Multi tenancy Support for Microsoft Entra app - OfficeDev/TeamsFx GitHub Wiki
How to support Multi-tenancy single sign-on in TeamsFx project
When SSO is enabled, Teams Toolkit will by default provision a single-tenant Microsoft Entra app, which means only user and guest accounts in the same directory as your M365 account can successfully sign in to your Teams app.
To support multi-tenancy, follow the steps below to update your TeamsFx project.
Note: This document is only for TeamsFx projects that have already enabled single sign on.
(Optional) Update Application Id URI
This part is only for TAB projects for ts/js. If you are working on a Bot/Messaging Extension or a VS project, please go to Update your project.
Since a Microsoft Entra app requires a "tenant verified domain" for the Application ID URI, you can use your own Custom Domain or create a new Custom Domain on Azure.
- Provision your TeamsFx project.
- Follow steps in Action 1 and note your Frontend Domain.
- (Optional) Follow steps in Action 2 to provision CDN Profile on Azure Portal.
  Note: If you have a Custom Domain, you can skip this part. Remember to point your Custom Domain to the Frontend Domain noted in step 2.
- Follow steps in Action 3 to update the frontend info in your project.
  Note: you can skip the last Provision and Deploy step since we will do this after everything is set up.
(Optional) Update Azure Function
This part is only for TAB projects with Azure Function.
- Open ./infra/azure.bicep, find the following lines:
    resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
      ...
      properties: {
        ...
        cors: {
          allowedOrigins: [ tabDomain ]
        }
        ...
      }
      ...
  and replace the tabDomain in cors.allowedOrigins with your Custom Domain.
Update your project
- Open ./aad.manifest.json, find signInAudience and set value as AzureADMultipleOrgs.
- Open infra/azure.parameter.${env}.json and find the following line:
    "m365TenantId": "{{state.fx-resource-aad-app-for-teams.tenantId}}",
  and replace with:
    "m365TenantId": "common",
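With signInAudience set to AzureADMultipleOrgs and the tenant set to common, accounts from any Microsoft Entra organization can sign in, so a backend meant for specific customers has to check the token's tenant itself. The following is an added example, not TeamsFx code: checkTenant, ALLOWED_TENANTS and the tenant IDs are hypothetical, and it assumes the token's signature, audience and expiry were already validated by your token library.

```javascript
"use strict";

// Constructed placeholder tenant IDs: replace with the tenants you have onboarded.
const ALLOWED_TENANTS = new Set([
  "11111111-1111-1111-1111-111111111111",
  "22222222-2222-2222-2222-222222222222",
]);

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Issuer strings Microsoft Entra ID uses for a given tenant in v2.0 and v1.0 tokens.
// With the "common" authority the issuer differs per tenant, so it cannot be one fixed value.
function expectedIssuers(tid) {
  return [
    `https://login.microsoftonline.com/${tid}/v2.0`,
    `https://sts.windows.net/${tid}/`,
  ];
}

// claims: decoded payload of a token that has ALREADY passed signature,
// audience and expiry validation (assumption; not done here).
function checkTenant(claims, allowed = ALLOWED_TENANTS) {
  const tid = typeof claims.tid === "string" ? claims.tid.toLowerCase() : "";
  if (!GUID.test(tid)) {
    return { ok: false, reason: "missing or malformed tid" };
  }
  // The issuer must be the one belonging to the tenant named in tid.
  if (!expectedIssuers(tid).includes(claims.iss)) {
    return { ok: false, reason: "iss does not match tid" };
  }
  // Multi-tenant sign-in admits every organization; restrict to onboarded ones.
  if (!allowed.has(tid)) {
    return { ok: false, reason: "tenant not onboarded" };
  }
  return { ok: true, tenant: tid };
}

// Constructed sample payloads for illustration.
const SAMPLE_ONBOARDED = {
  tid: "11111111-1111-1111-1111-111111111111",
  iss: "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
};
const SAMPLE_UNKNOWN_TENANT = {
  tid: "99999999-9999-9999-9999-999999999999",
  iss: "https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
};
```
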