
Asked by SeshaphaniSingamsetti-3295

Create an application in a B2C tenant using another tenant's application through Graph API

I have created an application in one tenant and added the relevant API permissions to create an application programmatically. It creates the application in the same tenant, but it gives a problem while creating in another B2C tenant: I got the authorization_identitynotfound error message while creating the application.

azure-ad-b2c


1 Answer

Answered by soumi-MSFT

@SeshaphaniSingamsetti-3295, let's say we have two tenants, Tenant-A and Tenant-B. In Tenant-A we have the actual application that is responsible for creating another application in Tenant-B (the B2C tenant). To achieve this scenario, you need to register the application in Tenant-A as a multi-tenant app. Once the app is registered as a multi-tenant app in Tenant-A, it can be added to Tenant-B by logging in to this app with the credentials of a Tenant-B user. You can read more on Multi-Tenant Apps here.

Using this multi-tenant app, you can use the Graph API to create resources in Tenant-B.


SeshaphaniSingamsetti-3295 commented:

Hi Soumi-MSFT,

Thanks for your quick response.

Can I create the app in Tenant-B using the Tenant-A app's client ID and client secret, without using Tenant-B user credentials?

My requirement is to create a new B2C tenant. Under the new tenant we have to create an app and users using the Tenant-A app with the client_credentials grant type.



soumi-MSFT replied to SeshaphaniSingamsetti-3295:

@SeshaphaniSingamsetti-3295, you do not have to create the app registration in Tenant-B. What happens in a multi-tenant scenario is that you initially register an app in Tenant-A. When this app is registered in Tenant-A, you see two types of objects for this app in Tenant-A, i.e. an Application object and a Service Principal object. The Application object is what you see under the App Registration section, and the Service Principal object is what you see in the Enterprise Registration section of AAD. Now, when you access this app and log in with the credentials of Tenant-B, after providing consent for the permissions that the app uses, the service principal object of this app gets created automatically in Tenant-B. Though the admin of Tenant-B won't be able to make any changes to the configuration of this app, the admin can add specific users of that tenant to access the app or make it available for all the users in the org. In this way there is no need for any app registration to be created in Tenant-B. This is the power and beauty of multi-tenant apps.

SeshaphaniSingamsetti-3295 commented:

Thanks for your quick response.

While creating the users in the new B2C Tenant-B using the Tenant-A app client credentials, I got the following message: "The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization." Could you please help me on this?

If possible, could you please let me know a convenient time for scheduling a call? I will explain the process of creating the new tenant and users.

thanks,
Seshaphani

SeshaphaniSingamsetti-3295 commented:

Hi Soumi,

I am getting the Authorization_IdentityNotFound message while creating the user in Tenant-B using the client credentials grant type.

I am passing the below details to the create user REST API:

POST https://graph.microsoft.com/v1.0/users

Access token URL: https://login.microsoftonline.com/tenantB/oauth2/token
Scope: User.ReadWrite.All;Directory.ReadWrite.All;Directory.AccessAsUser.All

The client ID and client secret are the Tenant-A application's details.

Thanks in advance

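Editor's added example, not code from the thread or from Microsoft. The two errors quoted in the comments are the two things an app-only cross-tenant call has to get right. First, Authorization_IdentityNotFound means Graph found no service principal for the calling app in the tenant the token was issued for: the Tenant-A registration alone is not enough, a Tenant-B admin has to grant consent once (the /adminconsent URL built below), and that consent is what creates the service principal in Tenant-B. After that the Tenant-A client ID and secret are sent to Tenant-B's token endpoint. The v2.0 endpoint used here takes scope=https://graph.microsoft.com/.default rather than a list of permissions; the /oauth2/token v1.0 endpoint in the last comment would take resource=https://graph.microsoft.com instead, and Directory.AccessAsUser.All is a delegated permission that a client-credentials token can never carry. Second, the userPrincipalName message means the UPN's domain is not a verified domain of Tenant-B; for B2C local accounts the usual approach is to omit the UPN and describe the sign-in identity in the identities property, as the user payload below does. All IDs, secrets, tenant names, the placeholder password and the injectable post transport are my assumptions.

```python
# Editor's added example, not code from the thread. Real: login/Graph URLs,
# OAuth 2.0 v2.0 parameters, Graph payload shapes. Assumed: every id, secret
# and tenant name below, and the injectable `post` transport.
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Tuple
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"
TENANT_A_CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # assumed
TENANT_A_CLIENT_SECRET = "<tenant-A-app-client-secret>"       # assumed
TENANT_B = "contosob2c.onmicrosoft.com"                        # assumed B2C tenant

Post = Callable[[str, bytes, Dict[str, str]], Tuple[int, Dict[str, Any]]]

def admin_consent_url(tenant_b: str, client_id: str, redirect_uri: str) -> str:
    """One-time browser step for a Tenant-B admin. Consent creates the app's
    service principal in Tenant-B; until it exists, app-only Graph calls for
    Tenant-B fail with Authorization_IdentityNotFound."""
    return f"{LOGIN}/{tenant_b}/adminconsent?" + urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri})

def token_request(tenant_b: str, client_id: str, secret: str) -> Dict[str, Any]:
    """Client-credentials request to Tenant-B's v2.0 token endpoint: Tenant-B
    must mint the token, and app-only flows ask for .default; the concrete
    application permissions were fixed when the Tenant-B admin consented."""
    return {"url": f"{LOGIN}/{tenant_b}/oauth2/v2.0/token",
            "form": {"grant_type": "client_credentials", "client_id": client_id,
                     "client_secret": secret,
                     "scope": "https://graph.microsoft.com/.default"}}

def application_payload(display_name: str, redirect_uris: List[str]) -> Dict[str, Any]:
    """Body for POST /applications in Tenant-B (needs Application.ReadWrite.All)."""
    return {"displayName": display_name, "web": {"redirectUris": redirect_uris}}

def b2c_local_user_payload(display_name: str, email: str, tenant_b: str,
                           password: str) -> Dict[str, Any]:
    """Body for POST /users creating a B2C local account. No userPrincipalName
    is sent: Graph derives one under Tenant-B's onmicrosoft.com domain, which
    sidesteps 'domain portion of the userPrincipalName is invalid' in a tenant
    without a verified custom domain. issuer is the tenant's onmicrosoft.com name."""
    return {"displayName": display_name,
            "identities": [{"signInType": "emailAddress", "issuer": tenant_b,
                            "issuerAssignedId": email}],
            "passwordProfile": {"password": password,
                                "forceChangePasswordNextSignIn": False},
            "passwordPolicies": "DisablePasswordExpiration"}

def _urllib_post(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Default transport; Graph error bodies are JSON, so decode those too."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def get_app_token(tenant_b: str, client_id: str, secret: str, post: Post = _urllib_post) -> str:
    req = token_request(tenant_b, client_id, secret)
    status, body = post(req["url"], urlencode(req["form"]).encode(),
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token request failed ({status}): {body}")
    return body["access_token"]

def graph_create(token: str, resource: str, payload: Dict[str, Any],
                 post: Post = _urllib_post) -> Dict[str, Any]:
    """POST to /v1.0/{resource}; surface Graph's error code (for example
    Authorization_IdentityNotFound) rather than a bare HTTP status."""
    status, body = post(f"{GRAPH}/{resource}", json.dumps(payload).encode(),
                        {"Authorization": f"Bearer {token}",
                         "Content-Type": "application/json"})
    if status not in (200, 201):
        err = body.get("error", {})
        raise RuntimeError(f"POST /{resource} failed ({status}): "
                           f"{err.get('code')}: {err.get('message')}")
    return body

if __name__ == "__main__":  # live run: consent first, then token and objects
    print("consent:", admin_consent_url(TENANT_B, TENANT_A_CLIENT_ID, "https://localhost/done"))
    tok = get_app_token(TENANT_B, TENANT_A_CLIENT_ID, TENANT_A_CLIENT_SECRET)
    print(graph_create(tok, "applications", application_payload("From Tenant-A", ["https://localhost/cb"]))["appId"])
    print(graph_create(tok, "users", b2c_local_user_payload("Alice Example", "alice@example.com", TENANT_B, "Chang3-me-now!"))["id"])  # placeholder password
```

The post argument exists so the request shapes can be checked offline; against real endpoints run the block as a script after the consent step. If the token call succeeds but the Graph call still returns Authorization_IdentityNotFound, decode the access token and check its tid claim: a token minted by Tenant-A's endpoint identifies the app in Tenant-A, and Graph will look for the service principal there, not in the B2C tenant.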