I have a Web app / API deployed on Microsoft Azure working in single tenant mode. I need to enable users from other tenants to be able to use my API.
I found this post with a step-by-step guide to enable multi-tenant authentication,
https://blog.mastykarz.nl/configuring-multi-tenant-authentication-azure-app-service-authentication-options/
but when I try to change the Web API's Multitenanted property to Yes, it says "failed to update App ID URI application property" with the following error detail:
{"errorCode":"HostNameNotOnVerifiedDomain","localizedErrorDetails":
{"errorDetail":"Host name in property identifierUris is not on any verified
domain of the company or its subdomain."},
"operationResults":null,"timeStampUtc":"2017-01-11T00:14:37.3270764Z",
"clientRequestId":"...","internalTransactionId":"...",
"upn":"...@gmail.com","tenantId":"...","userObjectId":"..."}
Currently the App ID URI holds the address of my Web API, https://(..).azurewebsites.net (and it is working in single tenant mode as expected). Is this not correct for multi-tenanted mode?
No. With multi-tenant apps the App ID URI has to be in a domain in your AAD. So if my AAD contains domains like test.onmicrosoft.com and company.com, then allowed URIs would be:
- https://test.onmicrosoft.com/MyApi
- https://company.com/MyApi
You don't own the azurewebsites.net domain and thus can't use it.
From the helper text for App ID URI in the management portal:
The URI is used as a unique logical identifier for your app. The URI must be in a verified custom domain for an external user to grant your app access to their data in Microsoft Azure AD
That being said, since the App ID URI doesn't have any functional implications, you should still be able to do your testing by setting your App ID URI to something along the lines of:
http://<localhost_or_whatever>.<tenantName>.onmicrosoft.com
But keep your Reply URLs as they are, pointing to your .azurewebsites.net URIs.
This should let you proceed with configuring your app as multi-tenant and do your testing with whatever site you want.
Note: I'm reusing my answer from a very similar question: Azure AD Error after editing manifest to enable availableToOtherTenants
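The rule behind the HostNameNotOnVerifiedDomain error in the question (the identifierUris host must be a verified domain of the tenant or a subdomain of one), as a pre-flight check you can run against an app manifest before flipping it to multi-tenant. This is an added example, not code from the question, the answer, or Azure; the verified domain list, the sample manifest and the function names are constructed assumptions, and it treats reply URLs the way the answer describes, as not subject to this check.

```python
from urllib.parse import urlsplit

# Constructed sample: verified domains of a hypothetical tenant, using the
# two example domain names from the answer above (assumption).
VERIFIED_DOMAINS = ["test.onmicrosoft.com", "company.com"]

# Constructed sample manifest in the shape of the question's failing setup
# (assumption): multi-tenant enabled, App ID URI still on azurewebsites.net.
FAILING_MANIFEST = {
    "availableToOtherTenants": True,
    "identifierUris": ["https://myapi.azurewebsites.net"],
    "replyUrls": ["https://myapi.azurewebsites.net/signin-oidc"],
}

# Constructed sample of the fix the answer suggests (assumption): App ID URI
# moved under a verified domain, reply URLs left untouched.
FIXED_MANIFEST = {
    "availableToOtherTenants": True,
    "identifierUris": ["http://localhost.test.onmicrosoft.com"],
    "replyUrls": ["https://myapi.azurewebsites.net/signin-oidc"],
}


def host_of(uri: str) -> str:
    """Return the lower-cased host name of a URI, or '' if it has none."""
    return (urlsplit(uri).hostname or "").lower()


def is_on_verified_domain(uri: str, verified_domains) -> bool:
    """True if the URI's host is a verified domain or a subdomain of one.

    The comparison requires a dot boundary, so a look-alike such as
    evilcompany.com is not accepted as a subdomain of company.com.
    The scheme is not inspected: the answer notes http works for testing.
    """
    host = host_of(uri)
    if not host:
        return False
    for domain in verified_domains:
        d = domain.lower().strip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def rejected_identifier_uris(manifest: dict, verified_domains) -> list:
    """Return the identifierUris that would be rejected for a multi-tenant app.

    Per the question, the same azurewebsites.net URI worked while the app was
    single-tenant, so the check is only applied when availableToOtherTenants
    is set. replyUrls are deliberately not checked: the answer says they can
    stay on azurewebsites.net.
    """
    if not manifest.get("availableToOtherTenants", False):
        return []
    return [
        uri
        for uri in manifest.get("identifierUris", [])
        if not is_on_verified_domain(uri, verified_domains)
    ]


if __name__ == "__main__":
    for name, manifest in (("failing", FAILING_MANIFEST), ("fixed", FIXED_MANIFEST)):
        bad = rejected_identifier_uris(manifest, VERIFIED_DOMAINS)
        print(f"{name}: {'ok' if not bad else 'rejected ' + ', '.join(bad)}")
```

Running the script reports the azurewebsites.net App ID URI as rejected for the failing manifest and nothing for the fixed one, while both keep the same reply URL, which is the point of the answer: only the logical identifier has to move into a domain you own.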