Has anyone successfully implemented authentication with any Microsoft 365 tenant?
My use case is that I'm developing a customer portal for my clients and I want these clients to be able to authenticate against their own Microsoft 365 tenant.
This also applies later when I want to build a product that can be accessed by any user in any other tenant.
It looks like this should be possible using the OpenID Connect identity provider against Microsoft as shown here: https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-provider
It even suggests that the above is possible in that document:
"Enable authentication by using a multitenant Azure AD application
You can configure your website to accept Azure AD users from any tenant in Azure, and not just from a specific tenant, by using the multitenant application registered in Azure AD."
I've found no videos or walkthroughs that explicitly show you the settings required and I've been unable to implement this myself.
Hi Ian, sorry I'm on leave now so won't get you any screenshots for a while. That's a pity you can't get it going on your instance. There must be something somewhere in the config or setup.
One thing in response to your theory, I did get it going with a non-D365 template portal - I did a POC on a new Power Pages template before replicating on a customer environment, then with the D365 Customer self service template.
I have a horrible feeling Microsoft have locked out this functionality on any templates other than the Dynamics 365 ones, meaning you have to pay a hefty monthly fee from the get-go.
Come on Microsoft...
Hi dokane, Many thanks for the response. I'm still having issues after replicating what you have. When I click to sign in I just get "This page isn't working at the moment. If the problem continues, contact the site owner. HTTP ERROR 401"
Any chance I can get a screenshot or export of all of your site settings?
Hi Ian,
I just did a proof of concept on this very thing, this very morning!
Found that manually creating the Site Settings did the trick, as the wizard creates and insists on some settings which left me with invalid sign-in errors. I haven't yet been able to figure out why, and what knock-on I have for excluding those settings, for now.
Rough steps:
Create the App Registration in Azure (named CustomerAzureAD in my case)
Follow instructions in the Msft doc but select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and make sure under Implicit grant, you have selected the ID tokens check box.
Then in Portal Management Studio manually create your site settings:
Authentication/OpenIdConnect/OpenId_1/AllowContactMappingWithEmail = true
Authentication/OpenIdConnect/OpenId_1/Authority = https://login.windows.net/common/ (documentation said (the newer!) https://login.microsoftonline.com/common but it would not work for me!)
Authentication/OpenIdConnect/CustomerAzureAD/Caption = (whatever you want to call your button)
Authentication/OpenIdConnect/CustomerAzureAD/ClientId = the Application ID from Azure
Authentication/OpenIdConnect/CustomerAzureAD/ExternalLogoutEnabled = true
Authentication/OpenIdConnect/CustomerAzureAD/IssuerFilter = https://sts.windows.net/*/
Authentication/OpenIdConnect/CustomerAzureAD/RedirectUri = yourportal.powerappsportals.com/signin-openid_1
Authentication/OpenIdConnect/CustomerAzureAD/ValidateIssuer = false
Additionally I've configured:
Authentication/Registration/Enabled = true
Authentication/Registration/InvitationEnabled = true
Authentication/Registration/OpenRegistrationEnabled = false
You'll see that even though you have manually created the Identity Provider it does appear in the listed Providers in Authentication Settings for your Portal.
Let me know if you figure anything else out with this, that I haven't already 😀
Good luck!
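Added illustration, not part of dokane's post or of any Power Pages code: the issuer filtering that `IssuerFilter = https://sts.windows.net/*/` together with `ValidateIssuer = false` implies for a multitenant app, applied to constructed claim sets from ID tokens whose signature has already been verified. The client ID and tenant IDs are placeholders, and the per-customer tenant allow-list is an assumption of the example, not a site setting from the thread.

```python
import re
import time
from typing import Optional, Tuple

# Constructed placeholder values; the real ones come from your Azure app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # Authentication/OpenIdConnect/<name>/ClientId
ISSUER_FILTER = "https://sts.windows.net/*/"        # Authentication/OpenIdConnect/<name>/IssuerFilter
# Assumed extra control (not a portal setting): only these customer tenants may sign in.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

GUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"


def issuer_filter_to_regex(filter_pattern: str) -> "re.Pattern[str]":
    """Turn the wildcard IssuerFilter into a regex where '*' matches exactly one tenant GUID,
    so 'https://sts.windows.net/anything/else/' cannot slip through the wildcard."""
    escaped = re.escape(filter_pattern).replace(r"\*", GUID_RE)
    return re.compile(rf"^{escaped}$")


def check_id_token_claims(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Checks a multitenant sign-in should apply to an already signature-verified ID token.
    With ValidateIssuer = false the issuer is not pinned to one tenant, so the filter and
    the tenant allow-list are what decide which tenants are accepted. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") != CLIENT_ID:
        return False, "aud does not match this app registration"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    iss = claims.get("iss", "")
    if not issuer_filter_to_regex(ISSUER_FILTER).match(iss):
        return False, "issuer outside IssuerFilter"
    tid = claims.get("tid", "")
    # v1.0 Azure AD tokens carry the tenant GUID in both iss and tid; they must agree.
    if iss != f"https://sts.windows.net/{tid}/":
        return False, "tid claim does not match issuer tenant"
    if tid not in ALLOWED_TENANTS:
        return False, "tenant not on the customer allow-list"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample claim set for a user from an allowed tenant.
    sample = {"aud": CLIENT_ID, "tid": "11111111-1111-1111-1111-111111111111",
              "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
              "exp": time.time() + 3600}
    print(check_id_token_claims(sample))
```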