Forum Discussion
Multi tenant Teams app with Custom claims and Certificate for signing
I'm creating a multi-tenant Teams app on .NET, using this sample for now (https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/csharp).
The OBO (On-Behalf-Of) flow seems to be recommended in this case. I'm trying to make a Graph call to get an access token with custom claims mapped.
1. Added the certificate to the Azure Web App and to the app registration.
2. Modified the app to use the Microsoft.Identity.Web library. Updated it to generate a JWT signed with the cert, use that as the client assertion, and add it to the auth header as well.
3. When I had the acceptMappedClaims value set to true, the app worked for multiple tenants and was able to return custom claims.
I'm trying to configure a signing key in Azure AD using the Graph API call mentioned here: https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custom-signing-key.
//var body = $"assertion={idToken}&requested_token_use=on_behalf_of&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id={configuration[ClientIdConfigurationSettingsKey]}@{configuration[TenantIdConfigurationSettingsKey]}&client_secret={configuration[AppsecretConfigurationSettingsKey]}&scope=https://graph.microsoft.com/User.Read";
var body = $"assertion={idToken}&client_assertion={token}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&requested_token_use=on_behalf_of&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id={configuration[ClientIdConfigurationSettingsKey]}@{configuration[TenantIdConfigurationSettingsKey]}&scope=https://graph.microsoft.com/User.Read";
The OBO flow sample passes the ID token as the assertion along with the client secret. For a certificate, it is mentioned to use client_assertion, so I modified the line in SSOAuthHelper.cs and added the client assertion. The comment has the unmodified line.
1. Does the idToken need to be removed from the body?
2. I also tried custom signing through the Graph call mentioned in the article. Does this need to be run against the app registration in the tenant in which the app is hosted, or should it be the M365 tenant?
Really appreciate any help on this and please let me know if you need more details.
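For reference, here is how the two credentials in the request body above relate to each other, as an added example written for this page (it is not code from the tab-sso sample or from the poster's SSOAuthHelper.cs). In the OBO grant the `assertion` parameter carries the user's incoming token and `client_assertion` plus `client_assertion_type` carry the app's own certificate-signed JWT in place of `client_secret`; the two are independent parameters. The example assumes `clientId` and `tenantId` are the app registration values, `certificate` is an `X509Certificate2` that holds the private key matching the public key uploaded to the app registration, and `userToken` is the token Teams handed the tab (the value the post calls idToken). It uses the `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.Tokens` packages and sends the bare client id rather than the `client_id@tenant_id` form used in the sample.

```csharp
// Added example: certificate-signed client assertion and OBO request body.
// Assumed inputs: clientId, tenantId (app registration), certificate (X509Certificate2
// with private key), userToken (token received from Teams, passed as "assertion").
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

public static class OboWithCertificate
{
    // The client assertion is a short-lived JWT the app signs with its own private key.
    // Entra ID verifies the signature against the certificate uploaded to the app registration.
    public static string BuildClientAssertion(string clientId, string tenantId, X509Certificate2 certificate)
    {
        var tokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
        var now = DateTime.UtcNow;

        // X509SigningCredentials makes the handler emit the x5t header (certificate thumbprint),
        // which is how Entra ID selects the matching uploaded certificate.
        var credentials = new X509SigningCredentials(certificate, SecurityAlgorithms.RsaSha256);

        var token = new JwtSecurityToken(
            issuer: clientId,            // iss: the app itself
            audience: tokenEndpoint,     // aud: the token endpoint this assertion will be posted to
            claims: new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, clientId),                 // sub: the app itself
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()) // jti: unique per request, blocks replay
            },
            notBefore: now,
            expires: now.AddMinutes(10), // short lifetime; it is only needed for this one token request
            signingCredentials: credentials);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // OBO request body. The user's token stays in "assertion"; the certificate credential
    // goes in "client_assertion" and replaces "client_secret".
    public static FormUrlEncodedContent BuildOboBody(string clientId, string clientAssertion, string userToken, string scope)
    {
        // FormUrlEncodedContent URL-encodes each value, unlike manual string interpolation.
        return new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["requested_token_use"] = "on_behalf_of",
            ["client_id"] = clientId,
            ["assertion"] = userToken,
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = clientAssertion,
            ["scope"] = scope
        });
    }

    public static async Task<string> RequestGraphTokenAsync(
        HttpClient http, string clientId, string tenantId, X509Certificate2 certificate, string userToken)
    {
        var clientAssertion = BuildClientAssertion(clientId, tenantId, certificate);
        var body = BuildOboBody(clientId, clientAssertion, userToken, "https://graph.microsoft.com/User.Read");

        var response = await http.PostAsync(
            $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token", body);
        var json = await response.Content.ReadAsStringAsync();

        // On failure Entra ID returns an AADSTS error code in the JSON body; surface it instead of
        // throwing away the response.
        if (!response.IsSuccessStatusCode)
            throw new HttpRequestException($"OBO token request failed: {json}");

        return json; // contains access_token for Graph
    }
}
```

When the app already uses Microsoft.Identity.Web or MSAL.NET, the same exchange is done by `ConfidentialClientApplicationBuilder.Create(clientId).WithCertificate(certificate)` followed by `AcquireTokenOnBehalfOf(scopes, new UserAssertion(userToken))`; the library builds and signs the client assertion itself, so the hand-rolled body above is only needed when the raw HTTP call is kept.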
5 Replies
- SaiPratap-MSFT, Former Employee
Srihari_333 - Thanks for reporting your issue. We will check this and update you soon.
- ChetanSharma-msft, Microsoft
Hello Srihari_333 - Sorry for the delay in response.
Please let us know if you are getting any error after removing the assertion from the body.
If yes, you can revert it.
Regarding multi-tenant:
If your app is enabled for multi-tenant, your application will work for the M365 tenant; otherwise you need to run the Graph API from the application registration tenant only.
Please let us know if you need any further help here.
- Srihari_333, Copper Contributor
I have removed the assertion and am getting this error now:
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid." Below are the steps I followed for signing (https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custom-signing-key):
1. Created a cert and uploaded it to the web app.
2. Made the Graph call as mentioned in the article with the service principal set to the app registration in the Teams/M365 tenant ID. This was successful.
3. Made the Graph call as mentioned in the article with the service principal set to the app registration in the host tenant ID, and got a bad request.
Is the 3rd step necessary? Any other steps I'm missing?
I have attached the SSOAuthHelper.cs file with the changes I made.