Forum Discussion
Multi tenant Teams app with Custom claims and Certificate for signing
Please let us know if you are getting any error after removing the assertion from the body.
If yes, you can revert it back.
Regarding multitenant,
If your app is enabled for multi-tenant, your application will work for the M365 tenant; otherwise, you need to run the Graph API from the application registration tenant only.
Please let us know if you need any further help here.
I have removed the assertion and am getting this error now.
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid." Below are the steps I followed for signing (https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custom-signing-key)
1. Created a cert and uploaded to the web app
2. Made graph call as mentioned in the article with service principal set to app registration in the Teams/M365 tenant id. And this was successful.
3. Made graph call as mentioned in the article with service principal set to app registration in the Host Tenant id. And got bad request.
Is the 3rd step necessary? Any other steps I'm missing?
I have attached the SSOAuthHelper.cs file changes I made.
- Srihari_333, Dec 08, 2023, Copper Contributor
I tried both POST and PATCH calls for custom signing
Post - https://graph.microsoft.com/v1.0/servicePrincipals/{id}/microsoft.graph.addKey
Patch - https://graph.microsoft.com/v1.0/servicePrincipals/{id}
Getting 403 error with Post - "Forbidden - 403 - 376ms. Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab". In the modify permissions tab, I have got all the permissions. Also, I got admin privileges as well.
With Patch request, getting 400 error - "Property keyCredentials is invalid."
I generated the JSON request using the PowerShell script in this article - https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custom-signing-key. Please let me know if I'm missing any steps or how do I get the custom signing setup?
- ChetanSharma-msft, Dec 08, 2023, Microsoft
Hello Srihari_333 - Your issue is more related to Identity rather than Teams Platform specific.
Please raise it on Microsoft QnA so that Identity experts can help resolve: