Is it possible to manipulate tenant from another tenant in Azure? - azure

I am new to Azure, and one question bothers me.
 
Is it possible to create a multi-tenant logic in Azure with one "General" AAD that contains function apps and other tenants (more than 20) that should use these apps to manipulate their own tenants?
For example, there is an app for managing users (UserManagement). When this function is "called" from another tenant (Tenant "B"), let's say for adding a new user, it should add the user only in the called AAD (Tenant "B").
I try to accomplish this by storing app registration credentials in a table or service principal - app registration logic, but it has no effect. 
Thank you .

I did a test in my side with Azure AD Multi-tenant application with an asp.net core application, the feature is allowing users from different tenant to sign in then using Microsoft Graph API to query all the users.
My Azure AD application is registered in tenant A which is a multi-tenant application. Then I used user in tenant B to sign in the application, then the query result is that all the users in tenant B is listed in the query result.
Here's the sample I followed. And in the contoller, my request is like this: var users = await _graphServiceClient.Users.Request().GetAsync();
Do not forget to set the tenant id as common for enabling the multi-tenant feature.

I agree with #Tiny Wang, you need to create Multi-Tenant Azure AD Application to achieve your scenario.
I tried to reproduce the same in my environment and got the results as below:
I created an Azure AD Application in TenantA:
Now, I tried to sign-in with the TenantB user using the below authorize endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The user will be prompted the screen as below:
Once the user Accepts the consent, the TenantB user will be authorized successfully.
I generated the access token by using below parameters:
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
If you want the Personal Microsoft accounts to access your App, then Register your application as below and make use of common endpoint:
Based on your requirement, you can assign the Azure AD API Permissions and permit the users to access the Application.

Related

Allow Azure B2C App Registration access to regular organization AD App Registration

I have the following scenario:
An organization has an internal application, X, which is registered under the 'main' tenant, allowing employees to utilize it.
App X has an API exposed for other applications (which are also registered under the main organization tenant) to used, and thus, this is all setup in AD.
A new B2C tenant has been created, where another public facing application, Y, will be registered.
How do I allow my App Registration for Y in my B2C tenant to use the exposed API of X?
Any feedback would be appreciated.
Edit 1:
I'm assuming I'd need to setup a Daemon auth flow, as the backend of Y will be authenticating with X as the app itself, and not as or on behalf of the user logged into Y.
Edit 2:
After some looking into this today, I'm considering creating an AD App Registration for Y in the main organization of X, allowing me to set up any connections that need to be made there, and I'd update the backend of Y to make a call as a Daemon to X, passing all the relevant information and client secret.
Seems a bit unusual, so will look for alternatives, but would also appreciate some feedback from someone who has more experience :)
Edit 3:
To clarify, I am looking to facilitate the communication between backend applications between two tenants, where one is a B2C tenant, and the other is an internal organization tenant.
This can be achieved using multi-tenancy. Both the applications need to register as multi-tenant application.
1.In Tenant A - Create an app registration as multi-tenant application in tenant A (eg: TenantA) and expose it as an API (api://app-id) and add the app roles in the application.
2.In Tenant B - Create an app registration as multi-tenant application in tenant B and note the client-id of the application.
3.The client id of application in Tenant B need to be added in known client application in the manifest of application registered in tenant A.
4.Provide consent to the application and permission in Tenant B to create the service principal using https://login.microsoftonline.com/common/adminconsent?client_id=clientIdOfTenantA&redirect_uri=redirectURIOfTenantA
5.In Tenant B, service principal of Tenant A has been created under Enterprise applications
6.Now tenant A is available in Tenant B. You can go ahead and make the API exposed in tenant A to the tenant B.
• Yes, you can surely allow the App registration considered Y in Azure AD B2C tenant to use the exposed API of another ‘App registration’ named X in an Azure AD tenant. For that purpose, you will have to configure the ‘Application Y’ registered in Azure AD B2C tenant as a ‘multitenant’ application and use it to start an authentication request to the authorization endpoint via a user flow. Thus, in here, the user flow defines and controls the user experience. After users complete the user flow, Azure AD B2C generates a token and then redirects users back to your application.
For this purpose, you will have to configure a user flow in your Azure AD B2C application.
Please refer to the below snapshots and steps defined for more details on this: -
a) You might be having a front end and a back end to your application registered for authentication purposes with your web app. The backend application might have the authentication with the application registration X in an Azure AD tenant while the frontend application might have the authentication with the application registration Y registered in the Azure AD B2C tenant.
Then, you will have to modify the front-end code for the web API and the back-end code for the web API as given in the below relevant link: -
https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#call-back-end-api-from-front-end
For further configuring the authentication and authorization for the two apps, you can configure the front-end app to generate an access token that you can use to make authenticated calls to the back-end app. For this purpose, you will have to configure Azure AD as the identity provider with the app service configured for the front end as well as the back end as given in the link below: -
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
b) Once the above has been done, ensure that you are granting front end app access to the back end as below through the ‘Authentication’ section in the Azure AD app: -
Then configure the app service to return a usable access token for the front-end app to access the back-end app with the required permissions for configuring the App service authentication and authorization on behalf of the ‘App registration Y’ in the Azure AD B2C tenant for it to access the ‘App registration X’ in Azure AD tenant as below by adding the scope parameter to the authentication setting ‘identityProviders.azureActiveDirectory.login.loginParameters’. Replace and in the below commands: -
authSettings=$(az webapp auth show -g myAuthResourceGroup -n <front-end-app-name>)
authSettings=$(echo "$authSettings" | jq '.properties' | jq '.identityProviders.azureActiveDirectory.login += {"loginParameters":["scope=openid profile email offline_access api://<back-end-client-id>/user_impersonation"]}')
az webapp auth set --resource-group myAuthResourceGroup --name <front-end-app-name> --body "$authSettings"
The commands effectively add a ‘loginParameters’ property with additional custom scopes. Here's an explanation of the requested scopes: -
openid, profile, and email are requested by App Service by default already.
For information, see OpenID Connect Scopes: -
api://<back-end-client-id>/user_impersonation is an exposed API in your back-end app registration. It's the scope that gives you a JWT token that includes the back-end app as a token audience.
offline_access is included here for convenience (in case you want to refresh tokens)
Thus, thereby you can call the back-end API (Azure AD app registration) from the front-end API (Azure AD B2C app registration) by injecting a X-MS-TOKEN-AAD-ACCESS-TOKEN header to each authenticated request as shown below: -
https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#call-api-securely-from-server-code
Thus, in this way, you can surely expose an API for an application registered in Azure AD B2C for it to access the application in Azure AD.

MS Graph API permission for multiple tenant

We have an web application that use Graph APIs, we granted it application permissions in app registration. Now we want to put the application to Microsoft App Source, is it possible to allow user of other tenants to use the permission of the app registration in our tenant? For example, one of the APIs is for creating calendar event to some users in this tenant, if use multi-tenant app registration, can people from other tenant create calendar event in their tenant successfully?
if use multi-tenant app registration, can people from other tenant
create calendar event in their tenant successfully?
Agree with #Tiny Wang, Yes we can do this , the multi-tenant Azure AD app should obtain authorization from other tenants, and when other tenants wish to create calendar events in their own tenant, they should specify their own tenant id when generating access tokens.
You can implement Get access without a user and use Application permission to access for create calender event .
Make sure that we need to get administrator consent for each tenant where we need to access.
For example if one app is registered in TenantA . And you want to access for create calender event in TenantB. Then we need to do admin consent as mentioned below
and Log in with an admin account of TenantB to do the admin consent for TenantB
To access the following url in a browser.
https://login.microsoftonline.com/{TenantB}/adminconsent
?client_id={ app registered in TenantA}
&state=12345
&redirect_uri={app registered in TenantA}
Then we will get an access token to create an calender event for the tenant B.
For more information please refer the below links:
SO THREAD| Error trying to access other tenant users calendars, using MS Graph API & Multi tenant support for Microsoft Graph API

How to acces AzureRM with a AzureAD Multi-Tenant App using personal Microsoft account?

My target is simple: use an Azure AD multi-tenant app to be able to call Azure Resource Manager API on other tenants. However, I cannot figure out how to do it when you sign in with a personal Microsoft account.
I created an Azure AD multi-tenant app using a company's tenant
Then created a test ASP.NET Core Web application which goes to a such URL:
The Microsoft's login page shows up and I'm able to log in successfully with a personal LIVE.COM, where the test Web app receives the callback with given redirect URL. I have another Azure tenant created with my personal MS account which I'm trying to access.
The Multi-Tenant AAD App gets added to the "personal space" at https://account.live.com/consent/Manage, but not to the Azure AD tenant.
It probably makes sense from the technical standpoint, but how do I add the AAD app to another tenant when logged in with a personal account?
I figured that the "authorize" URL must include the AAD tenant name/ID instead of "common" (confirm that a Service Principal gets created on the target tenant):
However, that tenant name/ID is unknown when a user logs in, and I don't really know what API to use to query it.
Should be done by hand - detecting a personal MS account and finding the association with AAD tenant, or is there an API that can facilitate this? In both cases, how? What if an account is associated with multiple tenants ("Switch Directory" in Azure Portal)?
P.S. using URLs https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize ("orgainzations" instead of "common") or https://login.microsoftonline.com/common/oauth2/authorize (without "v2.0") won't allow using a personal MS account to log in.
UPDATE
To demonstrate the problem, there are 4 tests were made to access resource "https://management.azure.com/" with a multi-tenant app:
Authorize Microsoft's "Microsoft Azure" app with v1 endpoint - it works with personal accounts:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize the same "Microsoft Azure" app with v2 endpoint - now it does not allow to use personal accounts:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=1950a258-227b-4e31-a9cf-717495945fc2&response_type=code&response_mode=form_post&scope=https://management.azure.com/.default&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v1 endpoint (insert your client id) - shows error AADSTS50020 "User account 'user#live.com' from identity provider 'live.com' does not exist in tenant 'contoso.com' and cannot access the application ''(app name) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&response_mode=form_post&resource=https://management.azure.com/&nonce=123&state=common&redirect_uri=http%3A%2F%2Flocalhost%3A64696%2FAuthCallback
Authorize a custom multitenant app against v2 endpoint - same as test #2 - does not allow personal accounts.
Thoughts.
The v2 endpoint does not allow personal accounts for the resource https://management.azure.com/, where the v1 endpoint does.
Microsoft Azure app probably has a manifest with undocumented or hardcoded settings that allows to use personal accounts for the desired resource.
ANSWER
Long story short, it's not possible for general public as per Microsoft.
Only V2.0 endpoint supports personal account(even it doesn't belong to any Azure AD tenants) to login.
It works with personal account when you use v1.0 endpoint.
That's because that personal account belongs to at least one Azure AD tenant. Then this personal account will be recognized as a guest user in the tenant.
The v2 endpoint does not allow personal accounts for the resource
https://management.azure.com/
Yes, if you login in with personal account when you use v2.0 endpoint, it will detect that you belong to personal account and will redirect you to the personal account login endpoint https://login.live.com/oauth20_authorize.srf.
You must identify the tenant to login in with personal account when use v2.0 endpoint
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=20244877-ae8f-4325-b4cf-c6dc239cb124
&response_type=code
&redirect_uri=https://localhost
&response_mode=fragment
&scope=https://management.azure.com/.default
&state=12345
&nonce=default
Then you can call https://management.azure.com/tenants?api-version=2016-06-01 to list all the tenants that account belongs to.
Update:
It is normal that you can't do that. You are not telling Azure AD that
the which tenant the MSA user is an external user, so Azure AD is
making a guess and checking in the tenant where the app is registered
(tenant A). If you expect external users to be able to sign in, you
must specify the tenant where the guest has previously been invited to
(e.g. tenant B).

Azure AD - Multi-Tenant with Daemon Service and Authorization Code Grant flow, can a target tenant generate a client_secret?

I am working with Azure AD through OAuth 2.0 protocol and also creating a Service/ Dameon application to handle the authentication process for Microsoft Graph SDK. For the service/daemon, I make a HttpWebRequest and pass along the client_id and client_secret to generate an access_token where I then can supply to the Microsoft Graph SDK.
I also have successfully created a corresponding service principal to the target tenant, in which an admin has granted permissions to the application using the authorization code grant flow. The application then shows in Overview -> Quick tasks -> Find an enterprise app, within the (portal.azure.com).
My question is there an approach where I can leverage the service/daemon approach while also allowing an admin from the target tenant to authorize the application, that would allow the target tenant to create a client_secret to pass which would be unique to that tenant?
Short answer is no. When an admin consents your multi-tenant app:
A Service Principal is created for it in their tenant
Permissions requested by the app are granted in that tenant
This means your app can now authenticate with its client credentials (id + secret) against their tenant as well. So the same keys work in all approved tenants.
What that means is your app is free to get an access token for any of them at any given time, no matter who is signed in. So it puts some responsibility to your app to keep data separated.
If you get an access token from https://login.microsoftonline.com/company.com/oauth2/token, the resulting token will contain that tenant's identifier. And APIs like the Microsoft Graph API will only give you data for that tenant with that token. So your app must make sure to only use a token that has a tenant id equal to the user's tenant id claim.
I would say that juunas' answer is 99% correct. The short answer is basically no, and the considerations he mentions are also solid.
But I believe that this would be technically possible under certain considerations. When the admin consents to your daemon service, a service principal is created in your customer's tenant. Service principals do allow addition of credentials that can be used as client secrets on a per-tenant basis. The thing is, there's not really a way to add a credential to a service principal programmatically from your app. You would have to get an administrator to run some script to add the new credential to their tenant's service principal.
Even if you went through all this, you would need to make sure that your service is also isolated on a customer/tenant basis. Security-wise, it's sort of pointless to create per-tenant client secrets if your singular daemon has access to all of the secrets.

Azure AD - Multi-Tenant with Daemon Service Authentication flow, what limits tenants from accessing other tenants users?

I have created a Service/Dameon application to handle the authentication process for Microsoft Graph SDK. I pretty much created a HttpWebRequest and created a URL which I passed in my application's secret and client_id which generated an access_token. This access_token was then used with the Microsoft Graph CSharp SDK to authenticate for OneDrive for Business.
I have successfully proofed this out for a single tenant and it is able to pull back all the user's OneDrive metadata on files and folder facets. My question is if I wanted to allow access for other tenants to this application, what users would they see?
If Tenant A creates an application that reads all the non-global admin accounts to pull back OneDrive for Business meta-data and Tenant B has its own list of non-global admin accounts where Tenant B wishes to read from - Where is the restrictions to limit Tenant B to only having access to their own list of non-global users.
The only thing I can think of is that Tenant B would need to create their own client_id and secret- is there another way of doing this?
The only thing I can think of is that Tenant B would need to create their own client_id and secret- is there another way of doing this?
Before the application could interact with Azure AD through OAuth 2.0 protocol, we need to create the corresponding service principal to the target tenant. When we register the application on the Azure portal, the portal already create the service principal for us in the developer's tenant.
And if we are developing an multi-tenant app, the users on the other tenant need to grant the permission. After users consent, a service principal is created in users' tenant.
So another way is, we need to provide a way to enable users in other tenant to able to consent. For example, we can use the authorization code grant flow. Here is an example for your reference( refer here):
// Line breaks for legibility only
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&resource=https%3A%2F%2Fservice.contoso.com%2F
&state=12345
And after the service principal is created on users' tenant, we need to use the users's tenant to acquire the token like below
POST https://login.microsoftonline.com/{users' tenantId}/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=<clientId>
&client_secret=<clientSecret>
&resource=<resource>
Here are some helpful documents for your reference:
Application and service principal objects in Azure Active Directory
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern

Resources