Taylor Artunian

The recent deprecation of the built-in Azure/Office365 authentication option has left us without a convenient way to allow users to sign in to our Zendesk using their Azure identities.

Currently there are two relevant tutorials on setting up SAML authentication in Zendesk, one from Zendesk and the other from Microsoft:
Enabling SAML single sign-on – Zendesk help
Tutorial: Azure AD SSO integration with Zendesk - Microsoft Entra | Microsoft Learn

Both of these tutorials, however, explain how to create an authentication option that works for a single tenant. In our case, the end users logging in to our Zendesk instance exist in their own Azure tenants.

Using the Zendesk application from the Azure marketplace we can edit the app registration to enable multitenant logins, but in practice it does not work.

Has anyone successfully setup SAML authentication between Zendesk and Azure that supports multitenant logins?

For anyone running into issues with Azure AD integration in 2023, the Zendesk app from the Azure gallery asks for the Entity ID in the https://*.zendesk.com format. However, the SAML Issuer field from Zendesk comes in the .zendesk.com format (and these are supposed to match). We also had to change the AppID field in the corresponding App Registration.

That is the same callback url that I used in Azure. I also set it as Web platform (not single-page) and enabled Access tokens (not ID tokens).

I remember getting the 422 error, but I just can't remember what caused it.

I think what ended up making it work for me was setting the OAuth scope to:

openid offline_access https://[your_subdomain].crm.dynamics.com/user_impersonation

Thank you Eric. That did the trick!

For anyone else looking for long term Azure tokens:
Prepending the scope with "openid offline_access" should do it.

Hi Eric,

Thank you for the reply. Below is a picture of my manifest file.
(Edit)
As for authentication, I don't do that explicitly in the code. I use the `Authentication: Bearer {{setting.token}}` placeholder in my requests to get the token provided by the proxy.

I have an app that connects to an Azure based app to read data. The app is successfully using the Zendesk authentication proxy, but after the token expires the app no longer works. From what I've read, the Zendesk documentation says that the proxy should handle the refreshing of the access token.

I have an OAuth enabled app that is successfully authenticating to Azure AD but is receiving authorization errors when accessing MS Dynamics CDS through the Zendesk Proxy.

On the Zendesk side, the app is successfully authenticating using my App Registration in Azure. Using the same settings in Postman, I am able to authenticate and also query data, whereas in the Zendesk app I receive a 401 unauthorized error.

I followed this ZD guide to add OAuth to my app.
https://developer.zendesk.com/documentation/apps/app-developer-guide/using-the-apps-framework/

My best guess is that it is related to the OAuth grant type and that the Zendesk app is getting the wrong type of token from my Azure App Registration.

Failed Web Request:
zendesk_powerapps_connector_web.PNG

Postman - Authorization Settings:
zendesk_powerapps_connector_auth.PNG

Postman - Variables Used:
zendesk_powerapps_connector_vars.PNG

Postman - Successful Response:
zendesk_powerapps_connector_res.PNG

Zendesk - App Manifest:
zendesk_powerapps_connector_zd_manifest.PNG

Zendesk - Successful App Authentication:
zendesk_powerapps_connector_sshot1.PNG