1
votes

I have two Office 365 tenants, one for Production and one for Testing. I can see my two Active Directories in manage.windowsazure.com.

I noticed the following behavior when creating a multi-tenant user consent application.

When a multi-tenant Azure AD application is registered in Azure AD 'X', this app is not available in the "My Apps Launcher" for Office 365 users in tenant 'X'. On the other hand, the app is accessible in the launcher (after pinning it from 'View all my apps') for all users and tenants except 'X'.

Is that an expected behavior?

Here is the app launcher I am referring to

1
Can you clarify the scenario a little bit? When you say "is registered in Azure AD 'X'", what exactly do you mean? Does this mean that you clicked on "Add" and selected "Add an application my organization is developing" in the Azure Management portal? Likewise, for "the app is accessible (...) for all users and tenants except 'X'", is this after consenting to the app? If so, how are you consenting to the app? – Saca
Question 1. Yes, I mean I selected "Add an application my organisation is developing". Question 2. Yes, after consenting to the app; the consent is approved at sign-in, when we get the web page that sums up what will be accessed by my application (user flow consent, no need for admin consent). – Benoit Patra
You can test directly on our application app.keluro.com or using our Office365 web add-in store.office.com/… – Benoit Patra

1 Answer

2
votes

I think only apps that the user is assigned to show up in the Office portal.

If you create the app in your tenant, admin consent is applied automatically in your tenant, meaning that all users automatically get consented to it but none of them get assigned.

On the other hand, what you've been testing with users from another tenant is user consent, which consents just that user to the app, and also assigns them to it.

If that other tenant went through admin consent (by adding prompt=admin_consent to the login.microsoftonline.com), you'd see the same behavior as your tenant where everyone gets consented but no one assigned, and therefore no one would (by default) see it in the Office portal.

To have it show up in the case of admin_consent (whether it's in your tenant or some other one) you need to:

  1. Go to the classic Azure portal and navigate to Azure AD and your app.
  2. Once in your app's Azure AD page, select Users & Groups.
  3. Select "All Users" from the Show filter and click on the check mark.
  4. Select a user and click on the button at the bottom that says "Assign".

Doing that should make your app show up for that user in the Office Portal.
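
The assignment steps above can also be scripted. The following is an added example, not part of the original answer: it assumes the Microsoft Graph PowerShell SDK is installed, and `$AppId` and `$UserUpns` are placeholders rather than values from this page. It assigns each listed user to the app's service principal in the signed-in tenant, skips users who are already assigned, and then lists who is assigned so the result can be reviewed.

```powershell
# Added example (not from the original answer). Assumes the Microsoft Graph PowerShell SDK.
param(
    [string]   $AppId    = '00000000-0000-0000-0000-000000000000',  # placeholder client (application) ID
    [string[]] $UserUpns = @('alice@contoso.example')                # constructed sample UPN
)

Connect-MgGraph -Scopes 'Application.Read.All','AppRoleAssignment.ReadWrite.All','User.Read.All'

# The service principal is the app's instance in this tenant. It exists only once
# the app has been registered here or consented to here.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for $AppId in this tenant." }

# Apps that define no app roles use the default access role (all-zero GUID).
# If the app defines user-assignable roles, one of them must be used instead;
# taking the first enabled one is an assumption made for this example.
$roleId = [Guid]::Empty.ToString()
$userRoles = @($sp.AppRoles | Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' })
if ($userRoles.Count -gt 0) { $roleId = $userRoles[0].Id }

# Current assignments, used to keep the script idempotent.
$existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

foreach ($upn in $UserUpns) {
    $user = Get-MgUser -UserId $upn
    if ($existing.PrincipalId -contains $user.Id) {
        Write-Host "$upn is already assigned"
        continue
    }
    New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
        -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
    Write-Host "Assigned $upn"
}

# Review who is assigned to the app after the change.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, AppRoleId
```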