2-WebApp-graph-user/2-3-Multi-Tenant/README-National-Cloud.md
12 additions & 12 deletions
@@ -30,26 +30,26 @@ This sample shows how to build an ASP.NET Core MVC web application that uses Ope
30
30
31
31
It also introduces developers to the concept of
32
32
33
-
- Microsoft National cloud environments
34
33
- Multi-tenant Azure Active Directory application
34
+
-[Azure National cloud deployments](https://docs.microsoft.com/en-us/graph/deployments)
35
35
36
-
> :grey_exclamation: If you want to run this sample in Microsoft worldwide Cloud, navigate to the [README.md](README.md).
36
+
> :grey_exclamation: If you want to run this sample in [Azure Worldwide Cloud](https://portal.azure.com/), please navigate to the [README.md](README.md).
37
37
38
38
### Microsoft National cloud environments
39
39
40
40
National clouds (aka Sovereign clouds) are physically isolated instances of Azure. These regions of Azure are designed to make sure that data residency, sovereignty, and compliance requirements are honored within geographical boundaries.
41
41
In addition to the public cloud, Azure Active Directory is deployed in the following National clouds:
42
42
43
-
-Azure US Government
44
-
-Azure China 21Vianet
45
-
- Azure Germany
43
+
-Microsoft Cloud for US Government
44
+
-Microsoft Cloud Germany
45
+
- Azure and Office 365 operated by 21Vianet in China
46
46
47
47
### Overview
48
48
49
49
When it comes to developing apps, developers can choose to configure their app to be either single-tenant or multi-tenant during app registration in the [Azure portal](https://portal.azure.com).
50
50
51
51
-`Single-tenant` apps are only available in the tenant they were registered in, also known as their home tenant.
52
-
-`Multi-tenant` apps are available to users in both their home tenant and other tenants where they are provisioned.
52
+
-`Multi-tenant` apps are available to users in both their home tenant and other tenants where they are provisioned. Apps that allow users to sign-in using their personal accounts that they use to sign into services like Xbox and Skype are also multi-tenant apps.
53
53
54
54
For more information about apps and tenancy, see [Tenancy in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps)
55
55
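Review bot: the added list items at new lines 33, 43 and 44 (`-[Azure National cloud deployments](...)`, `-Microsoft Cloud for US Government`, `-Microsoft Cloud Germany`) have no space after the `-`, so Markdown will not render them as bullets, while the sibling item `- Azure and Office 365 operated by 21Vianet in China` does have the space; add the space to all three. The rewrite also drops the `- Multi-tenant Azure Active Directory application` bullet from the "It also introduces developers to the concept of" list even though this is the multi-tenant README, so consider keeping that bullet next to the national-cloud link. In the extended multi-tenant sentence at new line 52, "sign-in using their personal accounts" uses the noun form as a verb; "sign in using" is correct.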
@@ -66,7 +66,7 @@ The application puts forward a scenario where a SaaS application invites the adm
66
66
1. On the onboarding page, you will be asked to sign-in as a tenant **administrator** and accept the permissions requested in the **admin consent** screen to successfully provision the application in your tenant.
67
67
1. Once you have **registered your tenant**, all users from that tenant will be able to sign-in and explore the ToDo list.
68
68
69
-
> :grey_exclamation: Azure Government applications can use Azure AD Government identities, but can also use Azure AD Public identities to authenticate to an application hosted in Azure Government. A multi-tenant application **will not** be accessible using Azure AD Public identities. To know more about choosing identity authority go to [choose identity authority in Azure Government](https://docs.microsoft.com/azure/azure-government/documentation-government-plan-identity#choosing-your-identity-authority).
69
+
> :grey_exclamation: Azure Government applications can use Azure AD Government identities, but can also use Azure AD Public identities to authenticate to an application hosted in Azure Government. A multi-tenant application **will not** be accessible using Azure AD Public identities. To know more about choosing identity authority go to [choosing your identity authority in Azure Government](https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-plan-identity#choosing-your-identity-authority).
70
70
71
71
## How to run this sample
72
72
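Review bot: the new link at line 69 introduces `/en-us/` into the docs.microsoft.com URL, while every other docs link in this file (the Tenancy and admin-consent links, for example) omits the locale segment; drop `/en-us/` so the link follows the reader's locale and matches the file's convention. The substance of the note, that a multi-tenant app hosted in Azure Government **will not** be reachable with Azure AD Public identities, is unchanged by this edit and is the part readers of this README most need, so it is worth keeping the link text close to the docs page title as this change does.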
@@ -217,7 +217,7 @@ The list of users will be presented in the **Assigned To** dropdown:
217
217
This sample details the following aspects of a multi-tenant app.
218
218
219
219
- usage of the `/common` endpoint.
220
-
- Service Principle provisioning of an app in Azure AD tenants
220
+
- Service principal provisioning of an app in Azure AD tenants
221
221
- Custom Token Validation to allow users from onboarded tenants only.
222
222
- Data partitioning in multi-tenant apps.
223
223
- Acquiring Access tokens for Microsoft Graph for each tenant.
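Review bot: "Service principal" is the right spelling at new line 220, but the surrounding list still mixes capitalization and punctuation ("usage of the `/common` endpoint.", "Custom Token Validation", "Data partitioning in multi-tenant apps.", "Acquiring Access tokens"); while touching this line, normalize the list to sentence case with a consistent trailing period, e.g. `- Service principal provisioning of an app in Azure AD tenants.`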
You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
241
241
242
-
### Service principle provisioning for new tenants (onboarding process)
242
+
### Service principal provisioning for new tenants (onboarding process)
243
243
244
-
For a multi-tenant app to work across tenants, its service principle will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principle provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.
244
+
For a multi-tenant app to work across tenants, its service principal will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.
245
245
246
246
```csharp
247
247
[HttpPost]
@@ -260,7 +260,7 @@ public IActionResult Onboard()
260
260
}
261
261
```
262
262
263
-
This results in an OAuth2 code grant request that triggers the admin consent flow and creates the service principle in the admin's tenant. The `state` parameter is used to validate the response, preventing a man-in-the-middle attack. Then, the `ProcessCode` action receives the authorization code from Azure AD and, if they appear valid, we create an entry in the application database for the new customer.
263
+
This results in an OAuth2 code grant request that triggers the admin consent flow and creates the service principal in the admin's tenant. The `state` parameter is used to validate the response, preventing a man-in-the-middle attack. Then, the `ProcessCode` action receives the authorization code from Azure AD and, if they appear valid, we create an entry in the application database for the new customer.
264
264
265
265
The `https://graph.microsoft.com/.default` is a static scope that allows the tenant admin to consent for all permissions in one go. You can find more about static scope on [this link.](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent#request-the-permissions-from-a-directory-admin)
266
266
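Review bot: at new line 263 the statement that the `state` parameter prevents "a man-in-the-middle attack" is inaccurate and worth correcting in the same pass: `state` ties the redirect back to the browser session that started the flow and therefore defends against cross-site request forgery (a forged or replayed callback), not against an on-path attacker, which is what TLS on the redirect URI addresses. Suggested wording: "The `state` parameter is validated on the response so that callbacks not initiated by this session are rejected (CSRF protection)." In the same sentence "if they appear valid" refers to the singular authorization code; "if it appears valid" reads correctly. Separately, the first sentence of new line 244, "It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning", is not parallel; "Provisioning can happen when the first user signs in, but most tenants only allow a tenant admin to carry it out" says the same thing clearly.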
@@ -340,7 +340,7 @@ If you are receiving the following error message, you might need to **delete old
340
340
341
341
> OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'AADSTS650051: Application '{applicationId}' is requesting permissions that are either invalid or out of date.
342
342
343
-
If you had provisioned a service principle of this app in the past and created a new one, the tenants that had signed-in in the app might still have the previous service principle registered causing a conflict with the new one. The solution for the conflict is to delete the older service principle from each tenant in the **Enterprise Application** menu.
343
+
If you had provisioned a service principal of this app in the past and created a new one, the tenants that had signed-in in the app might still have the previous service principal registered causing a conflict with the new one. The solution for the conflict is to delete the older service principal from each tenant in the **Enterprise Application** menu.
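Review bot: new line 343 reads "the tenants that had signed-in in the app"; the intended phrase is "signed in to the app" (hyphenated "signed-in" is the adjective form). Since the fix being described is deleting a service principal from customer tenants, the paragraph would benefit from telling the admin to match the application ID shown in the `AADSTS650051` error against the enterprise application before deleting it, so a different, legitimately used registration is not removed by mistake.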
2-WebApp-graph-user/2-3-Multi-Tenant/README.md
6 additions & 6 deletions
@@ -33,7 +33,7 @@ This sample shows how to build an ASP.NET Core MVC web application that uses Ope
33
33
When it comes to developing apps, developers can choose to configure their app to be either single-tenant or multi-tenant during app registration in the [Azure portal](https://portal.azure.com).
34
34
35
35
-`Single-tenant` apps are only available in the tenant they were registered in, also known as their home tenant.
36
-
-`Multi-tenant` apps are available to users in both their home tenant and other tenants where they are provisioned.
36
+
-`Multi-tenant` apps are available to users in both their home tenant and other tenants where they are provisioned. Apps that allow users to sign-in using their personal accounts that they use to sign into services like Xbox and Skype are also multi-tenant apps.
37
37
38
38
For more information about apps and tenancy, see [Tenancy in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps)
39
39
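Review bot: same wording issue as in README-National-Cloud.md: at new line 36 "sign-in using their personal accounts" uses the noun form as a verb, and "sign in using" is correct; "that they use to sign into services like Xbox and Skype" would also read more naturally as "the ones they also use for services such as Xbox and Skype". The two README files now carry an identical paragraph; if they are meant to stay in sync, a short comment or cross-link between them would keep future edits from landing in only one.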
@@ -193,7 +193,7 @@ The list of users will be presented in the **Assigned To** dropdown:
193
193
This sample details the following aspects of a multi-tenant app.
194
194
195
195
- usage of the `/common` endpoint.
196
-
- Service Principle provisioning of an app in Azure AD tenants
196
+
- Service principal provisioning of an app in Azure AD tenants
197
197
- Custom Token Validation to allow users from onboarded tenants only.
198
198
- Data partitioning in multi-tenant apps.
199
199
- Acquiring Access tokens for Microsoft Graph for each tenant.
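Review bot: beyond the "principal" fix at new line 196, this list has the same inconsistent capitalization and punctuation as its copy in README-National-Cloud.md ("usage of the `/common` endpoint.", "Custom Token Validation", "Acquiring Access tokens"); normalize both lists to sentence case with a consistent trailing period in this pass.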
You can read about the various endpoints of the Microsoft Identity Platform [here](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols#endpoints).
217
217
218
-
### Service principle provisioning for new tenants (onboarding process)
218
+
### Service principal provisioning for new tenants (onboarding process)
219
219
220
-
For a multi-tenant app to work across tenants, its service principle will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principle provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.
220
+
For a multi-tenant app to work across tenants, its service principal will need to be provisioned in the users' tenant. It can either happen when the first user signs in, or most tenant admins only allow a tenant admin to carry out the service principal provisioning. For provisioning, we will be using the [admin consent endpoint](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent) for the onboarding process. The code for this is provided in the `OnboardingController.cs`. The `Onboard` action and corresponding view, simulate the onboarding flow and experience.
221
221
222
222
```csharp
223
223
[HttpPost]
@@ -236,7 +236,7 @@ public IActionResult Onboard()
236
236
}
237
237
```
238
238
239
-
This results in an OAuth2 code grant request that triggers the admin consent flow and creates the service principle in the admin's tenant. The `state` parameter is used to validate the response, preventing a man-in-the-middle attack. Then, the `ProcessCode` action receives the authorization code from Azure AD and, if they appear valid, we create an entry in the application database for the new customer.
239
+
This results in an OAuth2 code grant request that triggers the admin consent flow and creates the service principal in the admin's tenant. The `state` parameter is used to validate the response, preventing a man-in-the-middle attack. Then, the `ProcessCode` action receives the authorization code from Azure AD and, if they appear valid, we create an entry in the application database for the new customer.
240
240
241
241
The `https://graph.microsoft.com/.default` is a static scope that allows the tenant admin to consent for all permissions in one go. You can find more about static scope on [this link.](https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent#request-the-permissions-from-a-directory-admin)
242
242
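Review bot: the `state` wording at new line 239 has the same problem as in README-National-Cloud.md: `state` protects against cross-site request forgery on the redirect (a callback not initiated by this session), not a man-in-the-middle, so apply the same correction here. Because `ProcessCode` is where the onboarding decision is made ("we create an entry in the application database for the new customer"), the paragraph would be more useful if it said which values are checked before that entry is created rather than only "if they appear valid"; and "they" should be "it", since it refers to the single authorization code.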
@@ -316,7 +316,7 @@ If you are receiving the following error message, you might need to **delete old
316
316
317
317
> OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'AADSTS650051: Application '{applicationId}' is requesting permissions that are either invalid or out of date.
318
318
319
-
If you had provisioned a service principle of this app in the past and created a new one, the tenants that had signed-in in the app might still have the previous service principle registered causing a conflict with the new one. The solution for the conflict is to delete the older service principle from each tenant in the **Enterprise Application** menu.
319
+
If you had provisioned a service principal of this app in the past and created a new one, the tenants that had signed-in in the app might still have the previous service principal registered causing a conflict with the new one. The solution for the conflict is to delete the older service principal from each tenant in the **Enterprise Application** menu.
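Review bot: new line 319 reads "the tenants that had signed-in in the app"; "signed in to the app" is the intended phrase. As with the national-cloud copy of this troubleshooting note, it is worth telling the admin to confirm the application ID from the `AADSTS650051` message before deleting the older service principal from the **Enterprise Application** menu.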