0 Votes
SomanshReddy-4380 asked, ChetanKrishnaSangoram-8613 answered

How to use a single application to access resources in multiple tenants in Azure AD?

My client application ( hosted on a web server which is not on Azure ), needs to access Azure Storage accounts for various Organizations.

Say there are three Organizations - Org1, Org2 and Org3. I would have one instance of my application running on my server for each of these 3 organizations, so basically they are isolated instances. There would be a UI based form for an organization to enter their details ( like subscription id, storage account name etc ).

I was under the impression that I have two options.

Option A - Create an app registration in each Organization. So there would be 3 apps created ( one in each of the Organization's tenant ). Each Organization would have to give their respective app's service principal a role to be able to access their Storage Accounts. So 3 apps and 3 service principals in total.

Option B - Create an app registration in my Organization ( tenant ). For ease of understanding let us call this SomanshOrg. Can we create a service principal in Org 1, Org2, Org3 where each Organization would have to give their respective app's service principal a role to be able to access their Storage Accounts. And then from my client application I would be able to access their resources. So 1 app and 4 service principals ( 3 Org + mine ) in total.

The end goal is to only take credentials from the User in the initial UI form. And then we can access their Azure Storages without any more user involvement.

Which of these options would be better? Or is a different option more suitable for my use case?

Tags: azure-active-directory, azure-ad-app-registration, azure-ad-tenant, azure-rbac

2 Votes
alfredorevilla-msft answered, SomanshReddy-4380 commented

Option B through a multi-tenant application. An additional service principal will get created in each organization.


Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

But the credentials ( secret ) of the Application would be able to access data in all the service principals and hence in all the tenants that have granted consent, right?

I think a way to avoid this would be to use service principals 'passwords' instead so one set of creds wouldn't be able to access the other set of credentials?

0 Votes

@alfredo-revilla-msft @JamesTran-MSFT ?

0 Votes

0 Votes
alfredorevilla-msft answered, alfredorevilla-msft commented

Signed in users will be able to access only their tenant data. Same with applications using the client credentials flow.

@alfredo-revilla-msft But applications using client credentials can access all the data in tenants that have granted them consent - since the credentials belong to the entire application object. And the same application object is used to create service principals in each of these tenants.

0 Votes

That's correct. You can avoid that using your suggestion, to avoid any credential being created for the multitenant app and use per tenant service principal credentials.

1 Vote

@alfredo-revilla-msft Okay, so that is with the Client Credential workflow. Two follow up questions:

1) In Client Credentials workflow, is admin consent the only way to allow the application to access resources on its own behalf? Any way to not have an admin involved in the entire app registration process?

I assume assigning the role to the service principal would ultimately require an admin who has permissions to grant roles so we wouldn't be able to avoid it completely.

2) If there is a user signed in ( interactive workflow ), then how long can the application act on the user's behalf before the user has to re-enter / re-login to Azure so that the application can continue accessing resources on his / her behalf? Is it until the refresh token expires?

0 Votes
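The distinction the comments above draw, between a secret on the multi-tenant application object (usable at every consented tenant) and a secret on each tenant's own service principal (usable at that tenant only), modelled as an added example. This is not code from the thread or from Microsoft; it uses the standard library only, an in-memory store, and placeholder tenant ids, client id and secrets, and it builds the client-credentials token request without sending it.

```python
# Added example (not from the Q&A thread): per-tenant service principal
# credentials for one multi-tenant app. Tenant ids, client id and secrets
# below are constructed placeholders; nothing is sent over the network.
from dataclasses import dataclass
from urllib.parse import urlencode

# Real Azure AD v2.0 token endpoint shape; the path segment is the tenant.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
# Real scope for app-only access to Azure Storage (role still assigned via RBAC).
STORAGE_SCOPE = "https://storage.azure.com/.default"


@dataclass(frozen=True)
class ServicePrincipalSecret:
    """A secret added to the service principal inside one customer tenant.

    It is only accepted at that tenant's token endpoint, so a leaked copy
    exposes that tenant alone."""
    tenant_id: str
    secret: str


@dataclass(frozen=True)
class AppObjectSecret:
    """A secret added to the multi-tenant application object in the home tenant.

    Azure AD accepts it at the token endpoint of every tenant that consented
    to the app, which is the exposure the thread warns about."""
    secret: str


def reachable_tenants(credential, consented_tenants):
    """Tenants whose resources a single leaked credential could be used against."""
    if isinstance(credential, AppObjectSecret):
        return set(consented_tenants)
    if isinstance(credential, ServicePrincipalSecret):
        if credential.tenant_id in consented_tenants:
            return {credential.tenant_id}
        return set()
    raise TypeError("unknown credential type")


class PerTenantCredentialStore:
    """Holds secrets for one isolated per-organization instance of the app.

    Only ServicePrincipalSecret values are accepted, so an instance can never
    end up carrying the app-object secret that would reach every tenant."""

    def __init__(self, app_client_id):
        self.app_client_id = app_client_id  # same client id in every tenant
        self._secrets = {}

    def register(self, credential):
        if not isinstance(credential, ServicePrincipalSecret):
            raise ValueError("only per-tenant service principal secrets are accepted")
        self._secrets[credential.tenant_id] = credential

    def client_credentials_request(self, tenant_id):
        """Build the OAuth 2.0 client-credentials request for one tenant.

        Returns (url, form_body). The url is tenant-specific and the secret
        comes from that tenant's own service principal."""
        cred = self._secrets.get(tenant_id)
        if cred is None:
            raise KeyError(f"no service principal credential registered for tenant {tenant_id}")
        url = TOKEN_ENDPOINT.format(tenant_id=tenant_id)
        body = urlencode({
            "client_id": self.app_client_id,
            "client_secret": cred.secret,
            "scope": STORAGE_SCOPE,
            "grant_type": "client_credentials",
        })
        return url, body


if __name__ == "__main__":
    consented = {"org1-tenant-id", "org2-tenant-id", "org3-tenant-id"}
    print("app-object secret reaches:", sorted(reachable_tenants(AppObjectSecret("x"), consented)))
    sp = ServicePrincipalSecret("org1-tenant-id", "org1-secret-placeholder")
    print("service principal secret reaches:", sorted(reachable_tenants(sp, consented)))
    store = PerTenantCredentialStore("00000000-0000-0000-0000-000000000000")
    store.register(sp)
    print(store.client_credentials_request("org1-tenant-id"))
```

Each isolated Org1/Org2/Org3 instance registers only its own tenant's service principal secret, so the instance for Org1 has nothing that is valid at Org2's token endpoint. As noted in the thread, the role assignment that lets the service principal read the storage account still has to be made by an administrator in that tenant.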
0 Votes
ChetanKrishnaSangoram-8613 answered

@SomanshReddy-4380 I was trying for something similar, hence resurrecting the thread. In your chosen option B, do you plan to host your app on Azure?
As you spoke of:
"Create an app registration in my Organization ( tenant ). For ease of understanding let us call this SomanshOrg"

You have mentioned your app is hosted on a web server not on Azure, hence asking, as my use case is exactly an app not on Azure.