Is it possible to manipulate tenant from another tenant in Azure?

AliHasan
February 20, 2023
262 views
1 vote
2 Answers

I am new to Azure, and one question bothers me.

Is it possible to create a multi-tenant logic in Azure with one "General" AAD that contains function apps and other tenants (more than 20) that should use these apps to manipulate their own tenants?

For example, there is an app for managing users (UserManagement). When this function is "called" from another tenant (Tenant "B"), let’s say for adding a new user, it should add the user only in the called AAD (Tenant "B").

I try to accomplish this by storing app registration credentials in a table or service principal – app registration logic, but it has no effect.

Thank you .

Answers

- TinyWang
- February 20, 2023 at 10:04 am
- 0 votes
0
I did a test in my side with Azure AD Multi-tenant application with an asp.net core application, the feature is allowing users from different tenant to sign in then using Microsoft Graph API to query all the users.

My Azure AD application is registered in tenant A which is a multi-tenant application. Then I used user in tenant B to sign in the application, then the query result is that all the users in tenant B is listed in the query result.

Here’s the sample I followed. And in the contoller, my request is like this: var users = await _graphServiceClient.Users.Request().GetAsync();

Do not forget to set the tenant id as common for enabling the multi-tenant feature.

Login or Signup to reply.

- Rukmini
- February 20, 2023 at 12:19 pm
- 0 votes
0
I agree with @Tiny Wang, you need to create Multi-Tenant Azure AD Application to achieve your scenario.

I tried to reproduce the same in my environment and got the results as below:

I created an Azure AD Application in TenantA:

Now, I tried to sign-in with the TenantB user using the below authorize endpoint:
```
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
```
The user will be prompted the screen as below:

Once the user Accepts the consent, the TenantB user will be authorized successfully.

I generated the access token by using below parameters:
```
https://login.microsoftonline.com/organizations/oauth2/v2.0/token

grant_type:authorization_code
client_id:ClientID
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
```
If you want the Personal Microsoft accounts to access your App, then Register your application as below and make use of common endpoint:
- Based on your requirement, you can assign the Azure AD API Permissions and permit the users to access the Application.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.