This sample is a web project that allows sign in from multiple tenants

• incorporate api permission in terraform script
• add documentation on providing consent
• use accesstoken to call webapi
• register webapi with a different tenant (enterprise application)
• restrict tenant user access to different tenant owned web apis
• rearrange terraform script to prevent needing to run twice (something messed up in terraform deployment sequence?)
• add app api id into knownClientApplications section of application registration manifest (here?)
• provisioning application (link)
• set the homepage
• work on "my notes" section. it should exist and all notes should be worked into system through automation and/or code
• add another webapi for different tenant
• move webapi config out of .json and into a sample in-memory source
• accessTokenAcceptedVersion => 2 in application manifest (webapp and web api): at time of writing, this needs to be done manually as there is no api for it
• put secrets into keyvault
• use same source for webapi details in 'inmemorywebapioptions' - they are independent but need to be in sync
• user secrets not being loaded at runtime

Terraform is used to build the environment and set the local user secrets. Unfortunately, because I cant solve a quirk in multiline commands on MacOS I have to create a local-exec for each command I want to run.

The environment has now been setup and the local environment has been configured using user secrets. We now need to register consent for the application in the tenant.

The application relies on resources in the API permissions section of Application Registrations. These need to be consented to by an administrator (or user) in the Enterprise Application configuration.

Application Registration --> Managed Application --> Permissions

The web project has two ServiceCollectionExtension methods. One sets up authentication using the traditional methods and the other uses the new Microsoft.Identity.Web MSAL preview packages.

Add Microsoft.Identity.Web and Microsoft.Identity.Web.UI packages to handle authentication and challenge screens respectively

Change the area in the _LoginPartial partial views from AzureAd to MicrosoftIdentity. The Microsoft.Identity.Web.UI package is responsible for the challenge screens and uses the MicrosoftIdentity MVC area for the login and logout pages.

Source

This is set up in the Startup.cs in this order:

exceptionHandler -> httpsRedirection -> staticFiles -> routing -> authN -> authZ -> myMiddleware -> endpoints (controller etc.)

This order is also used in reverse on the way back unless a short circuit has been introduced

• usesterraform to create the cloud resources
• usesdonet user-secrets to set the client side configuration values in a secret store
• spins up a protected multi tenant web api
• spins up a protected multi tenant web app
• allows you to login into web app and subsequently call the underlying web service with an on behalf of call

1. delete enterprise apps from client tenants
2. check service principals on client tenants
3. tear down terraform/home tenant resources

1. run terraform
2. home tenant: knownClientApplications in webapi manifest must include appId of webclient
3. login to application with home tenant credentials
4. consent permissions on appreg -> managed app -> permissions
5. add enterprise application to client tenant : az ad sp create --id <home tenant webapi appId> and az ad sp create --id <home tenant client application appId> (make sure any old ones are deleted)
6. consent permission in client tenant enterprise applications -> permissions

override files dont override everything. Use docker-compose config to see what the effective result it. eg: ports are concatenated not overriden Source