
Grant Admin Consent tenant wide for multi-tenant Azure AD B2C app

I've created a multi-tenant application in Azure AD B2C. Now let's say this application is made in tenant A and I want to allow this application to access users of tenant B; I have to provide admin consent for this.
The URL will be of the form https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}. I can sign in with a user that has the required permissions and give consent for this, and it's done.
What I've understood from the docs is that the above process creates a service principal in the specified tenant with the required permissions.
Is there a way to achieve this programmatically, or are there any APIs available for this?

azure-ad-b2c

@devendrasinghkhurana-5288 Thanks for using Microsoft Q&A !!

I do not think there is a way to do admin consent programmatically for multi-tenant applications. For single-tenant apps you could try to use oAuth2PermissionGrant to create a delegated permissions grant using Microsoft Graph, as mentioned in this blog.

Thanks
Saurabh



Thanks Saurabh for your answer, I've got a few doubts here.
1. By giving admin consent we are creating a service principal for the application in another tenant.
2. If 1. is correct, then is there a way I can create a service principal in another tenant programmatically? That would solve my purpose.

Another scenario: let's say the above is not possible, then is there an existing permission which allows a multi-tenant application to access users of different tenants?

Thanks




1 Answer


Hi @devendrasinghkhurana-5288,

  1. A service principal gets created by providing either admin or user consent. Please refer to the documentation.

  2. You can create a service principal in another tenant for a registered application by using the Azure CLI: az ad sp create --id <App Id>. But either user consent (if using delegated permissions) or global admin consent (if using application permissions) is required so that the service principal can access the resources.
    You can provide tenant-level consent from the Azure Portal by going to Azure AD > Enterprise applications > Your application > Permissions > Click "Grant admin consent for <tenant>".
    Once admin consent is granted, all API permissions will start showing under the Admin Consent tab (see screenshot below).

[Screenshot: 97608-image.png]

However, I do not see a way to do it automatically for a multi-tenant app. For single tenancy you can use az ad app permission admin-consent.

Please let me know if you have any other questions.

Thanks
Saurabh


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.






Hi @devendrasinghkhurana-5288,
I have not heard back from you. Did my answer solve your issue? If so, please mark as accepted answer. If not, please let me know how I may better assist.

Thanks
Saurabh

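The consent step itself stays interactive, as the answer says, but the part an app can automate is building the admin consent URL from the question and validating the redirect Azure AD sends back before provisioning anything for that tenant. The following is an added example, not code from the thread or from Microsoft; the redirect URI, client ID and callback query strings are constructed placeholders, and it assumes the redirect URI is registered on the app.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Unguessable per-request value; store it in the admin's session."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Build the tenant-wide admin consent URL from the question.

    `tenant` may be a tenant ID, or "common"/"organizations" for a multi-tenant
    app that learns the consenting tenant from the callback.
    """
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match a registered reply URL
        "state": state,
    })
    return f"{AUTHORITY}/{tenant}/adminconsent?{query}"


def parse_consent_callback(callback_url: str, expected_state: str):
    """Validate the redirect Azure AD sends after the admin accepts or declines.

    Returns (ok, tenant_id, error). The state check ties the callback to the
    request this app started; only admin_consent=True with a tenant id counts
    as a grant, so the app does not provision on a forged or declined callback.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        return False, None, "state mismatch"
    if "error" in qs:
        return False, None, qs["error"][0]
    if qs.get("admin_consent", [""])[0].lower() != "true":
        return False, None, "admin_consent not granted"
    tenant = qs.get("tenant", [None])[0]
    if not tenant:
        return False, None, "tenant missing from callback"
    return True, tenant, None
```

Once the callback validates, the returned tenant ID is the one the service principal was created in and the one to record for that customer.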