Changing “signInAudience” to “AzureADMultipleOrgs” in aad.template.json throws "Values of identifierUris property must use a verified domain of the organization " error.

Godhwani, Naina 41 Reputation points
2022-11-04T10:03:54.097+00:00

We have a Teams app which was created using the Teams Toolkit "SSO Enabled Tab" option. This app is single-tenant by default and we want to convert it to multi-tenant. We are following the steps mentioned in "https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app" to do the same. When I update the aad.template.json file, change the value of signInAudience to AzureADMultipleOrgs, and then run provisioning using Teams Toolkit, I get an error: "Failed to update application in Azure Active Directory. Please make sure 'templates/appPackage/aad.template.json' is valid: Request failed with status code 400 Detailed error: Request failed with status code 400. Reason: Values of identifierUris property must use a verified domain of the organization ". On changing the value back to AzureADMyOrg, provisioning is successful. Has anyone faced a similar issue?


Accepted answer
  1. Shweta Mathur 27,936 Reputation points Microsoft Employee
    2022-11-08T06:13:16.19+00:00

    Hi @Godhwani, Naina ,

    Thanks for reaching out.

    identifierUris in the manifest is the Application ID URI, which is used to uniquely identify the scopes of your custom API and is set while exposing the scopes to another application; hence that entry has to be globally unique. You can either use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api.

    Switching an app registration from single- to multi-tenant can sometimes fail due to Application ID URI (App ID URI) name collisions.

    I would always recommend a fresh setup for the app registration, if that is a possibility on your end, and setting an App ID URI which always generates a globally unique App ID URI in the case of multi-tenant applications, or a verified customer-owned domain.

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.
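
A pre-provisioning check for the situation discussed above, added here as an example; it is not part of the original answer and is not Teams Toolkit or Microsoft code. It models only the two Application ID URI forms the answer names (`api://<appId>` and an `https` URI on a verified domain), which is narrower than the service's full rule set. The manifest is assumed to be already resolved (no template placeholders), and the function names, the sample manifest and the list of verified domains are all constructed for illustration.

```python
from urllib.parse import urlsplit

# signInAudience values that make the app registration multi-tenant.
MULTI_TENANT = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def on_verified_domain(host, verified_domains):
    """True if host equals a verified domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower())
               for d in verified_domains)


def review_identifier_uris(manifest, verified_domains):
    """Return [(uri, reason)] for URIs to review before going multi-tenant."""
    if manifest.get("signInAudience") not in MULTI_TENANT:
        return []  # single-tenant: the question reports provisioning succeeds
    app_id = str(manifest.get("appId", "")).lower()
    findings = []
    for uri in manifest.get("identifierUris", []):
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if parts.scheme == "api":
            # Default form from the answer: api://<application-client-id>
            if app_id and host == app_id and parts.path in ("", "/"):
                continue
            findings.append((uri, "api:// URI is not api://<appId>"))
        elif parts.scheme == "https":
            if on_verified_domain(host, verified_domains):
                continue
            findings.append((uri, f"host {host!r} is not a verified domain"))
        else:
            findings.append((uri, f"unexpected scheme {parts.scheme!r}"))
    return findings


# Constructed sample manifest (not taken from the question).
SAMPLE = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "signInAudience": "AzureADMultipleOrgs",
    "identifierUris": [
        "api://11111111-2222-3333-4444-555555555555",
        "https://contoso.com/api",
        "api://tab.example.net/11111111-2222-3333-4444-555555555555",
        "https://contoso.com.evil.example/api",  # suffix look-alike host
    ],
}

if __name__ == "__main__":
    for uri, reason in review_identifier_uris(SAMPLE, ["contoso.com"]):
        print(f"REVIEW {uri}: {reason}")
```

A flagged URI is a prompt to review that entry before changing signInAudience, not a prediction that the update will be rejected.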
