SashinSahasra-8499 asked:

Do multi-tenant applications give the ability to manage resources in users' accounts (tenants) individually, on their own?

I want to create an application using the Java SDK that can create storage accounts on Azure. Currently I'm using tenant_id, client_id, client_secret and subscription_id to get access to the user's tenant. My current approach is to do this by registering the application as multi-tenant. So, if I provide this application to users from different tenants, will the storage account be created in their tenants separately? Also, can they get access to the resources in my tenant?




Tags: azure-active-directory, azure-cloud-services, azure-rbac

1 Answer

amanpreetsingh-msft answered:

Hi @SashinSahasra-8499, thank you for reaching out.

When you create a multi-tenant application (e.g. App001) in tenant1 and users of tenant2 access that application, a service principal corresponding to App001 gets created in tenant2. Tenant2 can then issue a token with audience App001's App ID URI, and only App001 can consume the token.

In order to create resources (e.g. a Storage Account) in Azure, the audience must be https://management.core.windows.net/, which you cannot get in the context of the service principal created in tenant2 corresponding to App001.

Can they get access to the resources in my tenant?
No, the users will not be added to your tenant when they access a multi-tenant application. So you can't use RBAC to grant them access to the resources in the subscription linked to your tenant.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @SashinSahasra-8499, just checking if you have any further questions.

"The tenant2 can then issue token with audience App001's App ID URI and only App001 can consume the token." Can you please explain this further?

I want to create this type of architecture: https://miro.medium.com/max/749/1*1gJoOjs-meGUk8btzxtsSw.png (same application, separate resources).
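As an added illustration of the audience point in the answer (this is example code, not part of the thread or of any Microsoft SDK): a small check that inspects a token's aud and tid claims before it is used against Azure Resource Manager, so that a token issued for App001's App ID URI is recognised as unusable for creating resources, and a token from the wrong tenant is caught. The tokens below are constructed and unsigned, and the tenant ID and App ID URI are placeholders.

```python
import base64
import json
import time

# The audience Azure Resource Manager requires, as quoted in the answer.
ARM_AUDIENCE = "https://management.core.windows.net/"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return a compact JWT's payload claims WITHOUT verifying the signature.
    Inspection only: ARM validates the signature itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_arm_token(token, expected_tenant, now=None):
    """List the reasons a token cannot be used to create resources in
    expected_tenant's subscription; an empty list means it passes."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != ARM_AUDIENCE:
        problems.append("audience is %r, ARM requires %r"
                        % (claims.get("aud"), ARM_AUDIENCE))
    if claims.get("tid") != expected_tenant:  # tid = issuing tenant
        problems.append("issued by tenant %r, expected %r"
                        % (claims.get("tid"), expected_tenant))
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_token(claims):
    """Build a constructed, unsigned (alg=none) JWT for the demo values."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return "%s.%s." % (header, _b64url_encode(json.dumps(claims).encode()))


# Constructed samples: placeholder tenant ID and App ID URI, not real values.
TENANT2 = "00000000-0000-0000-0000-000000000002"
APP_TOKEN = make_unsigned_token({"aud": "api://app001", "tid": TENANT2, "exp": 4102444800})
ARM_TOKEN = make_unsigned_token({"aud": ARM_AUDIENCE, "tid": TENANT2, "exp": 4102444800})
```

Calling check_arm_token(APP_TOKEN, TENANT2) reports the audience mismatch, while check_arm_token(ARM_TOKEN, TENANT2) returns an empty list.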