Background information.
I have an application (an MS Teams bot) that I have hosted in Microsoft Azure as an "App Service". This application has its own application Id. In its "Settings" I have amended "Authentication/Authorization" to be enabled as such,
So I have created a new Azure Active Directory application within my existing App Service in Azure. Now this application has its own application ID and key. The multi-tenant feature has been enabled on it.
This application has the following permissions,
Application permissions.
Delegated permissions.
Problem.
I have 2 unrelated environments in Azure. One (we can call this Azure A) is for hosting test applications, and the other (Azure B) is for hosting live applications and is host to our live Active Directory. My bot application is in Azure A, but when a user from Azure B uses the bot and the bot tries to authenticate the user against the Active Directory they came from, it is unable to do so. My bot application gains an access token to run against the API "https://graph.microsoft.com", which it successfully acquires.
Here I have a class, which acquires an access token for my bot application to run against,
    using System.Net.Http;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

    // Graph SDK authentication provider: attaches an app-only (client credentials) token to every request.
    class AzureAuthenticationProvider : IAuthenticationProvider
    {
        public async Task AuthenticateRequestAsync(HttpRequestMessage request)
        {
            string clientId = "client-id";         // azure ad app id
            string clientSecret = "client-secret"; // azure ad app secret
            string authority = "https://login.microsoftonline.com/tenant-id"; // Authentication URI. tenant-id taken from Azure B
            AuthenticationContext authContext = new AuthenticationContext(authority);
            ClientCredential creds = new ClientCredential(clientId, clientSecret);
            // Resource identifier for Microsoft Graph; the issued token's audience will be this value.
            AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", creds);
            request.Headers.Add("Authorization", "Bearer " + authResult.AccessToken);
        }
    }
I then run the following to try and access user information from Azure B,
    GraphServiceClient client = new GraphServiceClient(new AzureAuthenticationProvider());
    string userId = "<user object id from Azure B>"; // placeholder for the target user's object id
    User user = await client.Users[userId].Request().GetAsync();
I then receive the following error,
    Microsoft.Graph.ServiceException: Code: Authorization_IdentityNotFound
    Message: The identity of the calling application could not be established.
So my questions are,
i) Should the client id and secret used in AuthenticateRequestAsync() be those of the Azure Active Directory application, or should they be taken from my bot application? These two run in the same App Service in Azure A.
ii) If the Azure Active Directory application has multi-tenant enabled, will it be able to authenticate users from an Active Directory outside of my domain?
iii) I suspect the authentication URI has to contain the tenant id of where the user is from (Azure B) and not the tenant id of where the application is hosted (Azure A); is this correct?
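A diagnostic added here, not part of the question or of any Microsoft SDK: before calling Graph, decode the acquired access token's claims locally and check that `tid` is Azure B's tenant, that `appid` is the client id you expect, and that a `roles` claim is present, which is what granted application permissions look like in an app-only token. The tenant and client ids below are constructed placeholders and the sample token is constructed and unsigned; no signature is verified, so this inspects a token the app itself obtained and must not be used to trust an incoming one.

```python
import base64
import json

GRAPH_RESOURCE = "https://graph.microsoft.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    # Returns the payload claims WITHOUT verifying the signature (inspection only).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_tenant: str, expected_client_id: str) -> list:
    """Return human-readable problems; an empty list means the token targets the
    right resource, was issued by the expected tenant and carries app roles."""
    claims = decode_claims(token)
    problems = []
    aud = str(claims.get("aud", ""))
    if aud.rstrip("/") != GRAPH_RESOURCE:
        problems.append(f"aud is {aud!r}, expected {GRAPH_RESOURCE}")
    if claims.get("tid") != expected_tenant:
        problems.append(f"tid is {claims.get('tid')!r}: issued by a tenant other than {expected_tenant}")
    if claims.get("appid") != expected_client_id:
        problems.append(f"appid is {claims.get('appid')!r}, expected {expected_client_id}")
    if not claims.get("roles"):
        problems.append("no 'roles' claim: application permissions were not granted in this tenant")
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed, UNSIGNED sample token for offline testing only (empty signature part).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed example: a token issued by "tenant-b-id" with one app role granted.
    good = make_sample_token({"aud": "https://graph.microsoft.com/", "tid": "tenant-b-id",
                              "appid": "client-id", "roles": ["User.Read.All"]})
    print(check_token(good, "tenant-b-id", "client-id"))  # []
```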