Please bear with me as I’m a little confused about this topic in general.
I’m building a teams app with the visual studio code teams toolkit with the aim to publish it on the teams store. The app will use SSO and then I will call the dynamics 365 API to retrieve data.
I initially thought that the app registration for this app would sit on my own Azure account (which I have logged into on VS Code); however, after testing the provisioning of resources I can see it sits on the Microsoft 365 tenant that I am using for testing instead.
This has confused everything in my head and I have a few questions that I can’t seem to get to the bottom of.
- If the app is sitting on the tenant of whoever downloads the app, can I use a single-organisation SSO instead of multiple-organisation, since the app registration will be in the same tenant as the user? I’m finding this point confusing as I wish to release the app to multiple organisations, but each organisation will only be accessing Dynamics data from within their own environment.
- With the registration being on the Microsoft 365 tenant, I’m not sure how I can assign permissions to the app registration which, for example, will let me make calls to the Graph and Dynamics 365 APIs. If it was on my own Azure account I understand that I can go onto the registration and add an API permission; however, I am not sure how I can get it so these permissions are automatically present when a user downloads the app onto their tenant.
Sorry for the essay, any help clarifying all this in my head would be much appreciated.
2 Answers
The app registration is on the tenant of the user who downloads the app, so you can use a single-organization SSO flow if all the organizations accessing the app have their own separate Dynamics 365 environments. Each organization will authenticate using their own credentials and have access to their own Dynamics data within their environment.
To assign permissions to the app registration for making calls to the Graph and Dynamics 365 API, you need to configure the app registration within the Microsoft 365 tenant. You would need to go to the Azure portal, find the app registration associated with your app, and configure the required API permissions there. These permissions will apply when a user downloads the app onto their tenant.
When users download your app from the Teams store, the app registration is automatically provisioned in their own tenant, and they will need to grant the necessary permissions during the installation process. The permissions you configured in your app registration will be requested during the installation, and users will have the option to consent to those permissions.
Yes, you can create a single-tenant (SSO) application to access the APIs. If you want other organizations to access the application, then create a multi-tenant application.
I created an Azure AD Single Tenant Application and granted Graph API permissions:
If the admin grants consent, then all the users will be able to sign in and call the API based on the permissions granted.
As a sample, I used the endpoint below to authorize the users:
Once the user signs in, the auth code is generated:
I generated the access token using the parameters below via Postman:
Using the above access token, the user in the tenant can call the Microsoft Graph API and query the user’s data in the tenant.
To access or call the Dynamics 365 API, grant the API permission to the application and follow the same steps:
Note: you cannot call or access two APIs using only one access token; you have to generate an access token separately for each API.
Reference:
Single and multi-tenant apps in Azure AD – Microsoft Entra
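The authorize-then-token flow this answer walks through, with the "one access token per API" point checked in code. This is an added example, not code from the answer or from Microsoft; it assumes placeholder tenant/client values, and the tokens it inspects are constructed, unsigned JWTs so it runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# Microsoft identity platform v2.0 endpoints (real); tenant/client values below are placeholders.
AUTHORITY = "https://login.microsoftonline.com"
# Well-known application ID of Microsoft Graph; Graph tokens may carry either value as 'aud'.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def build_authorize_url(tenant_id, client_id, redirect_uri, scope, state):
    """Step 1: send the user to /authorize of the single tenant; the auth code returns on redirect_uri."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,            # e.g. https://graph.microsoft.com/.default
        "state": state,            # opaque value to check on return (binds response to request)
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{urlencode(params)}"

def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri, scope):
    """Step 2: the form body posted to /token to redeem the code (what the answer did in Postman)."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": scope,            # the resource this token is for; Dynamics needs its own request
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", form

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_audience(access_token):
    """Read 'aud' from the JWT payload. Not signature validation (the API does that); it only
    tells the client which resource the token was issued for."""
    return json.loads(_b64url_decode(access_token.split(".")[1])).get("aud")

def token_fits_api(access_token, accepted_audiences):
    """One token serves one resource: a Graph token must not be sent to Dynamics, or vice versa."""
    return token_audience(access_token) in accepted_audiences

def fake_jwt(claims):
    """Constructed, unsigned token for the offline demo; real tokens are signed by Entra ID."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

For Dynamics, repeat the token request with the org's own scope (for example `https://<org>.crm.dynamics.com/.default`) and route each token only to the API whose audience it carries.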