We have created API in Tenant-A and exposed a scope (api://tenant-A/app.read) ,we have created Web Application in Tenant-B. Now we are trying to register permissions of Tenant-A in Tenant-B web application. How can we request permission of Tenant-A in Tenant-B web application.

@prabhakar b , You can perform the steps mentioned below: In Tenant A: Create a app registration as multi-tenant application in tenant A (eg: TenantAAPI ) and expose it as an API (api://app-id/app.read) . In Tenant B: Try to access that TenantAAPI multi-tenant application using a user of Tenant B , so that the application gets added to Tenant B as a service principal . Once the application TenantAAPI gets added to Tenant B , you should be able to see its entry under the Enterprise Registration section. Create another App Registration in Tenant B (eg: TenantBApp ). In the API Permissions section of TenantBApp , you can add a permission: Add a Permission --> Select an API --> APIs my Organization Uses --> here search for the api of tenant A i.e TenantAAPI Once you find the TenantAAPI , Add its exposed permission i.e app.read as it would be listed there. In this way you can go ahead and make the api exposed in tenant A available in tenant B. Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer ; if the above response helped in answering your query.

In Azure AD, how to access an API registered as multi-tenant(Tenant-A) from another tenant (Tenant-B)

Accepted answer

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-06T07:31:02.657+00:00
@prabhakar b , You can perform the steps mentioned below:

In Tenant A:
Create a app registration as multi-tenant application in tenant A (eg: TenantAAPI) and expose it as an API (api://app-id/app.read).

In Tenant B:

Try to access that TenantAAPI multi-tenant application using a user of Tenant B, so that the application gets added to Tenant B as a service principal.

Once the application TenantAAPI gets added to Tenant B, you should be able to see its entry under the Enterprise Registration section.

Create another App Registration in Tenant B (eg: TenantBApp).

In the API Permissions section of TenantBApp, you can add a permission: Add a Permission --> Select an API --> APIs my Organization Uses --> here search for the api of tenant A i.e TenantAAPI

Once you find the TenantAAPI, Add its exposed permission i.e app.read as it would be listed there.

In this way you can go ahead and make the api exposed in tenant A available in tenant B.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
Please sign in to rate this answer.
prabhakar b 36 Reputation points

2020-05-07T07:54:37.663+00:00

Hi @soumi-MSFT thank you,I followed the steps, I have small confusion about the first point "Try to access that TenantAAPI multi-tenant application using a user of Tenant B". In this step can you please help with sample URL to access tenant A.

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-05-08T07:37:20.417+00:00

@prabhakar b , Sure, I used the following url to test on my end:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={App Id of TenantAAPI}&response_type=code&redirect_uri={redirect URI for TenantAAPI}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345

Since, a user of tenant B would be logging here, so I used the Authorization Code Grant flow of OAuth and this is the first step from that flow, where I asked for a code from the /authorize endpoint of AAD. While you perform this step, it would ask you to consent for the permissions that you have asked for in the scope parameter of the request and once you provide the consent, the service principal for this corresponding application would get created in Tenant B

Hope this helps. Do let me know if any more queries around this, so that we can help you further.

Varun 1 Reputation point

2020-09-21T06:39:57.717+00:00

Hi @soumi-MSFT thanks for helping out. I have a similar requirement where an application registered in the customer's tenant (let's say Tenant A) has to access the API registered in my tenant(Tenant B).

I tried the steps that you mentioned in your comment with another tenant that I had for test purposes(Tenant C). I tried to access the web api registered in my main tenant(Tenant B) as mentioned before, with the account registered in Tenant C. However, I get an error on the login page which basically says:

"Selected user account does not exist in tenant 'Tenant B' and cannot access the application 'Tenant B client ID' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."

I am confused because, I have already registered the web API as multitenant but it still complains about the user not being registered in the same tenant. Any help will be appreciated.

Thanks.

soumi-MSFT 11,716 Reputation points Microsoft Employee

2020-09-21T13:20:34.333+00:00

@Varun , thank you for reaching out. So as I understand, you have a web api registered in tenant B that is a multitenant webapp/api and then you want to access it from tenant C.
So in this case, the steps remains the same for you too and just make sure, when you are accessing the webAPI to get registered in Tenant C, using the following URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={App Id of TenantAAPI}&response_type=code&redirect_uri={redirect URI for TenantAAPI}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345 make sure you login using the user of Tenant C. So that after the user of Tenant C logs in successfully the service-principal for that multi-tenant web api can get successfully registered in AAD of tenant C.

Hope this helps. Do let me know if any more queries around this, so that we can help you further.

Varun 16 Reputation points

2020-10-27T19:52:58.99+00:00

Hi @soumi-MSFT , your procedure worked for Azure Active Directory. Thanks for your help! I have another question regarding the B2C tenants, can we use the same procedure for B2C application to access an API in another tenant?

I went ahead and tried it with my B2C tenant, looks like the service principal gets created in the B2C tenant but I cannot get the access token for it from the user flow, it complains about the scope not being supported.

Thanks in advance!
Sign in to comment

In Azure AD, how to access an API registered as multi-tenant(Tenant-A) from another tenant (Tenant-B)

0 additional answers