BenAffleck
Frequent Visitor

Limit end-user authentication (signInAudience) to organizational directory only

Good day,

 

As per the documentation here, we need to configure the app registration for end-user authentication to allow "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". 

 

For better security, I tried changing this value to "Accounts in this organizational directory only (Customer - Single tenant),"
using the manifest editor. 

 

However, this seems to be not supported as the error message indicates on login:

 

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27.+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant"
  }
}

 

Is there any way to limit the app registration to single-tenant only? 

 

This was one finding of a security audit, so I would also be interested in the reason for this design decision. 

 

Many thanks.

1 ACCEPTED SOLUTION
renatoromao
Super User

Hi @BenAffleck ,

 

There is no problem allowing multi-tenant, because when you configure the API permissions inside the Azure panel, you need to grant consent using the Administrator of your organization. But when a user connects through the Login button, you are getting the data for the user, and not the user getting the data from the organization.

There is no way to allow only your single tenant, but I hope that it is not bad for you, because we can get another organization's data in the future.


Did I answer your question? Mark my post as a solution!
Thanks!

Renato Romão,

Connect with me here 😉

Power Virtual Agents course (+2.650 students) : English | Português

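As an added example that is not code from this thread, from Microsoft or from the Bot Framework, the following Python decodes the token service redirect error quoted in the question, encodes the rule the error states (a single-tenant signInAudience cannot be used through the /common endpoint), and shows the compensating control a practitioner would add when the registration has to stay multi-tenant: checking the issuing tenant (`tid` claim) of an already validated token against an allow list. The tenant ids are constructed placeholders, and it assumes the bot code has access to the validated token claims.

```python
"""Added example, not code from the thread or from Microsoft: defender-side checks
for the signInAudience question above. Tenant ids are constructed placeholders."""
from urllib.parse import parse_qs, urlsplit

# signInAudience values as used in the Azure AD app registration manifest.
SINGLE_TENANT = "AzureADMyOrg"
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}

# Redirect URL copied from the error message quoted in the question.
SAMPLE_REDIRECT_URL = (
    "https://token.botframework.com/.auth/web/redirect?error=+is+not+configured"
    "+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not"
    "+supported+for+such+applications+created+after+%2710%2f15%2f2018%27."
    "+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant"
)


def decode_redirect_error(url: str) -> str:
    """Return the decoded 'error' query parameter of a token service redirect,
    so the reason for a failed login is readable in a log without hand-decoding."""
    query = parse_qs(urlsplit(url).query)
    return query.get("error", [""])[0].strip()


def common_endpoint_allowed(sign_in_audience: str) -> bool:
    """The error text says a single-tenant app cannot be used through the /common
    endpoint; the Bot Framework token service signs users in through /common, so
    only the multi-tenant audience values work with it."""
    return sign_in_audience in MULTI_TENANT_AUDIENCES


def tenant_allowed(claims: dict, allowed_tenant_ids: set) -> bool:
    """Compensating control (an assumption of this example, not described in the
    thread): since the registration must stay multi-tenant, accept only tokens whose
    issuing tenant ('tid' claim) is on an allow list. The claims must already have
    passed signature, issuer and audience validation before reaching this check."""
    return claims.get("tid") in allowed_tenant_ids


if __name__ == "__main__":
    print(decode_redirect_error(SAMPLE_REDIRECT_URL))
    print(common_endpoint_allowed(SINGLE_TENANT))  # False
    # Constructed placeholder tenant ids, not real values.
    home = {"00000000-0000-0000-0000-000000000001"}
    print(tenant_allowed({"tid": "00000000-0000-0000-0000-000000000001"}, home))  # True
    print(tenant_allowed({"tid": "00000000-0000-0000-0000-000000000002"}, home))  # False
```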

