Error message: App not configured as a multi-tenant application
malle-pietje opened this issue · 11 comments
I tested the OAuth2 integration with my personal Microsoft account and I was able to configure the App for a single-tenant.
Now in a production environment, I'm seeing this error:
(APP_NAME) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
Must I switch to multi-tenant for the App configuration and then restrict access by group(s) or is there a way to pass the suffix for a single-tenant that replaces the "common" part of the default endpoint?
Hi, if you are integrating with personal accounts you need to use the V2.0 endpoint I believe.
Yes, we're using V2.0. Here's the main part of the code:
```php
<?php
// Assumed: the Azure provider from TheNetworg/oauth2-azure (league/oauth2-client based)
use TheNetworg\OAuth2\Client\Provider\Azure;

$provider = new Azure([
    'clientId'     => $azure_client_id,
    'clientSecret' => $azure_client_secret,
    'redirectUri'  => $callback_url,
]);
$provider->defaultEndPointVersion = Azure::ENDPOINT_VERSION_2_0;
$baseGraphUri = $provider->getRootMicrosoftGraphUri(null);
$provider->scope = 'openid profile email offline_access ' . $baseGraphUri . '/User.Read';

// URL to redirect the client to (which then returns the error message)
$authUrl = $provider->getAuthorizationUrl(['scope' => $provider->scope]);
```
Are you getting any sort of AADSTSXXXX error code?
Yes, this one: AADSTS50194
If you have a look in the AAD Manifest for that client, the "signInAudience" claim can take the following values:
AzureADMyOrg - single-tenant (the one the app is registered to)
AzureADMultipleOrgs - multi-tenant
AzureADandPersonalMicrosoftAccount - multi-tenant and personal accounts (e.g. outlook.com)
If you managed to acquire an authorisation code and then access token and used the latter with a personal account, the AAD client Manifest must already be showing:
"signInAudience": "AzureADandPersonalMicrosoftAccount"
OIDC confuses things with endpoints qualified as follows:
https://login.microsoftonline.com/{xyz}/v2.0/.well-known/openid-configuration
where {xyz} is either:
'common' (tenant and personal), or
'organizations' (tenant), or
'consumers' (personal), or
one specific tenant identified by domain name or GUID
so it is worth double-checking what endpoint you hit.
Note that MSFT are now blocking user logon to new multi-tenant apps unless the app "owner" has a Microsoft Partner Network ID (i.e. the owner has undergone MPN verification)
@decomplexity Thanks for the input. I'll request a copy of the manifest to check things.
Looking at your reply, it looks as if I need to specifically set the $tenant property to the tenant id (GUID or domain name) to support a single-tenant setup.
It is strange though that using my personal (dev) Microsoft account I can select single-tenant without providing a tenant id and therefore using the "common" endpoint. No errors are thrown and it all works fine...
@decomplexity Actually I take back that comment on my test set up, it's not set up as single-tenant. The signInAudience is set to: AzureADandPersonalMicrosoftAccount.
Exactly why there isn't a better mapping between signInAudience and the end-point client type (my xyz above) - and in particular why there isn't a signInAudience equivalent of PersonalMicrosoftAccount is known only to MSFT. It seems reasonable (?) to assume that Admin will probably be the set-up tenant, but the clients set up by Admin within that tenant can obviously have different sign-In Audiences.
Indeed a bit odd. It now looks as if things are working after changing the endpoint by updating $tenant with the tenant id for single-tenant apps. Need to now confirm in a different environment.
I'm receiving this same error. In my case is a AzureADMyOrg app only for internal use. How can I specify my tenant instead of the common endpoint? Thanks
In my initial code example I added this to set the tenant id:
```php
$provider->tenant = $tenant_id;
```
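To tie the manifest value to the endpoint segment discussed above, here is an added example (not code from the thread or from the provider library) that derives the value for `$provider->tenant` from the app's `signInAudience`, refusing to fall back to `/common` for a single-tenant app; `resolveTenantSegment`, `discoveryUrl` and the sample inputs are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Assumed: the Azure provider from TheNetworg/oauth2-azure
use TheNetworg\OAuth2\Client\Provider\Azure;

/**
 * Map the app registration's signInAudience (from the AAD manifest) to the
 * {xyz} segment of https://login.microsoftonline.com/{xyz}/v2.0/...
 * A tenant ID (GUID) or verified domain always wins, because a tenant-specific
 * endpoint is valid for every audience.
 */
function resolveTenantSegment(string $signInAudience, ?string $tenantId = null): string
{
    if ($tenantId !== null && $tenantId !== '') {
        return $tenantId;
    }
    switch ($signInAudience) {
        case 'AzureADMyOrg':
            // Single-tenant apps created after 2018-10-15 are rejected on /common
            // with AADSTS50194, so fail early instead of redirecting the user.
            throw new InvalidArgumentException(
                'AzureADMyOrg app: a tenant ID or domain is required (no /common fallback)'
            );
        case 'AzureADMultipleOrgs':
            return 'organizations';           // work/school accounts in any tenant
        case 'AzureADandPersonalMicrosoftAccount':
            return 'common';                  // tenant accounts and personal accounts
        default:
            throw new InvalidArgumentException("Unknown signInAudience: $signInAudience");
    }
}

/** OIDC discovery document for a given segment, as quoted in the thread. */
function discoveryUrl(string $segment): string
{
    return "https://login.microsoftonline.com/{$segment}/v2.0/.well-known/openid-configuration";
}

// Constructed sample values: signInAudience copied from the manifest, tenant from config.
$segment = resolveTenantSegment('AzureADMyOrg', getenv('AZURE_TENANT_ID') ?: null);

$provider = new Azure([
    'clientId'     => getenv('AZURE_CLIENT_ID'),
    'clientSecret' => getenv('AZURE_CLIENT_SECRET'),
    'redirectUri'  => getenv('AZURE_REDIRECT_URI'),
]);
$provider->defaultEndPointVersion = Azure::ENDPOINT_VERSION_2_0;
$provider->tenant = $segment;                // never 'common' for a single-tenant app
echo discoveryUrl($segment), PHP_EOL;        // confirms which endpoint you actually hit
```

Run with `AZURE_TENANT_ID` unset to see the single-tenant guard throw before any redirect is issued, which is the check the thread arrived at by hand.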