Changing “signInAudience” to “AzureADMultipleOrgs” in aad.template.json throws "Values of identifierUris property must use a verified domain of the organization " error.

Question

Changing “signInAudience” to “AzureADMultipleOrgs” in aad.template.json throws "Values of identifierUris property must use a verified domain of the organization " error.

Godhwani, Naina 41

We have a Teams App which is created using Teams Toolkit - SSO Enabled Tab option. This App is single tenant by default and we want to convert it to Multi Tenant. We are following the steps mentioned in "https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app" to do the same. Here when I update the aad.template.json file and change the value of signInAudience to AzureADMultipleOrgs, and then run provisioning using teams toolkit. I get an error - "Failed to update application in Azure Active Directory. Please make sure 'templates/appPackage/aad.template.json' is valid: Request failed with status code 400 Detailed error: Request failed with status code 400. Reason: Values of identifierUris property must use a verified domain of the organization " On changing the value back to AzureADMyOrg, provisioning is successful. Anyone faced similar issue

Nivedipa-MSFT 3,646 Reputation points Microsoft External Staff Moderator

2022-11-04T18:02:33.317+00:00

@Godhwani, Naina - You can track this issue here: https://stackoverflow.com/questions/74315069/update-existing-teams-app-to-multi-tenant-failing-during-provisioning-using-team
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-11-10T09:45:34.473+00:00

Hi @Godhwani, Naina ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.\
Thanks,
Shweta

Accepted answer

0 additional answers

Your answer

Nivedipa-MSFT 3,646 Reputation points Microsoft External Staff Moderator

2022-11-04T18:02:33.317+00:00

@Godhwani, Naina - You can track this issue here: https://stackoverflow.com/questions/74315069/update-existing-teams-app-to-multi-tenant-failing-during-provisioning-using-team
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-11-10T09:45:34.473+00:00

Hi @Godhwani, Naina ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.\
Thanks,
Shweta

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Godhwani, Naina ,

Thanks for reaching out.

identifierUris in the manifest is the Application ID URI which is used to uniquely identify the scopes of your custom api and set while exposing the scopes to another application and hence that entry has to be globally unique. You can either use the default value provided, which is in the form api://<application-client-id> or specify a more readable URI like https://contoso.com/api.

Switching an app registration from single- to multi-tenant can sometimes fail due to Application ID URI (App ID URI) name collisions.

It would always recommend a fresh setup for the app registration, if that is a possibility on your end and set App Id URI which always generates unique App ID URI globally in case of multi-tenant applications or verified customer owned domain.

Hope this will help.

Thanks,
Shweta

---------------------------

Please remember to "Accept Answer" if answer helped you.

Godhwani, Naina 41 Reputation points

2022-11-08T08:55:34.943+00:00

Hi @Shweta Mathur ,
Thanks for your response,
I created a fresh setup with a new SSO enabled Teams App from the scratch. And provisioned the newly created App.
By default this App is a single tenant App, and now I convert it to Multi Tenant using the steps in - "https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app"

We are using our dev tenant and domain ".onmicrosoft.com" to run provisioning and deployment steps.
Can we deploy Multi tenant apps using ".onmicrosoft.com" or do we need a custom domain for this ?
Godhwani, Naina 41 Reputation points

2022-11-08T10:53:40.843+00:00

I updated the values for "Application ID URI" to api://<application-client-id> and followed the steps mentioned in "https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app" to deploy and publish the multi tenant App.
Now should my App be visible to Other Tenants besides the one where it is hosted.
Because I don't see it in the other tenant, are there any more steps that needs to be followed here ?
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-11-08T11:24:10.33+00:00

For a multi-tenant application, the initial registration for the application resides where the application is hosted by developer. When a user from a different tenant sign into the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user’s tenant and application is visible in another tenant.

Refer to understand multi-tenancy in detail: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

As your initial query has been resolved, please "Accept Answer" and "Up-vote" so it would help others in community looking for similar issue. If you have any other question regarding your scenario, please open a new thread for higher visibility.

Thanks,
Shweta

Share via

Changing “signInAudience” to “AzureADMultipleOrgs” in aad.template.json throws "Values of identifierUris property must use a verified domain of the organization " error.

0 additional answers

Your answer