cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
BenAffleck
Frequent Visitor

Limit end-user authentication (signInAudience) to organizational directory only

Good day,

 

As per the documentation here, we need to configure the app registration for end-user authentication to allow "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)". 

 

For better security, I tried changing this value to "Accounts in this organizational directory only (Customer - Single tenant),"
using the manifest editor. 

 

However, this seems to be not supported as the error message indicates on login:

 

{
  "error": {
    "code": "ServiceError",
    "message": "Missing required query string parameter: code. Url = https://token.botframework.com/.auth/web/redirect?error=+is+not+configured+as+a+multi-tenant+application.+Usage+of+the+%2fcommon+endpoint+is+not+supported+for+such+applications+created+after+%2710%2f15%2f2018%27.+Use+a+tenant-specific+endpoint+or+configure+the+application+to+be+multi-tenant
  }
}

 

Is there any way to limit the app registration to single-tenant only? 

 

This was one finding of a security audit, so I would also be interessted in the reason for this design decision. 

 

Many thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
renatoromao
Super User
Super User

Hi @BenAffleck ,

 

Have no problem to allow multitenant because when you configure the API permissions inside the Azure panel, you need grant consent using the Administrator of your organization. But when a user connect to the Loggin button, you are getting the data to the user and not the user gets the data from the organization.

That's no way to allow only your single-tenant but I hope that it's not bad for you because we can get another organization data in the future.


Did I answer your question? Mark my post as a solution!
Thanks!

Renato Romão,

Connect with me here 😉

Power Virtual Agents course (+2.760 students) : English | Português

View solution in original post

1 REPLY 1
renatoromao
Super User
Super User

Hi @BenAffleck ,

 

Have no problem to allow multitenant because when you configure the API permissions inside the Azure panel, you need grant consent using the Administrator of your organization. But when a user connect to the Loggin button, you are getting the data to the user and not the user gets the data from the organization.

That's no way to allow only your single-tenant but I hope that it's not bad for you because we can get another organization data in the future.


Did I answer your question? Mark my post as a solution!
Thanks!

Renato Romão,

Connect with me here 😉

Power Virtual Agents course (+2.760 students) : English | Português

Helpful resources

Announcements
Power Virtual Agents News & Announcements

Power Virtual Agents News & Announcements

Keep up to date with current events and community announcements in the Power Virtual Agents community.

Community Calls Conversations

Community Calls Conversations

A great place where you can stay up to date with community calls and interact with the speakers.

Power Virtual Agents Community Blog

Power Virtual Agents Community Blog

Check out the latest Community Blog from the community!

Top Solution Authors
Users online (3,992)