
I am developing a Teams App which has Tab and Search Message extension as capabilities. The app should support multitenant scenarios, where the app will be deployed on different tenants and should be able to do some operations using the Graph API. Hence I am calling for an On-Behalf-user token. My request fails for these scenarios. When I tried to make the Tab App registration support Multitenant, I received the error below: [image]

And when I am querying for the Graph token, I get a CORS issue: [image]

Let me know what should be my next step.

user25879
  • Have a look at this already answered question; it might help you. https://stackoverflow.com/questions/38317973/no-access-control-allow-origin-header-with-microsoft-online-auth – Hunaid Hanfee-MSFT Dec 07 '21 at 20:19
  • Hey, did you get a chance to look into the solution of the similar issue shared above? – Hunaid Hanfee-MSFT Dec 08 '21 at 11:00
  • Yes, it is getting really complex for us now. We have the requirement to get the Teams Logo binary and save it back to the database along with other info, and the app is going to work on multiple customers. So we wanted an easy solution where not every customer has to give many permissions. We are planning to drop this. Will check the Teams client development, if in future I could get the Team logo without a Graph API call. – user25879 Dec 09 '21 at 11:27
  • I think there are 2 separate questions here: 1) why can the AAD Single tenant app not be changed into a Multi-tenant App registration 2) why does a (OBO) token granted for a Single Tenant App not work against other directories – Jos Verlinde Dec 09 '21 at 13:54
  • @Hunaid Hanfee-MSFT - the link that you shared does not clarify matters; it actually describes a different issue, and there are multiple possible answers. So sadly it is of little use. If you meant to say: Please use ADAL, that would have been much, much clearer – Jos Verlinde Dec 09 '21 at 13:56
  • Please have a look at this doc, to understand [Why changing to multi-tenant can fail](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts#why-changing-to-multi-tenant-can-fail) – Hunaid Hanfee-MSFT Dec 09 '21 at 21:37
  • @user25879 - Hey, did you check this link? – Hunaid Hanfee-MSFT Dec 13 '21 at 10:29
  • It's increasing complexity, hence we dropped it as of now. I don't have my static website right now on a verified domain or a domain that I own. – user25879 Dec 13 '21 at 15:40

2 Answers


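Please have a look at this doc to understand [Why changing to multi-tenant can fail](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts#why-changing-to-multi-tenant-can-fail).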

Key points from the doc are:

  1. Can sometimes fail due to Application ID URI (App ID URI) name collisions.
  2. For a multi-tenant application, the Application ID URI must be globally unique so Azure AD can find the app across all tenants.

Hunaid Hanfee-MSFT

Please take a look at this GitHub issue.

The main reason for this failure is that Azure AD requires a verified domain as the Application ID URI for multi-tenant apps.

Bowen Song
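A pre-flight check for the constraint the answers describe, as an added example that is not part of the original answers: it tests whether each Application ID URI's host falls under one of the tenant's verified domains before the registration is switched to multi-tenant. The function names, the sample domains and URIs, and the subdomain-matching rule are assumptions; Azure AD's own validation remains authoritative.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the original question).
VERIFIED_DOMAINS = ["contoso.com", "contoso.onmicrosoft.com"]
APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app ID
SAMPLE_URIS = [
    f"api://tab.contoso.com/{APP_ID}",       # subdomain of a verified domain
    f"api://evilcontoso.com/{APP_ID}",       # shares a suffix, not a label boundary
    "https://contoso.com.example.net/app",   # verified name used as a prefix
    "https://contoso.com@example.net/app",   # verified name in the userinfo part
    f"api://localhost:3000/{APP_ID}",        # development host
]


def app_id_uri_uses_verified_domain(app_id_uri, verified_domains):
    """True if the URI host equals, or is a subdomain of, a verified domain.

    Only domain-based URIs are checked; other formats are out of scope
    for this example (assumption).
    """
    parts = urlsplit(app_id_uri)
    if parts.scheme not in ("api", "https"):
        return False
    # .hostname drops userinfo and port and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    for domain in verified_domains:
        domain = domain.strip().rstrip(".").lower()
        if not domain:
            continue
        # Match on a DNS label boundary, never on a raw string suffix.
        if host == domain or host.endswith("." + domain):
            return True
    return False


def unverified_uris(identifier_uris, verified_domains):
    """Return the URIs that would not pass the verified-domain check."""
    return [u for u in identifier_uris
            if not app_id_uri_uses_verified_domain(u, verified_domains)]


if __name__ == "__main__":
    for uri in unverified_uris(SAMPLE_URIS, VERIFIED_DOMAINS):
        print("not under a verified domain:", uri)
```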