How to use a single application to access resources in multiple tenants in Azure AD?

Somansh Reddy 136 Reputation points
2020-09-24T22:15:32.15+00:00

My client application (hosted on a web server which is not on Azure) needs to access Azure Storage accounts for various organizations.

Say there are three organizations: Org1, Org2 and Org3. I would have one instance of my application running on my server for each of these 3 organizations, so basically they are isolated instances. There would be a UI-based form for an organization to enter their details (like subscription ID, storage account name, etc.).

I was under the impression that I have two options.

Option A - Create an app registration in each organization. So there would be 3 apps created (one in each organization's tenant). Each organization would have to give their respective app's service principal a role to be able to access their storage accounts. So 3 apps and 3 service principals in total.

Option B - Create an app registration in my organization (tenant). For ease of understanding, let us call this SomanshOrg. Can we create a service principal in Org1, Org2 and Org3, where each organization would have to give their respective app's service principal a role to be able to access their storage accounts? And then from my client application I would be able to access their resources. So 1 app and 4 service principals (3 orgs + mine) in total.

The end goal is to only take credentials from the user in the initial UI form. After that we can access their Azure Storage accounts without any more user involvement.

Which of these options would be better? Or is a different option more suitable for my use case?


Accepted answer
  1. 2020-09-24T23:57:59.78+00:00

    Option B, through a multi-tenant application. An additional service principal will get created in each organization.

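The per-tenant mechanics behind the accepted answer, as an added Python example (not code from the thread, from Microsoft, or from the asker's application): one app registration in the vendor's home tenant, an admin-consent URL that each customer organization visits once (which is what creates the service principal in their tenant), and a client-credentials token request that must be sent to the customer's own tenant endpoint, never `/common`. It also adds the sanity check a practitioner running one isolated instance per organization would want: before a token is used, confirm its `tid` claim is the tenant that instance was configured for, so a mis-entered tenant ID or secret in one instance's form cannot silently reach another organization's storage. The tenant IDs, client ID, secret, storage account names, redirect URI and the unsigned token built for the demonstration are all placeholders constructed here.

```python
"""
Multi-tenant app registration (Option B): per-organization consent,
token request and a configuration sanity check.

Constructed example; every identifier below is a placeholder.
"""
from __future__ import annotations

import base64
import json
from urllib.parse import urlencode

# The single app registration in the vendor's home tenant (placeholder client ID).
APP_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"

# One record per customer organization, as entered in that instance's UI form.
# After admin consent, the org grants the resulting service principal a role
# such as "Storage Blob Data Reader" scoped to the storage account.
ORGS = {
    "Org1": {"tenant_id": "11111111-1111-1111-1111-111111111111", "storage_account": "org1data"},
    "Org2": {"tenant_id": "22222222-2222-2222-2222-222222222222", "storage_account": "org2data"},
}

# Resource scope for Azure Storage under the v2.0 client-credentials grant.
STORAGE_SCOPE = "https://storage.azure.com/.default"


def admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str) -> str:
    """URL an org admin visits once; granting consent creates the app's
    service principal in that organization's tenant."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?{query}"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, dict]:
    """Build the client-credentials request for the *customer's* tenant.

    The tenant segment must be the org's tenant ID (or a verified domain);
    the client-credentials grant is not served on the /common endpoint.
    Returns (token_endpoint_url, form_body) ready to POST.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }
    return url, body


def blob_endpoint(storage_account: str) -> str:
    """Blob service endpoint the bearer token is sent to."""
    return f"https://{storage_account}.blob.core.windows.net"


def _b64url_json(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    decoded = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(decoded, dict):
        raise ValueError("JWT segment is not a JSON object")
    return decoded


def token_matches_org(access_token: str, expected_tenant_id: str, client_id: str) -> bool:
    """Sanity check before use: the token was issued by the expected org's
    tenant, for this app registration.

    This decodes claims only and does NOT verify the signature; Azure Storage
    validates the token. The check catches an instance configured with the
    wrong tenant ID or another org's secret. Storage tokens carry the app
    identity as `appid` (v1.0 format) or `azp` (v2.0 format), so accept either.
    """
    try:
        claims = _b64url_json(access_token.split(".")[1])
    except (IndexError, ValueError):
        return False
    app_claim = claims.get("appid") or claims.get("azp")
    return claims.get("tid") == expected_tenant_id and app_claim == client_id


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise token_matches_org
    offline; real tokens come from the token endpoint."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    for name, org in ORGS.items():
        print(name, admin_consent_url(org["tenant_id"], APP_CLIENT_ID, "https://vendor.example/consent"))
        url, _ = token_request(org["tenant_id"], APP_CLIENT_ID, "<secret-from-instance-config>")
        print("  token endpoint:", url, "-> storage:", blob_endpoint(org["storage_account"]))
```

In practice each isolated instance holds only its own organization's tenant ID and the app's secret (or, better, a certificate), posts the form returned by `token_request` to the tenant-specific endpoint, runs `token_matches_org` on the response, and then calls the storage account with the bearer token. The service principal in the customer tenant is what their admin assigns the RBAC role to; the app registration itself stays in the vendor's tenant.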

2 additional answers

  1. 2020-09-28T21:00:22.21+00:00

    Signed in users will be able to access only their tenant data. Same with applications using the client credentials flow.


  2. Chetan Krishna Sangoram 61 Reputation points
    2021-11-29T13:02:10.847+00:00

    @Somansh Reddy I was trying for something similar, hence resurrecting the thread. In your chosen Option B, do you then plan to host your app on Azure?
    As you spoke of
    "Create an app registration in my Organization ( tenant ). For ease of understanding let us call this SomanshOrg"

    You have mentioned your app is hosted on a web server not on Azure, hence I'm asking, as my use case is exactly an app not on Azure.
