
Make a query to a sharepoint site in a multi-tenant scenario #3

Open
ayoubqrt opened this issue Jan 6, 2024 · 1 comment

Comments

ayoubqrt commented Jan 6, 2024

Hi, thank you for your work. I found some useful resources, particularly in your mgwdev-m365-helpers repo.
So I wanted to use the sp-react application in a multi-tenant scenario.

Context:

  • The application in Azure is registered in the 1234xx tenant and configured in multi-tenant mode
  • The site collection in SharePoint was created in public mode (so members of the organization can access the site)
  • Added a user from another tenant to the site collection

Scenario:

  • With any account from the 1234xx tenant, I can authenticate myself and make requests to SharePoint through the SharePoint REST API.
  • With a user from another tenant, I can authenticate myself but cannot make requests to SharePoint; I get this error:
    {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}

Do you have any ideas? Do you think it's possible?

mgwojciech (Owner) commented

Hi Mate :)
Great to hear someone finds it useful.

When it comes to guests in such a scenario, there is one thing You have to consider - even if Your app is registered as multi-tenant, You have to know to which tenant You want to authenticate at the runtime level. In other words, when navigating to the /auth page, You have to already know which tenant You want to authenticate to. If not, the MS login page will always assume You want to authenticate to Your "main" tenant.

This of course presents a small problem - if You want to keep Your app functioning as multi-tenant, You have to figure out when a user is using the app as a guest and when as an internal user. I would suggest using a link with ?tenantid=<tenant_id> when sharing the link to Your app; then, if Your app detects tenant-id in the query parameter, it uses it in the auth endpoint, and if not, it goes with common (or organizations).

If You are building an app for one customer (or You can handle that with subdomains) - there is no problem :)

Hope that helps :)
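One way to implement the tenant-selection logic described in the reply above, as an added example that is not part of the sp-react project or the original thread. It assumes a client-side app that reads `window.location.search`; the function and constant names (`resolveTenant`, `resolveAuthority`, `DEFAULT_TENANT`) are made up for this illustration, and the tenant ID in the sample link is constructed.

```javascript
// Added example: choose the Entra ID authority from a ?tenantid=<guid> query
// parameter and fall back to "organizations" (or "common") when it is absent.
// Only a well-formed GUID is accepted, so a crafted link cannot steer the
// login flow to an arbitrary authority path.

const LOGIN_HOST = "https://login.microsoftonline.com";
// Use "common" instead if personal Microsoft accounts must also sign in.
const DEFAULT_TENANT = "organizations";
const GUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns the tenant segment for the authority URL: the validated tenant ID
// from the query string, or DEFAULT_TENANT when none (or an invalid one) is given.
function resolveTenant(search) {
  const params = new URLSearchParams(search);
  const tenantId = (params.get("tenantid") || "").trim();
  return GUID_RE.test(tenantId) ? tenantId.toLowerCase() : DEFAULT_TENANT;
}

// Builds the authority to hand to the sign-in library before redirecting to /auth
// (for example the `authority` value of an MSAL auth configuration).
function resolveAuthority(search) {
  return `${LOGIN_HOST}/${resolveTenant(search)}`;
}

// Constructed sample inputs: a guest's shared link, an internal user's plain link,
// and a tampered link that must not influence the authority.
const guestLink = "?tenantid=11111111-2222-3333-4444-555555555555";
console.log(resolveAuthority(guestLink));
console.log(resolveAuthority(""));
console.log(resolveAuthority("?tenantid=../evil"));
```

In a browser, `resolveAuthority(window.location.search)` gives the value to use when the app is loaded; the guest's tenant GUID must be the one that issued the invitation, otherwise SharePoint still rejects the token's audience.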
