Multi-tenant MS 365 support

urrman · March 29, 2022, 3:33pm

Hi,
currently, Zammad allows to configure a single MS 365 tenant, see admin documentation:
https://admin-docs.zammad.org/en/latest/channels/microsoft365/accounts.html

Thus so far it only possible to add email accounts that belong to a single MS 365 tenant.

Consider adding to Zammad’s roadmap a feature to configure more than one (unlimited) MS 365 tenant - please add/develop a multi-tenant MS 365 support.

Here is a link to a similar technical assistance request:

MrGeneration · March 29, 2022, 4:03pm

That is not correct.
If you don’t use tennant specific apps this should work out of the box already.

urrman · March 29, 2022, 4:23pm

I in my on-prem v5.0 community Zammad, once configured a Microsoft 365 app, I can only add email accounts that belong to the same MS Azure/MS365 tenant, where I configured the Microsoft 365 app.
Trying to add MS365 email accounts from other tenants - the browser navigates to url:
https://login.microsoftonline.com/[currently_added_tenant_tld]/oauth2/v2.0/authorize?

When providing MS365 account credentials that belong to another MS tenant the MS service throws an error:

Sorry, but we’re having trouble with signing you in.
User account 'xxxxx@tenant2-domain.com' from identity provider 'https://sts.windows.net/XXXXXXXXXXX/' does not exist in tenant '[Configure-tenant-name]' and cannot access the application 'YYYYYYYYYYYYYY'(Zammad) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

MrGeneration · March 29, 2022, 4:25pm

As I said: You’re using tennant specific app configurations.
The documentation does roughly state the differences.

You’lll wanna look at “Supported account types”.
This is as far as I can help.

urrman · March 29, 2022, 4:54pm

Evidently, you mean adding an MS365 email account via IMAP protocol.
Adding via IMAP works well for a personal outlook/hotmail account.
However, it doesn’t work for an MFA-enabled MS365 email account.

urrman · March 30, 2022, 6:16am

Ok, I got that you refer to the following URL in admin documentation:
https://admin-docs.zammad.org/de/latest/settings/security/third-party/microsoft.html?highlight=Supported%20account%20types#limitations

This states the following:

Supported account types:
Please note that Zammad only supports these account types (App dependent):
> * Accounts in this organizational directory only (Default Directory only - Single tenant)
> * Accounts in any organizational directory (Any Azure AD directory - Multitenant)
> * Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)

I need to say that I have configured Zammad in my Azure to allow the most open concept:
- Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts
Would you be so kind to share the know-how on how to add email accounts from other MS365/Azure tenants once you have added first MS tenant?

urrman · March 30, 2022, 7:57am

I need to confess that I could succeed in adding another tenant’s emails - to achieve it you should clear (left empty) “TENANT UUID/NAME” field on the “Configure (MS365) App” form.

The topic can be closed.

MrGeneration · June 14, 2022, 9:19pm

Wrong thread. Please don’t hijack / recycle other topics - especially not in feature request categories. Open your own technical assistance thread, please.

Samenhaus · June 14, 2022, 9:22pm

Sorry, thought the topic would fit.
Moving it to here: Use multiple office 365 channels

system · May 20, 2023, 7:33am

This topic was automatically closed after 416 days. New replies are no longer allowed.