How to maintain multiple ClientID's in Multitenant scenario with Vendor, Customers and a Microsft Tenant

[rickblommetjes]

Issue

Please provide us with the following information:

This issue is for the sample

    - [ ] 1-1) Sign-in with Azure AD
    - [ ] 1-2) Sign-in with Azure AD B2C
    - [ ] 2-1) Acquire a Token and call Microsoft Graph
    - [ ] 3-1) Protect and call a web API on Azure AD
    - [ ] 3-2) Protect and call a web API on Azure AD B2C
    - [ ]   4) Deploy to Azure Storage and App Service
    - [ ] 5-1) Call a web API using App Roles
    - [ ] 5-2) Call a web API using Security Groups
    - [ ] 6-1) Call Microsoft Graph using on-behalf-of flow
    - [X ] 6-2) Call a multi-tenant web API

This issue is for a

    - [ ] bug report -> please search issues before submitting
    - [x ] question
    - [ ] feature request
    - [ ] documentation issue or request

Minimal steps to reproduce

We have an Multi-tenant angular 14 SPA app connecting to our own vendor tenant, our customers will use this scenario to login on our SPA app with their own Microsoft Indentity. Sofar so good, the SPA app also needs to connect to the D365 Business Central API wich is a Microsoft tenant where each customer has an app-registration to access their D365 Business Central API. How to enable this scenario providing the correct client-id for each customer when connecting to the protected route tps://api.businesscentral.dynamics.com/v2.0/{{tenantId}}, it needs to use an different ClientId for each customer tenantId, to acquire the proper token.

Any log messages given by the failure

ERROR ServerError: invalid_client: AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: {clientId}} (ES2 Portal Login). Resource value from request: https://api.businesscentral.dynamics.com. Resource app ID: xxxxxxxx. List of valid resources from app registration: 00000003-0000-0000-c000-000000000000.

Expected/desired behavior

Library version

"@azure/msal-angular": "^2.5.2",

Browser and version

Chrome, Edge, Firefox, Safari?

Mention any other details that might be useful

Thanks! We'll be in touch soon.

[derisen]

@rickblommetjes apologies for the late response. I'm not sure I understand the scenario or the auth model here. If the D365 Business Central API is a multi-tenant API, it would get provisioned into any tenant that has a multi-tenant app trying to connect to it.

The error you are receiving states that this resource "https://api.businesscentral.dynamics.com/" hasn't been granted permissions on the app registration portal. In your multi-tenant SPA registration, did you add permissions for the D365 Business Central API? Can you try doing that?

Is this documentation relevant to your use case? I would recommend calling out the authors to cover MSAL usage in their article.

Regarding how to call tps://api.businesscentral.dynamics.com/v2.0/{{tenantId}} -this looks like an APP ID URI/endpoint that you can make a bearer token request. This happens after you obtain an access token for the D365 Business Central API resource using MSAL (by passing the relevant scopes to MSAL Angular interceptor). So when making the bearer token request, you can simply substitute the relevant GUID into {{tenantId}} field (you can get the user's tenant ID from the idTokenCliams property) -but this is beyond the scope of MSAL.

Sorry for not being able to offer much help. Feel free to make further clarifications.

[rickblommetjes]

Hi Derisen,

Dynamics365 BC is a Microsoft Tenant (Organization) with
an app registration for each customer tenant, so each customer has its own client-id.

We would like to use the Microsoft Identity to allow the customer to login on our vendor tenant, and also login to the Dynamics365 BC API with a unique client-id for each customer tenant (organization)

Currently we have our vendor Client-Id in Msal configured and the customer can login to our web app hosted on our tenant. We can query the customers graph API with the correct scopes. But now we need to additionally need to request a token on the Dynamics 365 BC API using the specific customer client-id. So depending on the customer who's is logged in we need to request a token using the client-id of that specific customer tenant (organization) using msal, but remember we have our own client-id configured as the primary msal config.

We found some references to use the OBO scenario but how?

We where thinking of an MsalHttpInterceptor, and there somehow pass in the proper msalconfig with the correct client-id, so we can retrieve a token.

But no idea how, the D365 Business Central scope is configured but the app-id is different for each customer. I can show you this in a teams meeting if necessary.

We know how to acces the API, we did this already using a direct http request for an token request. Even when we use.msal.with a msal.config for a specific.client-id. But we never managed to use it in the multi-tenant scenario.

[derisen]

I see. Well it is possible to create an PublicClientApplication instance on the fly, and you might be able to use this for the scenario -see here for more. This replaces the original PublicClientApplication instance, as opposed to creating multiple instances (which is technically possible but I would expected problematic behavior since MSAL cache wasn't really designed for multiple app instances). Can you give this a try and let me know?

Some more resources about dynamic configuration:

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/v2-docs/configuration.md#dynamic-configurations-using-factory-providers-and-app_initializer

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/multi-tenant.md#dynamic-auth-request

[rickblommetjes]

Great let us check today if this helps us any further

[rickblommetjes]

We have some progress here, but trying to write down how and what we did so you can create either an additional example and update the docs. But it's hard to understand what's happening and to clearify it.

[derisen]

Sounds good! Yeah that would be really appreciated. I'll also update the multitenancy sample with the links I've shared above.

[github-actions]

This issue has not seen activity in 14 days. If your issue has not been resolved please leave a comment to keep this open. It will be closed in 7 days if it remains stale.

[github-actions]

This issue has been closed due to inactivity. If this has not been resolved please open a new issue. Thanks!