MS ENTRA ID MULTI-TENANT AUTHENTICATION

As of CDESK version 3.2.6, it is possible to allow external users to log in from different Microsoft Entra ID tenants (multi-tenant authentication). This setting ensures that users can log in with their Office 365 account regardless of which tenant they are in, provided they have created an account in CDESK with a matching email.

To use this feature, you must first set up basic authentication using Microsoft Entra ID. If you have not already done so, we recommend that you go through the MS Entra ID Basic Authentication Setup.

Below is a detailed procedure for activating multi-tenant authentication, either when creating a new connector or in an existing one.

Multi-tenant setup when first linking CDESK with MS Entra ID

If you have not yet created a connector and registered your application in MS Entra ID, go through the basic settings for MS Entra ID authentication. There are only two changes you need to make during this setup.

1. Multi-Tenant activation in the CDESK connector

When creating a Microsoft Entra ID Authentication connector in CDESK (CDESK → Global Settings → Connectors, API), enable the Multi-Tenant switch.

Tip: If you have already created a connector, you can edit it by following the instructions in the next section of this guide.

Figure: Turning on the Multi-Tenant switch when creating a connector

2. Registering the CDESK application in MS Entra ID

When registering the CDESK application in MS Entra ID, under Supported Account Types select Accounts in any Organizational Directory (Any Microsoft Entra ID Tenant – Multi-tenant). This setting ensures that authentication works for users from other tenants.

Figure: Setting the Multitenant option when registering a CDESK application in MS Entra ID

Multi-Tenant setup with already created connector and registered CDESK application in MS Entra ID

Go to CDESK → Global Settings → Connectors, API and find your created Microsoft Entra ID Authentication connector. Once it is open, enable the Multi-Tenant switch. Save your changes by clicking the Save button.

Figure: Enabling the Multi-Tenant switch in an existing connector

Next, go to office.com and log in with an Office 365 account that has permission to manage the MS Entra ID. Find the Admin application in the Apps menu on the left side of the window.

Figure: Entering the Admin app in Office 365

Click to open the Admin splash screen. From the menu on the left, select Show All. From the expanded menu, click Identity.

Figure: Identity application in the admin menu

A new window will open. Select App Registrations from the left-hand menu. Then open the All Applications tab, locate and open the registered CDESK application from the connector. Check that it is the correct application – you can check this by comparing the Application (Client) ID.

Figure: List of registered applications

When you open the app, go to Authentication and scroll down to the Supported Account Types section. Select Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant). Be sure to save the settings by clicking the Save button.

Figure: Setting the CDESK application as Multitenant

Granting application permissions on first login

Please note that when a user logs in for the first time, Microsoft requires application permissions to be granted. The administrator of each tenant from which users will be logging in can check the ‘Consent on behalf of your organization’ box at the first login, granting Admin Consent for the entire organization. This ensures that the application will work for that tenant without any further requests for consent from other users in the organization. Without Admin Consent, each user must grant these permissions themselves.

Figure: Requesting application permissions from an administrator’s perspective

Admin Consent can also be granted via the MS Entra ID portal, in the Enterprise Applications section, where you select the application, go to Permissions and click on Grant admin consent for your company.

Figure: Granting Admin Consent via the MS Entra ID portal
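
The two portal checks above (comparing the Application (Client) ID and confirming the Supported Account Types value) can also be run against an exported application object. The following is an added example, not part of CDESK or of the original guide. It assumes the registration was exported as JSON (for instance with `az ad app show --id <client-id>`); the client ID, tenant name and sample object are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# signInAudience value behind the portal option
# "Accounts in any organizational directory (... Multitenant)".
MULTI_TENANT = "AzureADMultipleOrgs"

# Other values the application object can carry, and why they differ from the guide.
AUDIENCE_NOTES = {
    "AzureADMyOrg": "single tenant: users from other tenants cannot sign in",
    "AzureADandPersonalMicrosoftAccount": "also admits personal Microsoft accounts",
    "PersonalMicrosoftAccount": "personal Microsoft accounts only",
}


def check_registration(app_json, connector_client_id):
    """Return a list of findings; an empty list means the export matches the guide."""
    app = json.loads(app_json)
    findings = []
    # Same comparison the guide asks for by eye: is this the connector's application?
    if app.get("appId", "").lower() != connector_client_id.lower():
        findings.append("appId does not match the connector's Application (Client) ID")
    audience = app.get("signInAudience")
    if audience != MULTI_TENANT:
        note = AUDIENCE_NOTES.get(audience, "unrecognised value")
        findings.append(
            f"signInAudience is {audience!r} ({note}); expected {MULTI_TENANT!r}"
        )
    return findings


def admin_consent_url(tenant, client_id):
    """Link that an external tenant's administrator opens to grant Admin Consent."""
    query = urlencode({"client_id": client_id})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


# Constructed sample: a registration still set to single tenant.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder client ID
SAMPLE_APP = json.dumps(
    {"displayName": "CDESK", "appId": CLIENT_ID, "signInAudience": "AzureADMyOrg"}
)

if __name__ == "__main__":
    for finding in check_registration(SAMPLE_APP, CLIENT_ID):
        print("FINDING:", finding)
    # partner.example stands in for an external tenant's domain or tenant ID.
    print(admin_consent_url("partner.example", CLIENT_ID))
```

The consent link gives each external tenant's administrator a way to grant Admin Consent ahead of the first user login, as an alternative to the consent prompt described above.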