Ali Hasan

Reputation: 157

Is it possible to manipulate tenant from another tenant in Azure?

I am new to Azure, and one question bothers me. Is it possible to create a multi-tenant logic in Azure with one "General" AAD that contains function apps and other tenants (more than 20) that should use these apps to manipulate their own tenants?

For example, there is an app for managing users (UserManagement). When this function is "called" from another tenant (Tenant "B"), let's say for adding a new user, it should add the user only in the called AAD (Tenant "B").

I tried to accomplish this by storing app registration credentials in a table or service principal (app registration logic), but it had no effect.

Thank you.

Upvotes: 1

Views: 237

Answers (2)

Rukmini

Reputation: 16064

I agree with @Tiny Wang, you need to create a multi-tenant Azure AD application to achieve your scenario.

I tried to reproduce the same in my environment and got the results as below:

I created an Azure AD Application in TenantA:


Now, I tried to sign in with the TenantB user using the authorize endpoint below:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345


The user will be prompted with the consent screen below:


Once the user accepts the consent, the TenantB user will be authorized successfully.

I generated the access token using the parameters below:

https://login.microsoftonline.com/organizations/oauth2/v2.0/token

grant_type: authorization_code
client_id: ClientID
scope: https://graph.microsoft.com/.default
code: code
redirect_uri: https://jwt.ms
client_secret: ClientSecret


If you want personal Microsoft accounts to access your app, then register your application as below and use the common endpoint:


  • Based on your requirement, you can assign the Azure AD API permissions and permit the users to access the application.

Upvotes: 1
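The flow in this answer (organizations authorize endpoint, authorization-code exchange, then acting only in the tenant the user actually signed in from) as an added Python example; this is not code from the answer. The client id, secret, code, tenant id and token are constructed placeholders, and caller_tenant assumes the ID token's signature, audience and expiry have already been validated by your JWT library.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def authorize_url(client_id, redirect_uri, audience="organizations", state="12345"):
    """Build the /authorize URL from the answer. `audience` is 'organizations'
    (work/school accounts from any tenant), 'common' (also personal accounts)
    or a single tenant id (sign-in from that tenant only)."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": GRAPH_SCOPE, "state": state}
    return f"{AUTHORITY}/{audience}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request(client_id, client_secret, code, redirect_uri):
    """Form body posted to /oauth2/v2.0/token to redeem the authorization code."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "scope": GRAPH_SCOPE}


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def caller_tenant(id_token, onboarded_tenants):
    """Return the tenant the user signed in from. Assumes `id_token` is a v2.0
    ID token whose signature was already validated; this only reads the payload.
    A multi-tenant app must key every Graph call on this `tid`, never on its
    home tenant, so a TenantB caller only ever touches TenantB."""
    claims = json.loads(b64url_decode(id_token.split(".")[1]))
    tid = claims.get("tid")
    if tid not in onboarded_tenants:
        raise PermissionError(f"tenant {tid!r} has not been onboarded")
    # v2.0 tokens carry iss = https://login.microsoftonline.com/{tid}/v2.0
    if claims.get("iss") != f"{AUTHORITY}/{tid}/v2.0":
        raise PermissionError("issuer does not match tid")
    return tid


def make_test_token(claims):
    """Constructed, unsigned token for this demo only (signature segment is junk)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f'{enc({"alg": "none"})}.{enc(claims)}.sig'
```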

Tiny Wang

Reputation: 16066

I did a test on my side with an Azure AD multi-tenant application and an ASP.NET Core application; the feature allows users from different tenants to sign in and then uses the Microsoft Graph API to query all the users.

My Azure AD application is registered in tenant A and is a multi-tenant application. Then I used a user in tenant B to sign in to the application, and the query result listed all the users in tenant B.

Here's the sample I followed. And in the controller, my request is like this: var users = await _graphServiceClient.Users.Request().GetAsync();

Do not forget to set the tenant id to common to enable the multi-tenant feature.


Upvotes: 1
