How can we make our app multi-tenant and successfully deploy and render content across multiple organizations?
Problem statement:
Objective: Publish a Microsoft Teams app with a chatbot and tabs integrated.
Steps we took: While working to publish the app, we learned the following:
- The bot is supported and all functionality works as expected.
- The app has integrated tabs in it that are visible on the top of the chat.
- The app shows the hosted content properly and the errors are handled well.
- To start the functionality, details of the user are required as context from Microsoft Graph API. The tab has SSO enabled so it fetches a token from Microsoft.
- It returns an error with token failure that the resource principal name is not found in the current tenant.
- We came to know that our tab does not have multi-tenant support.
- On converting the app to multi-tenant, it threw an error; on analyzing it, we came to know that we need a custom domain to make the app multi-tenant.
Issues:
- The documentation given by the Microsoft team does not align with our scenario, and we are not able to add a custom domain directly to the tab app; we have to add it in the bot and then access it in tabs using "/webtab".
- Following the GitHub Wiki, we configured the app and now it is multi-tenant, supporting our custom domain. But after successful provision and deployment, it is unable to render the required tab.
- For further details refer to: Question on Stack Overflow. After implementing the solution, we achieved multi-tenant with a custom domain.
Active Errors:
- Error inside Teams environment switching to Teams.

```
OutOfRangeInputOne of the request inputs is out of range. RequestId:14e78267-001e-003c-7d43-95bea1000000 Time:2023-06-02T11:12:31.8502077Z
```
- Error when manually opening the CDN URL in a browser

```xml
<Error>
  <Code>InvalidQueryParameterValue</Code>
  <Message>Value for one of the query parameters specified in the request URI is invalid. RequestId:f07560bf-301e-007a-3444-958a26000000 Time:2023-06-02T11:20:23.0757441Z</Message>
  <QueryParameterName>comp</QueryParameterName>
  <QueryParameterValue/>
  <Reason/>
</Error>
```
- If we open the old tab URL in the browser, the content (our app UI) is still rendered there, where we handle the error with the token and the Teams environment dependency (the app can be used inside Teams tabs only) by rendering an AUTH error page. Ignore the content inside, as it is custom text. It is supposed to appear when the admin of the organization has not allowed our app to access organization information. The app takes a token to access the data, and here it is failing, hence the screen is presented.
Primary Questions: For the given scenario.
- What should be our storage domain and endpoint in `templates\azure\provision\azureStorageTab.bicep`?
- What should be `"m365TenantId"`: `"common"` or `"${{AAD_APP_TENANT_ID}}"` in the file `templates\azure\azure.parameters.dev.json`?
- What will be the right value for `"signInAudience": "AzureADMultipleOrgs"` in `aad.manifest.json`?
- What will be the right value for `"identifierUris": [ "api://${{PROVISIONOUTPUT__AZURESTORAGETABOUTPUT__DOMAIN}}/botid-${{BOT_ID}}" ]` in `aad.manifest.json`?

5. Right value for `"auth": { "frontendDomain": "custom.domain.com/webtab" }` in `.backup\.fx\configs\config.local.json`?
7. What would be the value for Application ID Uri in Azure?
8. What should be the auth url `"m365OauthAuthorityHost": "${{AAD_APP_OAUTH_AUTHORITY_HOST}}"` in the file `templates\azure\azure.parameters.dev.json` and Azure aad?
Expected behavior: After implementing multi-tenant, the app should render the tab UI inside Teams or on manually opening the custom domain URL in a browser, but it is not happening.
Teams Toolkit - VS Code Extension Information:
- OS: Windows 10
- Version v5.0.0
We are unable to upload screenshots in forum question hence adding here.
Explored Resources
Tab Multi-tenant handling (Step by step)
- Multi tenancy Support for Azure AD app : https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app
- https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts#why-changing-to-multi-tenant-can-fail
- https://github.com/OfficeDev/TeamsFx/blob/main/docs/fx-core/aad-help.md#action-1-note-frontend-info
- https://github.com/OfficeDev/TeamsFx/blob/main/docs/fx-core/aad-help.md#action-2-provision-cdn-profile-on-azure-portal
- https://learn.microsoft.com/en-us/azure/cdn/cdn-create-new-endpoint
- https://github.com/OfficeDev/TeamsFx/blob/main/docs/fx-core/aad-help.md#scenario-one-setup-cdn-as-storage-custom-domain
- https://learn.microsoft.com/en-us/azure/cdn/cdn-create-new-endpoint#create-a-new-cdn-profile
- After completing all steps => Deployed => https://github.com/OfficeDev/TeamsFx/wiki/Manage-AAD-application-in-Teams-Toolkit#how-to-view-the-aad-app-on-the-azure-portal-for-v5
- Grant tenant-wide admin consent to an application
Error Support
- Self raised query : Adding custom domain to tabs and make it work as multi-tenant
- Error after changing my Application ID URI to CDN endpoint
Similar Resources
- Azure website returns ERR_CONNECTION_RESET error after adding custom domain and SSL Certificate
- Error after changing my Application ID URI to CDN endpoint
- What is the difference between 'Active Directory Custom Domain' and 'App Service Custom Domain'?
- "Blank tabs" on Teams App update deployment (Teams Toolkit)
- Custom domain URL with Azure App Function
- Azure web app website - to a custom domain - does it need SSL certificate upload every few months?
- Azure Front Door custom domain not using correct cert
- Azure CDN - redirect from *.azurewebsites.net to cdn generate ERR_TOO_MANY_REDIRECTS error
- How to add a custom domain to Azure static web app by api
- Azure Websites and wildcard domains
- az staticwebapp hostname
- Custom domains with Azure Static Web Apps
- Configuring custom domains with Azure Front Door
- Tutorial: Configure HTTPS on a Front Door (classic) custom domain
- Cannot update authentication as Multi tenant under registered application in Azure
- Map an existing custom DNS name to Azure App Service
- Adding a custom domain to Azure App Service
- Error AADSTS50011: The redirect URI specified in the request does not match
- "One of the request inputs is out of range" when using Azure Storage PHP SDK
- How to update my Teams app already deployed in Azure?
- Managing custom domain names in your Azure Active Directory
- https://learn.microsoft.com/en-us/azure/virtual-machines/custom-domain?wt.md_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=37f4413221b54953aa1b751b4fb8a130
- https://azure.github.io/AppService/2020/07/28/zero_to_hero_pt5.html#upate-dns
- Azure - New Restrictions To Azurewebsites.net Domain
- What's new for authentication?
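
Added example, not part of the original post or of Teams Toolkit: a cross-check of the values the questions above ask about, comparing `signInAudience` and `identifierUris` from `aad.manifest.json` with `auth.frontendDomain`. It assumes the Teams tab SSO convention that the Application ID URI has the form `api://<tab host>/<client id>` (or `.../botid-<client id>` for a bot plus tab app); the function names, the client ID and `cdn.example.net` are constructed for illustration.

```javascript
// Added example; the sample inputs at the bottom are constructed.
const PLACEHOLDER = /\$\{\{[^}]+\}\}/; // Teams Toolkit variable left unexpanded
const GUID = "[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}";
// Assumed Teams SSO shape: api://<tab host>/<client id> or .../botid-<client id>
const APP_ID_URI = new RegExp(`^api://([^/]+)/(?:botid-)?(${GUID})$`, "i");

// Host of a "host/path" value such as auth.frontendDomain.
function hostOf(domainWithPath) {
  return domainWithPath.replace(/^https?:\/\//i, "").split("/")[0].toLowerCase();
}

// Returns a list of findings; an empty list means the values agree.
function checkTabSsoConfig({ manifest, frontendDomain, clientId }) {
  const findings = [];
  if (manifest.signInAudience === "AzureADMyOrg") {
    findings.push("signInAudience is single-tenant (AzureADMyOrg)");
  }
  const tabHost = hostOf(frontendDomain);
  const uris = manifest.identifierUris || [];
  for (const uri of uris) {
    if (PLACEHOLDER.test(uri)) {
      findings.push(`unresolved placeholder in ${uri}`);
      continue;
    }
    const m = APP_ID_URI.exec(uri);
    if (!m) {
      findings.push(`${uri} is not api://<host>/[botid-]<client id>`);
      continue;
    }
    if (m[1].toLowerCase() !== tabHost) {
      findings.push(`URI host ${m[1]} differs from tab host ${tabHost}`);
    }
    if (m[2].toLowerCase() !== clientId.toLowerCase()) {
      findings.push(`URI id ${m[2]} differs from client id ${clientId}`);
    }
  }
  return findings;
}

// Constructed inputs: a zeroed GUID stands in for the real client id.
const clientId = "00000000-0000-0000-0000-000000000001";
const frontendDomain = "custom.domain.com/webtab"; // value quoted in the post
const good = { signInAudience: "AzureADMultipleOrgs",
  identifierUris: [`api://custom.domain.com/botid-${clientId}`] };
const bad = { signInAudience: "AzureADMyOrg",
  identifierUris: ["api://cdn.example.net/botid-" + clientId,
    "api://${{PROVISIONOUTPUT__AZURESTORAGETABOUTPUT__DOMAIN}}/botid-${{BOT_ID}}"] };
console.log(checkTabSsoConfig({ manifest: good, frontendDomain, clientId }));
console.log(checkTabSsoConfig({ manifest: bad, frontendDomain, clientId }));
```

Run it against the rendered manifest (after Teams Toolkit has substituted its variables), since an unexpanded `${{...}}` in `identifierUris` is reported as a finding rather than compared.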