I've inherited a Power Apps Portal with the Azure Active Directory Identity provider enabled. We want users from our own AAD tenant to be able to authenticate, but not users from any other AAD tenant. Right now, anyone can enter in credentials from any AAD tenant and get into the portal to register their user.
For more context, here's the current login flow: User goes to site.powerappsportals.com, clicks on Sign In, clicks on the "Azure AD" sign in button. They're brought to our Tenant's AAD sign in screen (it has our background image), and they can enter in any AAD tenant account and authenticate.
Thanks for any thoughts on how to limit this to our own tenant.
@Jinseng how do you like to restrict with examples? It will help us to understand your requirement. @ragavanrajan
Hope this post helps!
If you like this post, give a "Thumbs up". Where it solved your request, Mark it as a "Solution" to help other users to find it.
Many Thanks!
Maniraj.
You should actually get the below message when trying to sign-in via a different Azure domain.
By any chance, did you set up any trust (B2B) between these Azure Tenants?
All,
I'll call our AAD Tenant MyCompany.com. The portal is being used as an internal HelpDesk ticket creation and tracking tool. Employees of MyCompany.com sign in with their AAD credentials, add some information to their profile, and then create and track Internal IT helpdesk tickets. Filling out a profile creates a Contact in CE that all their cases are connected to.
We thought that login was restricted to just MyCompany.com since we never set up any B2B authentication. But we tested again recently with OtherCompany.com, ThirdCompany.com, BobsCompany.com and all are able to authenticate and create a profile.
The only identity provider enabled is Azure Active Directory. I feel like there must be a simple setting somewhere and it was missed or misconfigured, but I haven't worked with this before so I'm not sure where to look.
Silly question, but are you sure they are signing in using the Azure AD option? Or are they clicking on the Register tab/button and writing a username/pwd?
I wish it were that simple. I'm trying it myself and seeing the behavior (I have access to multiple AAD logins in different tenants).
Hi @Jinseng,
When you create a Power Apps portal, it registers the application in "Azure App Registrations" as "CRM Portals".
1. Log in to https://portal.azure.com/
2. Choose App Registrations > Owned Applications > You can see the CRM Portals if you have created it.
3. Click on the relevant portal registration.
4. Under Authentication > Supported account types > Make sure the first option is selected (Single tenant only).
5. Once this option is enabled > You need to clear the cache by going to the following URL:
https://Yourportal.powerappsportals.com/_services/about (as an Admin)
6. In portal studio > Do the sync configuration.
And finally, make sure you have not added any of the domains you mentioned as guest users in Azure AD. Maybe please have a look at my post below.
PS: If so, remove all the external domain users from Guest and redo steps 1 to 5.
Hope it helps.
------------
If you like this post, give a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.
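A way to check both points from the answer above (supported account types and guest users) across a tenant, added here as an example and not part of the original post. It assumes the app registrations and users were exported to JSON, for instance with `az ad app list` and `az ad user list`; the sample data is constructed and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `az ad app list -o json` output (not real data).
APPS_JSON = """[
  {"displayName": "CRM Portals", "appId": "00000000-0000-0000-0000-000000000001",
   "signInAudience": "AzureADMultipleOrgs"},
  {"displayName": "Intranet", "appId": "00000000-0000-0000-0000-000000000002",
   "signInAudience": "AzureADMyOrg"}
]"""
# Constructed sample shaped like a user listing; guest UPNs carry the #EXT# marker.
USERS_JSON = """[
  {"userPrincipalName": "bob_othercompany.com#EXT#@mycompany.onmicrosoft.com",
   "mail": "bob@othercompany.com"},
  {"userPrincipalName": "alice@mycompany.com", "mail": "alice@mycompany.com"},
  {"userPrincipalName": "eve_thirdcompany.com#EXT#@mycompany.onmicrosoft.com",
   "mail": null}
]"""

SINGLE_TENANT = "AzureADMyOrg"  # value behind "Single tenant only" in the portal UI

def multi_tenant_apps(apps):
    """Return (name, appId, audience) for registrations not limited to one tenant."""
    return [(a["displayName"], a["appId"], a.get("signInAudience"))
            for a in apps if a.get("signInAudience") != SINGLE_TENANT]

def guest_domains(users):
    """Group guest accounts by their home domain so stray B2B invites stand out."""
    found = {}
    for u in users:
        upn = u["userPrincipalName"]
        if "#EXT#" not in upn:
            continue  # member account of our own tenant
        mail = u.get("mail") or ""
        if "@" in mail:
            domain = mail.rsplit("@", 1)[1]
        else:
            # Guest UPN form: <local>_<home domain>#EXT#@<tenant>.onmicrosoft.com
            domain = upn.split("#EXT#", 1)[0].rpartition("_")[2]
        found.setdefault(domain.lower(), []).append(upn)
    return found

def audit():
    """Run both checks over the embedded samples."""
    return multi_tenant_apps(json.loads(APPS_JSON)), guest_domains(json.loads(USERS_JSON))

if __name__ == "__main__":
    apps, guests = audit()
    for name, app_id, audience in apps:
        print(f"NOT single tenant: {name} ({app_id}) signInAudience={audience}")
    for domain, upns in sorted(guests.items()):
        print(f"guest domain {domain}: {len(upns)} account(s)")
```

A registration reported here still accepts sign-ins from other tenants until its supported account types are changed as in step 4.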
I'm going to test with a coworker, but I think we're on to something. I'll report back.