microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

Implement Multi tenant integration #2404

Open EiffelD opened 8 months ago

EiffelD commented 8 months ago

Hi @weilai-irl ,

Will be implementing your suggestion on -1862-

We are seeing many of these errors and wanted to ask why this could be?

.. All courses have groups created. Processing courses without teams... ... Processing course #770 ...... Adding 1 owners and 0 members to group with ID a1fa36c9-e776-4b32-9b79-2008a41e1af8 ......... Error: Error in API call: As per tenant wide policy guest users are not allowed to be owner of an unified group. ......... Retry #1 ......... Error: Error in API call: As per tenant wide policy guest users are not allowed to be owner of an unified group. ......... Retry #2 ......... Error: Error in API call: As per tenant wide policy guest users are not allowed to be owner of an unified group.

Guest Access is turned on, but not sure why this is occurring.

Regards, D

EiffelD commented 7 months ago

Hi @weilai-irl ,

We had tried to do a new configuration. On step 1 we have the user in the main tenant, but when trying to log in we see the following:

Microsoft Sign in Sorry, but we’re having trouble signing you in.

AADSTS700016: Application with identifier 'c118267e-b667-40c6-b875-57002cf59793' was not found in the directory 'Source tenant'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Troubleshooting details If you contact your administrator, send this info to them. Copy info to clipboard Request Id: 9d4a945d-af52-40cf-9efb-565cccf2cb01 Correlation Id: f1a44f81-3a70-4cbd-bdf1-ed568b4dba9f Timestamp: 2023-11-24T13:39:04Z Message: AADSTS700016: Application with identifier 'c118267e-b667-40c6-b875-57002cf59793' was not found in the directory 'Source tenant'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Flag sign-in errors for review: Enable flagging If you plan on getting help for this problem, enable flagging and try to reproduce the error within 20 minutes. Flagged events make diagnostics available and are raised to admin attention.

Looking at the above, it seems the login request is going to the wrong tenant. The way I believe to fix this would be to route the user to the correct tenant app or create a duplicate app somehow in the source tenant.

Please advise on any information that can get us closer to getting this to work.

Regards, D


EiffelD commented 5 months ago

Hi @weilai-irl ,

We are at a crossroads now with the implementation. We have added a test user as a guest in a different tenant (Destination); we added the user via B2B collaboration in Entra (Azure). Everything looks fine. We tried to log in to Moodle with the user using the UPN from the Destination tenant. The background of the page changes to the correct Destination tenant background, but when we enter the password we get the following:

Your account or password is incorrect. If you don't remember your password

Logging on to the Source tenant Office 365 works fine with the same password but with the UPN from the Source. The Sign-in Activity on the Source tenant does not show any logs for the login attempt. There is no option to view Sign-in logs on the Destination tenant as per the B2B config (management of user passwords is on the Source tenant).

We have a case with MS Support but we are going in circles with them. Is there a way we can route the case to your team for further assistance?

Or do you have any information we can use to test further?

Regards, D

weilai-irl commented 5 months ago

Hi @EiffelD

Sorry for not getting back to you sooner. We had an extremely busy period towards the end of last year, but things are looking better now, so I should be more responsive.

So let me catch up a bit.

I think ultimately what you want to achieve is:

Please review and confirm my understanding, and add any conditions/restrictions/parameters that I overlooked.

To achieve this:

I didn't quite follow the steps in the second and third posts, unfortunately. I'll need to dig a bit deeper once the requirement is clarified. I may need to do some testing as well to see what's possible.

Off the top of my head, I do recall making a proposal 12-18 months ago about complete multi-tenancy support in the plugins, supporting not only SSO, but also Teams integrations. I remember the most significant difficulty was where to create the teams and how to manage access for users from different tenants. It sounds very much like what you need here. I remember a few solutions were proposed, but none was perfect. The effort required was so big that we decided not to proceed at the time. Once we have the requirement clarified, I'll try to find the proposal and see what can be done based on it. I'm afraid it's not going to be an easy task either way.

Regards, Lai

EiffelD commented 5 months ago

Hi @weilai-irl,

Thank you very much for the response. Apologies for the lack of information in the above two posts; let me clarify.

Post 2:

The Guest user account was not manually created in Moodle at the time. This was on the first attempt to log in to Moodle via SSO. The login attempt was looking for the app registration in the Source tenant by the looks of it. We used the UPN in the Destination tenant for this attempt. To progress the login we used the UPN from the Source tenant.

Another item I just noticed on Moodle for this user was the following message:

"Change pending. Open the link sent to you at source_UPN#EXT#destination_domain." This I assume will just be a loop where the link will try to view the app in the Source tenant.

Post 3:

We attempted logging in to Moodle via OpenID Connect SSO using the UPN from the Destination tenant, i.e. where the UPN has the form source_UPN#EXT#destination_domain. The message we got was that the password is incorrect.

Your questions: "I think ultimately what you want to achieve is:

All teachers in one Microsoft tenant. All students in another Microsoft tenant. Users from both tenants need to be able to SSO to Moodle. Teams to be created, and teacher and student Microsoft accounts from both tenants can access."

100% what we want to do. We understand this will not be easy; we are already knee deep in the trenches and will greatly appreciate the assistance. Also, if we can route our current call with MS to you, please let me know how to do this.

Regards, D

ImmortalTreearms commented 4 months ago

Hey all, I'm working through almost an identical scenario. I have a dev server going, and I'm trying to see how this will work. I've tried the /common/ platform login, and really didn't have any success there. So far, the most successful pathway I've found for this is to create the App Registration/Enterprise Application in Azure on both tenants. Running the provided PowerShell script works fine, but you'll need to authenticate a user from the other tenant to it and grant admin consent.

(Note: The PowerShell script itself seems to even occasionally have issues with a specific value being passed to OIDC. Not sure if that's an update to the OIDC side, or in PowerShell, but we'll continue.)

When you run it the first time, make sure to take that application information and add it to your Application ID field, and the applicable secret. Save as the instructions tell you. After that, go back to the IdP and authentication settings and make sure you use Tenant Specific logins at this time to manage the multi-tenancy ("Adding Additional Tenant Screens"). The screen will warn you that you need to grant admin consent again in the config page, but you've already done that through the PowerShell script.

Once your multi-tenant app is registered on both tenants, and you've changed the Login to tenant specific logins, go back and try to set up your additional tenant. In our case we used the "Students" tenant as the primary host, and the "Employee" tenant as the additional. I'm still in the process of testing, but this at least allowed me to get both tenants into the system (and working for SSO).

I know this isn't the most scientific/repeatable answer, but maybe it will at least help to get on the track to get this working. This is the second implementation I've had to do with the M365 Integration, and it is awesome when it works, but the multitenancy settings have been really difficult to work through. Basically, I don't think the /common/ auth pathway is quite working as expected. Having it report that the Application ID couldn't be found on "Microsoft" was a big indicator of that.

I even verified that an additional tenant was not able to log in (I have a separate work account on a totally separate domain that I was able to test this with). Still working through to see how it works in terms of syncing users.

Hope this helps!

Edit: One additional note is that I did switch the login URL back to the /common/ setting in IdP and Authentication settings after all was setup.

ImmortalTreearms commented 4 months ago

Update: Even though multi-tenancy is working here:

[screenshot]

The users do not sync from the other tenant domain at all. I have a regex for user creation set up to accept either "@students.domain.edu" or "@domain.edu", but even clearing that out will not allow creation from the Staff/Faculty domain side.
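The two security-relevant points in this thread are the /common/ login endpoint (which will happily return tokens for users from any Entra ID tenant, so the application has to decide which tenants it trusts) and the domain regex used to gate local account creation. The following is an added Python example, not code from the o365-moodle plugins or from anyone in this thread, showing how a relying party can check an id_token's `tid` and `iss` claims against a tenant allow-list and match the UPN domain with an anchored pattern. The tenant IDs, domains and claim values are constructed placeholders, and the example assumes the OIDC library has already verified the token signature before these claims are read.

```python
from __future__ import annotations

import base64
import json
import re

# Constructed tenant allow-list: placeholder tenant IDs, not real tenants.
# Maps the Entra ID tenant ID (the "tid" claim) to the population we expect from it.
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111": "students",
    "22222222-2222-2222-2222-222222222222": "staff",
}

# Anchored UPN pattern: the whole address must end in one of the two accepted
# domains, so "user@domain.edu.example" or a B2B guest UPN such as
# "user_source.com#EXT#@other.onmicrosoft.com" does not slip through.
UPN_RE = re.compile(r"^[^@\s]+@(students\.domain\.edu|domain\.edu)$", re.IGNORECASE)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT-shaped id_token.

    Assumption: signature verification against the tenant's signing keys has
    already been done by the OIDC library; this helper only reads the payload.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_sign_in(claims: dict) -> tuple[bool, str]:
    """Decide whether a sign-in from the /common endpoint may map to a local account.

    Returns (accepted, reason_or_population).
    """
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return False, f"tenant {tid!r} is not in the allow-list"
    # v2.0 tokens carry a tenant-specific issuer; checking it ties the tid claim
    # to the authority that actually issued the token.
    expected_iss = f"https://login.microsoftonline.com/{tid}/v2.0"
    if claims.get("iss") != expected_iss:
        return False, "issuer does not match the tid claim"
    upn = claims.get("preferred_username", "")
    if not UPN_RE.match(upn):
        return False, f"UPN {upn!r} is not in an accepted domain"
    return True, ALLOWED_TENANTS[tid]


def _build_test_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string from claims (constructed test input only)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."


STUDENTS = "11111111-1111-1111-1111-111111111111"
STAFF = "22222222-2222-2222-2222-222222222222"
ISS = "https://login.microsoftonline.com/{}/v2.0"

# Constructed sample sign-ins covering the accept and reject paths.
SAMPLE_TOKENS = {
    "student_ok": _build_test_token({"tid": STUDENTS, "iss": ISS.format(STUDENTS),
                                     "preferred_username": "alice@students.domain.edu"}),
    "staff_ok": _build_test_token({"tid": STAFF, "iss": ISS.format(STAFF),
                                   "preferred_username": "bob@domain.edu"}),
    "unknown_tenant": _build_test_token({"tid": "33333333-3333-3333-3333-333333333333",
                                         "iss": ISS.format("33333333-3333-3333-3333-333333333333"),
                                         "preferred_username": "carol@domain.edu"}),
    "issuer_mismatch": _build_test_token({"tid": STUDENTS, "iss": ISS.format(STAFF),
                                          "preferred_username": "dave@students.domain.edu"}),
    "bad_domain": _build_test_token({"tid": STAFF, "iss": ISS.format(STAFF),
                                     "preferred_username": "eve@domain.edu.example"}),
    "guest_upn": _build_test_token({"tid": STUDENTS, "iss": ISS.format(STUDENTS),
                                    "preferred_username": "bob_domain.edu#EXT#@students.onmicrosoft.com"}),
}


def check_samples() -> dict[str, tuple[bool, str]]:
    """Run every constructed sample through the validator."""
    return {name: validate_sign_in(id_token_claims(tok)) for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, (ok, detail) in check_samples().items():
        print(f"{name:>16}: {'accept' if ok else 'reject'} ({detail})")
```

The allow-list check is what makes the "additional tenant was not able to login" observation above an enforced property rather than a side effect of configuration: with a multi-tenant app registration and the /common/ authority, the token endpoint does not restrict which tenants can authenticate, so the relying party must. The guest-UPN sample shows why the domain regex alone is not enough to tell a B2B guest from a home-tenant user; the `tid` claim is the reliable signal.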