Reputation: 99
I have two tenants, application-tenant and customer-tenant. application-tenant has an Azure AD Free license and customer-tenant has Azure AD Premium P1. Our .NET application is using application-tenant's client id and tenant id, as application-tenant is the main application tenant, and its app registration is marked to allow multi-tenant login.
When I try to log in to my application using the credentials of a customer-tenant account like [email protected], it logs in successfully, but right after login, when I try to fetch my Active Directory users using the Graph API, the response only contains users of application-tenant.
Is there any permission missing for application-tenant to get access to customer-tenant users?
Upvotes: 0
Views: 197
Reputation: 16056
When we have a multi-tenant Azure AD application, we usually want to use it in different tenants to realize the same feature; in your scenario, you want to use it to query users. But that doesn't mean we don't need to do anything before the AAD app registered in application tenant can be used to query users in customer tenant. We first need to make the app appear in the customer's tenant, right?
You can go to the Azure portal for customer tenant -> Azure AD -> Enterprise applications -> All applications to check whether the AAD app now exists in the customer tenant. If not, please follow this document to add admin consent for this app. The URL should be https://login.microsoftonline.com/{tenant_id_of_customer_tenant}/adminconsent?client_id={app_client-id_in_application_tenant}. Then the app should be found in customer tenant, and we can use this application to query users in customer tenant.
Then another question appears: we can use this app to query users in application tenant, and the same for customer tenant, so how can your .NET application know which tenant should be queried now? According to the signed-in user? Or should you tell your .NET app which tenant should be queried? Since you mentioned that your .NET app is trying to query users in the tenant, I'm afraid you are now using the client credential flow to query all users.
Then the code may look like this:
using Azure.Identity;
using Microsoft.Graph;

// ".default" asks for every application permission already granted to this
// app in the tenant named by tenantId (app-only, client credential flow).
var scopes = new[] { "https://graph.microsoft.com/.default" };
string tenantId = "TenantId";       // the tenant whose directory you want to read
string clientId = "aad_app_id";     // app registered in application tenant
string clientSecret = "ClientSecret";
var clientSecretCredential = new ClientSecretCredential(
    tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
// Returns the users of the tenant the token was issued for, not of all tenants.
var users = await graphClient.Users.Request().GetAsync();
And if you set the customer tenant id or tenantname.onmicrosoft.com here, I think the app will query users in customer tenant.
Upvotes: 1
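The two steps in the answer (one-time admin consent in the customer tenant, then a client-credentials token issued by that tenant's endpoint) are plain HTTPS exchanges, so the following added Python example walks through them end to end, independent of the page's C# Graph SDK code. It is not code from the question, the answer or Microsoft; the `FakeAzure` transport, the tenant and client IDs, the user names, the redirect URI and the callback string are all constructed for illustration. It reproduces the question's symptom (a token from application-tenant only ever lists application-tenant users), shows the client-credentials grant failing against customer-tenant before consent exists, validates the consent callback's `state` before trusting the `tenant` it names, and selects the tenant to query from the signed-in user's `tid` claim rather than from anything the client sends.

```python
"""Per-tenant admin consent and client-credentials lookup for a multi-tenant app.

Added example, not code from the question or answer. The HTTP shapes follow the
Azure AD v2.0 endpoints; the in-memory FakeAzure transport, tenant and client
IDs, user names and redirect URI are all constructed for illustration.
"""
import json
import secrets
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

def build_admin_consent_url(customer_tenant: str, client_id: str,
                            redirect_uri: str, state: str) -> str:
    """URL a global admin of the customer tenant opens once to create the app's
    service principal there. The path names the *customer* tenant; client_id is
    the app registered in the application tenant."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "state": state})
    return f"{AUTHORITY}/{customer_tenant}/adminconsent?{query}"

def parse_admin_consent_callback(query_string: str, expected_state: str) -> str:
    """Return the tenant ID that granted consent, or raise. Azure AD redirects
    back with admin_consent=True&tenant=<id>&state=<state> on success, or
    error=<code>&error_description=...&state=<state> on refusal."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: forged or replayed consent callback")
    if "error" in params:
        raise PermissionError(f"admin consent refused: {params['error']}")
    if params.get("admin_consent") != "True" or "tenant" not in params:
        raise ValueError("callback did not confirm admin consent")
    return params["tenant"]

def tenant_from_id_token_claims(claims: Dict[str, str]) -> str:
    """Pick the directory to query from the signed-in user's validated ID token
    (`tid` claim), never from a tenant name supplied in the request."""
    return claims["tid"]

def client_credentials_request(tenant: str, client_id: str,
                               client_secret: str) -> Tuple[str, Dict[str, str]]:
    """v2.0 client-credentials grant; the tenant in the token endpoint decides
    which directory the resulting Graph token is scoped to."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials", "scope": GRAPH_DEFAULT_SCOPE}
    return url, body

def fetch_users(tenant: str, client_id: str, client_secret: str, post, get) -> List[str]:
    """Acquire an app-only token from `tenant` and list that tenant's users.
    `post`/`get` are injected so the example runs without network access."""
    url, body = client_credentials_request(tenant, client_id, client_secret)
    token_resp = json.loads(post(url, body))
    if "error" in token_resp:
        raise PermissionError(f"token request failed: {token_resp['error']}")
    headers = {"Authorization": f"Bearer {token_resp['access_token']}"}
    page = json.loads(get(GRAPH_USERS, headers))
    return [u["userPrincipalName"] for u in page["value"]]

class FakeAzure:
    """Constructed stand-in for login.microsoftonline.com and Graph. Tokens are
    opaque strings that remember their issuing tenant: Graph returns only that
    tenant's directory, never a merged view across tenants."""
    def __init__(self, users_by_tenant: Dict[str, List[str]], consented):
        self.users_by_tenant = users_by_tenant
        self.consented = set(consented)  # tenants where the app has a service principal
        self.tokens: Dict[str, str] = {}

    def post(self, url: str, body: Dict[str, str]) -> str:
        tenant = url.split("/")[3]       # https://host/{tenant}/oauth2/v2.0/token
        if tenant not in self.consented:  # no service principal there yet
            return json.dumps({"error": "invalid_grant"})
        token = secrets.token_hex(8)
        self.tokens[token] = tenant
        return json.dumps({"access_token": token, "token_type": "Bearer"})

    def get(self, url: str, headers: Dict[str, str]) -> str:
        tenant = self.tokens[headers["Authorization"].split(" ", 1)[1]]
        users = [{"userPrincipalName": u} for u in self.users_by_tenant[tenant]]
        return json.dumps({"value": users})

def run_scenario() -> Dict[str, object]:
    """The question's symptom, then the answer's fix, against FakeAzure."""
    app_tenant = "11111111-1111-1111-1111-111111111111"    # constructed
    cust_tenant = "22222222-2222-2222-2222-222222222222"   # constructed
    client_id, secret = "33333333-3333-3333-3333-333333333333", "not-a-real-secret"
    azure = FakeAzure({app_tenant: ["alice@application.example"],
                       cust_tenant: ["bob@customer.example"]}, consented=[app_tenant])
    results: Dict[str, object] = {}
    # Hard-coding the application tenant returns its users, whoever signed in.
    results["app_tenant"] = fetch_users(app_tenant, client_id, secret, azure.post, azure.get)
    # Targeting the customer tenant before admin consent fails outright.
    try:
        fetch_users(cust_tenant, client_id, secret, azure.post, azure.get)
    except PermissionError:
        results["customer_before_consent"] = "consent required"
    # A customer admin opens the consent URL; the callback names their tenant.
    state = secrets.token_urlsafe(16)
    build_admin_consent_url(cust_tenant, client_id, "https://app.example/consent", state)
    callback = f"admin_consent=True&tenant={cust_tenant}&state={state}"  # constructed
    azure.consented.add(parse_admin_consent_callback(callback, state))
    # Now select the tenant from the signed-in user's token and query it.
    tid = tenant_from_id_token_claims({"tid": cust_tenant, "preferred_username": "bob@customer.example"})
    results["customer_after_consent"] = fetch_users(tid, client_id, secret, azure.post, azure.get)
    return results

if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Against a real tenant, `post`/`get` would be an HTTP client sending the form body and bearer header exactly as built here; the `tid` claim must come from an ID token whose signature and issuer your middleware has already validated, and the `state` value should be bound to the session that started the consent flow so a crafted callback cannot register a tenant the admin never consented for.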