I registered a mutitenant application in my tenant. This application is shown in both App Registration and Enterprise Application menu in my tenant as I registered it. And I'm getting the users by using Graph Api.
My Question is : - I provided my multitenant application to other tenants and I wanted to get all the users of that tenant who get to registered in my application. How do we get the other tenant's user if they registered in my multitenant application?
If it's not an B2C scene, I assume that the other tenants have added your multi-tenant application.
Then you should implement Get access on behalf of a user with an account of the target tenant. And use this account to query the users with Microsoft Graph API: List users.
You can't use an account of your tenant to query the users of other tenants unless you add your account as a guest into other tenants. But this is another scene, it doesn't require muti-tenant application.
Related
We have an web application that use Graph APIs, we granted it application permissions in app registration. Now we want to put the application to Microsoft App Source, is it possible to allow user of other tenants to use the permission of the app registration in our tenant? For example, one of the APIs is for creating calendar event to some users in this tenant, if use multi-tenant app registration, can people from other tenant create calendar event in their tenant successfully?
if use multi-tenant app registration, can people from other tenant
create calendar event in their tenant successfully?
Agree with #Tiny Wang, Yes we can do this , the multi-tenant Azure AD app should obtain authorization from other tenants, and when other tenants wish to create calendar events in their own tenant, they should specify their own tenant id when generating access tokens.
You can implement Get access without a user and use Application permission to access for create calender event .
Make sure that we need to get administrator consent for each tenant where we need to access.
For example if one app is registered in TenantA . And you want to access for create calender event in TenantB. Then we need to do admin consent as mentioned below
and Log in with an admin account of TenantB to do the admin consent for TenantB
To access the following url in a browser.
https://login.microsoftonline.com/{TenantB}/adminconsent
?client_id={ app registered in TenantA}
&state=12345
&redirect_uri={app registered in TenantA}
Then we will get an access token to create an calender event for the tenant B.
For more information please refer the below links:
SO THREAD| Error trying to access other tenant users calendars, using MS Graph API & Multi tenant support for Microsoft Graph API
I want Azure for my application's identity management. Also I require a customer to sign up and become the owner account of my application. And he should send invitations to others. Example consider a university principal sending invitations to his instructors. An instructor sending invitations to his students. This should look like an inverted tree structure. Also my application should have many owner accounts. For example, multiple university principals should have an account in my application. How can I implement this using Azure? Should I use Azure AD B2C or Azure AD B2B?
I need azure only for authentication.
Difference to see to choose between the services is which user (random cunsumer or user from same organization) .
You can make use Azure AD B2B which is a feature of AzureAD service if the Application is for organisations and their corporate users.
Azure AD B2C target is to build a directory for consumer applications where users can register themselves with e-mail ID or social providers like Google, FB, MSA, known as Federation Gateway. Azure AD B2C is not targeted at organisation users but consumers.
Both are azure ad identity management services .It depend on who your users are from same organization or random customers that registers themselves.
In both services,user can send invitation to other user through portal or bulk of users using csv template from portal or powershell.
First the user need to sign in as global administrator to assign roles to users and groups.
The user can be given owner role to the app.
You can make more than one member as owner to an application
References:
azure-ad-vs-azure-ad-b2c-vs-azure-ad-b2b -SO reference
add-users
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-assign-member-owner
I want to create a multi-tenant application where users will log in using Azure AD B2C. I will grant access to certain tenants that are our customers using policies. Only business customers from select tenants will have access.
I have a customer that requires granular control over which of their users can access my application. From what I've understood, my application will be registered as a service principal in their tenant as soon as a user consents to the applications requested permissions.
That as all well, but the service principal is only a kind of account, with access to certain resources in their tenant that was granted when the application was accepted. When the application has been registered in their AD, anyone from that organization can sign in. When someone signs in, that automatically creates a Consumer account in Azure AD B2C in our tenant.
The consumer user can sign in to applications secured by Azure AD B2C, but cannot access Azure resources such as the Azure portal. The consumer user can use a local account or federated accounts, such as Facebook or Twitter. A consumer account is created by using a sign-up or sign-in user flow, using the Microsoft Graph API, or by using the Azure portal.
Now, I have a customer that also wants to control that only certain accounts within their AD can login. So basically, a user identity should not be able to access a service principal?
Is this a use case that is supported, and if so, how do I handle it and what terminology am I looking for? I don't want my organization to handle any of this if possible. I just want to give all users in a tenant access, and then it is up to the customer to grant/revoke access to individual users.
If I understand correctly, As you have created a multi-tenant application it will be registered in your tenant as a Service Principal and for the customers tenant it will be in Enterprise Application . So , if they want to give access to few users or a particular group then they can assign user/group to that particular Enterprise application.
Example:
Service Principal Created on my tenant :
It gets registered as a Enterprise application in other tenant So in there we can select Assign Users and Groups to give access to this Application from their tenant or they can set conditional access policy as well for specified set of conditions.
Reference:
Restrict Azure AD app to a set of users - Microsoft identity platform | Microsoft Docs
We are developing a SaaS to analyze customer's data within office365 via Graph API and application permissions.
I'm trying to understand the best(and most automated) flow for onboarding the customers. Ideally, the Azure Global Administrator login in our webapp using Microsoft Identity and gives consent to create an account (app registration or enterprise application) with the relevant application permissions. With these permissions our SaaS has access to analyse data.
As of right now, I'm only able to solve this through manual procedure in making the App Registration together with customer on their Azure Tenant which gives me the Client ID, Tenant ID and Secret for our SaaS to authenticate with. I'm assuming something more fancy is possible :)
Also, I was hoping for a method which involved a multi-tenant registration, if that somehow enables reuse of a single app registration or Enterprise application (e.g. in our own Azure tenant) across multiple tenants (customers).
According to your description: you want to use a single application registration or enterprise application between multiple tenants, then you only need to change the application to a multi-tenant application, because changing the application to a multi-tenant application allows any tenant log in.
Next, you need to request the consent of the administrators of other organization tenants. You can send the login request URL: https://login.microsoftonline.com/{Other company tenant_id}/adminconsent?client_id={client-id}. After the administrator consent, it will be added to other organization tenants as an enterprise application in.
I am developing a web application that allow users from any azure organization to give my application reading rights on their OneDrive using windows Graph-Api (scope: File.Read.All)
I registered a multi-tenants application in the azure portal and i configured the application like it is explained in the documentation
I need to Allow a user from other azure organisations to make a consentment for my application to read files content, but in my case i get a "Need admin aproval" after sending Authentication Code URL (tested with a user from another azure organization)
AuthenticationCode:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=XXX&response_type=code&redirect_uri=YYY&scope=user.read files.read.all offline_access&state=ZZZ
What a user get after authetification to his Office-365 account
I know that there is other applications who do not have this issue, for exemple the application app.diagrams.net need only user consentment and not admin consentment even if it ask for read write scopes
diagrams.net AuthenticationCode:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=b5ff67d6-3155-4fca-965a-59a3655c4476&response_type=code&redirect_uri=https%3A%2F%2Fapp.diagrams.net%2Fmicrosoft&scope=user.read files.readwrite.all offline_access&state=cId%3Db5ff67d6-3155-4fca-965a-59a3655c4476
What a user get with diagram application
This is not because of any particular scope. The answer to your question is discussed under "application provisioning" in Azure AD (AAD) terms. Put simply, an AAD application needs to be "provisioned" into an AAD tenant, and a tenant admin can choose whether users can initiate this by themselves or not. Here, it seems this is not allowed.
In more detail, when you create an AAD application, you create 2 objects: a representation of the application, and a "Service Principal" that handles access to that application. When you offer your AAD app to other tenants/organizations, they need their own service principal object to be able to access your application, and this happens through admin consent i.e. provisioning.
In general, there are 2 articles that you should take a look:
How and why applications are added to Azure AD
How to: Sign in any Azure Active Directory user using the multi-tenant application pattern
And these code samples should clarify the process:
Developing a Multi-tenant (SaaS) application with the Microsoft Identity Platform
Protect a multi-tenant SaaS web application that calls Microsoft Graph using Azure AD & OpenID Connect
EDIT: Correction: tenant admins can choose or not whether users are allowed to initiate app provisioning. Credits: #jasonJohnston.