TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

Error message: App not configured as a multi-tenant application #129

Closed malle-pietje closed 2 years ago

malle-pietje commented 3 years ago

I tested the OAuth2 integration with my personal Microsoft account and I was able to configure the App for a single-tenant.

Now in a production environment, I'm seeing this error:

(APP_NAME) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

Must I switch to multi-tenant for the App configuration and then restrict access by group(s) or is there a way to pass the suffix for a single-tenant that replaces the "common" part of the default endpoint?

hajekj commented 3 years ago

Hi, if you are integrating with personal accounts you need to use the V2.0 endpoint I believe.

malle-pietje commented 3 years ago

Yes, we're using V2.0. Here's the main part of the code:

use TheNetworg\OAuth2\Client\Provider\Azure;

$provider = new Azure([
    'clientId'     => $azure_client_id,
    'clientSecret' => $azure_client_secret,
    'redirectUri'  => $callback_url,
]);
$provider->defaultEndPointVersion = Azure::ENDPOINT_VERSION_2_0;
$baseGraphUri = $provider->getRootMicrosoftGraphUri(null);
$provider->scope = 'openid profile email offline_access ' . $baseGraphUri . '/User.Read';
// URL to redirect the client to (which then returns the error message)
$authUrl = $provider->getAuthorizationUrl(['scope' => $provider->scope]);

hajekj commented 3 years ago

Are you getting any sort of AADSTSXXXX error code?

malle-pietje commented 3 years ago

Yes, this one: AADSTS50194

decomplexity commented 3 years ago

If you have a look in the AAD Manifest for that client, the ‘signInAudience’ claim can take the following values:

- AzureADMyOrg - single-tenant (the one the app is registered to)
- AzureADMultipleOrgs - multi-tenant
- AzureADandPersonalMicrosoftAccount - multi-tenant and personal accounts (e.g. outlook.com)

If you managed to acquire an authorisation code and then access token and used the latter with a personal account, the AAD client Manifest must already be showing: "signInAudience": "AzureADandPersonalMicrosoftAccount"

OIDC confuses things with endpoints qualified as follows: https://login.microsoftonline.com/{xyz}/v2.0/.well-known/openid-configuration where {xyz} is either: 'common' (tenant and personal), or 'organizations' (tenant), or 'consumers' (personal), or one specific tenant identified by domain name or GUID

so it is worth double-checking what endpoint you hit.

Note that MSFT are now blocking user logon to new multi-tenant apps unless the app ‘owner’ has a Microsoft Partner Network ID (i.e. the owner has undergone MPN verification)

malle-pietje commented 3 years ago

@decomplexity Thanks for the input. I'll request a copy of the manifest to check things.

Looking at your reply, it looks as if I need to specifically set the $tenant property to the tenant id (GUID or domain name) to support a single-tenant setup.

It is strange though that using my personal (dev) Microsoft account I can select single-tenant without providing a tenant id and therefore using the "common" endpoint. No errors are thrown and it all works fine...

malle-pietje commented 3 years ago

@decomplexity Actually I take back that comment on my test set up, it's not set up as single-tenant. The signInAudience is set to: AzureADandPersonalMicrosoftAccount.

decomplexity commented 3 years ago

Exactly why there isn't a better mapping between signInAudience and the end-point client type (my xyz above) - and in particular why there isn't a signInAudience equivalent of PersonalMicrosoftAccount - is known only to MSFT. It seems reasonable (?) to assume that Admin will probably be the set-up tenant, but the clients set up by Admin within that tenant can obviously have different signInAudiences.

malle-pietje commented 3 years ago

Indeed a bit odd. It now looks as if things are working after changing the endpoint by updating $tenant with the tenant id for single-tenant apps. Need to now confirm in a different environment.

josemi-ca commented 3 years ago

I'm receiving this same error. In my case it is an AzureADMyOrg app only for internal use. How can I specify my tenant instead of the common endpoint? Thanks

malle-pietje commented 3 years ago

> I'm receiving this same error. In my case it is an AzureADMyOrg app only for internal use. How can I specify my tenant instead of the common endpoint? Thanks

In my initial code example I added this to set the tenant id:

$provider->tenant = $tenant_id;
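As an added example (not code from this issue or from the oauth2-azure library), the following picks the {tenant} segment of the v2.0 endpoints from the manifest's signInAudience, so an AzureADMyOrg app is never sent to /common (the AADSTS50194 case above), and shows the segment being passed to the provider's `tenant` option. The tenant GUID, client credentials and redirect URI are constructed placeholders; the `tenant` and `defaultEndPointVersion` constructor keys are assumed to map onto the provider's public properties of the same name, and the literal '2.0' is assumed to equal Azure::ENDPOINT_VERSION_2_0.

```php
<?php
declare(strict_types=1);

// Choose the endpoint segment that replaces "common" for a given signInAudience.
// Single-tenant (AzureADMyOrg) apps must use their own tenant GUID or verified domain.
function tenantSegment(string $signInAudience, ?string $tenantId = null): string
{
    switch ($signInAudience) {
        case 'AzureADMyOrg':
            if ($tenantId === null || $tenantId === '' || $tenantId === 'common') {
                throw new InvalidArgumentException(
                    'AzureADMyOrg app: set tenant to the tenant GUID or domain, not "common"'
                );
            }
            return $tenantId;
        case 'AzureADMultipleOrgs':
            // Work/school accounts from any tenant; "organizations" excludes personal accounts.
            return $tenantId ?? 'organizations';
        case 'AzureADandPersonalMicrosoftAccount':
            // Tenant plus personal accounts; /common serves both.
            return $tenantId ?? 'common';
        default:
            throw new InvalidArgumentException("Unknown signInAudience: $signInAudience");
    }
}

// v2.0 OIDC discovery document for the chosen segment (the URL form quoted in the thread).
function discoveryUrl(string $segment): string
{
    return "https://login.microsoftonline.com/{$segment}/v2.0/.well-known/openid-configuration";
}

// Constructed sample values (placeholders, not real identifiers).
$tenantId = '11111111-2222-3333-4444-555555555555';
$segment  = tenantSegment('AzureADMyOrg', $tenantId);

// Provider options; 'tenant' replaces the default "common" segment. Assumed to be
// applied to the provider's public properties via the constructor options array.
$options = [
    'clientId'               => getenv('AZURE_CLIENT_ID') ?: 'placeholder-client-id',
    'clientSecret'           => getenv('AZURE_CLIENT_SECRET') ?: 'placeholder-secret',
    'redirectUri'            => 'https://app.example.com/callback',
    'tenant'                 => $segment,
    'defaultEndPointVersion' => '2.0', // assumed equal to Azure::ENDPOINT_VERSION_2_0
];
// $provider = new \TheNetworg\OAuth2\Client\Provider\Azure($options); // needs Composer install

echo discoveryUrl($segment), PHP_EOL;
```

Calling tenantSegment('AzureADMyOrg') without a tenant throws before any request is made, which surfaces the misconfiguration locally instead of as an AADSTS50194 at sign-in.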