How to allow external users to access Graph API in Azure portal without adding them to tenant

Hamza Iqbal 0 Reputation points
2023-05-01T13:53:03.6566667+00:00

Hi,
I just want to know how to allow external users to authenticate themselves using the Graph API without adding them to the tenant in the Azure portal?

Microsoft Security Microsoft Entra Microsoft Entra External ID
Microsoft Security Microsoft Entra Microsoft Entra ID
Microsoft Security Microsoft Authenticator
Microsoft Security Microsoft Graph

2 answers

Sort by: Most helpful
  1. CarlZhao-MSFT 46,366 Reputation points
    2023-05-02T06:39:00.98+00:00

    Hi @Hamza Iqbal

    If you want external users to sign in to your app and authenticate, you must configure your app as a multi-tenant app.


    Then use the auth code flow to interactively log the external user in through the browser to obtain an authorization code, and use that authorization code to redeem an access token for the Graph API.

    Note that you must change /{tenant id} to /common to allow external users to log in.

    1. Request an authorization code in the browser.

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id={client id}
    &response_type=code
    &redirect_uri={redirect_uri}
    &response_mode=query
    &scope=openid offline_access User.Read
    &state=12345

    2. Redeem the token (the token endpoint takes a POST with a form-encoded body).

    POST https://login.microsoftonline.com/common/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded

    client_id={client id}
    &scope=openid offline_access User.Read
    &code={code}
    &redirect_uri={redirect_uri}
    &grant_type=authorization_code
    &client_secret={client_secret}


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

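The two requests in the answer above, as an added example (not code from the answer or from Microsoft): a server-side helper that builds the /common authorize URL, checks the state on the callback, prepares the token POST, and reads the `tid` claim so the app can decide which tenants it accepts. Names such as `build_authorize_url`, `home_tenant` and the sample client id / redirect URI are assumptions for illustration.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
SCOPES = ["openid", "offline_access", "User.Read"]  # scopes used in the answer

def build_authorize_url(client_id, redirect_uri, state, tenant="common"):
    """Step 1: the browser redirect. tenant="common" is what lets users from
    other Microsoft Entra tenants sign in to a multi-tenant app."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(SCOPES), "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Pull the code out of the redirect back to redirect_uri; refuse it
    unless state echoes the value we generated (CSRF protection)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a response to our request")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]

def build_token_request(client_id, client_secret, code, redirect_uri, tenant="common"):
    """Step 2: endpoint and form body to POST (application/x-www-form-urlencoded)
    to redeem the code for access/refresh tokens. Server-side only: the
    client_secret must never reach the browser."""
    body = {"client_id": client_id, "scope": " ".join(SCOPES), "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code",
            "client_secret": client_secret}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urlencode(body)

def home_tenant(id_token):
    """Read the `tid` claim of the id_token returned next to the access token.
    With /common any tenant can sign in, so the app must decide which tenants
    it accepts. This only decodes; full JWT signature validation still applies."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]

def make_sample_id_token(tid):
    """Constructed, unsigned token used only to exercise home_tenant() offline."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg({'tid': tid})}.sig"
```

The token request is then sent with any HTTP client from the backend; the returned `id_token` goes through `home_tenant` (after signature validation) before the access token is used against Graph.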

  2. Konstantinos Passadis 19,586 Reputation points MVP
    2023-05-01T14:01:49.7233333+00:00

    Hello @hamza iqbal!

    Welcome to Microsoft QnA!

    To allow external users to authenticate themselves using Graph API without adding them to your Azure AD tenant in the Azure portal, you can use Azure AD B2B collaboration. Azure AD B2B collaboration allows you to invite external users to collaborate with your organization by granting them access to resources in your tenant.

    Here are the steps you can follow to allow external users to authenticate themselves using Graph API:

    1. Set up Azure AD B2B collaboration: In the Azure portal, go to Azure Active Directory > External Identities > B2B Collaboration and set up B2B collaboration for your tenant.

    2. Invite external users: In the Azure portal, go to Azure Active Directory > External Identities > B2B Collaboration > Invitation and invite external users to collaborate with your organization.

    3. Configure the application permissions: In the Azure portal, go to Azure Active Directory > App registrations and select your app registration for the Graph API. Under the API permissions section, add the necessary application permissions for the Graph API.

    4. Grant consent: Once you have configured the necessary application permissions, you need to grant consent to the external users to allow them to use the Graph API. You can do this by having the external users sign in to your app using their own credentials and grant consent to the required permissions.

    Once these steps are completed, the external users can use the Graph API to access the resources in your tenant that they have been granted access to through B2B collaboration. Note that the external users will need to authenticate themselves using their own credentials and will not have access to your Azure AD tenant in the Azure portal.

    Kindly mark this answer as Accepted in case it helped or post your feedback!

    Regards

