The sample code provided for using ADAL.js looks something like this:
window.config = {
instance: 'https://login.microsoftonline.com/',
tenant: '[Enter your tenant here, e.g. contoso.onmicrosoft.com]',
clientId: '[Enter your client_id here, e.g. g075edef-0efa-453b-997b-de1337c29185]',
postLogoutRedirectUri: window.location.origin,
cacheLocation: 'localStorage', localhost.
};
var authContext = new AuthenticationContext(config);
This works fine, but I'm trying to allow access for a multi-tenant application - users from an organisation should only be able to sign in if the application has been granted access by their account administrator.
I've implemented the first part - allowing admin users to enable - as per this example.
So at this point my application is listed in the third party's Active Directory.
I'm not sure what the correct settings should be for the tenant. I tried using 'common', but then it shows a dialog asking an individual user if they would like to grant access to the application, which is not what I'm looking for.
If I was making a straight MVC app, I'd continue on with the example above, using app.UseOpenIdConnectAuthentication on the server. But my app is a SPA, with Web Api backend, and I haven't been able to find a multi-tenant example for this scenario.
The correct way of configuring your app for authenticating with any tenant, which is what you want in your scenario, is to use common.
The per-user consent is a provisioning consideration. If you want an administrator to consent for the app on behalf of the entire organization, you can implement the admin consent flow by triggering an authentication request and appending prompt=admin_consent
to it. Provided that an administrator performs an authentication flow in response to that request, Azure AD will offer to the admin the chance to consent for the app on behalf of everybody in the organization.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With