Microsoft oAuth Single Tenant

Currently it appears that for the Microsoft OAuth provider, the initial redirect to Microsoft login uses the /common endpoint; doing this requires that the application in Azure AD is set up as a multi-tenant application. In my use case, this is not desirable because we want to only allow access from users located in our organization and not all people that have a Microsoft account.

The error thrown by Microsoft is

AADSTS50194: Application ‘xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx’ is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after ‘10/15/2018’. Use a tenant-specific endpoint or configure the application to be multi-tenant.

More info can be found at "Use a tenant-specific endpoint or configure the application to be multi-tenant" when signing into my Azure website - Stack Overflow

Is there any way to configure my Microsoft OAuth Provider in Backendless to provide my tenant name, thus providing a redirect to Microsoft that allows a single tenant application to authorize?

There may be ways to filter the user registration by email address or something in the application layer, however for many security reasons I would like to restrict the access to my application for users on the Azure AD level, thus it is highly desirable that a single tenant application is supported in the Microsoft provider.

Am I missing something, or is this a feature that simply does not exist yet?

Thank you all!

Hello @Jason_Lavigne

Welcome to the community and thanks for being interested in Backendless!

I’ve created an internal ticket BKNDLSS-27309 and our engineer will take a look into it as soon as possible.

Regards, Vlad

Hello @vladimir-upirov,

Thank you for having me. So far, I am very impressed as I build out my first app.

Just so your team knows, in order to do a new multi-tenant app setup, starting November 2020 Microsoft now requires the business to become a Microsoft Partner to validate the publisher of the app.

That is not desirable for businesses that are simply moving an app to the cloud and want/need private auth via Azure AD.

I understand Microsoft’s reasons as multi-tenant is meant to be a public facing app, while the single tenant is meant for private use. Single tenant has no such requirements, other than not to use the /common endpoint.

I am happy to beta/test/provide feedback as needed; hopefully this is something the team can find time to implement or provide a workaround for, as I am looking to hook in to auth in the coming days/weeks.

Cheers,

Jay

Hi @Jason_Lavigne ,

Unfortunately there is no way to achieve your goal with the predefined provider for Microsoft at the current moment. But you can try to create your own OAuth2 login provider for this purpose. In this way you will be able to specify your own endpoints for integration, but the configuration will be trickier.

To create your own custom OAuth2 login provider go to the “Users” > “Login Providers” page, click “Add new login provider” button and fill configuration fields for your provider.
If you have any questions about configuration of custom login provider feel free to ask them here and I will try to help you.

Could you please try this approach and write me back about results?

Regards, Andriy

Hello Andriy,

Well that certainly sounds promising, and after a quick look I think this will work for me.

Would you be so kind as to provide me with the current values for your Microsoft provider? I understand that the URLs will need to be the single tenant version for me; however, it would save me a ton of trial and error to see your current settings for Microsoft. Specifically I would like to know if I should use V2 or V1, what scopes do you need, are you using the MS Graph for user info, default mappings, etc.

Thanks a ton, this is one impressive platform.

Cheers,

Jay

Hi @Jason_Lavigne ,

Sure, here is our configuration for default Microsoft login provider:

name = Microsoft
authUrl = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
tokenInfo.url = https://login.microsoftonline.com/common/oauth2/v2.0/token
tokenInfo.auth = NONE
tokenInfo.httpMethod = POST
tokenInfo.paramsPosition = BODY
tokenInfo.contentType = URL_FORM_ENCODED
tokenInfo.scope = https%3A%2F%2Fgraph.microsoft.com%2F.default
userInfoUrl.url = https://graph.microsoft.com/v1.0/users/me
userInfoUrl.httpMethod = GET
userInfoUrl.defaultMappings = { "id": "id", "displayName": "name", "userPrincipalName": "email" }

If you need more information from Microsoft, modify the default mappings appropriately and make sure that the scopes for these fields are provided in Token Scopes.

Regards, Andriy

Amazing!! I got it working just fine, thank you very much. The only changes are as follows:

Auth URL and Token URL are specific to the tenant and can be found in the Endpoints page of the application in the Azure portal.

The Graph User URL changes for single tenant from

https://graph.microsoft.com/v1.0/users/me

to

https://graph.microsoft.com/v1.0/me

And that is it on the Backendless side. On the Azure App side, I also needed to make sure that the permissions were selected correctly. Both of these requirements are listed here.

https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http

Maybe you can add a new Microsoft Single Tenant provider that makes this easy for the next developer? However I am very grateful for your assistance and I am super pleased with the platform and service. Great work!

Cheers,

Jason
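The single-tenant configuration described in the two posts above, worked through end to end as an added example (this is illustrative code written for this page, not Backendless or Microsoft code). It builds the tenant-specific v2.0 authorize and token endpoints, shapes the code exchange the way Andriy's `tokenInfo.*` settings describe (POST, parameters in the body, form-encoded, `.default` scope), applies the `defaultMappings` to a Graph `/v1.0/me` response, and adds the check a practitioner would want on top: confirming the `tid` and `iss` claims of the returned ID token match the expected tenant, so a token minted for some other tenant is rejected even if the endpoint URLs are ever misconfigured. The tenant ID, client values, Graph profile and ID token are all constructed sample data; the JWT decode here is payload-only and assumes the real implementation verifies the signature against the tenant's signing keys before trusting any claim.

```python
"""Single-tenant Microsoft identity platform login: tenant-specific endpoints,
token request shape, home-tenant check and Graph /me mapping. Offline example."""
import base64
import json
from urllib.parse import urlencode

LOGIN_HOST = "https://login.microsoftonline.com"
GRAPH_ME = "https://graph.microsoft.com/v1.0/me"              # single-tenant /me, not /users/me
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"  # tokenInfo.scope, URL-decoded

# Graph field -> Backendless user field, as in the provider's defaultMappings.
DEFAULT_MAPPINGS = {"id": "id", "displayName": "name", "userPrincipalName": "email"}


def endpoints(tenant: str) -> dict:
    """v2.0 endpoints for one tenant (tenant ID GUID or verified domain).
    Passing "common" reproduces the multi-tenant redirect that AADSTS50194 rejects."""
    base = f"{LOGIN_HOST}/{tenant}/oauth2/v2.0"
    return {"authUrl": f"{base}/authorize", "tokenUrl": f"{base}/token", "userInfoUrl": GRAPH_ME}


def authorize_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Initial redirect. `state` must be unguessable and compared on the callback (CSRF)."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": GRAPH_DEFAULT_SCOPE, "state": state}
    return endpoints(tenant)["authUrl"] + "?" + urlencode(params)


def token_request(tenant: str, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Code exchange shaped like tokenInfo.*: POST, params in BODY, URL_FORM_ENCODED, no auth header."""
    body = {"client_id": client_id, "client_secret": client_secret, "grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri, "scope": GRAPH_DEFAULT_SCOPE}
    return {"method": "POST", "url": endpoints(tenant)["tokenUrl"],
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": urlencode(body)}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload only, NO signature check: in production verify the signature (tenant JWKS),
    aud and exp first, then use these claims."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def home_tenant_ok(claims: dict, expected_tid: str) -> bool:
    """True only if the token was issued by the expected tenant (tid and v2.0 issuer both match)."""
    return claims.get("tid") == expected_tid and claims.get("iss") == f"{LOGIN_HOST}/{expected_tid}/v2.0"


def map_user(profile: dict, mappings: dict = DEFAULT_MAPPINGS) -> dict:
    """Apply defaultMappings to a Graph /me response; fail loudly if a mapped field is absent."""
    missing = [src for src in mappings if src not in profile]
    if missing:
        raise ValueError(f"Graph profile lacks mapped fields {missing}; check Azure permissions")
    return {dst: profile[src] for src, dst in mappings.items()}


# ---- constructed sample data (not real tokens or tenant values) ----
TENANT = "11111111-2222-3333-4444-555555555555"


def _fake_jwt(payload: dict) -> str:
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(payload), "unsigned-sample"])


SAMPLE_ID_TOKEN = _fake_jwt({"iss": f"{LOGIN_HOST}/{TENANT}/v2.0", "tid": TENANT,
                             "aud": "sample-client-id", "sub": "sample-subject"})
FOREIGN_ID_TOKEN = _fake_jwt({"iss": f"{LOGIN_HOST}/99999999-0000-0000-0000-000000000000/v2.0",
                              "tid": "99999999-0000-0000-0000-000000000000", "aud": "sample-client-id"})
SAMPLE_PROFILE = {"id": "sample-user-guid", "displayName": "Jay",
                  "userPrincipalName": "jay@contoso.example", "mail": None}


def login(id_token: str, profile: dict, expected_tid: str = TENANT) -> dict:
    """Gate the Graph profile on the tenant check; returns the Backendless-shaped user."""
    if not home_tenant_ok(jwt_claims(id_token), expected_tid):
        raise PermissionError("token not issued by the configured tenant")
    return map_user(profile)


if __name__ == "__main__":
    print(authorize_url(TENANT, "sample-client-id", "https://app.example/callback", "random-state"))
    print(token_request(TENANT, "sample-client-id", "sample-secret", "AUTHCODE", "https://app.example/callback"))
    print(login(SAMPLE_ID_TOKEN, SAMPLE_PROFILE))
```

The `scope` value in the token body URL-encodes to exactly the `https%3A%2F%2Fgraph.microsoft.com%2F.default` string shown in the provider settings above, which is a quick way to confirm a hand-edited custom provider matches the default one. The `home_tenant_ok` check is belt-and-braces: the tenant-specific endpoint already refuses foreign accounts, but enforcing `tid` in the application means a later accidental switch back to `/common` does not silently reopen sign-in to every Microsoft account.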

Hi @Jason_Lavigne,

Nice to hear that you have managed to configure single tenant authentication.
About “out of the box” support for single tenant authentication: we will consider the possibility of adding this type of authentication. It seems that, of all our login providers, only Microsoft supports a “single tenant” mode. We will look for other OAuth2 login providers with this feature and will try to come up with some flexible solution for configuration.

Regards, Andriy

What about offering the ability to do advanced configuration of any provider, where I could modify any of the settings? This could allow any provider to be modified by the end user as needs change, i.e. scope. Of course a Reset button would reset the settings to factory, just in case we need to get ourselves out of trouble.

Cheers.

Jason

Sounds interesting. Thank you for this advice.
I will discuss this feature with the team.

Regards, Andriy
