Integration: Azure AD tenant and other IDP using Client Credentials Flow

Subramanyam k 251 Reputation points
2020-12-04T13:15:16.663+00:00

Hi

We have two Azure AD tenants (A and B). We created an API in Tenant-A (multitenant) and exposed a scope (api://tenant-A/application.Write). We have created a client application in Tenant B.

In this process we will create a service principal of Tenant A in Tenant B.

What if Tenant B is not Azure AD (any other IDP)? What would be the procedure in this process to create the service principal and get the access token to access the API in Tenant A?

The flow we want to follow is: Client Credential Flow

Thanks,
Subbu

Microsoft Entra ID

Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-12-04T13:39:15.907+00:00

    Hello @Subramanyam k, thank you for reaching out. For a third-party IDP, it would depend on their app model and architecture. In an ideal scenario, when we register and expose an API in Azure AD, it means that we are protecting that API using Azure AD. Hence, we need to request an access token from Azure AD to access this API exposed on AAD.

    If you take the example of Microsoft Graph API, it is also an AAD-protected API, and to access Microsoft Graph API, we don't need its service principal to be registered in the other tenant where the client app is registered. You just need to fetch an access token from AAD and then send that access token as the bearer and access the Graph API.

    Similarly, in your scenario too, you just need the API to be exposed in Tenant-A, and the other Tenant-B, where your client app is registered, can straightaway reach out to the AAD of Tenant-A and ask for an access token using the Client_Credentials flow (for this, make sure your app is registered in Tenant-A) and the client app hosted in Tenant-B.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as an answer if the above response helped in answering your query.
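
The token request described in the answer above, as an added example that is not part of the original answer or Microsoft's own code: it builds the client-credentials request to Tenant-A's v2.0 token endpoint and shows the claim checks the API side would apply. The tenant ID, client ID, secret placeholder and the `Application.Write` app role are assumptions for illustration; only the `api://tenant-A` App ID URI comes from the question.

```python
import urllib.parse
import urllib.request

# Placeholder values (assumptions for illustration, not taken from the thread).
TENANT_A = "00000000-0000-0000-0000-00000000000a"   # Tenant-A directory ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # client app known to Tenant-A
APP_ID_URI = "api://tenant-A"                       # App ID URI from the question


def build_token_request(tenant, client_id, client_secret, app_id_uri):
    """Build, without sending, the client-credentials request to Tenant-A."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # This flow takes the resource's /.default scope; a named scope such
        # as application.Write is rejected by the v2.0 token endpoint.
        "scope": app_id_uri.rstrip("/") + "/.default",
    }
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def api_accepts(claims, tenant, audiences, required_role):
    """Claim checks for the API, run only after the JWT signature is verified."""
    return (
        claims.get("aud") in audiences                # token was issued for this API
        and claims.get("tid") == tenant               # issued by Tenant-A
        and required_role in claims.get("roles", [])  # app-only tokens carry roles
    )


if __name__ == "__main__":
    req = build_token_request(TENANT_A, CLIENT_ID, "<client-secret>", APP_ID_URI)
    print(req.get_method(), req.full_url)
    # Constructed sample payload; "Application.Write" is a hypothetical app role.
    sample = {"aud": APP_ID_URI, "tid": TENANT_A, "roles": ["Application.Write"]}
    print(api_accepts(sample, TENANT_A, {APP_ID_URI}, "Application.Write"))
```

Tokens obtained this way carry application permissions in the `roles` claim rather than delegated scopes in `scp`, so the API should authorize on an app role assigned to the client.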

