JHH

Reputation: 9315

Access MS Graph data across tenants and ext principals

Let's say I have two or more O365 tenants and an external application using Azure client credentials that wants to read user data in these tenants.

Is it then possible to set access up so that the external application can obtain an OAuth access token for tenant 1, and use it to also read data in tenant 2, by some sort of tenant-delegated access? For example, let's say I have two users foo@tenant1.com and bar@tenant2.com, where foo belongs to tenant 1 and bar belongs to tenant 2, and I want to read e.g. e-mail or calendar events for these two users; is it then possible to authenticate once and read the data for both users using the same access token? Or is it absolutely necessary to group users by tenancy, i.e., find the matching tenant of each user, authenticate into that tenant and then read the data for the users within that tenant, separately?

What if the data itself spans multiple tenants, such as a user in tenant 1 creating a calendar event where users from tenant 2 are attendees, and perhaps using a resource such as a meeting room from tenant 3? How does O365 handle this? I've sometimes seen that principals from one tenant are allowed into another tenant and given a special "guest" or "external" principal, such as foo@tenant1.com being let into tenant 2 as foo_tenant1.com#EXT#@tenant2.com. Does this happen automatically? What if this external principal was used in the scenario above: could I obtain an access token for tenant 2 and then fetch user data for the foo_tenant1.com#EXT#@tenant2.com principal even though it actually resides in tenant 1?

If possible, what needs to be set up in Azure/AD to allow for this delegation of access between tenants?

Upvotes: 0

Views: 1408
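As an added illustration (not code from the question or the answer) of the "group users by tenancy" approach the question describes: the client-credentials token endpoint has the tenant in its URL, so each token is tenant-scoped, and a caller that serves users in several tenants has to bucket the UPNs by tenant, acquire one token per bucket, and check the `tid` claim of each token before using it. The domain-to-tenant map, the GUIDs, the `fake_token` helper and the injected `token_for_tenant` callable are all constructed assumptions so the example runs offline; a real caller would POST the request that `client_credentials_request` builds.

```python
import base64
import json
from collections import defaultdict
from urllib.parse import quote

# Constructed mapping from e-mail domain to tenant ID. In a real deployment this
# would come from configuration; the GUIDs here are placeholders.
DOMAIN_TO_TENANT = {
    "tenant1.com": "11111111-1111-1111-1111-111111111111",
    "tenant2.com": "22222222-2222-2222-2222-222222222222",
}

GRAPH = "https://graph.microsoft.com/v1.0"


def group_users_by_tenant(upns):
    """Bucket UPNs by the tenant that owns the directory object.

    The domain after the last '@' decides the tenant, so a guest principal such
    as 'foo_tenant1.com#EXT#@tenant2.com' is grouped with tenant 2, where its
    guest object lives, not with tenant 1.
    """
    groups = defaultdict(list)
    for upn in upns:
        domain = upn.rsplit("@", 1)[-1].lower()
        tenant_id = DOMAIN_TO_TENANT.get(domain)
        if tenant_id is None:
            raise ValueError(f"no tenant configured for domain {domain!r}")
        groups[tenant_id].append(upn)
    return dict(groups)


def client_credentials_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request for one tenant.

    The tenant is part of the token endpoint URL, so the resulting token is
    scoped to that tenant only; the app must be registered and consented there.
    """
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
        },
    }


def token_tenant(access_token):
    """Return the 'tid' claim of a JWT access token.

    Only the payload is decoded; the signature is not verified. This is a
    routing sanity check on the caller's side (did I get a token for the tenant
    I asked for?), not a substitute for validation by the resource server.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]


def plan_calendar_reads(upns, token_for_tenant):
    """Produce (upn, graph_url, token) triples using one token per tenant.

    token_for_tenant(tenant_id) -> access token; injected so the example runs
    offline. Raises if a token's tid does not match the tenant it was meant for.
    """
    plan = []
    for tenant_id, users in group_users_by_tenant(upns).items():
        token = token_for_tenant(tenant_id)
        got = token_tenant(token)
        if got != tenant_id:
            raise RuntimeError(f"token is for tenant {got}, expected {tenant_id}")
        for upn in users:
            # '#' and '@' in a guest UPN must be percent-encoded in the path
            url = f"{GRAPH}/users/{quote(upn, safe='')}/calendar/events"
            plan.append((upn, url, token))
    return plan


def fake_token(tenant_id):
    """Constructed, unsigned JWT-shaped string carrying only a 'tid' claim,
    standing in for a real token so the example needs no network access."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps({"tid": tenant_id}).encode())
    return f"{header}.{body.rstrip(b'=').decode()}."


if __name__ == "__main__":
    users = ["foo@tenant1.com", "bar@tenant2.com", "foo_tenant1.com#EXT#@tenant2.com"]
    for upn, url, _token in plan_calendar_reads(users, fake_token):
        print(upn, "->", url)
```

The `tid` check is the part worth keeping in production code: a token minted at tenant 1's endpoint carries tenant 1's `tid`, and Graph will not honour it for tenant 2's directory, so catching a mismatch before the request fails fast instead of producing a confusing 401 or 403.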

Answers (1)

Kartik Bhiwapurkar

Reputation: 5165

• As per what you have described in your question, I understand that you must access other tenants' users' data through your tenant's ID. Also, you want your tenant's ID to be usable for accessing user data from multiple tenants. Thus, in your scenario, you can use federation between the various external domains to allow your tenant's ID to access user data and applications from another tenant. Azure AD B2B collaboration can be leveraged successfully to implement multi-tenant user management in your case.

• Azure AD B2B collaboration helps you securely share your company's applications and services with external guest users as well as internal guest users, while also helping you maintain control over access to the IT environment and data. Please find the links below for more details on Azure AD B2B collaboration best practices and its implementation:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/multi-tenant-user-management-introduction

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/multi-tenant-user-management-scenarios

Upvotes: 1
