In the authentication wizard on a newly created functions app, you can pick multi-tenant, but this only changes the possible accounts for the created app registration.
It doesn't seem to be possible to:
- Use EasyAuth with multiple tenants
- Receive a working access token for the Graph API
- Create a new functions app. I picked Code, .NET, 3.1.
- Add authentication, let it create a new application with "Any Azure AD directory - Multi-tenant" and "Allow unauthenticated access" selected. And make sure the Token store is turned on.
- Add the provided function, HttpTrigger, named HttpTrigger1 (which should either trigger a login or display the value of the X-MS-TOKEN-AAD-ACCESS-TOKEN header).
- Go to /api/HttpTrigger1
- If it's correct you should see an access token, which, if you paste it into jwt.ms, should have an audience of 00000003-0000-0000-c000-000000000000, meaning Microsoft Graph.
- Call /.auth/logout to clear the session
- Change the issuer to https://login.microsoftonline.com/organizations/v2.0
- Try to go to /api/HttpTrigger1, it will fail because of an issuer mismatch.
- Remove the issuer URL (this will revert back to the Azure AD v1 auth endpoint). I found the instructions here.
- Go to /api/HttpTrigger1
- You should now see some access token, and you can log in with multiple tenants.
Removing the issuer switches the authentication back to the Azure AD v1 auth endpoint, as you can see in the redirect URLs.
If I try to use the token from step 10 to call something from the Graph API, I'm stuck with "CompactToken parsing failed with error code: 80049217", which is described here.
According to the documentation, I need to change the additionalLoginParams at resources.azure.com, but that isn't allowed because I (apparently) am on the auth v2 settings (which I didn't pick and can't go back from).
It would be really awesome if, when you pick "Any Azure AD - multi-tenant" in the wizard, it would switch the Issuer URL to https://login.microsoftonline.com/organizations/v2.0 and display an extra list for allowed issuers (like the allowed audiences).
This allowed issuers list should by default contain one entry, namely *, which means "I don't care about the issuer, just log in the user", but it could also be replaced by multiple issuers. That means the application is multi-tenant, but you can still limit users based on their tenant.
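To make the checks in the steps above concrete, here is an added Python example that is not part of this post or of the Azure Functions project. It decodes the value of the X-MS-TOKEN-AAD-ACCESS-TOKEN header the way jwt.ms does, checks that the audience is Microsoft Graph, and applies the proposed allowed-issuers list (a `*` entry accepts any tenant; otherwise the issuer must match one entry exactly). The tenant ids and tokens are constructed placeholders, the function names are my own, and the v1/v2 issuer URL formats come from Azure AD documentation rather than from the post. The decode does not verify the signature; EasyAuth does that before it forwards the token, so this is for inspecting claims, not for making the authorization decision on its own.

```python
import base64
import json
from typing import Dict, Iterable, Optional

# Audience claim of a Microsoft Graph access token (value quoted in the post above).
GRAPH_AUDIENCE = "00000003-0000-0000-c000-000000000000"

# Constructed tenant ids, placeholders only; a real token carries the signing tenant's id.
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"


def v2_issuer(tenant_id: str) -> str:
    """Issuer format of the Azure AD v2.0 endpoint (what the multi-tenant setup targets)."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def v1_issuer(tenant_id: str) -> str:
    """Issuer format of the Azure AD v1 endpoint, which the app falls back to once the issuer URL is removed."""
    return f"https://sts.windows.net/{tenant_id}/"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT WITHOUT checking its signature.

    This is the same view jwt.ms gives you: fine for inspecting aud/iss/tid,
    never a substitute for signature validation, which EasyAuth performs before
    it forwards the token in X-MS-TOKEN-AAD-ACCESS-TOKEN.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issuer_allowed(issuer: str, allowed_issuers: Iterable[str]) -> bool:
    """Apply the proposed allowed-issuers list: '*' accepts any tenant,
    otherwise the issuer must match one entry exactly (no prefix matching)."""
    allowed = list(allowed_issuers)
    if "*" in allowed:
        return True
    return issuer in allowed


def check_graph_token(header_value: Optional[str], allowed_issuers: Iterable[str]) -> Dict:
    """Inspect the header value as the HttpTrigger1 function in the post would see it.

    Returns which checks pass so the caller can decide whether a Graph call is worth attempting
    and, if the issuer is unexpected, which tenant the token actually came from.
    """
    if not header_value:
        # No token: EasyAuth did not store one (e.g. anonymous access or token store off).
        return {"present": False, "aud_ok": False, "iss_ok": False, "tid": None, "iss": None}
    claims = decode_jwt_claims(header_value)
    issuer = claims.get("iss", "")
    return {
        "present": True,
        "aud_ok": claims.get("aud") == GRAPH_AUDIENCE,
        "iss_ok": issuer_allowed(issuer, allowed_issuers),
        "tid": claims.get("tid"),
        "iss": issuer,
    }


def make_sample_token(claims: Dict) -> str:
    """Build a constructed, UNSIGNED token for offline testing.

    The header and the signature segment are dummies: nothing here verifies them.
    """
    def enc(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummy-signature"


if __name__ == "__main__":
    token_a = make_sample_token({"aud": GRAPH_AUDIENCE, "iss": v2_issuer(TENANT_A), "tid": TENANT_A})
    # Wildcard list: any tenant may sign in.
    print(check_graph_token(token_a, ["*"]))
    # Restricted list: tenant A is rejected because only tenant B is listed.
    print(check_graph_token(token_a, [v2_issuer(TENANT_B)]))
```

Listing specific tenant issuers instead of `*` is the setting to prefer once the app is multi-tenant, since the wildcard accepts a token from any directory that can obtain one for your app registration; the result dictionary exposes the tenant id so a rejection can be logged with the tenant it came from.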