ShimingWu-5485 asked JamesTran-MSFT answered

How to pre-configure gallery app to support provisioning with multitenant style tenant URL

Hi, I would like to know if there is documentation describing how to configure the "Admin Credentials" section under the "provision" tab.

What I want to achieve:
1. We would like to prepare an Azure app (single tenant) and publish it to the Azure app gallery.
2. When admins add this app to their Active Directory, they will use their AAD as the IdP to configure SSO.
3. This app allows provisioning. The client can use the URL with the pattern "https://www.example.com/Tenants/{tenant_id}/v2/" and a secret token to conduct the provisioning.
4. Users should be able to get a tenant URL and secret token from us.

Background:
We have a SCIM app to support the provisioning for different clients.
We would like to follow the multi-tenancy model (RFC 7644); thus, we will issue a different tenant ID for each AAD. Currently, my finding is that, if I do not configure anything, the AAD admin is going to fill in the tenant URL and secret token as shown below:

84422-provisioning.png



Questions:

  1. Is it possible to have certain pre-configured parameters for a gallery app? For example, can we make it like:
    84423-parameters.png

  2. Or is it possible to set certain constraints on the tenant URL? For example, if the tenant URL filled in by the admin does not follow https://www.example.com/Tenants/{tenant_id}/v2/, the configuration will not be saved. May I ask: what if an admin just uses any valid tenant URL and secret token that is not related to the branding of the current app? For example, installing app A but using B's provisioning URL + secret token? How does Azure AD check this?

  3. In the Slack gallery app, the provisioning configuration is different from the default one. May I ask whether there is any documentation on how to do this?
    84392-slack-pro.png







azure-ad-user-provisioning

1 Answer

JamesTran-MSFT answered

@ShimingWu-5485
Thank you for the detailed post and I apologize for the delayed response!


  1. Is it possible to have certain pre-configured parameters for a gallery app? Or is it possible to set certain constraints on the tenant URL? For example, if the tenant URL filled in by the admin does not follow https://www.example.com/Tenants/{tenant_id}/v2/, the configuration will not be saved. May I ask: what if an admin just uses any valid tenant URL and secret token that is not related to the branding of the current app? For example, installing app A but using B's provisioning URL + secret token? How does Azure AD check this?

    • Based off my research, it doesn't look like it's possible to have pre-configured parameters, or pre-determined constraints for the gallery app. The TenantID and Secret token that should be inputted is from the tenant that will be enabled for automatic provisioning. For example, if you're going to use Atlassian Cloud for automatic user provisioning, you'll input the TenantID and Secret token from Atlassian into those parameters. For more info - Tutorial: Configure Atlassian Cloud for automatic user provisioning


  2. In the Slack gallery app, the provisioning configuration is different from the default one. May I ask whether there is any documentation on how to do this?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
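
Since the tenant URL and secret token are entered by each admin, the SCIM endpoint itself has to verify that the presented token was issued for the tenant named in the URL path. The following is an added example, not code from this thread or from Microsoft; `authorize_scim_request`, `ISSUED_TOKENS`, the tenant IDs and the tokens are hypothetical, constructed values, and the path pattern is the one from the question.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Path layout taken from the question: /Tenants/{tenant_id}/v2/...
TENANT_PATH = re.compile(r"^/Tenants/(?P<tenant_id>[A-Za-z0-9-]{1,64})/v2(?:/.*)?$")


def _digest(token: str) -> str:
    """Store and compare only SHA-256 digests, never the raw secret token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed sample store: tenant_id -> digest of the token issued to that tenant.
ISSUED_TOKENS = {
    "tenant-a": _digest("constructed-token-for-a"),
    "tenant-b": _digest("constructed-token-for-b"),
}


def authorize_scim_request(url: str, authorization_header: str | None) -> tuple[int, str | None]:
    """Return (HTTP status, tenant_id); tenant_id is set only when the token matches."""
    parts = urlsplit(url)
    match = TENANT_PATH.match(parts.path)
    if parts.scheme != "https" or match is None:
        return 404, None  # not a tenant-scoped SCIM URL
    tenant_id = match.group("tenant_id")

    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, None

    expected = ISSUED_TOKENS.get(tenant_id)
    # Always run the constant-time comparison, even for unknown tenants,
    # so the response time does not reveal which tenant IDs exist.
    matches = hmac.compare_digest(_digest(token.strip()), expected or "0" * 64)
    if expected is None or not matches:
        return 401, None  # token was not issued for the tenant in the URL
    return 200, tenant_id
```

A token issued to one tenant is rejected on another tenant's URL, so a mismatched URL and token pair fails at the first provisioning request.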
