Petr Havlicek

Reputation: 2131

Inviting Azure application into a tenant

I'm able to invite a user into a tenant. After the user confirms the invitation and is assigned a role in a subscription, he/she can view this subscription together with subscriptions from other tenants.

I can list the user's subscriptions from all the different tenants using az account list.

Is it possible to do the same for an Azure application? Somehow invite it and grant it access to a subscription in a different tenant? Or, in general, how can an application access resources in a different tenant (without using Lighthouse)?

Upvotes: 4

Views: 1177

Answers (1)

Philippe Signoret

Reputation: 14336

The security principal for an app is the ServicePrincipal object (much like the security principal for a user is the User object). If an app is configured to be a multi-tenant application, a service principal for that app can be created in any other tenant. Once that service principal has been created, it can be granted a role assignment.

Example using Azure CLI:

  1. Log in to tenant A.

    $ az login --tenant "{tenant-A-id-or-domain}"

  2. In tenant A, configure the app registration (the Application object) to be multi-tenant. (Here we're creating a new one, but you can also update an existing one with az ad app update.)

    $ az ad app create --display-name "App in Tenant A" \
                       --available-to-other-tenants true \
                       --query "appId"

    "74dde9de-56e2-4750-a7cc-5da5f021b897"

  3. Log in to tenant B.

    $ az login --tenant "{tenant-B-id-or-domain}"

  4. Create a service principal for the app (which was registered in tenant A) in tenant B. Note the value used for --id is the appId of the app registration created in step 2.

    $ az ad sp create --id "74dde9de-56e2-4750-a7cc-5da5f021b897" \
                      --query "{appId:appId,displayName:displayName}"

    {
      "appId": "4c3e3be1-b735-41b1-a842-f095b9a45849",
      "displayName": "App in Tenant A"
    }

  5. At this point, you can grant the service principal access to something. For example, you can give it a role assignment to a resource in your Azure subscriptions.

  6. You can now use the credentials configured on the app registration (i.e. the certificate or client secret), when authenticating into Tenant B, as the app.

Manually creating the service principal object as we've done here is just one approach. Another approach, particularly useful when the app has some sort of user-facing interface (e.g. a web app), is for a user in tenant B to sign in to the app and consent to it. After at least one user has consented to the app, the app's service principal object will be present in Tenant B and it can be granted a role assignment.

Upvotes: 6
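Step 6 of the procedure above, as an added example that is not part of the answer: instead of az CLI it uses the OAuth 2.0 client credentials grant directly against tenant B's token endpoint, with the appId from tenant A's registration as the client_id, and then checks the returned token's `tid` and `appid`/`azp` claims before using it. The tenant ids, secret and the unsigned sample token are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"


def build_token_request(tenant_b, app_id, client_secret):
    """Build the client-credentials request for tenant B. The client_id is the
    appId from tenant A's app registration; the URL names tenant B, where the
    service principal was created in step 4."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    }).encode()
    return TOKEN_ENDPOINT.format(tenant=tenant_b), body


def request_token(tenant_b, app_id, client_secret):
    """POST the request and return the bearer token (needs network access)."""
    url, body = build_token_request(tenant_b, app_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode a JWT payload for inspection only; signature validation is done
    by the resource (ARM), not here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_for(token, tenant_b, app_id):
    """Check that the token was issued by tenant B to this app: 'tid' is tenant
    B, and the caller ('appid' in v1 tokens, 'azp' in v2 tokens) is the app."""
    claims = jwt_claims(token)
    return claims.get("tid") == tenant_b and (claims.get("appid") or claims.get("azp")) == app_id


def sample_token(tid, appid):
    """Constructed, unsigned token with the shape of a tenant-issued one (offline tests only)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'tid': tid, 'appid': appid})}.sig"
```

A token whose `tid` is tenant A rather than tenant B means the app authenticated into the wrong tenant and will not see tenant B's role assignments.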
