multitenant | making cross tenant data leaks a thing of the past | Application Framework library

Right now, I have MS Teams Bot running under App Registration configured to use "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

To begin with, I did a research on that topic and I am writing this question having in mind following resources:

• Comment on issue #9498 @ azure-sdk-for-net
• Azure Bot App Registration requiring multi-tenancy when single-tenant is prefered
• Bot Framework - App registration - Single tenant vs Multi tenant

All these answers, from my understanding, comes to this:

• prior to late 2021 only Multi-tenant apps as bot identity were supported
• now I should be able to use the Single-tenat for app registration, but that requires additional configuration
• moment when mentioned changes are in effect is a moment when Bot is trying to authenticate

As other bots imperatively (explicitly) authorize using ex. MicrosoftAppCredentials - MS Teams Bots have their authorization details configured declaratively in XML files like appsettings.json in bot service.

How can I use Single tenant App Registration with Azure Bot used in MS Teams? Or is it not possible currently?

EDIT:
For future reader: using the answer, I prepared two places where you can access TenantId of incoming activity to perform whitelisting validation (in Multi-tenant setup, because Single-tenant is still not working on Teams):

1. In BotController:

I am building Web API backend for multitenant, .NET 6 based, application and I have encountered an architectural problem which drives me crazy since last couple of weeks, so I would much appreciate ANY hints and advices.
Whole solution is build in classic Clean Architecture (layers: API, Domain, Application, Infrastructure, Shared), which was't the greatest idea I suppose, but I'm affraid it is irreversible by now. Anyway, I would like to make an effort to save all I have created so far.

In the application I have 2 databases (with Entity Framework in the code behind): Database A: Tenant users scope - with TenantId field in each table for RLS mechanizm implemented on the SQL level to prevent inter-tenant data leaks Database B: Internal users scope - no RLS mechanism

The problem is both databases share great amount of common structures and logic.
Simplified example of current models (both database and domain):
Database A:

I have an Azure Bot installed in my organization through Teams. Interactions with the bot are properly functioning.

We have a scenario where we need to send notifications to our users from an external process (C# app running in Azure).

I attempted to use the Bot Framework REST API to create a conversation with a user in order to then message them with the notification as outlined here

This scenario does not work as I cannot get an access token for a bot that is not using the global Bot Framework Tenant. Our Bot is installed on our Azure tenant as a SingleTenant BotType so I get the following error:

I'm using the default Blazor Server Template in Visual Studio 2022 with the authentication set to use the Microsoft Identity Platform.

I have an AppRegistration in my Azure Active Directory account set to allow accounts in any organization (Multitenant):

In my appsettings.json file I am using the correct client & tenant id:

When I run the application I can log in with any account that is in my AAD tenant (or has been invited into my AAD). However when I try to use an identity from another AAD Tenant I get the following error:

Selected user account does not exist in tenant 'TENANT NAME' and cannot access the application 'APP-REGISTRATION-ID' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

From what I have found in the docs and other articles I need to be using the common endpoint for logging in, but if I change the "Domain" in my appsettings to "common" it does not make a difference and if I update "Instance" to https://login.microsoftonline.com/common/oauth2/authorize or https://login.microsoftonline.com/common/ I get an exception as the URL is not correct.

Perhaps the default Blazor Server Template is set to use Single Tenant app registrations? How can I have it properly use Multitenant?

I'm having trouble getting any of the Application ID URIs working. I have a Blazor WebAssembly Hosted application, written in ASP.NET Core 5.0. Using the api:// format is fine, but this doesn't play well with Terraform. I can get my client talking to the server using api://, so I know the code is working fine. When I swap the Application ID URI to use any of the other formats, such as https:/// or api:///, I get a 401 error. I'm using a verified Azure AD domain.

I can see that means, "The string value for the host or the api path segment.", but I'm not sure what that means. I've been testing with set to the name of my App Service and also the name of the App Registration. I've also tried changing the App Registration from Single Tenant to Multitenant (just in case that makes a difference).

Any advice would be much appreciated.

I have created a webapp on Azure and have set the authentication mode to;

"Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)

All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers."

It works perfectly for me and my colleges, and it works also for personal Microsoft accounts.

I am now trying to login users on a different Azure AD, but these cannot login. Here is the login log of an attempt taken from their AD. A similar message was displayed to the user onscreen

User account '{email}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appId}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

the sole purpose of the webapp is to get an Azure/MS verified email address of the user and perform a lookup in a user database.

Preferably this should be achieved without need the "other azure AD" admins to do anything on their end. But if need be this can be asked. I just don't know what to ask.

I am trying to write custom api log handler for wso2 apim (4.0.0) so that it should add correlationId, request payload and response body when certain api is called. I followed the answer to similar question. So far I have done following:

Let's say I have a company of 100 employees/users in its Azure AD Premium P1. This company has 100 monthly active external users in its Azure AD. This company has some SaS multitenant applications(app registrations) which are used by 1000 monthly active users from different companies who have their own Azure Ad subscription.

For 100 users from the company's Azure AD Premium P1 applies pricing $6 per user/month. For 1100 users(100 externals and 1000 from other Azure Ad subscriptions who use the multi-tenant apps) apply the MAU pricing - First 50,000 MAU $0/Monthly Active Users.

Am I right?

I am trying to build a signin solution for a multi-tenant Web App.

I have more or less created a solution based on the B2C Multi Tenant sample provided by Marius Rochon here: https://github.com/mrochon/b2csamples/tree/3823c17def460f154e4bf4a74b2a8b8b7c14fc2e/Policies/MultiTenant

This solution relies on "Tenant Selection" in the query string, and then the backend API populates the "appTenantName" based on the query parameter.

What I would really like is a solution where, after the initial login, the user is prompted to select one of the available tenants, in a dropdown based on the "allTenants" claim (an array of strings).

Alternatively a solution where the tenant selection is based on the subdomain part of the site the user is trying to login to.

I have limited experience with the custom IEF setup, so I am uncertain if what I want is even possible.

I can see that its possible to define user input and a fixed "enumeration" for available options, but I guess I want a "dynamic" enumeration based on the claims. Is that even possible?

Or should I do custom UI content instead and load the UI from my own website (like described here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/customize-ui-with-html?pivots=b2c-custom-policy