How can I seamlessly change an App Registrations "Application ID URI" domain?

2024-04-25T09:54:11.6+00:00

I have a published teams app which includes tabs. The tabs point at Domain A to authenticate the user using "microsoftTeams.authentication.authenticate" and "microsoftTeams.authentication.getAuthToken()". The teams manifest.json contains this section which points to my app registration in Entra:

[image: manifest.json]

I want to move the domain which hosts my teams app authentication flow to Domain B. I can't do that and have authentication continue to work without updating the "Application ID URI" in the "Entra -> App Registration -> [App Name] -> Expose an API" section and making it match the Domain B.

[image: Entra Application ID URI]

If I try to change the tab urls without updating the "Application ID URI" I get this error message in the browser console:

"App resource defined in manifest and iframe origin do not match."

However if I were to change the "Application ID URI" it would break authentication for all the existing users of the app using Domain A (since they would get the same error) until the manifest is submitted to Microsoft and is approved, this takes time and would make the app inaccessible during this time.

I have considered switching to a new app registration however this is not feasible since existing users have already granted permissions to the existing app registration. It does not seem possible to have multiple valid Application ID URIs as Entra only provides one textbox for this property.

How can I seamlessly switch to a new domain, or am I stuck with the original domain for all time?

There is a (semi) related SO post here, "App resource defined in manifest and iframe origin do not match", which explains that the tab domain and the application ID URI domain must match.

    Shweta Mathur (Microsoft Employee)
    2024-04-30T11:28:58.1566667+00:00

    Hi @Paul Hill (TMI Systems - Development) ,

    Thanks for reaching out.

    It seems that you want to move the domain which hosts your Teams app authentication flow to Domain B. However, you are concerned that changing the "Application ID URI" in the "Entra -> App Registration -> [App Name] -> Expose an API" section would break authentication for all the existing users of the app using Domain A.

    You are correct that the "Application ID URI" must match the tab domain to avoid the "App resource defined in manifest and iframe origin do not match" error. Unfortunately, it is not possible to have multiple valid Application ID URIs.

    One possible solution is to create a new app registration in Entra for the new domain and update the manifest.json to point to the new app registration. You can then gradually migrate your users to the new app registration by prompting them to re-authenticate with the new domain. This way, you can avoid breaking authentication for all the existing users of the app using Domain A.

    Hope this will help.

    Thanks,

    Shweta
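The mismatch that produces the "App resource defined in manifest and iframe origin do not match" error can be caught before a manifest is submitted, whether for the original registration or the new one suggested in the answer. This added example (not code from the question, the answer, or Microsoft) parses a constructed manifest and compares the host of every tab URL against the host of the `webApplicationInfo.resource` Application ID URI; the extra `validDomains` check is an assumption based on the Teams manifest requirement that tab domains be listed there.

```python
import json
from urllib.parse import urlsplit

# Constructed sample manifest (not the asker's): tabs are served from
# tab.domain-a.example, while the Application ID URI in
# webApplicationInfo.resource still points at tab.domain-b.example.
SAMPLE_MANIFEST = json.dumps({
    "id": "00000000-0000-0000-0000-000000000000",
    "staticTabs": [{"entityId": "home",
                    "contentUrl": "https://tab.domain-a.example/tab"}],
    "configurableTabs": [
        {"configurationUrl": "https://tab.domain-a.example/config"}],
    "validDomains": ["tab.domain-a.example"],
    "webApplicationInfo": {
        "id": "00000000-0000-0000-0000-000000000000",
        "resource": "api://tab.domain-b.example/"
                    "00000000-0000-0000-0000-000000000000",
    },
})


def tab_hosts(manifest: dict) -> set[str]:
    """Collect the hosts that every tab URL in the manifest is served from."""
    hosts = set()
    for tab in manifest.get("staticTabs", []):
        if "contentUrl" in tab:
            hosts.add(urlsplit(tab["contentUrl"]).hostname.lower())
    for tab in manifest.get("configurableTabs", []):
        hosts.add(urlsplit(tab["configurationUrl"]).hostname.lower())
    return hosts


def resource_host(manifest: dict) -> str:
    """Host part of the Application ID URI (api://<host>/<client-id>)."""
    return urlsplit(manifest["webApplicationInfo"]["resource"]).hostname.lower()


def check_manifest(manifest_json: str) -> list[str]:
    """Return one finding per tab host that differs from the Application ID
    URI host, plus one per tab host missing from validDomains."""
    manifest = json.loads(manifest_json)
    expected = resource_host(manifest)
    valid = {d.lower() for d in manifest.get("validDomains", [])}
    findings = []
    for host in sorted(tab_hosts(manifest)):
        if host != expected:
            findings.append(
                f"tab host {host} != Application ID URI host {expected}")
        if host not in valid:
            findings.append(f"tab host {host} missing from validDomains")
    return findings
```

Running `check_manifest(SAMPLE_MANIFEST)` reports the Domain A / Domain B mismatch; once the resource host is changed to match the tab host, the check returns an empty list.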

