Alex Le

Reputation: 11

Secure multi-tenant access to MS Graph with ConfidentialClientApplication

I have been working for a while trying to find out how to connect multiple tenants to the same Azure app to access Graph. I ended up using ConfidentialClientApplication because I have a daemon service which can't ask for authentication all the time, so the tenant admin grants permissions once to my Azure app and I am able to access the tenant's data with the MS Graph API.

I need help understanding what's wrong with the following scenario:

Consider we have 2 tenants: tenant1 and tenant2. Both granted permissions to my app. But this means tenant2 can access tenant1's data by specifying tenant1's authority, like https://login.microsoftonline.com/tenant1, and an email. How do I overcome this situation security-wise? Should I use one Azure app per customer, or maybe some other MSAL authentication flow for daemon apps? Totally confused.

Upvotes: 1

Views: 301

Answers (1)

juunas

Reputation: 58823

If your customers can control the authority your daemon app uses, it sounds like you cannot use the approach of a single app with app permissions to all customer tenants. This approach can be used when you have a multi-tenant app with a background process that runs in your infrastructure that the customer cannot control.

Either your app needs to talk to infrastructure that only you control, which then uses the app permissions, or you need separated applications. An application would need to be created as a single-tenant app in each customer's AAD. Either they do it, you do it, or you provide a script to do it. Then they can enter those credentials into your app's config and start using it.

Upvotes: 1
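One way to implement the "infrastructure that only you control" option from the answer above, as an added Python example that is not code from the question or the answer: the daemon derives the authority from its own customer-to-tenant record, never from anything the caller supplies, and checks the `tid` claim of the token it gets back. The `acquire` callback, `CUSTOMER_CONFIG`, the tenant GUIDs and `fake_token` are constructed assumptions; with MSAL the callback would wrap `ConfidentialClientApplication(client_id, client_credential=secret, authority=authority).acquire_token_for_client(scopes=scopes)`.

```python
import base64
import json

LOGIN_BASE = "https://login.microsoftonline.com"
GRAPH_SCOPE = ["https://graph.microsoft.com/.default"]

# Constructed sample config held in the daemon's own infrastructure. Each of OUR
# customer ids is bound to exactly one AAD tenant id (the tenant whose admin consented)
# and optionally to that customer's own single-tenant app credentials (the answer's
# second option). Secrets here are placeholders, not real values.
CUSTOMER_CONFIG = {
    "customer-1": {"tenant_id": "11111111-1111-1111-1111-111111111111"},
    "customer-2": {"tenant_id": "22222222-2222-2222-2222-222222222222",
                   "client_id": "app-for-customer-2", "client_secret": "<placeholder>"},
}
OUR_APP = {"client_id": "our-multitenant-app", "client_secret": "<placeholder>"}


def authority_for(customer_id):
    """Authority comes from our records, so a caller cannot point us at another tenant."""
    return f"{LOGIN_BASE}/{CUSTOMER_CONFIG[customer_id]['tenant_id']}"


def credentials_for(customer_id):
    """Use the customer's own single-tenant app if one is registered, else our app."""
    entry = CUSTOMER_CONFIG[customer_id]
    if "client_id" in entry:
        return entry["client_id"], entry["client_secret"]
    return OUR_APP["client_id"], OUR_APP["client_secret"]


def tenant_of(access_token):
    """Read 'tid' from the JWT payload (no signature check: Graph, the audience, verifies it)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload)).get("tid")


def acquire_graph_token(customer_id, acquire):
    """acquire(client_id, secret, authority, scopes) -> MSAL-style result dict."""
    client_id, secret = credentials_for(customer_id)
    result = acquire(client_id, secret, authority_for(customer_id), GRAPH_SCOPE)
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", "token request failed"))
    # Defence in depth: the token must belong to the tenant bound to this customer.
    if tenant_of(result["access_token"]) != CUSTOMER_CONFIG[customer_id]["tenant_id"]:
        raise PermissionError(f"token tenant does not match {customer_id}")
    return result["access_token"]


def fake_token(tid):
    """Constructed, unsigned JWT-shaped string for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'tid': tid, 'aud': 'https://graph.microsoft.com'})}.sig"
```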
