Here's my components:
Tenant A:
Azure_WebApp_A
AAD multi tenant App registration
Keyvault_A
Tenant B:
Keyvault_B
Background: I'm able to access the secrets of Keyvault_A from Azure_WebApp_A using MSI authentication.
But when I try to add my multi tenant app registration(from Tenant A) to Keyvault_B's access policies, I don't even see the appId being detected there.
Question: How do I access secrets in the Keyvault_B from Azure_WebApp_A?
It is possible to add multi tenant app(from tenant A) to keyvault_B's access policy, if B tenant user has consent to use multi tenant app(tenant A), this app will exist under enterprise applications in tenant B.
How to grant consent to application?
When the user from A tenant sign in the application from tenant B, the application will then be registered under A tenant in enterprise applications.
Requesting individual user consent.
Requesting consent for an entire tenant
Related
I have a multi-tenant app registered in my Azure tenancy (TENANT A). I am trying to get the groups and group members of tenants that have logged into the app. I have the following permissions set up under App Registrations in TENANT A.
When I signed into the app as an admin user from TENANT B, I had to grant consent for the permissions and login worked as expected.
I want to be able to see all groups/members of TENANT B. I am not sure how to do this. I have tried following the explanations here but am having no luck. I am performing a post to https://login.microsoftonline.com/*TENANT B*/oauth2/v2.0/token and getting a response
However, when I use the response token and call the Graph API https://graph.microsoft.com/v1.0/groups/*GROUP OBJECT ID*/members it says that I have insufficient permissions.
Any help would be much appreciated
You created a multi-tenant application in tenant A for generating access token and call graph api to get all the groups. When you created the app and it's consented to the api permissions, it would work for tenant A, but not for tenant B as this app hasn't registered in tenant B and got the consent. You may refer to this section
and grant tenant-wide admin consent by hitting the url below. Then you may check if this app appeared in the azure portal -> azure ad -> enterprise applications in tenant B and click the app -> permissions to see if it has consent.
https://login.microsoftonline.com/{tenant_id_of_tenant_B}/adminconsent?client_id={app_client-id_in_tenant_A}
By default, web app/API registrations in Azure AD are single-tenant. You can make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory. (see pic below)
Before an application can be made multi-tenant, Azure AD requires the App ID URI of the application to be globally unique. The App ID URI is one of the ways an application is identified in protocol messages. For a single-tenant application, it is sufficient for the App ID URI to be unique within that tenant. For a multi-tenant application, it must be globally unique so Azure AD can find the application across all tenants. Global uniqueness is enforced by requiring the App ID URI to have a host name that matches a verified domain of the Azure AD tenant.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant
I want to create a multi-tenant application where users will log in using Azure AD B2C. I will grant access to certain tenants that are our customers using policies. Only business customers from select tenants will have access.
I have a customer that requires granular control over which of their users can access my application. From what I've understood, my application will be registered as a service principal in their tenant as soon as a user consents to the applications requested permissions.
That as all well, but the service principal is only a kind of account, with access to certain resources in their tenant that was granted when the application was accepted. When the application has been registered in their AD, anyone from that organization can sign in. When someone signs in, that automatically creates a Consumer account in Azure AD B2C in our tenant.
The consumer user can sign in to applications secured by Azure AD B2C, but cannot access Azure resources such as the Azure portal. The consumer user can use a local account or federated accounts, such as Facebook or Twitter. A consumer account is created by using a sign-up or sign-in user flow, using the Microsoft Graph API, or by using the Azure portal.
Now, I have a customer that also wants to control that only certain accounts within their AD can login. So basically, a user identity should not be able to access a service principal?
Is this a use case that is supported, and if so, how do I handle it and what terminology am I looking for? I don't want my organization to handle any of this if possible. I just want to give all users in a tenant access, and then it is up to the customer to grant/revoke access to individual users.
If I understand correctly, As you have created a multi-tenant application it will be registered in your tenant as a Service Principal and for the customers tenant it will be in Enterprise Application . So , if they want to give access to few users or a particular group then they can assign user/group to that particular Enterprise application.
Example:
Service Principal Created on my tenant :
It gets registered as a Enterprise application in other tenant So in there we can select Assign Users and Groups to give access to this Application from their tenant or they can set conditional access policy as well for specified set of conditions.
Reference:
Restrict Azure AD app to a set of users - Microsoft identity platform | Microsoft Docs
I created an Azure AD Multi-tenant app within my own tenant.
When I try and call the Admin consent endpoint from within another tenant, and signing in as another tenant's administrator, I get the error:
AADSTS700016: Application with identifier 'guid' was not found in the directory 'directory-id'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
How can another tenant provision and allow access to my multi-tenant app?
In this endpoint GET https://login.microsoftonline.com/{tenant}/v2.0/adminconsent? client_id={client id}, set {tenant} as the tenant id of another tenant. Set it as common should also work.
Make sure you are using the admin account of that tenant.
There is no need to register this app in other tenant. It will work for other tenant if it is already multi tenant and if it is using a end point which supports multi tenant i.e.,common.
Pleace check your application manifest has "signInAudience": "AzureADandPersonalMicrosoftAccount" and "accessTokenAcceptedVersion": 2 and Please update them if they are not same.
I found this api to register the application in a different tenant.
https://login.microsoftonline.com/<new-tenant-id>/oauth2/authorize?client_id=<client-id>&response_type=code&redirect_uri=<redirect-uri>
This will create a new enterprise application in the target tenant with the same client id and new object id.
I have user A in tenant A and a multi-tenant AD app B in tenant B. I am trying to get token from user A's context for the AD app
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=a573ddda-b34a-4206-a73b-d67ff6e98aec&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=a573ddda-b34a-4206-a73b-d67ff6e98aec%2F.default&response_mode=fragment&state=12345&nonce=678910
I logged in using user A's credentials and got error
AADSTS700016: Application with identifier 'a573ddda-b34a-4206-a73b-d67ff6e98aec' was not found in the directory 'domainA.onmicrosoft.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
I have configured AD app B with id - a573ddda-b34a-4206-a73b-d67ff6e98aec to be multi-tenant. Any idea why this might not be working?
I had the same error caused by completely different factors:
I configured the Oauth2 client using Secret ID and Secret Value instead of App ID and Secret Value.
It took few hours browsing tons of config pages to figure out that the reason is stupidly simple and responses from MS API are useless.
As #juunas mentioned, if you use a guest user to login, use the tenant id of the tenant A instead of common, it will force the user to authenticate against tenant A instead of his home tenant.
And if your guest user is the first login the app, make sure some settings are like below in tenant A, otherwise, the user will not be able to consent for the app in tenant A.
Navigate to the Azure Active Directory in tenant A -> User settings -> Manage external collaboration settings -> set Guest users permissions are limited to No.
Navigate to the Azure Active Directory in tenant A -> Enterprise applications -> User settings -> set Users can consent to apps accessing company data on their behalf to Yes.
For more details about the member user and guest user, see this https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
My application is registered in tenant A and requires the Microsoft Graph permission Invite guest users to the organization. The application is an API app without a GUI.
To give the application Graph access in Tenant A I do the following:
1. go to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=
<My application ID>&prompt=admin_consent
2. Login with admin credentials for tenant A
Done - my Service Principal in tenant A now has Invite guest users to the organization permission
So far so good. Now I want to give the same application access to invite guest users in tenant B. How do I do that?
I've tried the same flow as before:
1. go to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=
<My application ID>&prompt=admin_consent
2. Login with admin credentials for tenant B
This results in the following error message:
AADSTS50020: User account 'xxx#yyy.com' from identity provider 'yyy.com' does not exist in tenant 'Tenant A' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
It seems that this action tries to give the application the required permissions in Tenant A even though I login with admin credentials from Tenant B.
How do I give the application the required permissions in Tenant B? Is it possible to use the admin consent flow with a Service Principal ID from Tenant B instead of the global Application ID for my application?
Found the problem.
The admin account I tried to use for consent in tenant B had previously been invited as a guest account in tenant A. The guest account had since been removed from tenant A but it seems some kind of connection still exists somewhere that disrupts the admin consent flow.
When I created a new admin account in tenant B and used the new account (with no history at all in tenant A) to consent, it worked as expected.