This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Good morning.
I'm currently trying to create an application designed to run natively on Azure App Service leveraging a PostgreSQL Flexible Server, using Entra ID for authentication (with OAuth2) and relying on the Graph API to interact (through application permissions) with Teams and Sharepoint.
My final objective is to create a Managed Application that, once listed in the Commercial Marketplace, can be freely downloaded by whoever wants to install in on their Tenant.
The problem I'm trying to solve, in fact, regards exactly this last point: if I want the application to be installable in an arbitrary Tenant, I need to fully automate its deployment.
The creation of Azure resources is - obviously - straightforward: using a Bicep template I can easily deploy the App Service, Database and Virtual Network needed to link them. With the App Registration needed to use OAuth2 and the Graph API, however, there seems to be nothing I can do: the ARM template itself can't create it as it resides in Entra and have nothing to do with Azure Resources, and all the guides that teach how to work around this issue with Deployment Scripts (like this QuickStart template) assume that I have prior access to the target Tenant to create a User Assigned Managed Identity via PowerShell, but this is not the case!
So my question is: what is the best practice to deal with this situation? I can obviously create a multitenant registration in my Tenant and then bundle the secrets in the installations making them Publisher-managed and restricting the Customer access, but it doesn't feel quite secure...
Thank you in advance to anyone who will dedicate some time to share some advice.
Hello @Riccardo Sacchetto !
Welcome to Microsoft QnA!
I understand your issue to be able to provide your APP the ability to be installed from Multiple Tenants
There is a specific link that points to Azure Managed Applications and all the steps required to do that :
AND:
AND HERE:
I believe you will find everything you need there !
You most probably need to make the App able for Multi-Tenancy when registered , but this is just a small detail
I hope this helps !
Kindly mark the Answer as Accepted and upvote or post your feedback to provide additional help !
Regards !
Good morning, @Konstantinos Passadis
Thank you very much for your reply.
Unfortunately, those articles don't seem to include any detail useful to solve my problem, as they only explain how to create a Managed Application but not how to make sure that it can use OAuth2 to authenticate Entra users and access Graph API to interact with other Microsoft services.
What I'm tying to do, in fact, is to either automate the creation of an App Registration (the process that you can do through this blade of the Portal) in the Tenant where the Managed App is being installed and then provide its ID and Secret to the App Service that is deployed with the Bicep template included in the Managed App Definition or to find a way to deploy for every client a common secret associated with a multitenant App Registration in my Tenant.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Riccardo Sacchetto ,
I understand that you are trying to automate the creation of an app registration and then provide its ID and Secret to the app service so that it can use OAuth2 to authenticate Entra users and access Graph API.
The best practice for programmatic app registrations would be to create the app registration via Graph API:
POST https://graph.microsoft.com/beta/applications
You can generate the application credentials (including client secret) using Graph.
var graphClient = new GraphServiceClient( authProvider );
var passwordCredential = new PasswordCredential
{
DisplayName = "Password name"
};
await graphClient.Applications["{application-id}"]
.AddPassword(passwordCredential)
.Request()
.PostAsync();
Multi-tenant vs single tenant is based on the signInAudience value. The signinAudience needs to be updated to "signInAudience": "AzureADandPersonalMicrosoftAccount" for multi-tenant apps.
PATCH https://graph.microsoft.com/v1.0/applications/{id}
Content-type: application/json
{
"signInAudience": "AzureADMyOrg"
}
That said, I don't believe Graph supports changing the default 100% as there are some manual validation involved by switching the account types. This is documented here Validation differences by supported account types - Microsoft Entra | Microsoft Learn screenshot for manual change on the UX:
https://video2.skills-academy.com/en-us/graph/api/application-update?view=graph-rest-1.0&tabs=http