cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Frequent Visitor

Limit end-user authentication (signInAudience) to organizational directory only

Good day,

 

As per the documentation here, we need to configure the app registration for end-user authentication to allow "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". 

 

For better security, I tried changing this value to "Accounts in this organizational directory only (Customer - Single tenant),"
using the manifest editor. 

 

However, this seems to be not supported as the error message indicates on login:

 

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27.+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant
  }
}

 

Is there any way to limit the app registration to single-tenant only? 

 

This was one finding of a security audit, so I would also be interessted in the reason for this design decision. 

 

Many thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Super User
Super User

Hi @BenAffleck ,

 

Have no problem to allow multitenant because when you configure the API permissions inside the Azure panel, you need grant consent using the Administrator of your organization. But when a user connect to the Loggin button, you are getting the data to the user and not the user gets the data from the organization.

That's no way to allow only your single-tenant but I hope that it's not bad for you because we can get another organization data in the future.


Did I answer your question? Mark my post as a solution!
Thanks!

Renato Romão,

Connect with me here 😉

Power Virtual Agents course (+2.250 students | PROMOTIONS) : English | Português

View solution in original post

1 REPLY 1
Super User
Super User

Hi @BenAffleck ,

 

Have no problem to allow multitenant because when you configure the API permissions inside the Azure panel, you need grant consent using the Administrator of your organization. But when a user connect to the Loggin button, you are getting the data to the user and not the user gets the data from the organization.

That's no way to allow only your single-tenant but I hope that it's not bad for you because we can get another organization data in the future.


Did I answer your question? Mark my post as a solution!
Thanks!

Renato Romão,

Connect with me here 😉

Power Virtual Agents course (+2.250 students | PROMOTIONS) : English | Português

View solution in original post

Helpful resources

Announcements
PP Bootcamp Carousel

Global Power Platform Bootcamp

Dive into the Power Platform stack with hands-on sessions and labs, virtually delivered to you by experts and community leaders.

secondImage

Power Platform Community Conference On Demand

Check out Tomasz Poszytek's session from the 2020 Power Platform Community Conference!

PVA Commnity Blog

NEW Power Virtual Agents Community Blog

View articles posted by fellow community members on the Power Virtual Agents Community Blog!

Top Solution Authors
Top Kudoed Authors
Users online (6,184)