Overview
Altoura Remote Expert uses a multitenant Microsoft Entra ID (Azure AD) app registration for the Teams meeting experience. The app is multitenant because remote assist sessions are Teams meetings where participants from different tenants may need to join — a single-tenant app would block external participants from authenticating. This multitenant app handles Teams SSO authentication, Microsoft Graph API access (meeting creation, chat notifications, contact lookup, and user profile resolution), and app identity configuration (authentication callback URL and exposed API scope). It is separate from the single-tenant Entra app used for Frontline application login, which is covered in the Entra ID & SSO Setup Guide. In addition, the setup requires an Azure Communication Services (ACS) resource. ACS provides the real-time communication infrastructure and is used to authenticate and impersonate the actual signed-in user during remote assist sessions.
Choose Your Deployment Path
Use the path that matches your environment:
- SaaS (Altoura-hosted): SaaS Deployment Steps
- Customer Tenant Deployment: Customer Tenant Deployment Steps
Why Multitenant?
Remote assist sessions are Teams meetings. In many real-world scenarios, the field worker and the remote expert belong to different organizations (different Entra ID tenants). A single-tenant app registration would only allow users from the app’s home tenant to authenticate. By using a multitenant app:
- Users from any consented tenant can authenticate via Teams SSO.
- External experts can join meetings and use the annotation tools without being blocked by tenant boundaries.
- Each participating organization grants admin consent independently, keeping control over their own tenant.
How Multitenant SSO Authentication Works
Here is how the authentication flow works end-to-end:
- A user opens the Altoura Remote Expert app inside a Teams meeting.
- The Teams SDK calls authentication.getAuthToken(), which requests an SSO token from Microsoft Entra ID using the multitenant app’s client ID (configured in the Teams manifest’s webApplicationInfo).
- Entra ID verifies that the user’s tenant has granted consent for the app, then issues a token scoped to the user.
- The app sends this token to the Altoura backend, which extracts the tid (tenant ID) and aud (audience / client ID) claims to identify the tenant.
- The backend uses the token to call Microsoft Graph API on behalf of the signed-in user (delegated permissions).
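The claim checks a backend would apply before trusting tid and aud in the fourth step of the flow, as an added example (not Altoura's code). It assumes the token signature has already been verified against Entra ID's signing keys, that the app receives v2.0 tokens (so aud is the client ID), and a hypothetical allowlist of onboarded tenants; checkTenantClaims, CONFIG and all identifiers are constructed for illustration.

```javascript
// Added example: checks on tid/aud/iss before the backend trusts a tenant.
// Assumes the signature was already verified and the token is v2.0.
// All identifiers below are constructed placeholders.
const CONFIG = {
  clientId: '11111111-1111-1111-1111-111111111111',
  // Hypothetical allowlist of tenants onboarded after admin consent.
  consentedTenants: new Set([
    'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
    'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb',
  ]),
};

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns { ok: true, tenantId } or { ok: false, reason }.
function checkTenantClaims(claims, config, nowSeconds) {
  const { tid, aud, iss, exp } = claims;
  if (typeof tid !== 'string' || !GUID.test(tid)) {
    return { ok: false, reason: 'tid missing or malformed' };
  }
  const tenantId = tid.toLowerCase();
  // The token must have been issued for this app, not another resource.
  if (aud !== config.clientId) {
    return { ok: false, reason: 'aud is not this app' };
  }
  // A multitenant app sees a different issuer per tenant, so iss must be
  // bound to the tid claim instead of compared with one fixed string.
  if (iss !== `https://login.microsoftonline.com/${tenantId}/v2.0`) {
    return { ok: false, reason: 'iss does not match tid' };
  }
  if (!config.consentedTenants.has(tenantId)) {
    return { ok: false, reason: 'tenant not onboarded' };
  }
  if (typeof exp !== 'number' || exp <= nowSeconds) {
    return { ok: false, reason: 'token expired' };
  }
  return { ok: true, tenantId };
}

// Constructed sample claims; overrides let each failure case be exercised.
function sampleClaims(overrides = {}) {
  const tid = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
  const iss = `https://login.microsoftonline.com/${tid}/v2.0`;
  return { tid, aud: CONFIG.clientId, iss, exp: 2000, ...overrides };
}

console.log(checkTenantClaims(sampleClaims(), CONFIG, 1000));
console.log(checkTenantClaims(sampleClaims({ tid: 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb' }), CONFIG, 1000));
```

The second call fails because the tid was changed without a matching iss, which is the mismatch a fixed-issuer comparison would miss in a multitenant app.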

