Multi tenant Teams app with Custom claims and Certificate for signing

Copper Contributor

I'm creating a multi-tenant Teams app on .NET. I'm using this sample for now (https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/csharp).


The OBO (on-behalf-of) flow seems to be recommended in this case. I'm trying to make a Graph call to get an access token with custom claims mapped.

1. Added a certificate to the Azure Web App and the app registration.
2. Modified the app to use the Microsoft.Identity.Web library. Updated it to generate a JWT signed with the cert, use that as the client assertion, and add it to the auth header as well.

3. When I had the acceptMappedClaims value set to true, the app worked for multiple tenants and was able to return custom claims.

I'm trying to configure a signing key in Azure AD using the Graph API call mentioned here - https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custo...

```csharp
// Unmodified line from the sample: the app authenticates with a client secret.
//var body = $"assertion={idToken}&requested_token_use=on_behalf_of&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id={configuration[ClientIdConfigurationSettingsKey]}@{configuration[TenantIdConfigurationSettingsKey]}&client_secret={configuration[AppsecretConfigurationSettingsKey]}&scope=https://graph.microsoft.com/User.Read";

// Modified line: the certificate-signed JWT ({token}) is sent as client_assertion in place of client_secret.
var body = $"assertion={idToken}&client_assertion={token}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&requested_token_use=on_behalf_of&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id={configuration[ClientIdConfigurationSettingsKey]}@{configuration[TenantIdConfigurationSettingsKey]}&scope=https://graph.microsoft.com/User.Read";
```

The OBO flow sample passes the id token as the assertion together with a client secret. For a certificate, it is mentioned to use client_assertion. So I modified the line in SSOAuthHelper.cs and added a client assertion. The comment has the unmodified line.


1. Does the idToken need to be removed from the body?
2. I also tried custom signing through the Graph call mentioned in the article. Does this need to be run against the app registration in the tenant in which the app is hosted, or should it be the M365 tenant?


Really appreciate any help on this and please let me know if you need more details.

5 Replies

@Srihari_333 - Thanks for reporting your issue. We will check this and update you soon.

Hello @Srihari_333 - Sorry for the delay in response.
Please let us know if you are getting any error after removing the assertion from the body.
If yes, you can revert it back.

Regarding multi-tenant:
If your app is enabled for multi-tenant, your application will work for the M365 tenant; otherwise you need to run the Graph API from the application registration tenant only.

Please let us know if you need any further help here.

@ChetanSharma-msft 

I have removed the assertion and am getting this error now.
"AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.". Below are the steps I followed for signing (https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custo...)
1. Created a cert and uploaded it to the web app.
2. Made the Graph call as mentioned in the article with the service principal set to the app registration in the Teams/M365 tenant, and this was successful.
3. Made the Graph call as mentioned in the article with the service principal set to the app registration in the host tenant, and got a bad request.


Is the 3rd step necessary? Are there any other steps I'm missing?


I have attached the SSOAuthHelper.cs file with the changes I made.

I tried both POST and PATCH calls for custom signing:
POST - https://graph.microsoft.com/v1.0/servicePrincipals/{id}/microsoft.graph.addKey
PATCH - https://graph.microsoft.com/v1.0/servicePrincipals/{id}

Getting a 403 error with POST - "Forbidden - 403 - 376ms. Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab". In the Modify permissions tab, I have all the permissions. I also have admin privileges.

With the PATCH request, getting a 400 error - "Property keyCredentials is invalid."

I generated the JSON request using the PowerShell script in this article - https://learn.microsoft.com/en-us/entra/identity-platform/jwt-claims-customization#configure-a-custo.... Please let me know if I'm missing any steps, or how I can get the custom signing set up.
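Both certificate-related pieces in this thread, the client_assertion for the OBO request in the first post and the proof-of-possession JWT that servicePrincipal addKey expects in the post above, are RS256-signed JWTs over an X.509 key, so the following added example (not code from the tab-sso sample or from any poster) builds both with one signing helper using only System.* APIs. Every name here (CertAssertions, SignJwt, ClientAssertion, OboBody, AddKeyProof, AddKeyBody) is assumed for illustration. The x5t header is the base64url SHA-1 thumbprint that Entra ID uses to pick the matching public key; the client assertion's aud is the v2 token endpoint of the tenant being called and client_id is sent bare (no @tenant suffix) in the form body; the addKey proof uses the fixed audience 00000002-0000-0000-c000-000000000000 with iss set to the object id of the service principal, and must be signed by a certificate already registered on that object, which is why the two certificates are separate parameters.

```csharp
// Added example, not from the sample or the thread. Builds the certificate-signed JWTs for
// (1) the OBO client_assertion and (2) the servicePrincipal addKey proof. Names are assumed.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

static class CertAssertions
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Compact JWS, RS256. x5t = base64url(SHA-1 thumbprint) tells Entra ID which registered
    // certificate's public key to verify against.
    public static string SignJwt(X509Certificate2 cert, IDictionary<string, object> claims)
    {
        var header = new Dictionary<string, object>
        {
            ["alg"] = "RS256",
            ["typ"] = "JWT",
            ["x5t"] = B64Url(cert.GetCertHash()),   // GetCertHash() is the SHA-1 thumbprint
        };
        string signingInput =
            B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
            B64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no RSA private key");
        byte[] sig = rsa.SignData(Encoding.ASCII.GetBytes(signingInput),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return signingInput + "." + B64Url(sig);
    }

    // (1) client_assertion: iss and sub are the client id, aud is the token endpoint of the
    // tenant being called, jti is unique per request, lifetime is kept short.
    public static string ClientAssertion(X509Certificate2 appCert, string clientId, string tenantId)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        return SignJwt(appCert, new Dictionary<string, object>
        {
            ["aud"] = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token",
            ["iss"] = clientId,
            ["sub"] = clientId,
            ["jti"] = Guid.NewGuid().ToString(),
            ["nbf"] = now,
            ["exp"] = now + 600,
        });
    }

    // OBO form body: 'assertion' carries the incoming user token; the certificate JWT goes in
    // 'client_assertion' and replaces client_secret. FormUrlEncodedContent handles the encoding.
    public static FormUrlEncodedContent OboBody(
        string userToken, string clientId, string clientAssertion, string scope) =>
        new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["client_id"] = clientId,
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = clientAssertion,
            ["assertion"] = userToken,
            ["requested_token_use"] = "on_behalf_of",
            ["scope"] = scope,
        });

    // (2) addKey proof: signed with a certificate ALREADY registered on the service principal
    // (not necessarily the one being added). aud is fixed, iss is the object id, exp <= 10 min.
    public static string AddKeyProof(X509Certificate2 existingCert, string servicePrincipalObjectId)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        return SignJwt(existingCert, new Dictionary<string, object>
        {
            ["aud"] = "00000002-0000-0000-c000-000000000000",
            ["iss"] = servicePrincipalObjectId,
            ["nbf"] = now,
            ["exp"] = now + 600,
        });
    }

    // JSON body for POST /v1.0/servicePrincipals/{id}/addKey that registers a signing key:
    // a PFX (private key included) as X509CertAndPassword with usage "Sign", plus its password.
    public static string AddKeyBody(byte[] pfxBytes, string pfxPassword, string proof) =>
        JsonSerializer.Serialize(new
        {
            keyCredential = new
            {
                type = "X509CertAndPassword",
                usage = "Sign",
                key = Convert.ToBase64String(pfxBytes),
            },
            passwordCredential = new { secretText = pfxPassword },
            proof,
        });
}
```

Usage: call ClientAssertion with the app's certificate and post OboBody to https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token; for the signing key, call AddKeyProof with a certificate that is already a valid keyCredential on the target service principal, then POST AddKeyBody to the addKey endpoint of that same object. Because the proof must be signed by an existing credential, addKey cannot bootstrap an object that has no key credential at all; the Graph reference directs that case to the update (PATCH) operation on the object instead.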

Hello @Srihari_333 - Your issue is more related to Identity than to the Teams platform.
Please raise it on Microsoft QnA so that Identity experts can help resolve:

Support and help options for Microsoft identity platform developers - Microsoft identity platform | ...