@PRUTHWIRAJ JAGADALE
Thank you for your time and patience! I received an update from my team regarding this and will post the update below.
Update:
Question 1: I have a chain of 100 App registrations; do I then need to give permission to all 99 Apps in the 100th App to access those?
- Theoretically, yes, you'll need to give permission to all the middle-tier applications. As you're using a chain of apps/APIs, the client must require access to all APIs in the chain, no matter if it uses them directly or not. Also, do not forget that you're using multi-tenant apps here. Depending on the architecture or usage of the application, you may consider the following strategies to optimize the flow. The ultimate goal is to ensure proper consent is given so that the client apps can call the middle-tier apps, and the middle-tier app has permission to call the back-end resource. For more info.
Question 2: I don't want to give direct access to App C from App A. App C should not be accessible using the token generated for App A. Using your approach, is it possible?
- The above is not possible using this approach. But you can explore the Conditional Access developer guide, which talks about a similar scenario.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.