I have a multi-tenant app registered in my Azure tenancy (TENANT A). I am trying to get the groups and group members of tenants that have logged into the app. I have the following permissions set up under App Registrations in TENANT A.
When I signed into the app as an admin user from TENANT B, I had to grant consent for the permissions and login worked as expected.
I want to be able to see all groups/members of TENANT B. I am not sure how to do this. I have tried following the explanations here but am having no luck. I am performing a post to https://login.microsoftonline.com/*TENANT B*/oauth2/v2.0/token and getting a response
However, when I use the response token and call the Graph API https://graph.microsoft.com/v1.0/groups/*GROUP OBJECT ID*/members it says that I have insufficient permissions.
Any help would be much appreciated
You created a multi-tenant application in tenant A for generating access token and call graph api to get all the groups. When you created the app and it's consented to the api permissions, it would work for tenant A, but not for tenant B as this app hasn't registered in tenant B and got the consent. You may refer to this section
and grant tenant-wide admin consent by hitting the url below. Then you may check if this app appeared in the azure portal -> azure ad -> enterprise applications in tenant B and click the app -> permissions to see if it has consent.
https://login.microsoftonline.com/{tenant_id_of_tenant_B}/adminconsent?client_id={app_client-id_in_tenant_A}
By default, web app/API registrations in Azure AD are single-tenant. You can make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory. (see pic below)
Before an application can be made multi-tenant, Azure AD requires the App ID URI of the application to be globally unique. The App ID URI is one of the ways an application is identified in protocol messages. For a single-tenant application, it is sufficient for the App ID URI to be unique within that tenant. For a multi-tenant application, it must be globally unique so Azure AD can find the application across all tenants. Global uniqueness is enforced by requiring the App ID URI to have a host name that matches a verified domain of the Azure AD tenant.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant
Related
I have the following scenario:
An organization has an internal application, X, which is registered under the 'main' tenant, allowing employees to utilize it.
App X has an API exposed for other applications (which are also registered under the main organization tenant) to used, and thus, this is all setup in AD.
A new B2C tenant has been created, where another public facing application, Y, will be registered.
How do I allow my App Registration for Y in my B2C tenant to use the exposed API of X?
Any feedback would be appreciated.
Edit 1:
I'm assuming I'd need to setup a Daemon auth flow, as the backend of Y will be authenticating with X as the app itself, and not as or on behalf of the user logged into Y.
Edit 2:
After some looking into this today, I'm considering creating an AD App Registration for Y in the main organization of X, allowing me to set up any connections that need to be made there, and I'd update the backend of Y to make a call as a Daemon to X, passing all the relevant information and client secret.
Seems a bit unusual, so will look for alternatives, but would also appreciate some feedback from someone who has more experience :)
Edit 3:
To clarify, I am looking to facilitate the communication between backend applications between two tenants, where one is a B2C tenant, and the other is an internal organization tenant.
This can be achieved using multi-tenancy. Both the applications need to register as multi-tenant application.
1.In Tenant A - Create an app registration as multi-tenant application in tenant A (eg: TenantA) and expose it as an API (api://app-id) and add the app roles in the application.
2.In Tenant B - Create an app registration as multi-tenant application in tenant B and note the client-id of the application.
3.The client id of application in Tenant B need to be added in known client application in the manifest of application registered in tenant A.
4.Provide consent to the application and permission in Tenant B to create the service principal using https://login.microsoftonline.com/common/adminconsent?client_id=clientIdOfTenantA&redirect_uri=redirectURIOfTenantA
5.In Tenant B, service principal of Tenant A has been created under Enterprise applications
6.Now tenant A is available in Tenant B. You can go ahead and make the API exposed in tenant A to the tenant B.
• Yes, you can surely allow the App registration considered Y in Azure AD B2C tenant to use the exposed API of another ‘App registration’ named X in an Azure AD tenant. For that purpose, you will have to configure the ‘Application Y’ registered in Azure AD B2C tenant as a ‘multitenant’ application and use it to start an authentication request to the authorization endpoint via a user flow. Thus, in here, the user flow defines and controls the user experience. After users complete the user flow, Azure AD B2C generates a token and then redirects users back to your application.
For this purpose, you will have to configure a user flow in your Azure AD B2C application.
Please refer to the below snapshots and steps defined for more details on this: -
a) You might be having a front end and a back end to your application registered for authentication purposes with your web app. The backend application might have the authentication with the application registration X in an Azure AD tenant while the frontend application might have the authentication with the application registration Y registered in the Azure AD B2C tenant.
Then, you will have to modify the front-end code for the web API and the back-end code for the web API as given in the below relevant link: -
https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#call-back-end-api-from-front-end
For further configuring the authentication and authorization for the two apps, you can configure the front-end app to generate an access token that you can use to make authenticated calls to the back-end app. For this purpose, you will have to configure Azure AD as the identity provider with the app service configured for the front end as well as the back end as given in the link below: -
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
b) Once the above has been done, ensure that you are granting front end app access to the back end as below through the ‘Authentication’ section in the Azure AD app: -
Then configure the app service to return a usable access token for the front-end app to access the back-end app with the required permissions for configuring the App service authentication and authorization on behalf of the ‘App registration Y’ in the Azure AD B2C tenant for it to access the ‘App registration X’ in Azure AD tenant as below by adding the scope parameter to the authentication setting ‘identityProviders.azureActiveDirectory.login.loginParameters’. Replace and in the below commands: -
authSettings=$(az webapp auth show -g myAuthResourceGroup -n <front-end-app-name>)
authSettings=$(echo "$authSettings" | jq '.properties' | jq '.identityProviders.azureActiveDirectory.login += {"loginParameters":["scope=openid profile email offline_access api://<back-end-client-id>/user_impersonation"]}')
az webapp auth set --resource-group myAuthResourceGroup --name <front-end-app-name> --body "$authSettings"
The commands effectively add a ‘loginParameters’ property with additional custom scopes. Here's an explanation of the requested scopes: -
openid, profile, and email are requested by App Service by default already.
For information, see OpenID Connect Scopes: -
api://<back-end-client-id>/user_impersonation is an exposed API in your back-end app registration. It's the scope that gives you a JWT token that includes the back-end app as a token audience.
offline_access is included here for convenience (in case you want to refresh tokens)
Thus, thereby you can call the back-end API (Azure AD app registration) from the front-end API (Azure AD B2C app registration) by injecting a X-MS-TOKEN-AAD-ACCESS-TOKEN header to each authenticated request as shown below: -
https://learn.microsoft.com/en-us/azure/app-service/tutorial-auth-aad?pivots=platform-windows#call-api-securely-from-server-code
Thus, in this way, you can surely expose an API for an application registered in Azure AD B2C for it to access the application in Azure AD.
I set up sign-up and sign-in through a custom policy in Azure Active Directory B2C.
I have 2 app registrations in the Azure AD B2C tenant:
a web application, which exposes an API
a Single-page application (SPA), which has been granted access to the API described above
I don’t have any app registration in my corp tenant, only in my B2C tenant.
Everything works fine, but the application shows up as unverified in the user consent prompt: https://1drv.ms/u/s!AhEACHgzzcWq4jH6dbds5TaW6ylH?e=Y5aTvM and https://1drv.ms/u/s!AhEACHgzzcWq4jKH95a3JzBoojpU?e=kFLvPR
To show it as verified, I:
(from: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-custom-policy#verify-the-applications-publisher-domain)
verified my company’s identity with Microsoft Partner Network (MPN)
am trying to complete the publisher verification process to associate my MPN account with my app registration
The publisher domain of both apps is set to the primary verified custom domain of the tenant.
I am using Microsoft Graph to set my app’s verified publisher:
POST /applications/<app-object-id>/setVerifiedPublisher
{
"verifiedPublisherId": "<my-MPN-id>"
}
But I get the following error message: “The MPN ID you provided does not exist, or you do not have access to it. Please provide a valid MPN ID and try again.”. The MPN id I am using is the Global MPN ID.
This error is listed in the common issues in the documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/troubleshoot-publisher-verification#common-issues. Following the documentation, when I open the MPN tenant management page, the tenant where the app is registered in (the B2C tenant) is not on the list of the associated tenants. Only my corp tenant is on the list. However, even following the instructions in the documentation to associate a new tenant to the MPN account, I am not able to associate the B2C tenant. That process seems to be intended to associate Azure AD tenants to the MPN account, not Azure AD B2C tenants.
How can I set my app’s verified publisher so that it shows up as verified in the user consent prompt?
• You might be facing this issue because the publisher domain might not be correctly verified as it should be like the custom domain whose DNS records have been verified in normal Azure AD tenant. Thus, would suggest you to please check the custom domain verification in corresponding Azure AD tenant and similarly ensure that the domain is verified for your application in Azure AD B2C tenant according to the below documentation link: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-configure-publisher-domain#configure-publisher-domain-using-the-azure-portal
• Also, do ensure that you have global administrator privileges on the tenant in which your application is registered, and your user account is a global administrator in that tenant in which your application is registered. You should be an ‘MPN Admin’ or ‘Accounts Admin’ for your tenant. You can verify that by signing on the below MPN management page: -
https://partner.microsoft.com/dashboard/account/v3/tenantmanagement
• And finally, when the above conditions are met, then using the graph API, mark the app as publisher verified by executing the below command with the verified MPN ID. Ensure that you are logging into the Microsoft Graph API with the Global Administrator credentials and executing the command. Also do refer the below documentation for this purpose: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/troubleshoot-publisher-verification#making-microsoft-graph-api-calls
POST /applications/0cd04273-0d11-4e62-9eb3-5c3971a7cbec/setVerifiedPublisher
{
"verifiedPublisherId": "12345678"
}
Azure AD B2C tenants can be associated. Click the associate button and use your B2C (not your corp tenant) Global Admin credentials.
I've registered a single application in Azure AD for the following reasons.
Azure AD SSO (From Any Azure AD directory)
Read users, groups, and their members
Provided following permissions and granted admin consent.
NOTE: We still depend on some of the Azure AD Graph API. So, we have added the legacy API permissions.
I can able to contact the Azure AD using REST API and get the user, groups and other information.
When I try to sign in to the application from any other directory, I'm getting the following consent screen. I can able to provide the consent and proceed to log in.
But, when I try to login into the same directory, I'm not getting the consent screen even when I logged in with the Azure AD admin. Stuck in the following screen.
When I register separate applications for SSO and REST APIs, this issue doesn't occur.
I would like to know why I'm stuck in the above screen when combining both SSO and REST API permissions.
• Please check whether the correct Azure AD roles have been assigned to your account ID, i.e., Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object through the as one of these is needed for you to access the application. Also, ensure that you have assigned your account ID the correct app role assignment for the admin consent to be allowed during the SSO signup process as below: -
You can check the app role assignments for your account ID through the Enterprise application blade and searching your application there, then opening it and selecting the users and groups blade, check the app role assignment that your account ID has to that application while also, giving ‘Azure Service Management’ api permissions for user_impersonification as below, thus ensuring that you account ID will be having correct API permissions.
Once, the above settings are configured correctly, you should be able to access the application through your admin credentials.
I'd like to use Microsoft Graph Explorer to work with my Azure AD B2C Tenant.
Initially, all I want to do is retrieve a Custom Attribute that I've assigned to an application registration. The custom attribute will store the UserAppPermission value, a 'role' replacement for B2C since it doesn't natively support them.
Can I get a second set of eyes on my process? I'd like to make sure I'm reading this properly.
First goal: Get a list of applications registered to my B2C Tenant. Reasoning is... if the app registration doesn't appear then future queries are unlikely to be successful.
Resource#1 "Manage Azure AD B2C with Microsoft Graph" (Note B2C in the title)
(1) I registered an application in my B2C tenant with permissions in excess of the minimum, checked this process twice: Register a Microsoft Graph application (Note B2C in the opening paragraph, and throughout the document).
(1a) Uncertain if the Azure portal was being buggy, I also registered this application with the 'Global Administrator Role' ... absolute overkill & insecure ..
(1b) I am certain that I assigned the appropriate Microsoft Graph API permissions in the app registration tab
(1c) As described in the doc, I also granted the application the user administrator role, although that is contained within the global administrator role.
(1d) Per the doc, "Now that you've registered your management application and have granted it the required permissions, your applications and services (for example, Azure Pipelines) can use its credentials and permissions to interact with the Microsoft Graph API."
When I run "https://graph.microsoft.com/beta/applications" to get a list of registered applications, all I see is the single App Registration our 'root' Azure account has for our Azure Functions App. Since this was an article on managing azure ad B2C with Microsoft Graph, I was expecting to see the applications registered to my B2C Tenant.
? Does anyone read (1d) to mean that I should not be able to use https://developer.microsoft.com/en-us/graph/graph-explorer, logged in as the B2C global administrator, and granting all permissions the endpoint requires, to make Microsoft Graph API queries?
Next goal: Get a list of users registered to my B2C Tenant
Resource#2 "List Users" - the link to this resource was provided by Resource #1, link provided above.
(1) There only mention of B2C in this article is: "The $count and $search parameters are currently not available in Azure AD B2C tenants."
(2) The request to get all users is GET "https://graph.microsoft.com/v1.0/users"
(2a) The request returns a list of users for the MyOrg's root AD tenant, not the application's B2C tenant. Not surprising since there's nothing in the request to specify the B2C tenant.
(3) Another resource provides this request format: https://graph.microsoft.com/beta/.onmicrosoft.com/users, which specifies the b2c tenant.
(3a) This executes without error in Graph-Explorer but does not return any of the users that registered for the application using the sign-up/sign-in policy (Consumer B2C Users). It still returns a list of users for the 'root' Azure account.
Update re:specifying tenant in graph-explorer:
While logged in to Graph Explorer us my work MS email which is registered as a global admin for our Azure account and owner of the B2C tenant I specified:
This returns a list of applications for the root Azure account, not app registrations for the B2C Tenant I specified. Perhaps I misunderstood the intent of this Graph API call.
I optimistically ran 'https://graph.microsoft.com/beta/identity/b2cUserFlows' with the tenant specified in the URL (as in screenshot). Result:
"error": {
"code": "AADB2C",
"message": "'4fba2ea8-XXXX-XXXX-964e-99f48b79d925' is not an Azure AD B2C directory...
I'm still not certain what the UUID returned in the message represents. The UUID has no correlation, that I can find, with the tenant I specified in the URL.
The reason is that you are using an Azure account which is from your root AAD tenant.
You have two options to resolve it.
Specify the tenant in the Graph Explorer URL:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant={Your b2c tenant}.onmicrosoft.com. Still use that Azure account from root
AAD tenant to sign in and you can get a list of applications and
users of your B2C Tenant now.
Another method is creating a new user in your B2C tenant and assign
Global admin role to it. And then sign into
https://developer.microsoft.com/en-us/graph/graph-explorer with
this new user. Now you can list applications and users of your B2C
Tenant as well.
Update:
Don't use a Consumer account (local account) for the second suggestion. You should create an AAD user (work account, format: mytenantname.onmicrosoft.com ) in Azure portal in B2C tenant and assign it global admin role.
Overview of user accounts in Azure Active Directory B2C for your reference.
#AllenWu's second solution was, in effect, correct but not explicit enough for me.
The New user interface in the B2C Tenant offers three options for creating users: Create user, Invite user and Create Azure AD B2C user. Most of my work has revolved around B2C users so I did that and gave the user Global Admin rights and my Graph Explorer results were unchanged.
Another user provided this suggestion and made it clear that I needed to create a user w/an email address of #my-tenant-name.onmicrosoft.com. I created such a user, assigned it Global Admin rights, and I was able to use Graph Explorer as I expected.
Note that users with an email of "SomeTestUser_gmail.com**#EXT#**#my-tenant-name.onmicrosoft.com do not behave in the same way.
Thanks for the suggestions & feedback & I hope this helps if you ended up here with the same question.
I have a service registered as a multi-tenanted Web API in an AAD tenant “A”. And a client registered as a web app in a different AAD tenant “B”. The question is, whether do I need any additional configuration on Azure portal in order for the client app in tenant “B” to successfully access the web API in the tenant “A” (app to app authentication) ? Does AAD support such scenario? Currently, I get Unauthorized status code as response from the service when the service is deployed to Azure.
The service in tenant A doesn’t show up when I try to manually manage permissions for the client app in tenant B. Is this step necessary or am I missing some config set up?
The service is built on asp.net MVC application and it uses JWT bearer authentication scheme. The client successfully acquires its token from its own AAD tenant. So it doesn't seem like an authentication issue. On the service side, I have added the client's tenant to be one of the valid token issuers as well.
I'm not sure if a service principal for the service app is created in the client's tenant automatically (the consent page has never showed up so far).
The scenario is supported.
You'll just have to consent to the API from tenant B first before it shows up in the list.
You can define your application permissions on the Web API as normal (check here).
Then you can go through consent for the API by accessing a URL like this:
https://login.microsoftonline.com/tenant-b-id/oauth2/authorize?client_id=your-api-client-id&response_type=code&redirect_uri=reply-url-defined-on-api&prompt=admin_consent
You'll have to replace 3 values there with yours:
tenant-b-id: the directory id for tenant B
your-api-client-id: The application id/client id of your API in tenant A
reply-url-defined-on-api: URL-encoded reply URL defined on your API in tenant A (e.g. https%3A%2F%2Flocalhost%2F)
That should then result in a service principal getting created in tenant B for the API, allowing you to assign app permissions to apps in tenant B.