Microsoft Teams | Development
Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs
Domain Configuration Challenges for Multi-Tenant Teams App with SSO Across Azure and M365 Tenants
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 47%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Swen Meeuwes
0
Reputation points
Hi,
We are creating a multi-tenant personal teams app with SSO enabled, but are running into some issues surrounding our development environment set-up.
Due to some legacy reasons, we are developing the teams app in two different tenants:
- Tenant A (Azure): Containing our Azure services.
- Tenant B (M365): We use for testing the app in teams.
In the Teams toolkit I am also logged in with different accounts for Azure and M365.
The issue I am having is the domain. You can only 'bind' a (trusted) domain to one tenant and our app is 'hosted' in tenant A, but 'registered' (through an app registration in entra id) in tenant B.
I have set-up the domains like so:
- Tenant A (Azure), trusted domains:
-
test.<myapp>.com -
acceptance.<myapp>.com
-
- Tenant B (M365), custom domains:
-
id.<myapp>.com- the app uses subdomains of this (sub)domain, e.g.
test.id.<myapp.com>
- the app uses subdomains of this (sub)domain, e.g.
-
This set-up solved previous issues that I had, such as:
- [Error] - code:AadAppClient.HostNameNotOnVerifiedDomain, message: Unable to set identifierUri because the value is not on verified domain: Values of identifierUris property must use a verified domain of the organization or its subdomain.
- AADSTS500011: The resource principal named api://<app>.westeurope.azurecontainerapps.io/<client_id> was not found in the tenant named <Tenant B (M365)>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
But I don't think this set-up will work either as I am now running into the following error:
- Get SSO token failed with error: App resource defined in manifest and iframe origin do not match.
How should I configure the domains to work correctly for my situation (two tenants)?
Microsoft Teams | Development
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2024-09-23T13:31:42.6766667+00:00 Thank you for reporting this, we will check this and get back to you.
-
Anonymous
2025-03-11T12:35:11.9233333+00:00 When creating a multi-tenant app, please note that it is essential to register the app in the tenant that will be the "home" for the app. The tenant you chose will be the developer (app vendor) for that tenant only or for multiple tenants if the app is multi-tenant. To resolve the
Get SSO token failed with error: App resource defined in manifest and iframe origin do not matchissue, you need to ensure that the app resource defined in the manifest matches the iframe origin. This involves verifying the domains and subdomains used in both tenants and ensuring that they are correctly configured and trusted.
Sign in to comment
Sign in to answer