Multi tenancy Support for Microsoft Entra app
When SSO is enabled, Teams Toolkit provisions a single-tenant Microsoft Entra app by default, which means only user and guest accounts in the same directory as your M365 account can successfully sign in to your Teams app.
To support multi-tenant, you can follow the steps below to update your TeamsFx project.
Note: This document is only for TeamsFx projects that have already enabled single sign on.
This part is only for TAB projects for ts/js. If you are working on a Bot/Messaging Extension or a VS project, please go to Update your project.

This part is only for users who encounter the error "Values of identifierUris property must use a verified domain of the organization or its subdomain". Please skip this part at first and come back here if you encounter the above error. This error occurs because a Microsoft Entra app requires a "tenant verified domain" for the Application ID URI; you can use your own Custom Domain or create a new Custom Domain on Azure.
1. Provision your TeamsFx project.
2. Note Frontend Info.
   - Open the `.fx\env\.env.{envName}` file.
   - Note the `TAB_ENDPOINT` and find the resource group.
3. (Optional) Provision CDN Profile on Azure Portal
   - Log in to the Azure portal, create a CDN profile and a CDN endpoint, select endpoint type as Storage static website, then point to your frontend hosting storage.
   - Navigate to your created CDN endpoint and copy the endpoint hostname. For example, "https://sample.azureedge.net"

   Note: If you have a Custom Domain, you can skip this part. Remember to point your Custom Domain to the Frontend Domain noted in step 2.
4. Update Frontend Info.
   - Open the `infra\azure.bicep` file, and find the following lines:

     ```bicep
     output TAB_DOMAIN string = siteDomain
     output TAB_HOSTNAME string = siteDomain
     output TAB_ENDPOINT string = 'https://${siteDomain}'
     ```
   - Replace `siteDomain` with your CDN endpoint as follows. Note that you need to use the CDN endpoint copied above.

     ```bicep
     output TAB_DOMAIN string = 'sample.azureedge.net'
     output TAB_HOSTNAME string = 'sample.azureedge.net'
     output TAB_ENDPOINT string = 'https://sample.azureedge.net'
     ```
5. Run "Teams - Provision in the cloud" and "Teams - Deploy to the cloud" or press F5 to start local debug. Please refer to Setup CDN as storage custom domain to configure the custom domain.

   Note: you can skip the last `Provision` and `Deploy` step since we will do this after everything is set up.

This part is only for TAB projects with Azure Function.
- Open `./infra/azure.bicep`, find the following lines, and replace the `tabDomain` in `cors.allowedOrigins` with your Custom Domain:

  ```bicep
  resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
    ...
    properties: {
      ...
      cors: {
        allowedOrigins: [ tabDomain ]
      }
      ...
    }
    ...
  ```

- Open `./aad.manifest.json`, find `signInAudience` and set the value to `AzureADMultipleOrgs`.
- Open `infra/azure.parameter.${env}.json` and find the following line:

  ```json
  "aadAppTenantId": {
    "value": "${{AAD_APP_TENANT_ID}}"
  },
  ```

  and replace with:

  ```json
  "aadAppTenantId": {
    "value": "common"
  },
  ```
- [For Local Debug] Open `teamsapp.local.yml`, find the following lines:

  ```yaml
  # Generate runtime environment variables for backend
  - uses: file/createOrUpdateEnvironmentFile
    with:
      target: ./api/.localConfigs
      envs:
        M365_CLIENT_ID: ${{AAD_APP_CLIENT_ID}}
        M365_CLIENT_SECRET: ${{SECRET_AAD_APP_CLIENT_SECRET}}
        M365_TENANT_ID: ${{AAD_APP_TENANT_ID}}
        M365_AUTHORITY_HOST: ${{AAD_APP_OAUTH_AUTHORITY_HOST}}
        ALLOWED_APP_IDS: ...
  ```

  and update the value of `M365_TENANT_ID`:

  ```yaml
  - uses: file/createOrUpdateEnvironmentFile
    with:
      target: ./api/.localConfigs
      envs:
        M365_CLIENT_ID: ${{AAD_APP_CLIENT_ID}}
        M365_CLIENT_SECRET: ${{SECRET_AAD_APP_CLIENT_SECRET}}
        M365_TENANT_ID: common
        M365_AUTHORITY_HOST: ${{AAD_APP_OAUTH_AUTHORITY_HOST}}
        ALLOWED_APP_IDS: ...
  ```
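
Once `signInAudience` is `AzureADMultipleOrgs` and the tenant ID is `common`, accounts from any Microsoft Entra organization can sign in, so a backend that should serve only certain customers has to check the tenant itself. The sketch below is an added example, not code from this page or from the TeamsFx SDK; it assumes the token's signature, audience and expiry were already verified by a JWT library and that the app receives v2.0 tokens. The function name, allow-list and sample claims are hypothetical.

```javascript
// Added example: tenant checks for a multi-tenant Microsoft Entra app.
// Assumption: `claims` is the payload of a v2.0 access token whose signature,
// audience and expiry have ALREADY been verified. All sample values are constructed.

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

function checkTenantClaims(claims, allowedTenantIds) {
  const tid = typeof claims.tid === "string" ? claims.tid.toLowerCase() : "";
  if (!GUID.test(tid)) {
    return { ok: false, reason: "missing or malformed tid claim" };
  }
  // With the "common" authority there is no single fixed issuer to compare
  // against. A v2.0 issuer embeds the tenant ID, so it must agree with `tid`.
  const expectedIssuer = `https://login.microsoftonline.com/${tid}/v2.0`;
  if (claims.iss !== expectedIssuer) {
    return { ok: false, reason: "issuer does not match tid" };
  }
  // Multi-tenant does not have to mean every tenant: only onboarded ones pass.
  const allowed = new Set(allowedTenantIds.map((t) => t.toLowerCase()));
  if (!allowed.has(tid)) {
    return { ok: false, reason: "tenant not onboarded" };
  }
  return { ok: true, tenantId: tid };
}

// Constructed sample data (placeholder tenant IDs, not real directories).
const TENANT_A = "11111111-1111-1111-1111-111111111111";
const TENANT_B = "22222222-2222-2222-2222-222222222222";
const ONBOARDED = [TENANT_A];

const samples = [
  { tid: TENANT_A, iss: `https://login.microsoftonline.com/${TENANT_A}/v2.0` },
  { tid: TENANT_B, iss: `https://login.microsoftonline.com/${TENANT_B}/v2.0` },
  { tid: TENANT_A, iss: `https://login.microsoftonline.com/${TENANT_B}/v2.0` },
  { iss: "https://login.microsoftonline.com/common/v2.0" },
];

for (const claims of samples) {
  console.log(JSON.stringify(checkTenantClaims(claims, ONBOARDED)));
}
```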