Home

Multi-tenant SaaS application integration with tenants in microsoftonline.com and microsoftonline.de

%3CLINGO-SUB%20id%3D%22lingo-sub-100792%22%20slang%3D%22en-US%22%3EMulti-tenant%20SaaS%20application%20integration%20with%20tenants%20in%20microsoftonline.com%20and%20microsoftonline.de%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-100792%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20forums!%26nbsp%3BLooking%20for%20some%20help%2Fadvice%20for%20the%20following%20situation%3A%26nbsp%3B%3CSPAN%3EI%20have%20an%20existing%20web%20app%20that%20we%20will%20be%20adding%20Azure%20AD%20sign%20in%20for.%20The%20application%20is%20multi-tenanted%20and%20users%20currently%20sign%20on%20using%20our%20username%20and%20password%20system.%20The%20tenants%20we%20have%20may%20be%20using%20an%20Azure%20global%20account%20or%20an%20Azure%20Germany%20account.%20Since%20Microsoft%20Azure%20services%20for%20Azure%20AD%20are%20not%20dependent%20on%20a%20specific%20region%20I%20didn't%20think%20this%20would%20be%20an%20issue%20(see%20security%20%2B%20identity%20section%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fregions%2Fservices%2F%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%3CSPAN%3E).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ETo%20begin%20with%20I%20have%20been%20looking%20over%20the%20documentation%20and%20following%20the%20Azure%20samples%20for%20multi-tenanted%20web%20apps%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure-Samples%2Factive-directory-dotnet-webapp-multitenant-openidconnect%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20The%20sample%20app%20is%20the%20base%20of%20my%20initial%20trial%20to%20see%20how%20all%20of%20this%20works%20and%20how%20it%20can%20then%20be%20put%20into%20our%20own%20system.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20my%20sample%20Azure%20app%20is%20registered%20on%20the%20global%20version%20of%20Azure.%20The%20sign%20up%20process%20is%20successful%20for%20a%20test%20tenant%20on%20the%20global%20site.%20The%20problem%20comes%20from%20the%20Germany%20test%20tenant.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20the%20app%20directs%20the%20user%20to%20the%20Germany%20login%20endpoint%20they%20are%20prompted%20for%20consent%20as%20expected.%20The%20application%20sitting%20in%20the%20global%20Azure%20is%20then%20also%20copied%20into%20the%20Germany%20tenant's%20Enterprise%20Application%20area%20(you%20can%20see%20it%20click%20on%20it%20to%20see%20the%20information%20and%20publisher%20-%20which%20actually%20says%20%22Foreign%20Cloud%20Applications%22).%20So%20that%20seems%20to%20have%20worked%20out%20ok%20also.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%2C%20the%20original%20Azure%20sample%20makes%20use%20of%20the%20Graphs%20API%20to%20retrieve%20the%20tenant%20ID%20for%20onboarding.%20Because%20this%20has%20a%20different%20endpoint%20in%20Azure%20Germany%20and%20Azure%20Global%20I%20assume%20it%20uses%20region%20specific%20feature.%20Attempts%20to%20use%26nbsp%3BAcquireTokenByAuthorizationCode%20as%20the%20sample%20does%20give%20the%20following%20error%3A%26nbsp%3B%3CEM%3EAADSTS70002%3A%20Error%20validating%20credentials.%20AADSTS50012%3A%20Invalid%20client%20secret%20is%20provided.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20code%20from%20the%20sample%20app%3A%26nbsp%3B%3C%2FP%3E%3CPRE%3E%2F%2F%20---If%20the%20response%20is%20indeed%20from%20a%20request%20we%20generated%20%3CBR%20%2F%3E%2F%2F%20------get%20a%20token%20for%20the%20Graph%2C%20that%20will%20provide%20us%20with%20information%20abut%20the%20caller%20%3CBR%20%2F%3EClientCredential%20credential%20%3D%20new%20ClientCredential(%20context.IdaClientID%2C%20context.Password%20)%3B%20%3CBR%20%2F%3EAuthenticationContext%20authContext%20%3D%20new%20AuthenticationContext(%20context.IdaAzureActiveDirectoryInstance%20)%3B%20%3CBR%20%2F%3EAuthenticationResult%20result%20%3D%20authContext.AcquireTokenByAuthorizationCode(%20code%2C%20new%20Uri(%20Request.Url.GetLeftPart(%20UriPartial.Path%20)%20)%2C%20credential%20)%3B%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20mean%20time%20I%20have%20been%20getting%20around%20this%20by%20replacing%20that%20part%20of%20the%20sample%20with%20an%20authentication%20challenge%20request%20on%20the%20owin%20context.%3C%2FP%3E%3CPRE%3EHttpContext.GetOwinContext(%20).Authentication.Challenge(%20new%20AuthenticationProperties%20%7B%20%3CBR%20%2F%3E%20%20%20%20RedirectUri%20%3D%20%22%2FOnBoarding%2FStep2%3Fstate%3D%22%20%2B%20myTenant.IssValue%20%7D%2C%20%22AzureAD%22%20)%3B%3C%2FPRE%3E%3CP%3EThis%20passes%20and%20gives%20me%20access%20to%20a%20ClaimsPrinciple%20from%20which%20the%20tenant%20ID%20can%20be%20found%20and%20link%20the%20Azure%20tenant%20to%20the%20local%20DB%20tenant.%20But%20since%26nbsp%3Ball%20the%20samples%20I%20have%20seen%26nbsp%3Bget%20the%20token%20for%20the%20Graph%20API%20I%20wasn't%20entirely%20sure%20that%20the%20work%20around%20was%20ok...%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20the%20application%20has%20no%20intention%20of%20using%20the%20Graph%20API%20does%20it%20matter%3F%20Or%20does%20the%20whole%20situation%20really%20require%20an%20app%20registration%20in%20the%20Global%20site%20for%20tenants%20residing%20on%20global%20and%20one%20in%20the%20Germany%20site%20for%20those%20tenants%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-100792%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EGraph%20API%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Tarah C
Frequent Visitor

Hello forums! Looking for some help/advice for the following situation: I have an existing web app that we will be adding Azure AD sign in for. The application is multi-tenanted and users currently sign on using our username and password system. The tenants we have may be using an Azure global account or an Azure Germany account. Since Microsoft Azure services for Azure AD are not dependent on a specific region I didn't think this would be an issue (see security + identity section here).

 

To begin with I have been looking over the documentation and following the Azure samples for multi-tenanted web apps here. The sample app is the base of my initial trial to see how all of this works and how it can then be put into our own system.

 

So, my sample Azure app is registered on the global version of Azure. The sign up process is successful for a test tenant on the global site. The problem comes from the Germany test tenant.

 

When the app directs the user to the Germany login endpoint they are prompted for consent as expected. The application sitting in the global Azure is then also copied into the Germany tenant's Enterprise Application area (you can see it click on it to see the information and publisher - which actually says "Foreign Cloud Applications"). So that seems to have worked out ok also.

 

But, the original Azure sample makes use of the Graphs API to retrieve the tenant ID for onboarding. Because this has a different endpoint in Azure Germany and Azure Global I assume it uses region specific feature. Attempts to use AcquireTokenByAuthorizationCode as the sample does give the following error: AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.

 

The code from the sample app: 

// ---If the response is indeed from a request we generated 
// ------get a token for the Graph, that will provide us with information abut the caller
ClientCredential credential = new ClientCredential( context.IdaClientID, context.Password );
AuthenticationContext authContext = new AuthenticationContext( context.IdaAzureActiveDirectoryInstance );
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode( code, new Uri( Request.Url.GetLeftPart( UriPartial.Path ) ), credential );

 

In the mean time I have been getting around this by replacing that part of the sample with an authentication challenge request on the owin context.

HttpContext.GetOwinContext( ).Authentication.Challenge( new AuthenticationProperties { 
RedirectUri = "/OnBoarding/Step2?state=" + myTenant.IssValue }, "AzureAD" );

This passes and gives me access to a ClaimsPrinciple from which the tenant ID can be found and link the Azure tenant to the local DB tenant. But since all the samples I have seen get the token for the Graph API I wasn't entirely sure that the work around was ok...  

 

If the application has no intention of using the Graph API does it matter? Or does the whole situation really require an app registration in the Global site for tenants residing on global and one in the Germany site for those tenants?

 

 

Related Conversations
restrict yammer group creation
Robert Woods in Yammer on
31 Replies
Office 365 Video in Yammer
Martijn Olislaegers in Yammer on
4 Replies
Yammer Embed Configuration
Steve Brown in Yammer on
4 Replies