How to read domain of Azure Active Directory

I created a new Azure account and am trying to automatically deploy an app inside it with the following code:

var app = azure.AccessManagement.ActiveDirectoryApplications
    .Define(appName)
    .WithSignOnUrl(appSignOnUrl)
    .WithAvailableToOtherTenants(true)
    .WithIdentifierUrl(identifierUrl)
    .DefinePasswordCredential(username)
        .WithPasswordValue(password)
        .WithDuration(passwordDuration) // a TimeSpan; the argument was missing in the snippet as posted
        .Attach()                       // no semicolon here: Attach() returns to the application definition
    .CreateAsync();

It works if identifierUrl is hardcoded as the Azure Active Directory name.

How can I read identifierUrl (Azure Active Directory domain name) from Azure?

I can see this value in the portal, but I cannot find an API to read it.

(Screenshot: AD domain value.)
Tomas Kubes asked Feb 22 '19 11:02



2 Answers

Code to get domain name(s) associated with your Azure AD tenant

Please know that there can be multiple domain names associated with your tenant. The one you have shown in the screenshot with your question is just the first one, which is assigned to your tenant at the time of creation of Azure AD and is already verified since it uses .onmicrosoft.com.

You can always associate other domains that you can prove ownership for with your Azure AD tenant and verify them. I'll touch a bit on this later, but first here's the relevant code. In your case you will probably get back only one domain, which is the default one.

This is working code that I quickly wrote and tested with my Azure AD tenant. Since you're already using fluent API to create the application, this should be pretty similar.

I have used .NET and C# with a simple console application, but I guess the code will be very similar for any other libraries as well.

using System;
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.Graph.RBAC.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            // whatever method you're using already for authentication (through file, credentials or certificate),
            // the same can be used to get AzureCredentials as well; just change FromFile to FromServicePrincipal if required
            IAzure azure = Azure.Authenticate("my.azureauth").WithDefaultSubscription();
            var creds = SdkContext.AzureCredentialsFactory.FromFile("my.azureauth");

            IGraphRbacManager graphRbacManager = GraphRbacManager.Authenticate(creds, "<your tenant Guid>");
            var domains = graphRbacManager.Inner.Domains.ListAsync().GetAwaiter().GetResult();

            string defaultDomain = string.Empty;
            foreach (var domain in domains)
            {
                Console.WriteLine(domain.Name);
                if (domain.IsDefault.HasValue && domain.IsDefault.Value)
                    defaultDomain = domain.Name;
                // not breaking out of the loop on purpose, just to print all domain names if there are multiple
            }

            string identifierUri = string.Format("https://{0}/myuniqueapp1", defaultDomain);
            var app = azure.AccessManagement.ActiveDirectoryApplications
                .Define("My Unique App 1")
                .WithSignOnUrl("https://myuniqueapp1.azurewebsites.net")
                .WithAvailableToOtherTenants(true)
                .WithIdentifierUrl(identifierUri)
                .DefinePasswordCredential("string")
                .WithPasswordValue("string")
                .WithDuration(new TimeSpan(365, 0, 0, 0))
                .Attach()
                .CreateAsync()
                .GetAwaiter().GetResult();   // block until creation finishes so any failure surfaces here

            Console.ReadLine();
        }
    }
}

identifierUris and relation with verified domain(s) for your Azure AD Tenant

In your code to create application where you do .WithIdentifierUrl(identifierUrl) it goes in and adds the supplied Url to identifierUris collection for your application manifest. From Azure Portal, you will see this value specified in your app registration's properties > App ID URI. You can also edit the manifest and see it there directly in portal.

This value uniquely identifies your application. For single tenant application you could set it to any unique value that isn't used by any other application in your Azure AD, but for multi-tenant applications it has to be globally enforced and hence there is a restriction to use a URL where host name matches one of the verified domains for your Azure AD tenant. Since you are using .WithAvailableToOtherTenants(true) this concept becomes relevant for you.

Here are a couple of links on Microsoft Docs which talk about this:

  • Application Manifest for Azure AD

  • Update an application in Azure AD

Permissions required

Hopefully you have this step already covered, since you need permissions to create the application, but in case you don't, or for anyone else reading this in future: since the code is reading information from Azure AD and creating a new application in Azure AD, the service principal that you use for getting AzureCredentials for this code to run should have enough privileges.

Go to your Azure AD > App Registrations > App registration for your service principal (you can find it by application id, it will have same application id as your service principal) > go to required permissions > add Windows Azure Active Directory and give appropriate application permissions required for your code.


At the end, make sure to do "Grant Permissions" as all the application permissions here require an Admin consent.

Rohit Saigal answered Oct 12 '22 12:10

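The domain-selection and App ID URI rule from the answer above, as an added worked example that is not the answerer's code and does not use the fluent SDK. It runs offline over a constructed domains list (labelled as such in the code) whose records carry the properties the answer's loop reads, name and isDefault, plus Azure AD's isVerified flag; the subdomain rule (a host under a verified domain is accepted) and the https-only scope are assumptions stated in the comments. It picks the default verified domain, builds an identifier URI from it, and rejects hosts that are unverified, or that merely end in a verified domain's name:

```python
import json
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample, not a real tenant: modelled on the properties the answer's
# code reads (Name / IsDefault) plus Azure AD's isVerified flag. "pending-example.net"
# stands for a domain that was added to the tenant but never passed verification.
SAMPLE_DOMAINS_JSON = json.dumps({
    "value": [
        {"name": "contoso.onmicrosoft.com", "isDefault": True,  "isVerified": True,  "isInitial": True},
        {"name": "contoso.com",             "isDefault": False, "isVerified": True,  "isInitial": False},
        {"name": "pending-example.net",     "isDefault": False, "isVerified": False, "isInitial": False},
    ]
})


def parse_domains(payload: str) -> list:
    """Unwrap the 'value' array of a domains list response (constructed shape)."""
    return json.loads(payload).get("value", [])


def verified_domains(domains: list) -> set:
    """Only verified domains may anchor a multi-tenant App ID URI."""
    return {d["name"].lower().rstrip(".") for d in domains if d.get("isVerified") is True}


def default_domain(domains: list) -> str:
    """The tenant's default domain: the value the asker saw in the portal."""
    for d in domains:
        if d.get("isDefault") is True and d.get("isVerified") is True:
            return d["name"].lower().rstrip(".")
    raise ValueError("tenant has no default verified domain")


def host_is_verified(host: str, verified: set) -> bool:
    """True if host equals a verified domain or is a subdomain of one (assumed rule).

    The '.' prefix is the important part: a plain endswith() check would accept
    'evilcontoso.com' for the verified domain 'contoso.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == v or host.endswith("." + v) for v in verified)


def build_identifier_uri(path: str, domains: list, host: Optional[str] = None) -> str:
    """Build https://<verified host>/<path>, defaulting to the tenant's default domain."""
    verified = verified_domains(domains)
    chosen = (host or default_domain(domains)).lower().rstrip(".")
    if not host_is_verified(chosen, verified):
        raise ValueError(f"{chosen} is not a verified domain of this tenant; "
                         "Azure AD would reject it as a multi-tenant App ID URI host")
    return f"https://{chosen}/{path.lstrip('/')}"


def validate_identifier_uri(uri: str, domains: list) -> bool:
    """Check an existing App ID URI against the tenant's verified domains.

    Scope: only the https://host/... form used in the question is handled here.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return host_is_verified(parts.hostname, verified_domains(domains))


if __name__ == "__main__":
    domains = parse_domains(SAMPLE_DOMAINS_JSON)
    print("default domain:", default_domain(domains))
    print("identifier URI:", build_identifier_uri("myuniqueapp1", domains))
    for candidate in ("https://api.contoso.com/app", "https://evilcontoso.com/app",
                      "https://pending-example.net/app"):
        print(candidate, "->", validate_identifier_uri(candidate, domains))
```

Feeding the real domain list into parse_domains (or mapping the SDK's Domain objects to the same three keys) is the only adaptation needed; the checks themselves are what you would want to run before calling WithIdentifierUrl, so a typo or a not-yet-verified custom domain fails locally instead of at app creation.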

It seems that you are just trying to read the tenant name. You can get the name of the tenant you are logged into by calling

https://management.azure.com/tenants?$skiptoken={skiptoken}&api-version={api-version}

See this page for details. This will give you a list of all tenants that you are authorized for.

Marilee Turscak - MSFT answered Oct 12 '22 11:10
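Paging through the tenants list the answer above points at, as an added example that is neither the answerer's code nor Microsoft's. The ARM list is returned in pages, and the $skiptoken in the answer's URL is the continuation value carried by each page's nextLink. The two-page response below is constructed (dummy tenant IDs, labelled in the code), the api-version value is one this example assumes, and fake_get stands in for an authenticated GET. The paging loop adds two checks a defender wants: it refuses to follow a nextLink to any host other than management.azure.com, so the bearer token is never sent elsewhere, and it bounds the page count so a looping continuation cannot hang the caller:

```python
import json
from urllib.parse import parse_qs, urlsplit

ARM_HOST = "management.azure.com"
TENANTS_URL = f"https://{ARM_HOST}/tenants?api-version=2016-06-01"  # api-version assumed for this example

# Constructed two-page response, not captured from Azure. Tenant IDs are dummies;
# the first page's nextLink carries the $skiptoken continuation the answer's URL shows.
_PAGES = {
    TENANTS_URL: {
        "value": [{"id": "/tenants/11111111-1111-1111-1111-111111111111",
                   "tenantId": "11111111-1111-1111-1111-111111111111"}],
        "nextLink": f"https://{ARM_HOST}/tenants?$skiptoken=page2&api-version=2016-06-01",
    },
    f"https://{ARM_HOST}/tenants?$skiptoken=page2&api-version=2016-06-01": {
        "value": [{"id": "/tenants/22222222-2222-2222-2222-222222222222",
                   "tenantId": "22222222-2222-2222-2222-222222222222"}],
    },
}


def fake_get(url: str) -> str:
    """Stand-in for an authenticated GET (assumed helper; real code attaches a bearer token)."""
    return json.dumps(_PAGES[url])


def skiptoken_of(url: str):
    """Return the $skiptoken continuation value from a nextLink, or None on the first page."""
    return parse_qs(urlsplit(url).query).get("$skiptoken", [None])[0]


def list_tenant_ids(get=fake_get, url: str = TENANTS_URL, max_pages: int = 50) -> list:
    """Follow nextLink until the list is exhausted, collecting tenantId values."""
    tenant_ids = []
    seen = set()
    while url:
        host = urlsplit(url).hostname
        if host != ARM_HOST:
            # A continuation URL is server-supplied; never carry the token off-host.
            raise ValueError(f"refusing to follow nextLink to {host}")
        if url in seen or len(seen) >= max_pages:
            raise RuntimeError("nextLink loop or too many pages")
        seen.add(url)
        page = json.loads(get(url))
        tenant_ids.extend(t["tenantId"] for t in page.get("value", []))
        url = page.get("nextLink")  # absent on the last page
    return tenant_ids


if __name__ == "__main__":
    for tenant_id in list_tenant_ids():
        print(tenant_id)
```

Swapping fake_get for a real client call is the only change needed against the live endpoint; note that what comes back is the set of tenant IDs the credential can see, which is why the first answer's domains query is still the way to turn a tenant into its verified domain names.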