Domain Configuration Challenges for Multi-Tenant Teams App with SSO Across Azure and M365 Tenants
Hi,
We are creating a multi-tenant personal Teams app with SSO enabled, but are running into some issues surrounding our development environment setup.
Due to some legacy reasons, we are developing the Teams app in two different tenants:
- Tenant A (Azure): Containing our Azure services.
- Tenant B (M365): We use for testing the app in Teams.
In the Teams Toolkit I am also logged in with different accounts for Azure and M365.
The issue I am having is the domain. You can only 'bind' a (trusted) domain to one tenant, and our app is 'hosted' in tenant A but 'registered' (through an app registration in Entra ID) in tenant B.
I have set up the domains like so:
- Tenant A (Azure), trusted domains:
  - test.<myapp>.com
  - acceptance.<myapp>.com
- Tenant B (M365), custom domains:
  - id.<myapp>.com
    - the app uses subdomains of this (sub)domain, e.g. test.id.<myapp>.com
This setup solved previous issues that I had, such as:
- [Error] - code:AadAppClient.HostNameNotOnVerifiedDomain, message: Unable to set identifierUri because the value is not on verified domain: Values of identifierUris property must use a verified domain of the organization or its subdomain.
- AADSTS500011: The resource principal named api://<app>.westeurope.azurecontainerapps.io/<client_id> was not found in the tenant named <Tenant B (M365)>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
But I don't think this setup will work either, as I am now running into the following error:
- Get SSO token failed with error: App resource defined in manifest and iframe origin do not match.
How should I configure the domains to work correctly for my situation (two tenants)?
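One way to catch the "App resource defined in manifest and iframe origin do not match" condition before deploying, as an added example (my own code, not from the post or from Teams Toolkit): it assumes the standard Teams manifest fields webApplicationInfo.id, webApplicationInfo.resource, validDomains and staticTabs[].contentUrl, and checks that the host in the SSO resource URI matches the origin serving each tab and is listed in validDomains. The two manifests and the client id are constructed to mirror the setup described above.

```python
"""Validate that a Teams manifest's SSO resource host matches the tab origin."""
import json
from urllib.parse import urlparse

CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real app id

# Constructed manifest: resource on the Tenant B verified subdomain (test.id.<myapp>.com)
# while the tab is still served from the Tenant A host (test.<myapp>.com).
MANIFEST_MISMATCHED = {
    "validDomains": ["test.myapp.com", "test.id.myapp.com"],
    "staticTabs": [{"entityId": "home", "contentUrl": "https://test.myapp.com/tab"}],
    "webApplicationInfo": {"id": CLIENT_ID, "resource": f"api://test.id.myapp.com/{CLIENT_ID}"},
}

# Constructed manifest where the tab is served from the same host as the resource URI.
MANIFEST_CORRECTED = json.loads(json.dumps(MANIFEST_MISMATCHED))
MANIFEST_CORRECTED["staticTabs"][0]["contentUrl"] = "https://test.id.myapp.com/tab"


def check_sso_resource(manifest: dict) -> list:
    """Return a list of findings; an empty list means resource and tab origins line up."""
    findings = []
    info = manifest.get("webApplicationInfo", {})
    resource = urlparse(info.get("resource", ""))
    if resource.scheme != "api" or not resource.netloc:
        return ["webApplicationInfo.resource must look like api://<host>/<client-id>"]
    res_host = resource.netloc.lower()  # netloc keeps the port, as Teams requires
    if resource.path.strip("/") != info.get("id", ""):
        findings.append("resource path must equal webApplicationInfo.id")
    valid = {d.lower() for d in manifest.get("validDomains", [])}
    if res_host not in valid:
        findings.append(f"resource host {res_host} is not listed in validDomains")
    # The iframe origin Teams compares against is the host serving each tab's contentUrl.
    for tab in manifest.get("staticTabs", []):
        tab_host = urlparse(tab.get("contentUrl", "")).netloc.lower()
        if tab_host != res_host:
            findings.append(
                f"tab {tab.get('entityId')} is served from {tab_host} but resource host is {res_host}"
            )
    return findings


if __name__ == "__main__":
    for name, m in (("mismatched", MANIFEST_MISMATCHED), ("corrected", MANIFEST_CORRECTED)):
        print(name, check_sso_resource(m) or "OK")
```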