Currently it appears that for the Microsoft OAuth provider, the initial redirect to Microsoft login is using the /common endpoint; doing this requires that the application in Azure AD is set up as a multi-tenant application. In my use case, this is not desirable because we want to only allow access from users located in our organization and not all people that have a Microsoft account.
The error thrown by Microsoft is:
AADSTS50194: Application ‘xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx’ is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after ‘10/15/2018’. Use a tenant-specific endpoint or configure the application to be multi-tenant.
Is there any way to configure my Microsoft OAuth provider in Backendless to provide my tenant name, thus providing a redirect to Microsoft that allows a single-tenant application to authorize?
There may be ways to filter the user registration by email address or something in the application layer; however, for many security reasons I would like to restrict the access to my application for users on the Azure AD level, thus it is highly desirable that a single-tenant application is supported in the Microsoft provider.
Am I missing something, or is this a feature that simply does not exist yet?
Thank you for having me. So far, I am very impressed as I build out my first app.
Just so your team knows, in order to do a new multi-tenant app setup, starting November 2020 Microsoft now requires the business to become a Microsoft Partner to validate the publisher of the app.
That is not desirable for businesses who are simply moving an app to the Cloud and want/need private auth via Azure AD.
I understand Microsoft’s reasons, as multi-tenant is meant to be a public-facing app, while the single-tenant is meant for private use. Single-tenant has no such requirements, other than not to use the /common endpoint.
I am happy to beta/test/provide feedback as needed; hopefully this is something the team can find time to implement or provide a workaround for, as I am looking to hook into auth in the coming days/weeks.
Unfortunately there is no way to achieve your goal with the predefined Microsoft provider at the moment. But you can try to create your own OAuth2 login provider for this purpose. In this way you will be able to specify your own endpoints for the integration, but the configuration will be trickier.
To create your own custom OAuth2 login provider, go to the “Users” > “Login Providers” page, click the “Add new login provider” button and fill in the configuration fields for your provider.
If you have any questions about the configuration of the custom login provider, feel free to ask them here and I will try to help you.
Could you please try this approach and write back about the results?
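As an added illustration (example code, not part of this thread or of Backendless's own provider settings): a custom provider's authorize URL built against the tenant-specific v2.0 endpoint instead of /common, plus a check that the ID token that comes back was really issued by that tenant for this app. The tenant ID, client ID and token claims are constructed placeholders.

```python
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
# Tenant aliases that route through the multi-tenant/consumer endpoints and
# trigger AADSTS50194 for an app registered as single-tenant.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}

# Constructed placeholder values, not a real tenant or app registration.
SAMPLE_TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000000"
SAMPLE_CLIENT_ID = "bbbbbbbb-0000-0000-0000-000000000000"
SAMPLE_CLAIMS = {  # constructed claims of a decoded v2.0 ID token
    "iss": f"{AUTHORITY}/{SAMPLE_TENANT_ID}/v2.0",
    "tid": SAMPLE_TENANT_ID,
    "aud": SAMPLE_CLIENT_ID,
    "preferred_username": "user@contoso.example",
}


def is_tenant_specific(tenant):
    """True when `tenant` is a tenant ID or verified domain, not a shared alias."""
    return tenant.strip().lower() not in MULTI_TENANT_ALIASES


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """v2.0 authorization URL for a single-tenant app; rejects /common,
    /organizations and /consumers so a misconfiguration fails here rather
    than at Microsoft's login page."""
    if not is_tenant_specific(tenant):
        raise ValueError(f"'{tenant}' is not tenant-specific; use the tenant ID or domain")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def issued_by_tenant(claims, expected_tenant_id, client_id):
    """Check a decoded ID token (after signature verification, not shown):
    `iss` and `tid` must name our tenant and `aud` must be our app, so a
    token minted for another tenant is refused even if /common slipped in."""
    return (
        claims.get("iss") == f"{AUTHORITY}/{expected_tenant_id}/v2.0"
        and claims.get("tid") == expected_tenant_id
        and claims.get("aud") == client_id
    )
```

The token URL follows the same pattern (`/{tenant}/oauth2/v2.0/token`), and the same alias rule applies to it.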
Well that certainly sounds promising, and after a quick look I think this will work for me.
Would you be so kind as to provide me with the current values for your Microsoft provider? I understand that the URLs will need to be the single-tenant version for me; however, it would save me a ton of trial and error to see your current settings for the Microsoft provider. Specifically, I would like to know whether I should use V2 or V1, what scopes you need, whether you are using the MS Graph for user info, the default mappings, etc.
Maybe you can add a new Microsoft Single Tenant provider that makes this easy for the next developer? However, I am very grateful for your assistance and I am super pleased with the platform and service. Great work!
Nice to hear that you have managed to configure single tenant authentication.
About “out of the box” support for single-tenant authentication: we will consider the possibility of adding this type of authentication. It seems that, of all our login providers, only Microsoft supports a “single tenant” mode. We will look for other OAuth2 login providers with this feature and will try to come up with some flexible solution for configuration.
What about offering the ability to do advanced configuration of any provider, where I could modify any of the settings? This would allow any provider to be modified by the end user as needs change, i.e. scope. Of course, a Reset button would reset the settings to factory, just in case we need to get ourselves out of trouble.