I would like the Microsoft Authentication provider for App Service to support multi-tenant applications.
I figured out from this old blog post https://blog.mastykarz.nl/configuring-multi-tenant-authentication-azure-app-service-authentication-options/ that if you remove the issuer, you automatically get support for multi-tenant login.
That looks great, but it also switches back to the v1 authentication endpoint, where I need to configure some extra stuff to get access to the Graph token, as described here: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=command-line#configure-app-service-to-return-a-usable-access-token
I tried these 3 solutions:
- In the Issuer URL field I add the https://login.microsoftonline.com/fbfae7d1-xxxx-47d5-xxxx-e4a38cd0b4fb/v2.0/ URL with the correct tenant. Then I get the correct tokens for the Graph API in the X-MS-TOKEN-AAD-ACCESS-TOKEN header, but I can only log in with that specific tenant.
- If I add https://login.microsoftonline.com/organizations/v2.0/ like I would in a normal app, I get an error from Easy Auth that there is something wrong. (In .NET Core that works, but I have to set it to not validate the issuer, or set a list of issuers that are allowed.) So Azure AD-wise I'm good for logging in, but Easy Auth disallows my request because of a mismatch on the issuer.
- If I clear the Issuer URL field as suggested in the blog post, it reverts to the v1 endpoints (which don't understand the scope parameter) and I'm stuck with compact tokens, as described here: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=command-line#configure-app-service-to-return-a-usable-access-token
The best solution would be to expose the "ValidateIssuer" setting (and set it to false if you pick multi-tenant in the wizard), and as a bonus expose the "ValidIssuers" setting. That way you can set your application to multi-tenant but still control who can actually access it (paying customers, for instance).
I'm also open to suggestions on how to get a token for the Graph API with the issuer field empty. The suggested fix (setting additionalLoginParams to include the correct resource) doesn't work because I set up Easy Auth v2 through the portal and am now not allowed to edit the settings in https://resources.azure.com.
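The issuer problem described in the post comes down to one fact: Azure AD always puts the tenant-specific issuer (`https://login.microsoftonline.com/<tid>/v2.0`, or `https://sts.windows.net/<tid>/` on v1) in the token's `iss` claim, never `common` or `organizations`, so a single static issuer can only ever match one tenant. The following is an added example, not code from the post, from Easy Auth or from Microsoft: a toy token verifier that implements the three policies the post contrasts (one exact issuer, "ValidateIssuer" off, and a "ValidIssuers" allow-list). The tenant ids, audience and the HS256 shared secret are constructed so it runs offline; a real verifier would check an RS256 signature against the issuing tenant's JWKS instead.

```python
"""Issuer validation for multi-tenant Azure AD tokens.

Added example, not Easy Auth's or Microsoft's code: a toy JWT verifier that
shows what the requested ValidateIssuer / ValidIssuers settings would do.
Tokens are HS256-signed with a constructed shared secret so it runs offline;
a real verifier checks the RS256 signature against the tenant's JWKS instead.
"""
import base64
import hashlib
import hmac
import json
import re
import time

SECRET = b"constructed-demo-secret"                 # stand-in for the real key
PAYING = "11111111-1111-1111-1111-111111111111"     # constructed tenant ids
OTHER = "22222222-2222-2222-2222-222222222222"

# Issuer shapes Azure AD puts in the "iss" claim: always tenant-specific,
# never "common" or "organizations", so a static issuer cannot match them all.
ISSUER_V2 = "https://login.microsoftonline.com/{tid}/v2.0"
ISSUER_V1 = "https://sts.windows.net/{tid}/"
ISSUER_RE = re.compile(
    r"^https://(?:login\.microsoftonline\.com/(?P<tid2>[0-9a-fA-F-]{36})/v2\.0"
    r"|sts\.windows\.net/(?P<tid1>[0-9a-fA-F-]{36})/)$"
)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims, key=SECRET):
    """Produce a compact HS256 JWT (toy signing; stands in for Azure AD)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify(token, key=SECRET):
    """Check signature and expiry, return the claims. Raises ValueError."""
    header, payload, sig = token.split(".")
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def check_issuer(claims, expected_issuer=None, validate_issuer=True,
                 valid_issuers=None):
    """Apply one of three issuer policies and return the caller's tenant id.

    - expected_issuer only: Easy Auth today (one tenant, exact match).
    - validate_issuer=False: the requested multi-tenant switch; any Azure AD
      tenant is accepted, so authorization must happen later on "tid".
    - valid_issuers: the requested allow-list (e.g. paying customers only).
    """
    iss = claims.get("iss", "")
    m = ISSUER_RE.match(iss)
    if not m:
        raise ValueError(f"not an Azure AD issuer: {iss}")
    tid = m.group("tid2") or m.group("tid1")
    if claims.get("tid") != tid:                    # iss and tid must agree
        raise ValueError("tid claim does not match issuer")
    if not validate_issuer:
        return tid
    allowed = valid_issuers if valid_issuers is not None else {expected_issuer}
    if iss not in allowed:
        raise ValueError(f"issuer not allowed: {iss}")
    return tid


def decide(token, **policy):
    """Verdict string for logging: 'ok:<tid>' or 'rejected:<reason>'."""
    try:
        return "ok:" + check_issuer(verify(token), **policy)
    except ValueError as exc:
        return "rejected:" + str(exc)


def build_tokens():
    """Constructed sample tokens covering the cases from the post."""
    base = {"aud": "api://constructed-app", "exp": int(time.time()) + 3600}
    tokens = {
        "paying_v2": mint({**base, "iss": ISSUER_V2.format(tid=PAYING), "tid": PAYING}),
        "paying_v1": mint({**base, "iss": ISSUER_V1.format(tid=PAYING), "tid": PAYING}),
        "other_v2": mint({**base, "iss": ISSUER_V2.format(tid=OTHER), "tid": OTHER}),
        # iss names one tenant, tid another: Azure AD never issues this
        "mismatch": mint({**base, "iss": ISSUER_V2.format(tid=PAYING), "tid": OTHER}),
    }
    # Payload edited after signing: the signature check must catch this.
    h, p, s = tokens["other_v2"].split(".")
    forged = json.loads(_b64url_decode(p))
    forged["tid"], forged["iss"] = PAYING, ISSUER_V2.format(tid=PAYING)
    tokens["forged"] = f"{h}.{_b64url(json.dumps(forged).encode())}.{s}"
    return tokens


if __name__ == "__main__":
    single = {"expected_issuer": ISSUER_V2.format(tid=PAYING)}
    allow = {"valid_issuers": {ISSUER_V2.format(tid=PAYING), ISSUER_V1.format(tid=PAYING)}}
    for name, tok in build_tokens().items():
        print(f"{name:10} single={decide(tok, **single)}  "
              f"any={decide(tok, validate_issuer=False)}  list={decide(tok, **allow)}")
```

Running it shows the post's second option failing for the same reason it fails in Easy Auth: configuring `expected_issuer="https://login.microsoftonline.com/organizations/v2.0"` rejects every real token, because no token ever carries that issuer. With `validate_issuer=False` every Azure AD tenant is let in, so the "paying customers only" decision has to be made afterwards on the `tid` claim; the allow-list variant makes that decision at validation time instead.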