英文:
Adding custom domain to tabs and make it work as multi-tenant
问题
目标: 使选项卡支持多租户。
场景: 我们有一个机器人,我们添加了一个静态选项卡作为一个功能。在 Teams 工具包版本 4.x.x 中,添加功能是可用的。在部署到组织后,该选项卡正常工作。
作为我们进展的下一步,我们将我们的应用程序提交给 Microsoft 团队进行测试,得知我们的选项卡在其他组织中无法呈现。
在我们自己的组织中,没有错误,但在另一个组织中使用该应用程序时,我们无法获取令牌以连接到图形 API 和 Azure。
**error_description **:
"AADSTS500011: 名为 api://xxxxxxxxx6tab.z13.web.core.windows.net/botid-4xxxxxxx-1xxx-xxxx-xxxx-xxxxxxxxxxxx 的资源主体在名为 4z8g2m 的租户中未找到。如果尚未由租户的管理员安装该应用程序或由租户中的任何用户同意,可能会发生这种情况。您可能已将您的身份验证请求发送到错误的租户。\r\n跟踪 ID: xxxxxxx5-xxx4-xxx9-xxxc-xxxxxxxxxx0\r\n关联 ID: xxxxxxxxce-xxx3-xxx8-xxx5-xxxxxxxxxxxxx3\r\n时间戳: 2023-05-30 01:45:04Z" error_uri : "https://login.microsoftonline.com/error?code=500011" 时间戳 : "2023-05-30 01:45:04Z" 跟踪 ID : "xxxxxxx5-xxx4-xxx9-xxxc-xxxxxxxxxx0"
进一步探索后,我们得知我们的 Azure AppName-add 在部署过程中生成为 单租户。为了使应用程序在多个组织中可访问,我们需要将应用程序设置为 多租户。
为此,我们必须更改应用程序的受支持帐户类型。
**阻碍 **:
要更改此设置,我们必须使用自定义域,因为它不允许在未经验证的域上更新帐户类型。此域和 URI 在部署期间自动生成,因此我们无法直接访问它。
如果我们检查文档和其他相关博客,它说我们将在列表中获得自定义域选项,但我们没有任何选项。请参见上面的截图。
问题: 当我们添加自定义域时,它也不起作用,我们的自定义域报错。
仍然无法将我们的应用程序设置为多租户。当我们打开生成的静态选项卡 URL 时,它会打开我们的 Web 应用程序并显示错误。我们用错误屏幕处理了这种错误。
如果需要更多详细信息,请回复评论。
跟踪修复问题的资源:
- https://www.c-sharpcorner.com/blogs/azure-new-restrictions-to-azurewebsitesnet-domain
- https://azure.github.io/AppService/2020/07/28/zero_to_hero_pt5.html#upate-dns
- https://learn.microsoft.com/en-us/azure/virtual-machines/custom-domain?wt.md_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=37f4413221b54953aa1b751b4fb8a130
- https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains
- https://stackoverflow.com/questions/74132982/error-after-changing-my-application-id-uri-to-cdn-endpoint?r=SearchResults&s=1%7C49.1596
- https://stackoverflow.com/questions/69500264/cannot-provision-teams-app-due-to-storage-domain-conflict?r=SearchResults&s=2%7C47.1204
- https://stackoverflow.com/questions/76090110/redirect-uri-for-msal-authentication-in-react-app-for-ms-teams?r=SearchResults&s=3%7C37.2275
问题的当前状态(添加自定义域并使应用程序成为多租户):未解决
可能的问题
- 不确定选项卡 URL 的重定向是否正常工作到自定义域。
- 进行了多次重定向。
- 无法从 DNS 查询中找到线索。
- 如果需要,应用程序无法托管在所需的 URL 上。
- 实施了上述博客和文档中提到的所有方法,但没有效果。
- 困难:Bot Framework 在(2023 年 05 月 17 日)升级到版本 5。文档和选项与旧版本不一致。
与问题和错误相关的类似问题:
- https://stackoverflow.com/questions/60393330/cannot-update-authentication-as-multi-tenant-under-registered-application-in-azu
- https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=root%2Cazurecli
- https://dev.to/dailydevtips1/adding-a-custom-domain-to-azure-app-service-28bh
上述列出的方法均未起作用。
英文:
Objective: Make the Tab multi-tenant.
Scenario: There is a bot and we added a static tab as a feature. Add a feature was available in the Teams toolkit version 4.x.x. The tab is working fine after deploying to the organization.
As the next step in our progress, we submitted our app for testing to the Microsoft team and came to know that our tab is not rendering in other organizations.
In our own organization, there is no error but in case of using the app in another org, we are unable to get the token to connect to graph API and azure.
**error_description **:
"AADSTS500011: The resource principal named api://xxxxxxxxx6tab.z13.web.core.windows.net/botid-4xxxxxxx-1xxx-xxxx-xxxx-xxxxxxxxxxxx was not found in the tenant named 4z8g2m. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: xxxxxxx5-xxx4-xxx9-xxxc-xxxxxxxxxx0\r\nCorrelation ID: xxxxxxxxce-xxx3-xxx8-xxx5-xxxxxxxxxxxxx3\r\nTimestamp: 2023-05-30 01:45:04Z"
error_uri :
"https://login.microsoftonline.com/error?code=500011"
timestamp :
"2023-05-30 01:45:04Z"
trace_id :
"xxxxxxx5-xxx4-xxx9-xxxc-xxxxxxxxxx0"
On exploring more details we came to know that our Azure AppName-add that got generated during the deployment was single-tenant. To make the app accessible in multiple org we need to make the app Multi-Tenant.
For this, we had to change our app's supported account type.
**Blockers **:
To change this we have to use a custom domain as it does not allow to update the account type on an unverified domain. This domain and uri was auto-generated during deployment so we don't have direct access to it.
If we check the documentation and other associated blogs it says we will get Custom domain option in list but we dont have any. Check above screenshot for the same.
Issue : When we added custom domain it also didn't worked and our custom domain threw error.
Still our app is not multi-tenant. When we open the generated static tab url it opens our web app with the error. We handled such error with error screen.
Please comment back if more details are needed.
Followed Resources to fix :
- https://www.c-sharpcorner.com/blogs/azure-new-restrictions-to-azurewebsitesnet-domain
- https://azure.github.io/AppService/2020/07/28/zero_to_hero_pt5.html#upate-dns
- https://learn.microsoft.com/en-us/azure/virtual-machines/custom-domain?wt.md_id=searchAPI_azureportal_inproduct_rmskilling&sessionId=37f4413221b54953aa1b751b4fb8a130
- https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains
- https://stackoverflow.com/questions/74132982/error-after-changing-my-application-id-uri-to-cdn-endpoint?r=SearchResults&s=1%7C49.1596
- https://stackoverflow.com/questions/69500264/cannot-provision-teams-app-due-to-storage-domain-conflict?r=SearchResults&s=2%7C47.1204
- https://stackoverflow.com/questions/76090110/redirect-uri-for-msal-authentication-in-react-app-for-ms-teams?r=SearchResults&s=3%7C37.2275
Current status of issue (Addition of custom Domain and make the app multi-tenant ): Not worked
Possible issues
- Not sure if the redirection of the tab url is working properly to custom domain.
- Multiple redirections taking place.
- Unable to find clues from DNS lookup
- App is unable to get hosted on the desired URL (if required).
- Implemented all approaches mentioned in above blogs and docs but nothing worked.
- Difficulties: Bot Framework got upgraded to version 5 on (17/05/2023). Documents and the options are not aligning as they are old.
Similar Questions Associated with problem & errors :
- https://stackoverflow.com/questions/60393330/cannot-update-authentication-as-multi-tenant-under-registered-application-in-azu
- https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=root%2Cazurecli
- https://dev.to/dailydevtips1/adding-a-custom-domain-to-azure-app-service-28bh
None of the above listed methods are working
答案1
得分: 1
-
在
.fx/states/state.{env}.json中的fx-resource-frontend-hosting下,记下前端域名,键名为domain。 -
将您的自定义域名指向上述域名。
-
在
templates\azure\provision\azureStorageTab.bicep中更新前端信息。 -
打开
.fx/configs/azure.parameter.${env}.json并将m365TenantId的值设置为 "common"。 -
再次进行配置和部署。
这样您的 Teams 应用程序应该配置为多租户。
英文:
You can follow the instruction here.
- Note your frontend domain with key
domainunderfx-resource-frontend-hostingin.fx/states/state.{env}.json - Point your Custom Domain to the above domain
- Update frontend info in
templates\azure\provision\azureStorageTab.bicep - Open
.fx/configs/azure.parameter.${env}.jsonand set value ofm365TenantIdto "common" - Provision and deploy again
And your Teams app should be config as multi-tenant.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论