Add support for setting MICROSOFT_TENANT_ID
Added new conditionally optional environment variable. Required for
single tenant app registration (#39).
velimir-jankovic authored and lucen-ms committed Nov 14, 2024
1 parent 2e7beae commit cd62de8
Showing 3 changed files with 5 additions and 2 deletions.
1 change: 1 addition & 0 deletions api/ENVIRONMENT.md
Expand Up @@ -30,6 +30,7 @@ To emulate Azure Blob Storage locally. Azurite needs to be installed and running

- `MICROSOFT_CLIENT_ID`
- `MICROSOFT_CLIENT_SECRET`
- `MICROSOFT_TENANT_ID`: Required if application registration is single tenant.

## Optional parameters

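Review bot: the new `MICROSOFT_TENANT_ID` entry says when the variable is required but not what happens when it is absent; since the code falls back to `common`, say so here (for example "Optional for multitenant registrations; when unset the `common` authority is used") and add that it must stay unset when personal accounts are supported, because a tenant-specific authority does not serve personal Microsoft accounts. The entry also sits in the always-required list directly above `## Optional parameters`, so its conditional status is easy to miss.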
2 changes: 1 addition & 1 deletion api/README.md
Expand Up @@ -102,7 +102,7 @@ Both work and personal accounts use the same application for authentication. The
1. Register an Azure Registered Application following [official guideline](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#register-an-application)
1. For option `Supported account types`:
1. If you want to support both Personal and Work accounts, select `Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)`
1. If you want to only support Work accounts, choose either `Accounts in this organizational directory only (<your directory> - Single tenant)` or `Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)` depending if you want to support Single or Multitenant authorization
1. If you want to only support Work accounts, choose either `Accounts in this organizational directory only (<your directory> - Single tenant)` or `Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)` depending if you want to support Single or Multitenant authorization. Make sure to set `MICROSOFT_TENANT_ID` envrionment variable in case of using single tenant application.
1. If you want to only support Personal accounts, select `Personal Microsoft accounts only`
1. Set up Redirect URI(s) depending on the choice you made for `Supported account types`. If you choose both Personal and Work accounts, you need to add both redirect URIs, otherwise just one of the ones:
1. Personal account: `https://codepush-<project-suffix>.azurewebsites.net/auth/callback/microsoft` (for local development it will be either http://localhost:3000/auth/callback/microsoft or https://localhost:8443/auth/callback/microsoft)
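Review bot: typo in the added sentence: `envrionment` should be `environment`. The guidance is also appended to an already long bullet; consider making it its own sub-step and stating the inverse case as well (leave `MICROSOFT_TENANT_ID` unset for the multitenant and personal-account options), since the step above for both Personal and Work accounts otherwise says nothing about the variable.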
4 changes: 3 additions & 1 deletion api/script/routes/passport-authentication.ts
Expand Up @@ -488,7 +488,9 @@ export class PassportAuthentication {
redirectUrl: this.getCallbackUrl(providerName),
clientID: microsoftClientId,
clientSecret: microsoftClientSecret,
identityMetadata: "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
identityMetadata: `https://login.microsoftonline.com/${
process.env["MICROSOFT_TENANT_ID"] || "common"
}/v2.0/.well-known/openid-configuration`,
responseMode: "query",
responseType: "code",
scope: ["email", "profile"],
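Review bot: `process.env["MICROSOFT_TENANT_ID"] || "common"` silently widens the authority to `common` whenever the variable is missing or empty, which is the opposite of what a single-tenant deployment wants: a misconfigured environment still starts and accepts sign-ins through the multitenant metadata endpoint instead of failing. Suggest reading the variable once into a constant beside `microsoftClientId` and `microsoftClientSecret`, trimming it and checking it looks like a tenant ID (GUID) or verified domain before it is interpolated into the URL, and making the fallback explicit (at least log at startup which authority is in use). Also confirm the strategy validates the `iss` claim against the configured tenant rather than relying on the metadata URL alone; swapping the endpoint does not by itself enforce a tenant restriction if issuer validation is relaxed for the `common` case.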

0 comments on commit cd62de8