question

prabhakarb-2711 asked ·

In Azure AD, how to access an API registered as multi-tenant (Tenant-A) from another tenant (Tenant-B)

We have created an API in Tenant-A and exposed a scope (api://tenant-A/app.read), and we have created a Web Application in Tenant-B. Now we are trying to register the permissions of Tenant-A in the Tenant-B web application. How can we request the permissions of Tenant-A in the Tenant-B web application?

azure-active-directory

1 Answer

soumi-MSFT answered ·

@prabhakarb-2711, You can perform the steps mentioned below:

In Tenant A:
Create an app registration as a multi-tenant application in tenant A (eg: TenantAAPI) and expose it as an API (api://app-id/app.read).

In Tenant B:

  1. Try to access that TenantAAPI multi-tenant application using a user of Tenant B, so that the application gets added to Tenant B as a service principal.

  2. Once the application TenantAAPI gets added to Tenant B, you should be able to see its entry under the Enterprise Registration section.

  3. Create another App Registration in Tenant B (eg: TenantBApp).

  4. In the API Permissions section of TenantBApp, you can add a permission: Add a Permission --> Select an API --> APIs my Organization Uses --> here search for the API of tenant A, i.e. TenantAAPI

  5. Once you find the TenantAAPI, add its exposed permission, i.e. app.read, as it would be listed there.

In this way you can go ahead and make the api exposed in tenant A available in tenant B.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

4 comments

Hi @soumi-MSFT, thank you, I followed the steps. I have a small confusion about the first point "Try to access that TenantAAPI multi-tenant application using a user of Tenant B". In this step can you please help with a sample URL to access tenant A.

1 Vote 1 · ·
soumi-MSFT (replying to prabhakarb-2711) ·

@prabhakarb-2711, Sure, I used the following url to test on my end:

 https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={App Id of TenantAAPI}&response_type=code&redirect_uri={redirect URI for TenantAAPI}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345

Since a user of tenant B would be logging in here, I used the Authorization Code Grant flow of OAuth, and this is the first step from that flow, where I asked for a code from the /authorize endpoint of AAD. While you perform this step, it would ask you to consent for the permissions that you have asked for in the scope parameter of the request, and once you provide the consent, the service principal for this corresponding application would get created in Tenant B.


Hope this helps. Do let me know if any more queries around this, so that we can help you further.

1 Vote 1 · ·
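The exchange described in the comment above, as an added example that is not part of the original thread: it builds the /common authorize request with the same parameters the reply uses and then parses the fragment-mode response, refusing it if the state value does not match. The client_id and redirect_uri values are constructed placeholders.

```python
# Added example (not from the thread): first leg of the authorization code flow
# against the /common endpoint, plus parsing of the response_mode=fragment reply.
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Build the /authorize URL. /common lets a user of any tenant sign in; the
    consent they grant is what creates the service principal for the
    multi-tenant app in their own tenant (the step the answer calls "access
    the application using a user of Tenant B")."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": " ".join(scopes),   # quote_via=quote encodes spaces as %20
        "state": state,              # opaque value echoed back by AAD
    }
    return f"{AUTHORITY}?{urlencode(params, quote_via=quote)}"

def parse_fragment_response(redirected_url, expected_state):
    """Extract the authorization code from the URL fragment. An error reply or
    a state that does not match the one we sent is rejected, so a code cannot
    be injected into a session that never requested it."""
    frag = parse_qs(urlsplit(redirected_url).fragment)
    if "error" in frag:
        desc = frag.get("error_description", [""])[0]
        raise ValueError(f"authorize failed: {frag['error'][0]} {desc}".strip())
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not tied to our request")
    return frag["code"][0]

if __name__ == "__main__":
    # Constructed placeholder values, not a real app registration.
    url = build_authorize_url(
        client_id="00000000-0000-0000-0000-000000000000",
        redirect_uri="https://localhost/callback",
        scopes=["openid", "offline_access", "https://graph.microsoft.com/.default"],
        state="12345",
    )
    print(url)
    # Constructed sample of what the browser lands on after consent.
    sample = "https://localhost/callback#code=ABC.123&state=12345"
    print(parse_fragment_response(sample, "12345"))
```

Once the code is exchanged for tokens, the tid claim in the id_token identifies which tenant the consenting user came from; a multi-tenant API should check that value against the tenants it expects before trusting the caller.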

Hi @soumi-MSFT thanks for helping out. I have a similar requirement where an application registered in the customer's tenant (let's say Tenant A) has to access the API registered in my tenant(Tenant B).

I tried the steps that you mentioned in your comment with another tenant that I had for test purposes (Tenant C). I tried to access the web API registered in my main tenant (Tenant B) as mentioned before, with the account registered in Tenant C. However, I get an error on the login page which basically says:

"Selected user account does not exist in tenant 'Tenant B' and cannot access the application 'Tenant B client ID' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

I am confused because I have already registered the web API as multitenant but it still complains about the user not being registered in the same tenant. Any help will be appreciated.

Thanks.

0 Votes 0 · ·

@Varun-5012, thank you for reaching out. So as I understand, you have a web api registered in tenant B that is a multitenant webapp/api and then you want to access it from tenant C.
So in this case, the steps remain the same for you too; just make sure that when you are accessing the web API to get it registered in Tenant C using the following URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={App Id of TenantAAPI}&response_type=code&redirect_uri={redirect URI for TenantAAPI}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345 you log in using a user of Tenant C, so that after the user of Tenant C logs in successfully the service principal for that multi-tenant web API can get successfully registered in AAD of tenant C.

Hope this helps. Do let me know if any more queries around this, so that we can help you further.

0 Votes 0 · ·