What is the behaviour when publishing a single-tenant Open ID Connect application to the EntraID Gallery?
I've gone through the exercise of creating a multitenant enterprise application using OIDC on EntraID, and I understand the behaviour. Whilst, I haven't gone through the process of publishing it to the gallery, I know what the behaviour in the customer's tenant will be, and what they have to configure as I can test this via using the consent URL. I see that the user in the customer's tenant has no control at all over the app registration where I define the redirect URLs, tokens to issue, app-roles, etc.
However, I do not know what the behaviour would be if I were to publish a single-tenant Open ID Connect application, as listed here, where the documentation reads
If your application requires additional per-instance configuration, such as customers needing to control their own secrets and certificates, you can publish a single-tenant Open ID Connect application.
What is the difference between this approach and allowing a user to create their own app registration and enterprise application? What is configurable and what is not?
In my case, I'm interested in allowing the customer to define their own roles, but preferably not their own redirect URLs or what goes in the tokens, etc.
Is there anywhere I can test this behaviour? I'm assuming that some things are not allowed to be controlled by the customer user, e.g. documentation links, terms of service URLs, etc. But I can't see this documented anywhere so I'm going in blind.
I'm the product manager that worked on the single tenant OIDC gallery feature.
When publishing into the gallery, you are able to pre-populate information such as reply URIs, terms of service links, needed permissions, etc.. You can think of this as a step you take to help simplify the onboarding process for your customers -- instead of a multi-step process for them, you've prefilled information that they no longer need to configure themselves, and they can get all that goodness with a click of a button.
In its current state, the customer will get full control of the app registration and service principal that will be instantiated within their tenant. This information could be changed by the customer (i.e. there is no block preventing them from doing so) so keep that in mind.
Hope this helps!
Erin
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions