Niels Brinch

Reputation: 3632

Custom API dynamically authenticating to different SharePoint tenants

I have a custom .NET API and have set up multi tenant authentication for Azure AD which works well. Customers from different Office 365 subscriptions will all call the same API and the API will access Office 365 on behalf of the user that is calling. So far so good.

We have called Microsoft Graph on behalf of the user without any problem. Now we also need to call SharePoint on behalf of the user and have stumbled upon a problem, which is that the location must be pre-configured in our App Service as illustrated below:

[Image: location of configuration of additionalLoginParams]

We can solve this by configuring all SharePoint tenants in this configuration, but as it may change often and without warning, we wish to find a solution where this can be set dynamically.

(I know I can update the Azure configuration with the Azure API, but I am looking for a solution that effectively will authenticate to "any" tenant)

Does anyone know if we can override this setting in our application dynamically and how?

Upvotes: 0

Views: 150

Answers (1)

Bruce Chen

Reputation: 18465

According to your description, you are using the built-in App Service Authentication / Authorization (Easy Auth). AFAIK, you could also explicitly specify the additional login parameters as follows:

https://<your-webapp-name>.azurewebsites.net/.auth/login/aad?resource=https://graph.microsoft.com&response_type=code id_token

For your requirement, you may need to redirect your customer to the above endpoint with the corresponding resource parameter for authentication.

Moreover, if you want to call both Microsoft Graph and SharePoint on behalf of the logged-in user, you may need to use the on-behalf-of flow in your code to obtain tokens for accessing another API. Since you are using the built-in authentication, you could focus on the process of acquiring the token for another resource (e.g. Microsoft Graph or SharePoint) in your .NET Web API project. For a detailed code tutorial, you could follow Calling a downstream web API from a web API using Azure AD.

Upvotes: 1
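
The on-behalf-of exchange mentioned in the answer, with the SharePoint resource chosen per request instead of in App Service configuration, as an added example that is not code from the question, the answer or the linked tutorial. It posts to the Azure AD v1 token endpoint and rejects any resource that is not `https://<name>.sharepoint.com`, so a caller-supplied URL cannot steer the API into requesting a token for an arbitrary audience. Assumptions: the class and method names are hypothetical, only the commercial cloud host suffix is allowed, the tenant id is taken from the caller's `tid` claim, and the app registration already has delegated SharePoint permissions consented in the customer tenant.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Added example; SharePointObo and its members are hypothetical names.
public static class SharePointObo
{
    private static readonly HttpClient Http = new HttpClient();

    // Reduce a site URL to its tenant root and allow only SharePoint Online hosts.
    public static string NormalizeResource(string sharePointUrl)
    {
        if (!Uri.TryCreate(sharePointUrl, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || !uri.Host.EndsWith(".sharepoint.com", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Not a SharePoint Online URL", nameof(sharePointUrl));
        return "https://" + uri.Host.ToLowerInvariant();
    }

    // userAccessToken: the bearer token the caller presented to this API.
    // tenantId: the "tid" claim of that already validated token (a GUID).
    public static async Task<string> AcquireTokenAsync(
        string tenantId, string clientId, string clientSecret,
        string userAccessToken, string sharePointUrl)
    {
        if (!Guid.TryParse(tenantId, out var tid))
            throw new ArgumentException("Tenant id must be a GUID", nameof(tenantId));

        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["requested_token_use"] = "on_behalf_of",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,   // load from a secret store, not source
            ["assertion"] = userAccessToken,
            ["resource"] = NormalizeResource(sharePointUrl)
        };
        var endpoint = $"https://login.microsoftonline.com/{tid:D}/oauth2/token";
        using var response = await Http.PostAsync(endpoint, new FormUrlEncodedContent(form));
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)   // the error body is not echoed to the caller
            throw new InvalidOperationException($"Token request failed: {(int)response.StatusCode}");
        using var json = JsonDocument.Parse(body);
        return json.RootElement.GetProperty("access_token").GetString();
    }
}
```

The returned token is sent as `Authorization: Bearer …` to the same tenant root that was passed as `resource`; cache it per user and per resource rather than per application.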
