We have an Azure resource app whose APIs we want to expose for access by a client app on Azure. The two apps are on different tenants. The users accessing the APIs (Office 365 account holders) are on different tenants.
The whole set up works when we manually provision a service principal on the tenant that is trying to authenticate from the client app against the resource app. By that I mean they are able to log in using their Office 365 account and are shown the consent screen.
If we do not provision a service principal on the AAD tenant of the user trying to authenticate, we get this error:
AADSTS65005 - The app needs access to a service <service> that your
organization org.onmicrosoft.com has not subscribed to or enabled. Contact
your IT Admin to review the configuration of your service subscriptions.
It is not feasible for us to provision a service principal on every tenant that is accessing our app (resource app). Is there something we are missing? Are we using the right flow?
You can find help for your scenario here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent. (Scroll down to Multiple tiers in multiple tenants)
In the case of an API built by an
organization other than Microsoft, the developer of the API needs to
provide a way for their customers to consent the application into
their customers' tenants.
The recommended design is for the 3rd party
developer to build the API such that it can also function as a web
client to implement sign-up:
Follow the earlier sections to ensure
the API implements the multi-tenant application registration/code
requirements
In addition to exposing the API's scopes/roles, ensure
the registration includes the "Sign in and read user profile" Azure AD
permission (provided by default)
Implement a sign-in/sign-up page in
the web client, following the admin consent guidance discussed earlier
Once the user consents to the application, the service principal and
consent delegation links are created in their tenant, and the native
application can get tokens for the API
Basically, all of the parts that your app needs must be present as service principals in the customer's tenant. This is a requirement of AAD.
The only way for that to happen is for an admin to go through consent for the API and app separately, since they are registered in different tenants.
If they were registered in the same tenant, you could use the knownClientApplications property in the manifest to allow consenting to both at the same time.
In my case, I am exposing my own API and trying to access this API from my other Application (Client Credentials mode), I removed the default permission on both of the app(consuming app and api app) - "Azure Active Directory Graph-> User. Read" since I thought I don't need that but that caused this problem "The app needs access to a service .... that your organization has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service+subscriptions.
I got the clue from the answer of #juunas - point 2. Thx Juunas
Related
We are developing a SaaS to analyze customer's data within office365 via Graph API and application permissions.
I'm trying to understand the best(and most automated) flow for onboarding the customers. Ideally, the Azure Global Administrator login in our webapp using Microsoft Identity and gives consent to create an account (app registration or enterprise application) with the relevant application permissions. With these permissions our SaaS has access to analyse data.
As of right now, I'm only able to solve this through manual procedure in making the App Registration together with customer on their Azure Tenant which gives me the Client ID, Tenant ID and Secret for our SaaS to authenticate with. I'm assuming something more fancy is possible :)
Also, I was hoping for a method which involved a multi-tenant registration, if that somehow enables reuse of a single app registration or Enterprise application (e.g. in our own Azure tenant) across multiple tenants (customers).
According to your description: you want to use a single application registration or enterprise application between multiple tenants, then you only need to change the application to a multi-tenant application, because changing the application to a multi-tenant application allows any tenant log in.
Next, you need to request the consent of the administrators of other organization tenants. You can send the login request URL: https://login.microsoftonline.com/{Other company tenant_id}/adminconsent?client_id={client-id}. After the administrator consent, it will be added to other organization tenants as an enterprise application in.
I am developing a web application that allow users from any azure organization to give my application reading rights on their OneDrive using windows Graph-Api (scope: File.Read.All)
I registered a multi-tenants application in the azure portal and i configured the application like it is explained in the documentation
I need to Allow a user from other azure organisations to make a consentment for my application to read files content, but in my case i get a "Need admin aproval" after sending Authentication Code URL (tested with a user from another azure organization)
AuthenticationCode:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=XXX&response_type=code&redirect_uri=YYY&scope=user.read files.read.all offline_access&state=ZZZ
What a user get after authetification to his Office-365 account
I know that there is other applications who do not have this issue, for exemple the application app.diagrams.net need only user consentment and not admin consentment even if it ask for read write scopes
diagrams.net AuthenticationCode:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=b5ff67d6-3155-4fca-965a-59a3655c4476&response_type=code&redirect_uri=https%3A%2F%2Fapp.diagrams.net%2Fmicrosoft&scope=user.read files.readwrite.all offline_access&state=cId%3Db5ff67d6-3155-4fca-965a-59a3655c4476
What a user get with diagram application
This is not because of any particular scope. The answer to your question is discussed under "application provisioning" in Azure AD (AAD) terms. Put simply, an AAD application needs to be "provisioned" into an AAD tenant, and a tenant admin can choose whether users can initiate this by themselves or not. Here, it seems this is not allowed.
In more detail, when you create an AAD application, you create 2 objects: a representation of the application, and a "Service Principal" that handles access to that application. When you offer your AAD app to other tenants/organizations, they need their own service principal object to be able to access your application, and this happens through admin consent i.e. provisioning.
In general, there are 2 articles that you should take a look:
How and why applications are added to Azure AD
How to: Sign in any Azure Active Directory user using the multi-tenant application pattern
And these code samples should clarify the process:
Developing a Multi-tenant (SaaS) application with the Microsoft Identity Platform
Protect a multi-tenant SaaS web application that calls Microsoft Graph using Azure AD & OpenID Connect
EDIT: Correction: tenant admins can choose or not whether users are allowed to initiate app provisioning. Credits: #jasonJohnston.
I have created a Web application in my local Azure AD which I can successfully use to authenticate members of my AD tenant with (using oAuth2 flow). Now I need to extend my supported scenarios to allow a global admin from an external Azure AD tenant to sign-up their company to use this application as well.
Based on the Microsoft Docs this scenario, Multi-Tenant, is supported...
Authentication Scenarios for Azure AD
Multi-Tenant: If you are building an application that can be used by users outside your organization, it must be registered in your company’s directory, but also must be registered in each organization’s directory that will be using the application. To make your application available in their directory, you can include a sign-up process for your customers that enables them to consent to your application. When they sign up for your application, they will be presented with a dialog that shows the permissions the application requires, and then the option to consent. Depending on the required permissions, an administrator in the other organization may be required to give consent. When the user or administrator consents, the application is registered in their directory. For more information, see Integrating Applications with Azure Active Directory.
From my reading it appears that at some point a global admin for the foreign tenant should be presented with a URL which they can follow ( login.microsoftonline.com/common/??? ) which will somehow cause the external application to precipitate like a morning dew into their Azure AD. However, if this is the correct approach I would appreciate a tokenized example of how one correctly builds the login URL for a multi-tenant external Azure AD application which a group admin can follow to allow access in their AzureAD.
Ok, through trial and failure I have found the solution. The group admin for the remote tenant needs to be provided with the following URL which will allow them to register your Azure AD application as an Enterprise Application in their tenant.
https://login.microsoftonline.com/{remoteTenantUrl.com}/adminconsent?client_id={YourAppsClientID}&redirect_uri={YourAppsCallbackPage}
There is a Client in Tenant A. There is a Resource Server (Web API) in Tenant B. I'm developing both Client and Web API. I'm admin in both Tenant A and B. OAuth 2.0 grant type is Client Credentials so no End-Useris involved. My Web API (AAD App) exposes AppRoles which I described in Web API (AAD App) manifest (I named one of them client_access). For both AAD Apps(Client and Web API) I turned on multi-tenant option. And they have globally unique App ID URIs.
Now Client (AAD App) wants to request permissions to access Web APIin this role (client_access). Because they are in different tenants I created a Service Principal representing the Client in Tenant B. Now I want that Admin of Tenant B would provide this Service Principal with permissions/consent on requested role client_access providing by Web API.
But how (being an Admin of a Tenant) using Azure Portalcan I find this Service Principal? App registration page shows only AAD Appsbut not Service Principals. I don't see ClientAAD Appeither (in App registration page in Tenant B).
With single tenant situation everything is easy -- I select Client, go to Required permission section, push Add button, find there my Web APIand check client_access checkbox, then I push button Grant Permissions to provide my consent.
Anyone have a clue on How to provide permissions for Client to access Web API in multi-tenant scenario using Azure Portal or PowerShell or other means?
Maybe my overall approach is wrong? So advice please.
P.S.
We will publish/expose this Web APIto many of our partners so they will be able to develop their own Clients (residing in their tenants). They will requests access and I will grant/consent/approve their requests to my Web API. And after permission is established the Clients will communicate with Web APIusing OAuth 2.0 Client Credentials grant type with an access token.
Thank you
my question is similar to question Multi-Tenant app - OneDrive Business API
but i want my application to access the one drive from tenants of other different azure subscription, is it possible? i understood that if i register my application and mark it as multi-tenant, it will allow me access the tenant in my azure subscription, but if i want to access the tenant using the same application but in different azure subscription whats the way.
What’s kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow that the user delegates access to a web application. In this scenario, to enables the users on other tenants to login the website and access their Office 365 resource, we only need to enable the multiple-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST you were using. It is same as we are call the REST API for the single tenant app if we are using the Microsoft Graph to query the OneDrive for business. The endpoint of the list children of a driveItem is still like below no matter which tenant the user login:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer to here for more detail about Office 365 Discovery Service REST API.
Depending on the permissions that you need normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a mor elaborate explanation of how this would work.