
Please bear with me as I’m a little confused about this topic in general.

I’m building a teams app with the visual studio code teams toolkit with the aim to publish it on the teams store. The app will use SSO and then I will call the dynamics 365 API to retrieve data.

I initially thought that the app registration for this app would sit on my own Azure account (which I have logged into on VS Code), however after testing the provisioning of resources I can see it sits on the Microsoft 365 tenant that I am using for testing instead.

This has confused everything in my head and I have a few questions that I can’t seem to get to the bottom of.

  1. If the app is sitting on the tenant of whoever downloads the app, can I use a single organisation SSO instead of multiple organisation since the app registration will be in the same tenant as the user? I’m finding this point confusing as I wish to release the app to multiple organisations but each organisation will only be accessing dynamics data from within their own environment.

  2. With the registration being on the Microsoft 365 tenant, I’m not sure how I can assign permissions to the app registration which, for example, will let me make calls to Graph and the Dynamics 365 API. If it was on my own Azure account I understand that I can go onto the registration and add an API permission, however I am not sure how I can get it so these permissions are automatically present when a user downloads the app onto their tenant.

Sorry for the essay, any help clarifying all this in my head would be much appreciated.

2 Answers


    1. The app registration is on the tenant of the user who downloads the app, so you can use a single organization SSO flow if all the organizations accessing the app have their own separate Dynamics 365 environments. Each organization will authenticate using their own credentials and have access to their own Dynamics data within their environment.

    2. To assign permissions to the app registration for making calls to the Graph and Dynamics 365 API, you need to configure the app registration within the Microsoft 365 tenant. You would need to go to the Azure portal, find the app registration associated with your app, and configure the required API permissions there. These permissions will apply when a user downloads the app onto their tenant.

      When users download your app from the Teams store, the app registration is automatically provisioned in their own tenant, and they will need to grant the necessary permissions during the installation process. The permissions you configured in your app registration will be requested during the installation, and users will have the option to consent to those permissions.

  1. If the app is sitting on the tenant of whoever downloads the app, can I use a single organisation SSO instead of multiple organisation since the app registration will be in the same tenant as the user?

    Yes, you can create Single Tenant (SSO) Application to access the APIs. If you want other organizations to access the application, then create multi-Tenant applications.

    • If you create multi-Tenant application then each organization will only be accessing Dynamics/Graph data within their environment.
    • If you create Single Tenant still the user needs to authenticate with their credentials.

    I created an Azure AD Single Tenant Application and granted Graph API permissions.

    If the admin grants consent, all the users will be able to sign in and call the API based on the permissions granted.

    For example, I used the endpoint below to authorize the users:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
    client_id=ClientID
    &response_type=code
    &redirect_uri=https://jwt.ms
    &response_mode=query
    &scope=https://graph.microsoft.com/.default
    &state=12345

    Once the user signs in, the auth code is generated.

    I generated the access token using the parameters below via Postman:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

    client_id:ClientID
    grant_type:authorization_code
    scope:https://graph.microsoft.com/.default
    code:code
    redirect_uri:https://jwt.ms
    client_secret:ClientSecret

    Using the above access token, the user in the tenant can call the Microsoft Graph API and query the users’ data in the tenant:

    https://graph.microsoft.com/v1.0/users

    To access or call the Dynamics 365 API, grant the API permission to the application and follow the same steps.

    Note: you cannot call or access two APIs using only one access token; you have to generate an access token separately for each API.

    Reference:

    Single and multi-tenant apps in Azure AD – Microsoft Entra
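The authorization-code exchange this answer walks through, written out as an added Python example (it is not code from the answer, from the Teams Toolkit or from Microsoft). It keeps the same confidential-client shape as the Postman steps, so TenantID, ClientID, ClientSecret and the Dynamics environment host (ORG.crm.dynamics.com) are placeholders you would substitute; the Dataverse scope format is an assumption, only the Graph scope comes from the answer. Two things the walk-through does not show are made explicit: the `state` value is generated randomly and checked on the way back (a fixed value like 12345 gives no CSRF protection), and each downstream API resolves to its own audience and therefore its own token, which is the point of the note above.

```python
import json
import secrets
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"

# Every downstream API is its own audience and needs its own access token.
# The Graph scope is the one used in the answer; the Dataverse scope is an
# assumed placeholder, with ORG standing in for the customer's environment name.
RESOURCE_SCOPES = {
    "graph": "https://graph.microsoft.com/.default",
    "dynamics": "https://ORG.crm.dynamics.com/.default",
}


def new_state() -> str:
    """Unguessable per-request state. A fixed value such as 12345 lets an
    attacker-initiated redirect be accepted as the user's own (login CSRF)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant_id, client_id, redirect_uri, resource, state):
    """The same parameters as the answer's authorize request, URL-encoded."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": RESOURCE_SCOPES[resource],
        "state": state,
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Pull the auth code out of the redirect back to redirect_uri.
    The state check happens before the code is used for anything."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri, resource):
    """The token-endpoint form body the answer sent from Postman."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "scope": RESOURCE_SCOPES[resource],
        "code": code,
        "redirect_uri": redirect_uri,
        "client_secret": client_secret,  # only ever sent from the server side
    }
    return url, form


def exchange_code(tenant_id, client_id, client_secret, code, redirect_uri, resource):
    """Network call: POST the form and return the access token (needs connectivity)."""
    url, form = build_token_request(tenant_id, client_id, client_secret, code, redirect_uri, resource)
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def resource_for(api_url):
    """Decide which token an API call needs from its host, so Graph and
    Dynamics calls never share a token."""
    host = urllib.parse.urlsplit(api_url).hostname or ""
    if host == "graph.microsoft.com":
        return "graph"
    if host.endswith(".crm.dynamics.com"):
        return "dynamics"
    raise ValueError("no registered audience for " + host)


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("TenantID", "ClientID", "https://jwt.ms", "graph", state))
    # After sign-in the browser lands on https://jwt.ms/?code=...&state=...;
    # feed that URL to parse_redirect(url, state), then call exchange_code(...)
    # once per resource you intend to call.
```

In a Teams app the token exchange runs in your backend, which is where the client secret stays; the browser side only ever sees the authorize URL and the redirect. `resource_for` is what keeps a Graph token from being replayed against a Dynamics endpoint: the call site asks which audience it needs and the backend fetches or caches a token per audience.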
