We have an web application that use Graph APIs, we granted it application permissions in app registration. Now we want to put the application to Microsoft App Source, is it possible to allow user of other tenants to use the permission of the app registration in our tenant? For example, one of the APIs is for creating calendar event to some users in this tenant, if use multi-tenant app registration, can people from other tenant create calendar event in their tenant successfully?
if use multi-tenant app registration, can people from other tenant
create calendar event in their tenant successfully?
Agree with #Tiny Wang, Yes we can do this , the multi-tenant Azure AD app should obtain authorization from other tenants, and when other tenants wish to create calendar events in their own tenant, they should specify their own tenant id when generating access tokens.
You can implement Get access without a user and use Application permission to access for create calender event .
Make sure that we need to get administrator consent for each tenant where we need to access.
For example if one app is registered in TenantA . And you want to access for create calender event in TenantB. Then we need to do admin consent as mentioned below
and Log in with an admin account of TenantB to do the admin consent for TenantB
To access the following url in a browser.
https://login.microsoftonline.com/{TenantB}/adminconsent
?client_id={ app registered in TenantA}
&state=12345
&redirect_uri={app registered in TenantA}
Then we will get an access token to create an calender event for the tenant B.
For more information please refer the below links:
SO THREAD| Error trying to access other tenant users calendars, using MS Graph API & Multi tenant support for Microsoft Graph API
Related
I am new to Azure, and one question bothers me.
Is it possible to create a multi-tenant logic in Azure with one "General" AAD that contains function apps and other tenants (more than 20) that should use these apps to manipulate their own tenants?
For example, there is an app for managing users (UserManagement). When this function is "called" from another tenant (Tenant "B"), let's say for adding a new user, it should add the user only in the called AAD (Tenant "B").
I try to accomplish this by storing app registration credentials in a table or service principal - app registration logic, but it has no effect.
Thank you .
I did a test in my side with Azure AD Multi-tenant application with an asp.net core application, the feature is allowing users from different tenant to sign in then using Microsoft Graph API to query all the users.
My Azure AD application is registered in tenant A which is a multi-tenant application. Then I used user in tenant B to sign in the application, then the query result is that all the users in tenant B is listed in the query result.
Here's the sample I followed. And in the contoller, my request is like this: var users = await _graphServiceClient.Users.Request().GetAsync();
Do not forget to set the tenant id as common for enabling the multi-tenant feature.
I agree with #Tiny Wang, you need to create Multi-Tenant Azure AD Application to achieve your scenario.
I tried to reproduce the same in my environment and got the results as below:
I created an Azure AD Application in TenantA:
Now, I tried to sign-in with the TenantB user using the below authorize endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The user will be prompted the screen as below:
Once the user Accepts the consent, the TenantB user will be authorized successfully.
I generated the access token by using below parameters:
https://login.microsoftonline.com/organizations/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
If you want the Personal Microsoft accounts to access your App, then Register your application as below and make use of common endpoint:
Based on your requirement, you can assign the Azure AD API Permissions and permit the users to access the Application.
I want to create a multi-tenant application where users will log in using Azure AD B2C. I will grant access to certain tenants that are our customers using policies. Only business customers from select tenants will have access.
I have a customer that requires granular control over which of their users can access my application. From what I've understood, my application will be registered as a service principal in their tenant as soon as a user consents to the applications requested permissions.
That as all well, but the service principal is only a kind of account, with access to certain resources in their tenant that was granted when the application was accepted. When the application has been registered in their AD, anyone from that organization can sign in. When someone signs in, that automatically creates a Consumer account in Azure AD B2C in our tenant.
The consumer user can sign in to applications secured by Azure AD B2C, but cannot access Azure resources such as the Azure portal. The consumer user can use a local account or federated accounts, such as Facebook or Twitter. A consumer account is created by using a sign-up or sign-in user flow, using the Microsoft Graph API, or by using the Azure portal.
Now, I have a customer that also wants to control that only certain accounts within their AD can login. So basically, a user identity should not be able to access a service principal?
Is this a use case that is supported, and if so, how do I handle it and what terminology am I looking for? I don't want my organization to handle any of this if possible. I just want to give all users in a tenant access, and then it is up to the customer to grant/revoke access to individual users.
If I understand correctly, As you have created a multi-tenant application it will be registered in your tenant as a Service Principal and for the customers tenant it will be in Enterprise Application . So , if they want to give access to few users or a particular group then they can assign user/group to that particular Enterprise application.
Example:
Service Principal Created on my tenant :
It gets registered as a Enterprise application in other tenant So in there we can select Assign Users and Groups to give access to this Application from their tenant or they can set conditional access policy as well for specified set of conditions.
Reference:
Restrict Azure AD app to a set of users - Microsoft identity platform | Microsoft Docs
I have an app that uses graph API to get some data from Office365 from multiple customers.
At the moment, every time I have a new customer I need to log in as admin on to their azure portal, create the app, add permissions and consent for the permissions.
Is there any way I can generate a link that I send to the customer, they just click it, consent and the application ID's are returned so they can provide us?
Regards
Instead of creating a separate app registration in each customer's tenant, you could have a single app registration, controlled by you in your tenant. Then, each of your customers would grant consent to your app in their tenants, for example by going to an admin consent URL that you provide to them.
I registered a mutitenant application in my tenant. This application is shown in both App Registration and Enterprise Application menu in my tenant as I registered it. And I'm getting the users by using Graph Api.
My Question is : - I provided my multitenant application to other tenants and I wanted to get all the users of that tenant who get to registered in my application. How do we get the other tenant's user if they registered in my multitenant application?
If it's not an B2C scene, I assume that the other tenants have added your multi-tenant application.
Then you should implement Get access on behalf of a user with an account of the target tenant. And use this account to query the users with Microsoft Graph API: List users.
You can't use an account of your tenant to query the users of other tenants unless you add your account as a guest into other tenants. But this is another scene, it doesn't require muti-tenant application.
I have created a Service/Dameon application to handle the authentication process for Microsoft Graph SDK. I pretty much created a HttpWebRequest and created a URL which I passed in my application's secret and client_id which generated an access_token. This access_token was then used with the Microsoft Graph CSharp SDK to authenticate for OneDrive for Business.
I have successfully proofed this out for a single tenant and it is able to pull back all the user's OneDrive metadata on files and folder facets. My question is if I wanted to allow access for other tenants to this application, what users would they see?
If Tenant A creates an application that reads all the non-global admin accounts to pull back OneDrive for Business meta-data and Tenant B has its own list of non-global admin accounts where Tenant B wishes to read from - Where is the restrictions to limit Tenant B to only having access to their own list of non-global users.
The only thing I can think of is that Tenant B would need to create their own client_id and secret- is there another way of doing this?
The only thing I can think of is that Tenant B would need to create their own client_id and secret- is there another way of doing this?
Before the application could interact with Azure AD through OAuth 2.0 protocol, we need to create the corresponding service principal to the target tenant. When we register the application on the Azure portal, the portal already create the service principal for us in the developer's tenant.
And if we are developing an multi-tenant app, the users on the other tenant need to grant the permission. After users consent, a service principal is created in users' tenant.
So another way is, we need to provide a way to enable users in other tenant to able to consent. For example, we can use the authorization code grant flow. Here is an example for your reference( refer here):
// Line breaks for legibility only
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&resource=https%3A%2F%2Fservice.contoso.com%2F
&state=12345
And after the service principal is created on users' tenant, we need to use the users's tenant to acquire the token like below
POST https://login.microsoftonline.com/{users' tenantId}/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=<clientId>
&client_secret=<clientSecret>
&resource=<resource>
Here are some helpful documents for your reference:
Application and service principal objects in Azure Active Directory
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern