Create new Microsoft Teams App multitenant


Hi all,

I want to create a personal tab in Microsoft Teams with a multitenant REST API.

My REST API has a client authentication (MSAL) that makes some actions with Graph API and application permission.

I would like to use my REST API application as a multitenant, thus avoiding releasing the application for each client.
I tried to authenticate myself with the "Common" tenant but I can't log in.
I tried to insert a different tenant from the one in which I registered the application, but I have an authentication error.

I can't use user permissions because in some cases I need to do operations with elevated privileges.

I therefore wonder if it is necessary to generate an App Registration for each client. In this case, how can I do this while installing the application?
My application, through App Studio, consists of a ZIP file containing the manifest and the icons.

What is the best way to create a single backend that satisfies a multitenant application? Or how can I register a new "App Registration" when installing the application?

 

Thanks a lot

Andrea


Coincidentally I have the exact same problem, just tried a common tenant app and get the following from the Domains & Permissions section in App Studio:

 

*AAD application id of the app. This id must be a GUID.

My common tenant appId

 

*Resource url of app for acquiring auth token for SSO.

Url of the multi tenant app

 

The ADAL.js app itself doesn't have a tenant, like the OP mentioned:

 
{ tenant: 'common' }

 

This is the result: 

 

AUTHADAL: Event: adal:tokenRenewFailure, code: AADSTS500011: The resource principal named <Url of the multi tenant app> was not found in the tenant named <Tenant I'm attempting to logon against>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

 

Edit: important to say the app works fine outside of the MS Teams IFRAME and the consent has been given to the entire organization


@Andrea Tosato 

 

I tried to write one blog to address the same scenario. More details here: https://msteamssubba.blogspot.com/2020/06/tab-multi-tenant-authentication.html 

 

Overall, you need to create a custom domain and use it for the multi-tenant case. *****.azurewebsites.net is not supported for the multi-tenant case because of security issues. That is the reason you will face the issue below:

 

The resource principal named <Url of the multi tenant app> was not found in the tenant named <Tenant I'm attempting to logon against>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
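
An added example, not written by any poster in this thread: a pre-packaging check over the two App Studio fields quoted above, reporting a non-GUID application id and a resource URL hosted on azurewebsites.net, which the last reply says is not supported for the multi-tenant case. It assumes the fields are stored in the manifest's `webApplicationInfo` object as `id` and `resource`; the function name and both sample manifests are constructed.

```javascript
// Added example: lint the SSO fields of a Teams app manifest before packaging.
// checkWebApplicationInfo and the sample manifests are constructed for illustration.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function checkWebApplicationInfo(manifest) {
  const info = manifest && manifest.webApplicationInfo;
  if (!info) return ["webApplicationInfo is missing"];
  const findings = [];

  // App Studio: "AAD application id of the app. This id must be a GUID."
  if (typeof info.id !== "string" || !GUID_RE.test(info.id)) {
    findings.push("id is not a GUID");
  }

  // App Studio: "Resource url of app for acquiring auth token for SSO."
  let host = "";
  try {
    host = new URL(info.resource).hostname.toLowerCase();
  } catch (err) {
    findings.push("resource is not a parseable URL");
    return findings;
  }
  if (host === "") findings.push("resource has no host");

  // Per the last reply: *.azurewebsites.net is not supported for multi-tenant.
  if (host === "azurewebsites.net" || host.endsWith(".azurewebsites.net")) {
    findings.push("resource host is on azurewebsites.net");
  }
  return findings;
}

// Constructed sample: custom domain, GUID application id.
const sampleCustomDomain = {
  webApplicationInfo: {
    id: "00000000-0000-4000-8000-000000000001",
    resource: "api://tab.contoso.example/00000000-0000-4000-8000-000000000001",
  },
};

// Constructed sample: default App Service host, application id that is not a GUID.
const sampleDefaultHost = {
  webApplicationInfo: {
    id: "my-common-app",
    resource: "api://mytab.azurewebsites.net/my-common-app",
  },
};

console.log(checkWebApplicationInfo(sampleCustomDomain));
console.log(checkWebApplicationInfo(sampleDefaultHost));
```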