elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[o365] multi-tenancy failing #1759

Open smileitjc opened 3 years ago

smileitjc commented 3 years ago

Hi all,

I'm trying to get multi-tenancy working using the o365 module (based on the config listed here), and certificate-based auth is working; however, when adding multiple tenants, as you can only add one application ID, you cannot authenticate against tenants B, C, ... Z and so on.

Nowhere in any documentation have I been able to determine how you can include a second application ID, nor work out if it's possible to use the same application ID across numerous app registrations in Azure.

I've tried to ask about this on the elastic forums but no one seems to know - so I thought I would create an issue as at this stage I'm sure it can't actually be done, or at the very least no one has attempted it.

This is the error you get when you try to use the tenant A, tenant B etc. implementation, but only one application ID: ERROR [input.o365audit] o365audit/input.go:126 Input failed: unable to acquire authentication token for tenant:<redacted tenant B>: refreshing spt token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '[<redacted tenant B>]' was not found in the directory '<REDACTED>'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

As, of course, the application ID specified exists in tenant A but not B. You cannot change the ID when creating an application registration in Tenant B's AzureAD either, it is a read-only field.

Any assistance with this one from anyone who may have created this integration or knows about it would be really helpful.

Thanks
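A triage sketch for the error quoted in the post above, added here as an example and not part of the original issue or of Elastic's code: it groups `o365audit` token failures by tenant and AADSTS code, so a tenant where the application ID is unknown stands out. The log lines and the identifiers in them are constructed placeholders, and the function names are hypothetical.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the error quoted in the issue.
# Tenant and application identifiers are placeholders, not real values.
SAMPLE_LOG = """\
2021-01-01T10:00:00Z ERROR [input.o365audit] o365audit/input.go:126 Input failed: unable to acquire authentication token for tenant:TENANT-B-PLACEHOLDER: refreshing spt token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'APP-ID-PLACEHOLDER' was not found in the directory 'TENANT-B-PLACEHOLDER'. You may have sent
2021-01-01T10:00:05Z INFO [input.o365audit] o365audit/input.go:200 constructed unrelated line
2021-01-01T10:05:00Z ERROR [input.o365audit] o365audit/input.go:126 Input failed: unable to acquire authentication token for tenant:TENANT-B-PLACEHOLDER: refreshing spt token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'APP-ID-PLACEHOLDER' was not found
2021-01-01T10:05:01Z ERROR [input.o365audit] o365audit/input.go:126 Input failed: unable to acquire authentication token for tenant:TENANT-C-PLACEHOLDER: refreshing spt token: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'APP-ID-PLACEHOLDER' was not found in the directory 'TENANT-C-PLACEHOLDER'."}
"""

FAIL_RE = re.compile(
    r"\[input\.o365audit\].*?token for tenant:(?P<tenant>[^:]+): "
    r".*?Status Code = '(?P<status>\d+)'\. Response body: (?P<body>.*)$"
)

# Meaning taken from the error_description text quoted in the issue.
HINTS = {"AADSTS700016": "application ID not found in this tenant's directory "
                         "(not installed or consented to there)"}

def parse_body(body):
    """Return (oauth_error, aadsts_code). Logged bodies may be cut off mid-JSON."""
    try:
        doc = json.loads(body)
        error, desc = doc.get("error"), doc.get("error_description", "")
    except json.JSONDecodeError:
        m = re.search(r'"error":"([^"]+)"', body)  # fallback for truncated JSON
        error, desc = (m.group(1) if m else None), body
    code = re.search(r"AADSTS\d+", desc)
    return error, (code.group(0) if code else None)

def failures_by_tenant(log_text):
    """Map tenant -> {(http_status, oauth_error, aadsts_code): count}."""
    out = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            out[m.group("tenant")][(m.group("status"), *parse_body(m.group("body")))] += 1
    return {tenant: dict(counts) for tenant, counts in out.items()}

if __name__ == "__main__":
    for tenant, counts in failures_by_tenant(SAMPLE_LOG).items():
        for (status, error, code), n in counts.items():
            print(f"{tenant}: {n}x HTTP {status} {error} {code} -> {HINTS.get(code, 'unmapped')}")
```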

elasticmachine commented 3 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

adriansr commented 2 years ago

I'm not sure this was even tested; the Azure configuration is complicated.

Just to be sure, in Azure AD, did you create the "Application" as multi-tenant?

As an alternative, you can just configure two separate integrations, one for each tenant, with a different application ID.

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!