question

Hello @ElliotStansfield-5757 ,

If I understand correctly, you have a structure where you own a Multi-academy trust which has many schools as members. every school has Office 365 subscription which means all of them have a n azure AD/Office 365 tenant directory for their schools. Every school having their own website is fine but would not be related to this query. you are trying to setup Capita Reading cloud library system with the MA trust so that it can be accessed by any students office 365 credential.

You can certainly setup the same without an issue of two students with same name matching and creating conflict in the identity system. the students will use their office365 Id (like user@school21.com) and it will authenticate them within their office365 tenant . So if a user john@school21.com logs on , the user will be searched in directory of school21.com and will be considered different from john@school22.com .

Now coming back to the solution on how to achieve this. I am assuming that you have a separate Office365 subscription for Multi academy trust as well where you would setup Capta Reading Cloud library system application. I checked the existing Azure AD gallery and this is not available as a gallery application. Hence in this case you would need to add this to your MA trust's azure AD tenant as a multi tenant application. You can use azure AD app registration section in order to do that .

Now you can add the Capita Library application details. If Capita library system can be used with Office 365 they would have a endpoint which will consume the token provided by Office 365 and that will be the redirect URI value which you need to add in the screen below. you also need to select the option Accounts in any organisational directory (any Azure AD directory - multitenant )

Now once the application is registered you will require to setup the authentication options. Here you will need help from the Capita application support team who can tell you how their application is designed and what options you need to select here as this depends on the application. Also they may need to change some option within their application to send the authentication request to login.microsoftonline.com/common endpoint .

If they are selling their application to office 365 customers they would surely have this option for their customers. You would then need to setup homepage of the application on the branding section of the application you registered as shown below.

In order for your users to know that they are accessing a trusted application , you need to update the publisher domain as a verified domain within your tenant else the user would get a consent screen which will show as publisher unverified creating confusion for your users. After this you would need to setup API permissions as per the requirement of the app . Generally an application needs the following permissions as shown in the pic below on Microsoft Graph API which is used to call Azure AD tenants in the backend by the application to access user data for the user logging in to the application. You also need to provide consent for users within your tenant for this application so that every user can sign in and is not prompted for providing consent every time they try to logon. You require to be logged in as a global administrator in order to consent for any permission tenant-wide. you should check this with the Capita support team on what details to add here.

Once this all is done , you can access this app using the following url .

http://login.microsoftonline.com/common/oauth2/authorize?response_type=code&prompt=admin_consent&client_id=[client ID of the application you registered from azure portal]&state=12345&redirect_uri=[redirect URI set for Capita in the directory]

You can use this URL and share it with each of the Office365 global administrators of the schools and they can add this as a link on their website and grant admin consent for their respective schools. The first time the global admin tries to provide the admin consent for the application , a service principal for this application will be created in each of their Office 365 tenant which can be seen in the enterprise applications section of the tenant . Once admin has consented, they can decide whether they would like to restrict user assignment and user visibility for their app in https://myapps.microsoft.com portal or not .

After that any first time login from any user will see a consent screen which will not be seen once the user consent and starts using the application.

The URLs would differ depending upon the consent and Capita support would know the details about this as they are ones who will have to tell whether the Office365 application will work this way or not . This would work unless Capita imposes any custom restrictions for multi-tenant access. Hope this helps you with the desired solution you seek. Hope the answer helps. If the information in this post helps you please do accept this as answer so that it helps other members of the community with this. In case you have any further queries or I have misunderstood your requirement, do let us know and we will continue to help you further on this.

Thank you.