide access to it. I believe your enterprise ID and LiveID are both in two different directories. I would suggest creating a new application entry if it is possible. You may have to make some changes in your infrastructure; however, it may reduce the complexity in the environment.
I am currently use a multi-tenanted application, and have authentication working for a single azure AD. I would like to have multiple ADs connected to the authentication of the authentication page. How can I do so from within the Azure administrator console?
If I understood your question: you setup a multi-tenant app in the properties of the application in Azure, but currently your application only accepts user of one tenant to sign-in.
If this is the case, then what you have to do is to also adjust your application's code to be multi-tenant. In order to enable multi-tenancy on your application:
Double check you have set Multi-Tenanted property to Yes on your application registration's information in the Azure Portal (by default, applications created in the Azure Portal are configured as single-tenant)
Update your code to send requests to the 'common' endpoint (update the endpoint from https://login.microsoftonline.com/{yourtenant} to https://login.microsoftonline.com/common)
For some platforms, like ASP.NET, you need also to update your code to accept multiple issuers
For more information about multi-tenancy, see: How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern.
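The two answers above (steps "update your code to send requests to /common" and "handle multiple/single issuer values") stop short of showing what the issuer check looks like. The block below is an added example, not code from either answer or from Microsoft: it validates the `iss` and `tid` claims of an Azure AD token against the set of tenants the app has onboarded, which is what keeps a multi-tenant app from silently accepting sign-ins from every Azure AD tenant in the world once it switches to `/common`. The tenant IDs, the claim sets and the `make_unsigned_token` helper are constructed for the example; signature verification against the tenant's signing keys is assumed to happen before this check and is not shown.

```python
import base64
import json
from typing import Iterable, Mapping

# Issuer formats Azure AD actually puts in tokens. Even when the sign-in
# request went to /common, the "iss" claim names the user's home tenant,
# never the literal string "common" (the /common discovery document only
# shows a {tenantid} placeholder, so do not hardcode that value).
ISSUER_TEMPLATES = (
    "https://login.microsoftonline.com/{tid}/v2.0",  # tokens from the v2.0 endpoint
    "https://sts.windows.net/{tid}/",                 # tokens from the v1.0 endpoint
)

# Constructed tenant IDs for the example (not real directories).
TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"


def make_unsigned_token(claims: Mapping) -> str:
    """Build a JWT-shaped string for the example. The signature segment is a
    placeholder; real tokens must be signature-checked before the claims are
    trusted, which is out of scope here."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (restores base64url padding)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_issuer(claims: Mapping, allowed_tenants: Iterable[str]) -> str:
    """Accept the token only if its tenant is onboarded and its issuer is one
    of the Azure AD issuer forms for that same tenant. Returns the tenant ID.

    For the 'one web app per customer' layout pass a single tenant ID; for the
    'one web app, many customers' layout pass the set of tenants that have
    consented to the app (e.g. loaded from your database)."""
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        raise ValueError("token has no tid/iss claim")
    if tid not in set(allowed_tenants):
        raise ValueError(f"tenant {tid} has not been onboarded")
    expected = {template.format(tid=tid) for template in ISSUER_TEMPLATES}
    if iss not in expected:
        # iss and tid must agree; a mismatch means the token was minted for
        # a different directory than the one it claims to be from.
        raise ValueError(f"issuer {iss} does not belong to tenant {tid}")
    return tid


def accept_token(token: str, allowed_tenants: Iterable[str]) -> str:
    """Decode the claims and run the issuer/tenant check; returns the tenant ID."""
    return validate_issuer(decode_claims(token), allowed_tenants)


if __name__ == "__main__":
    good = make_unsigned_token({
        "iss": f"https://login.microsoftonline.com/{TENANT_A}/v2.0",
        "tid": TENANT_A,
        "aud": "example-app-id",
    })
    print("accepted tenant", accept_token(good, {TENANT_A}))

    foreign = make_unsigned_token({
        "iss": f"https://login.microsoftonline.com/{TENANT_B}/v2.0",
        "tid": TENANT_B,
    })
    try:
        accept_token(foreign, {TENANT_A})
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the part that matters: with `/common` the sign-in itself succeeds for any Azure AD user, so the issuer check is where the app decides which organizations it actually serves, and with the per-customer App Service layout from the question above each instance simply gets a one-element set.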
Will setting "Application is Multitenant" make my application work with other tenants which are not registered in my Azure subscription, which are not part of my Active Directory? Will setting this option work with any #######.onmicrosoft.com? The image you see is from the Azure Active Directory web app page. I have registered my web application to consume the Office 365 API as described in the page https://github.com/OfficeDev/O365-WebApp-MultiTenant
In context of Azure AD:
A single tenant application is only available to users of Azure Active Directory (Azure AD) where this is created.
A multi-tenant application is not only available to users of the Azure AD where it is created, but it is also available in other Azure ADs. Users in other Azure ADs have to explicitly grant consent to the application in their Azure AD. When an application is added to another Azure AD, that application essentially becomes a user in that Azure AD as a Service Principal.
A single-tenant application means the application is hosted specifically for a single client. Reasons may be specific business needs, regulatory compliance, or any number of real scenarios you can imagine.
A multi-tenant application is available to a group of clients. Reasons here can be common business needs, no regulatory compulsion, and less cost in supporting maintenance and usage, as the same application is used for multiple clients.
Practical Example is below (Directly taken as it is from MSDN):
One of the first architectural decisions that the team at Tailspin had to make about how the Surveys application could best support multiple subscribers was whether it should be a single-tenant or multi-tenant application. Figure 1 shows the difference between these approaches at a high-level. The single-tenant model has a separate physical instance of the application for each subscriber, while the multi-tenant model has a single physical instance of the application shared by many subscribers.
It’s important to note that the multi-tenant model still offers separate views of the application’s data to its users. In the Surveys application, Client B must not be able to see or modify Client A’s surveys or data. Tailspin, as the owner of the application, will have full access to all the data stored in the application.
For more details, refer to Hosting a Multi-Tenant Application on Windows Azure
I have added a web application in Microsoft AZURE AD for accessing the Office 365 Exchange services and enabled multi-tenant option. Now the problem is I want to make it available to other applications/organizations.
Currently I am able to install the app in the same domain.
But how will I be able to install this app into some other domain ?
Note : This is an unpublished app and I am trying to make it available to test in different domains.
Ravi, with "unpublished" are you referring to the app catalog? As long as potential users can navigate to the application, even by following a direct link, at authentication time they will be given the opportunity to consent - which will result in the application being provisioned in their own organization. Just share with your testers a direct link to your application.
Set the multi-tenant option in the Azure Portal to true. You can let your customers get the built app from an FTP site until you deploy it to the marketplace.
If it is an Outlook app, you can install it as an Exchange app in your customer's O365 tenant.