Domain Configuration Challenges for Multi-Tenant Teams App with SSO Across Azure and M365 Tenants

Swen Meeuwes 0 Reputation points
2024-09-23T09:32:31.4966667+00:00

Hi,

We are creating a multi-tenant personal Teams app with SSO enabled, but are running into some issues surrounding our development environment set-up.

Due to some legacy reasons, we are developing the Teams app in two different tenants:

  • Tenant A (Azure): Containing our Azure services.
  • Tenant B (M365): We use for testing the app in Teams.

In the Teams toolkit I am also logged in with different accounts for Azure and M365.

The issue I am having is the domain. You can only 'bind' a (trusted) domain to one tenant and our app is 'hosted' in tenant A, but 'registered' (through an app registration in Entra ID) in tenant B.

I have set up the domains like so:

  • Tenant A (Azure), trusted domains:
    • test.<myapp>.com
    • acceptance.<myapp>.com
  • Tenant B (M365), custom domains:
    • id.<myapp>.com
      • the app uses subdomains of this (sub)domain, e.g. test.id.<myapp>.com

This set-up solved previous issues that I had, such as:

  • [Error] - code:AadAppClient.HostNameNotOnVerifiedDomain, message: Unable to set identifierUri because the value is not on verified domain: Values of identifierUris property must use a verified domain of the organization or its subdomain.
  • AADSTS500011: The resource principal named api://<app>.westeurope.azurecontainerapps.io/<client_id> was not found in the tenant named <Tenant B (M365)>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.

But I don't think this set-up will work either as I am now running into the following error:

  • Get SSO token failed with error: App resource defined in manifest and iframe origin do not match.

How should I configure the domains to work correctly for my situation (two tenants)?
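A pre-flight check for the three values that have to agree in a setup like this, added here as an example (not code from the question or from Microsoft's tooling): the `api://` resource in the manifest, the origin of the tab page, and the verified domains of the tenant holding the app registration. Hostnames, ids and the manifest are constructed placeholders, and the rule that the tab host must equal the resource host is the assumption the check enforces.

```javascript
// Added example, not code from the question or from Microsoft's Teams tooling. It checks
// the three values that have to agree for Teams tab SSO: webApplicationInfo.resource
// (api://<host>/<client_id>) in the manifest, the origin of the tab page Teams loads in
// its iframe (contentUrl), and the verified domains of the tenant holding the app
// registration. Hostnames, ids and the manifest below are constructed placeholders.
function underDomain(host, domains) {
  return domains.some(d => host === d.toLowerCase() || host.endsWith("." + d.toLowerCase()));
}
// Returns a list of problems; an empty list means the configuration is consistent.
function checkSsoConfig(manifest, registrationTenantVerifiedDomains) {
  const problems = [];
  const info = manifest.webApplicationInfo;
  const resource = new URL(info.resource);
  const resourceHost = resource.hostname.toLowerCase();
  if (resource.protocol !== "api:") {
    problems.push(`resource must use the api:// scheme, got ${resource.protocol}`);
  }
  if (resource.pathname.slice(1) !== info.id) {
    problems.push("resource path must be the app registration's client id");
  }
  // Cause of AadAppClient.HostNameNotOnVerifiedDomain: the identifier URI host must
  // sit on a domain verified in the tenant where the app is registered (Tenant B).
  if (!underDomain(resourceHost, registrationTenantVerifiedDomains)) {
    problems.push(`${resourceHost} is not on a verified domain of the registering tenant`);
  }
  if (!underDomain(resourceHost, manifest.validDomains)) {
    problems.push(`${resourceHost} is missing from validDomains`);
  }
  // Cause of "App resource defined in manifest and iframe origin do not match":
  // the host serving the tab must be the host named in the resource URI (assumed exact match).
  for (const tab of manifest.staticTabs) {
    const tabHost = new URL(tab.contentUrl).hostname.toLowerCase();
    if (tabHost !== resourceHost) {
      problems.push(`tab ${tab.entityId} is served from ${tabHost}, resource names ${resourceHost}`);
    }
  }
  return problems;
}

// Constructed manifest mirroring the question: registered in the M365 tenant (verified
// domain id.myapp.example) while the tab is still served from the Azure tenant's domain.
const clientId = "11111111-2222-3333-4444-555555555555";
const manifest = {
  webApplicationInfo: { id: clientId, resource: `api://test.id.myapp.example/${clientId}` },
  validDomains: ["test.id.myapp.example"],
  staticTabs: [{ entityId: "home", contentUrl: "https://test.myapp.example/tab" }],
};
const broken = checkSsoConfig(manifest, ["id.myapp.example"]);           // one origin mismatch
manifest.staticTabs[0].contentUrl = "https://test.id.myapp.example/tab";  // serve the tab from the resource host
const fixed = checkSsoConfig(manifest, ["id.myapp.example"]);            // []
```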
