Deploy SA with 3 separate app registrations, Fixes #686 #698
Conversation
| $ISADMTApplicationIDProvided = ($ADMTApplicationIDAdmin && $ADMTApplicationIDPortal) | ||
|
|
||
| if($ISADMTApplicationIDProvided -eq $null){ | ||
| Write-Host "🔑 Multi-Tenant App Registrations provided." |
There was a problem hiding this comment.
Maybe we can call it , "Login App Registration.."
| { | ||
| "requestedAccessTokenVersion" : 2 | ||
| }, | ||
| "signInAudience" : "AzureADandPersonalMicrosoftAccount", |
There was a problem hiding this comment.
This should be single Tenant
There was a problem hiding this comment.
This is a good way to restrict users further. That said, sometimes the individual responsible for actions on the admin portal may not even be part of the tenant hosting the app registrations. In those cases, partner will need to invite the user to the tenant before being able to manage subscriptions.
| @@ -96,7 +97,7 @@ public void ConfigureServices(IServiceCollection services) | |||
| .AddOpenIdConnect(options => | |||
| { | |||
| options.Authority = $"{config.AdAuthenticationEndPoint}/common/v2.0"; | |||
There was a problem hiding this comment.
this should change to /tenantid/ not common
There was a problem hiding this comment.
Will make this change too if you no longer want multitenant access to the admin portal (comment above)
There was a problem hiding this comment.
--sign-in-audience AzureADMYOrg
Fixes #686
Creates unique App Registrations for both landing page and admin portal
Associates appropriate App registrations and URI redirects
Added both app registrations to web app config
Added additional Client ID to supporting interface