2-WebApp-graph-user/2-3-Multi-Tenant/README.md
Lines changed: 7 additions & 7 deletions
@@ -33,7 +33,7 @@ This sample shows how to build an ASP.NET Core MVC web application that uses Ope
When it comes to developing apps, developers can choose to configure their app to be either single-tenant or multi-tenant during app registration in the [Azure portal](https://portal.azure.com).
-`Single-tenant` apps are only available in the tenant they were registered in, also known as their home tenant.
-
-`Multi-tenant` apps are available to users in both their home tenant and other tenants where they are provisioned.
+
-`Multi-tenant` apps are available to users in both their home tenant and other tenants where they are provisioned. Apps that allow users to sign-in using their personal accounts that they use to sign into services like Xbox and Skype are also multi-tenant apps.
For more information about apps and tenancy, see [Tenancy in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps)
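Review bot: The sentence added to the `Multi-tenant` bullet at line 36 ("Apps that allow users to sign-in using their personal accounts ... are also multi-tenant apps") sits awkwardly next to the registration step later in this README, which sets **Supported account types** to **Accounts in any organizational directory**, an option that does not admit personal accounts; a reader may conclude that this sample accepts Xbox or Skype sign-ins when it does not. Suggest either qualifying the sentence ("... are also multi-tenant apps, although this sample accepts work and school accounts only") or leaving that detail to the linked tenancy article. Also, "sign-in" is a verb here and should be "sign in".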
@@ -121,7 +121,7 @@ As a first step you'll need to:
1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
1. Click **New registration** on top.
1. In the **Register an application page** that appears, enter your application's registration information:
-
- In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `WebApp-MultiTenant-v2WebApp-MultiTenant-v2`.
+
- In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `WebApp-MultiTenant-v2`.
- Change **Supported account types** to **Accounts in any organizational directory**.
> Note that there are more than one redirect URIs used in this sample. You'll need to add them from the **Authentication** tab later after the app has been created successfully.
1. Click on the **Register** button in bottom to create the application.
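Review bot: Good catch on the doubled example name at line 124; the repeated string was clearly a paste error and `WebApp-MultiTenant-v2` is what users should type. Two small things in the surrounding context could go into the same commit: the note at line 126 should read "more than one redirect URI" (singular after "more than one"), and "Click on the **Register** button in bottom" at line 127 should be "at the bottom". The redirect-URI note is worth keeping prominent, because the identity platform only redirects to URIs that are registered exactly as sent, so a reader who skips the later **Authentication** step gets a redirect URI mismatch error rather than a working sample.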
@@ -193,7 +193,7 @@ The list of users will be presented in the **Assigned To** dropdown:
This sample details the following aspects of a multi-tenant app.
- usage of the `/common` endpoint.
-
- Service Principle provisioning of an app in Azure AD tenants
+
- Service principal provisioning of an app in Azure AD tenants
- Custom Token Validation to allow users from onboarded tenants only.
- Data partitioning in multi-tenant apps.
- Acquiring Access tokens for Microsoft Graph for each tenant.
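Review bot: "Service principal" is the right term at line 196, and the same correction is applied to the headings and paragraphs further down in this commit. While in this list, the casing is inconsistent: "Custom Token Validation" at line 197 and "Acquiring Access tokens" at line 199 should be "custom token validation" and "acquiring access tokens" to match "usage of the `/common` endpoint" at line 195. The token-validation bullet is the security-relevant item here: because `/common` accepts sign-ins from any Azure AD tenant, the app's own check that the token's tenant is on its onboarded list is what keeps an arbitrary tenant's users out, and the bullet would benefit from a clause saying so.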
You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
-
### Service principle provisioning for new tenants (onboarding process)
+
### Service principal provisioning for new tenants (onboarding process)
-
For a multi-tenant app to work across tenants, its service principle will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principle provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.
+
For a multi-tenant app to work across tenants, its service principal will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.
```csharp
[HttpPost]
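Review bot: The second sentence of the paragraph at line 220 is hard to parse as written ("It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning"). Suggest: "This happens either when the first user from that tenant signs in and consents, if the tenant permits user consent, or, in tenants that restrict user consent, when a tenant admin grants admin consent on behalf of the organization." That wording also explains why the sample goes through the admin consent endpoint instead of relying on first sign-in. Also, "The `Onboard` action and corresponding view, simulate" has a stray comma between the subject and the verb.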
@@ -236,7 +236,7 @@ public IActionResult Onboard()
}
```
-
This results in an OAuth2 code grant request that triggers the admin consent flow and creates the service principle in the admin's tenant. The `state` parameter is used to validate the response, preventing a man-in-the-middle attack. Then, the `ProcessCode` action receives the authorization code from Azure AD and, if they appear valid, we create an entry in the application database for the new customer.
+
This results in an OAuth2 code grant request that triggers the admin consent flow and creates the service principal in the admin's tenant. The `state` parameter is used to validate the response, preventing a man-in-the-middle attack. Then, the `ProcessCode` action receives the authorization code from Azure AD and, if they appear valid, we create an entry in the application database for the new customer.
The `https://graph.microsoft.com/.default` is a static scope that allows the tenant admin to consent for all permissions in one go. You can find more about static scope on [this link.](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent#request-the-permissions-from-a-directory-admin)
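Review bot: Line 239 says the `state` parameter prevents a man-in-the-middle attack, which is not what `state` does. It ties the callback to a request the app itself started, so a forged or replayed redirect (cross-site request forgery) is rejected; it offers no protection against an attacker on the wire, which is TLS's job. Suggest "preventing cross-site request forgery", and add that the value must be unguessable and compared against what was stored for the session before `ProcessCode` writes the new customer entry, since otherwise an attacker could get an arbitrary tenant recorded in the application database. In the same sentence, "if they appear valid" has no clear antecedent; "if it appears valid", referring to the authorization code, reads better.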
@@ -316,7 +316,7 @@ If you are receiving the following error message, you might need to **delete old
> OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'AADSTS650051: Application '{applicationId}' is requesting permissions that are either invalid or out of date.
-
If you had provisioned a service principle of this app in the past and created a new one, the tenants that had signed-in in the app might still have the previous service principle registered causing a conflict with the new one. The solution for the conflict is to delete the older service principle from each tenant in the **Enterprise Application** menu.
+
If you had provisioned a service principal of this app in the past and created a new one, the tenants that had signed-in in the app might still have the previous service principal registered causing a conflict with the new one. The solution for the conflict is to delete the older service principal from each tenant in the **Enterprise Application** menu.
### Error `The provided request must include a 'response_type' input parameter`
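Review bot: With the spelling fixed at line 319, the sentence is still ambiguous about what "created a new one" refers to: a new service principal, or a new app registration? Say which, because the remedy ("delete the older service principal from each tenant in the **Enterprise Application** menu") only makes sense to a reader who knows that the stale object is the per-tenant enterprise application left behind by the earlier provisioning. It is also worth a clause that deleting it revokes the permissions that tenant granted to the old object, which is the right thing to do anyway rather than leaving a consented but unused principal around. Minor wording: "had signed-in in the app" should be "had signed in to the app", and the quoted error at line 317 opens a quote after `error_description:` that is never closed.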