Multi tenancy Support for Microsoft Entra app - OfficeDev/TeamsFx GitHub Wiki
How to support Multi-tenancy single sign-on in TeamsFx project
When SSO is enabled, Teams Toolkit will by default provision a single-tenant Microsoft Entra app, which means only user and guest accounts in the same directory as your M365 account can successfully sign in to your Teams app.
To support multi-tenant, you can follow the steps below to update your TeamsFx project.
Note: This document is only for TeamsFx projects that have already enabled single sign on.
(Optional) Update Application Id URI
This part is only for TAB projects for ts/js. If you are working on a Bot/Messaging Extension or a VS project, please go to Update your project.
Since Microsoft Entra app requires an "tenant verified domain" for
Application ID URI, you can use your own Custom Domain or Create a new Custom Domain on Azure.
-
Provision your TeamsFx project.
-
Follow steps in Action 1 and note your Frontend Domain.
-
(Optional) Follow steps in Action 2 to provision CDN Profile on Azure Portal
Note: If you have a Custom Domain, you can skip this part. Remember to point your Custom Domain to the Frontend Domain noted in step 2.
-
Follow steps in Action 3 to update the frontend info in your project.
Note: you can skip the last
ProvisionandDeploystep since we will do this after everything is setup.
(Optional) Update Azure Function
This part is only for TAB projects with Azure Function.
- Open
./infra/azure.bicep, find the following lines:
and replace the tabDomain in cors.allowedOrigins with your Custom Domain.resource functionApp 'Microsoft.Web/sites@2021-02-01' = { ... properties: { ... cors: { allowedOrigins: [ tabDomain ] } ... } ...
Update your project
-
Open
./aad.manifest.json, findsignInAudienceand set value asAzureADMultipleOrgs. -
Open
infra/azure.parameter.${env}.jsonand find the following line:"m365TenantId": "{{state.fx-resource-aad-app-for-teams.tenantId}}",and replace with:
"m365TenantId": "common",