Multi-Tenant App with dynamic configuration from Azure App Configuration

Question

Hi all,&nbsp;We are developing MS Teams Tab app that will be distributed to multiple tenants.The goal is to let customers create their configuration on a tenant level.For that we found a Azure App Configuration service.To retrieve settings from Azure App Configuration from the Tab, we thought of these steps:Customer Tenant admin creates Azure App Configuration in their own Domain,Customer Tenant admin adds settings in a specific key,Customer Tenant admin assign the&nbsp;App Configuration Data Reader role to all users in tenant.Our Tenant admin add permission in Azure App Registration to access App Configuration on behalf of user.From Tab app, authenticate user with AAD,From Tab app, request resource from App Configuration via REST API.Since App Configuration is behind subscription, we want to clarify if the steps are achievable at all.The questions are:In terms of App permissions, what are the permissions we need to include in App Registration, to access Azure App Configuration (in customers tenant) on behalf of user?Can Azure ID token from "login.microsoftonline.com" be used to request Azure App Configuration resource via HTTP REST API?&nbsp;Thanks in advance!&nbsp;&nbsp;

sayali-msft · Answer

vtyagunov&nbsp;- 1.Permissions we need to include in App Registration, to access Azure App Configuration -Azure AD: Custom Application Consent Policies - Microsoft Tech Community2.Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

sayali-msft · Answer

vtyagunov-We are looking into this I will get back to you soon.

vtyagunov · Answer

Thanks for your instant response!We are waiting for you to share your answers / feedback.

sayali-msft · Answer

vtyagunov -Could you please confirm if your issue has resolved or still looking for any help?

vtyagunov · Answer

Sayali-MSFT&nbsp;Thanks for sharing these resources.We are getting through them to understand more about the flow.&nbsp;Actually, we have one more question:In the react feature flags sample. there are steps for creating new AAD app:In the&nbsp;API permissions&nbsp;section, select&nbsp;Add a permission&nbsp;and choose&nbsp;APIs my organization uses.Pick&nbsp;Azure App Configuration&nbsp;and select the checkboxes and then click&nbsp;Add permissions. This would allow the application to access Azure App Configuration on behalf of the signed-in user.&nbsp;We tried to create an App following these steps, but there was no "Azure App Configuration" item in "APIs my organization uses" section.Could you please clarify, what might be a reason of that item not showing up?&nbsp;As I understood, the cause might be the fact that we don't have a subscription for Azure App Configuration. In fact, the&nbsp;APIs my organization uses&nbsp;section is about our organization's APIs, our Azure App Configuration.But the goal is to use customer's App Azure Configuration, not ours. Could you please confirm if this is achievable?&nbsp;Thanks,Vladimir&nbsp;

Forum Discussion

Multi-Tenant App with dynamic configuration from Azure App Configuration

10 Replies

Resources