We have a Teams App which is created using Teams Toolkit - SSO Enabled Tab option.
This App is single tenant by default and we want to convert it to Multi Tenant.
We are following the steps mentioned in "https://github.com/OfficeDev/TeamsFx/wiki/Multi-tenancy-Support-for-Azure-AD-app" to do the same.
When I update the aad.template.json file, change the value of signInAudience to AzureADMultipleOrgs, and then run provisioning using Teams Toolkit, I get an error: "Failed to update application in Azure Active Directory. Please make sure 'templates/appPackage/aad.template.json' is valid: Request failed with status code 400 Detailed error: Request failed with status code 400. Reason: Values of identifierUris property must use a verified domain of the organization"
On changing the value back to AzureADMyOrg, provisioning is successful.
Has anyone faced a similar issue?

2 Answers
This error occurs because you are not using a verified domain in the Application ID URI of your multi-tenant Azure AD app. Teams Toolkit by default uses Storage to host your Tab app; however, the Storage endpoint is not a tenant-verified domain, so you will get this error if you only update your AAD manifest.
You can follow steps 2-4 in "Update your Tab applications" to create your CDN, or use your own tenant-verified domain and set up the endpoint in your project.

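A preflight check that reproduces the rule behind the 400 above, so the manifest can be validated locally before running `teamsfx provision`. This is an added example, not code from the question, the answers, Teams Toolkit or Microsoft. It applies a simplified form of the multi-tenant identifier URI rule (an `api://` URI rooted at the app's own id or the tenant id, or an `api://`/`https://` URI whose host is a verified domain of the tenant or a subdomain of one); the full rule set is in Microsoft's identifier URI documentation, and the service has the final say. The manifest fragment, the `verifiedDomains` array (the shape Microsoft Graph returns from `GET /v1.0/organization`), the host names and the GUIDs are all constructed sample data; in a real run you would load aad.template.json and the Graph response instead.

```python
"""Preflight check: do an AAD app manifest's identifierUris satisfy the
multi-tenant verified-domain rule? Added example; sample data is constructed."""
import re
from urllib.parse import urlparse

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample in the shape Teams Toolkit writes: multi-tenant audience,
# but the Application ID URI still points at the Azure Storage static-website host.
SAMPLE_MANIFEST = {
    "signInAudience": "AzureADMultipleOrgs",
    "identifierUris": [
        "api://contosotab.z13.web.core.windows.net/11111111-2222-3333-4444-555555555555"
    ],
}

# Constructed sample of the verifiedDomains array from GET /v1.0/organization,
# trimmed to the fields this check uses.
SAMPLE_VERIFIED_DOMAINS = [
    {"name": "contoso.com", "isVerified": True},
    {"name": "notyet.example", "isVerified": False},
]

# Constructed ids (hypothetical values).
SAMPLE_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def host_on_verified_domain(host, verified_names):
    """True if host equals, or is a subdomain of, one of the verified domain names."""
    host = host.lower().rstrip(".")
    for name in verified_names:
        name = name.lower()
        if host == name or host.endswith("." + name):
            return True
    return False


def check_identifier_uri(uri, verified_names, app_id, tenant_id):
    """Return (ok, reason) for one identifier URI under the multi-tenant rule."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("api", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed; use api:// or https://"
    if parsed.scheme == "api" and GUID_RE.match(host):
        # api://<appId>[/...] and api://<tenantId>/... need no custom domain.
        if host in (app_id.lower(), tenant_id.lower()):
            return True, "api:// URI rooted at this app's id or the tenant id"
        return False, "GUID host is neither this app's id nor the tenant id"
    if host_on_verified_domain(host, verified_names):
        return True, f"host {host} is on a verified domain"
    return False, f"host {host} is not a verified domain of the tenant"


def check_manifest(manifest, verified_domains, app_id, tenant_id):
    """Check every identifierUris entry; returns a list of (uri, ok, reason)."""
    audience = manifest.get("signInAudience", "AzureADMyOrg")
    verified_names = [d["name"] for d in verified_domains if d.get("isVerified")]
    results = []
    for uri in manifest.get("identifierUris", []):
        if audience == "AzureADMyOrg":
            # Single-tenant apps are not subject to the verified-domain rule.
            results.append((uri, True, "single-tenant app: verified-domain rule not applied"))
        else:
            ok, reason = check_identifier_uri(uri, verified_names, app_id, tenant_id)
            results.append((uri, ok, reason))
    return results


def all_ok(results):
    return all(ok for _, ok, _ in results)


if __name__ == "__main__":
    for uri, ok, reason in check_manifest(
        SAMPLE_MANIFEST, SAMPLE_VERIFIED_DOMAINS, SAMPLE_APP_ID, SAMPLE_TENANT_ID
    ):
        print(("OK   " if ok else "FAIL ") + uri + " : " + reason)
```

Run against the constructed sample, the Storage-hosted URI fails with the same reason Azure AD gives, while the same manifest with signInAudience left at AzureADMyOrg passes, which matches the behaviour described in the question. Swapping the URI for `api://contoso.com/<appId>` or `api://<appId>` makes it pass under the multi-tenant audience.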
It sounds like it's failing because you don't have a verified domain registered with Azure. It's only required for multi-tenant apps, but that's exactly what you're building. Essentially, you need to have a regular external domain registered with Azure, something like a .com, .io, .net or whatever public domain.
On the page you linked, it actually says as much:
Since an Azure AD app requires a "tenant verified domain" for the Application ID URI, you can use your own Custom Domain or Create a new Custom Domain on Azure.
But this looks useful too: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts#why-changing-to-multi-tenant-can-fail

Thanks for your answers. I have been using the domain "XXX.onmicrosoft.com", where "XXX" is our tenant name. This domain was made available to us as a part of the Microsoft Developer Account. We have been using this domain to deploy and side-load single-tenant apps, which works fine. For this we log in to Azure and M365 using "admin@XXX.onmicrosoft.com" to deploy the Teams App. I have the following questions: 1. I can see in the domain list that "XXX.onmicrosoft.com" is available to us, so can't we verify this domain and use it for publishing multi-tenant apps? – Naina Nov 07 '22 at 12:12
2. Can we use the existing developer account and the tenant that we were using to test the single-tenant Teams App for multi-tenant app testing as well, or do we need to have a separate productive tenant for the multi-tenancy testing? 3. Also, until now we would log in to M365 and Azure using "admin@XXX.onmicrosoft.com" and then deploy our app. So now, when we add a custom domain, does it mean we would need logins for both M365 and Azure with this newly added custom domain? – Naina Nov 07 '22 at 12:19
From my -understanding-, you can't use an ".onmicrosoft.com" account if you're wanting to do a cross-tenant scenario - you need to use a proper live internet domain (e.g. .com). If you don't have one, I think there are even free providers (warning, I've not used one so no idea what's involved, but a Google search brings up https://www.freenom.com/). – Hilton Giesenow Nov 07 '22 at 12:40
If the only reason you're needing this though is because of a difference between your dev vs company tenant, why not just switch to using your company tenant? – Hilton Giesenow Nov 07 '22 at 12:40
Sure, I will try that by using my company tenant. Just to clarify: if I switch to my company tenant, would I still need a custom domain (a live internet domain, e.g. .com)? I am asking this as I see that even for my company tenant the default domain is "*.onmicrosoft.com". – Naina Nov 07 '22 at 14:01