PME tenant Web App authentication/authorization through Microsoft tenant app registration

Yuchen Tang 0 Reputation points Microsoft Employee
2024-06-19T03:51:06.8733333+00:00

Hi there,

I have a web app deployed in the Microsoft tenant. I also have a service principal and app registration in the Microsoft tenant with several app roles and API permissions, as shown below:

I have assigned those roles to a lot of users, groups and applications in the Microsoft tenant. The app registration has been set up in the web app's authentication settings as an identity provider, and I can see the claims in my app as below (response from /.auth/me):

Now we are asked to migrate our web app to the PME tenant. We recreated the web app and deployed the app with the same code in a PME tenant subscription. We created a new app registration and service principal in the PME tenant and set it up as multi-tenant to allow users in the Microsoft tenant to log in to our app in PME with their microsoft.com user accounts. The authentication settings are as below:

App registration in the PME tenant:

I can now log in to my app deployed in PME successfully with my microsoft.com account. However, the problem is that all the app roles are missing from the token:

My app's users and groups all exist in the Microsoft tenant, and it's not possible for me to set up these roles again in the PME tenant. So, can I use the app registration in the Microsoft tenant as my authentication/authorization provider in the PME web app? This way, I can continue to use the app roles and API permissions of the Microsoft tenant's app registration.

  1. Raja Pothuraju 1,190 Reputation points Microsoft Vendor
    2024-06-20T18:43:44.9833333+00:00

    Hello @Yuchen Tang,

    Thank you for posting your query on Microsoft Q&A.

    Based on your explanation, I understand that you have an existing application under the Microsoft tenant with app roles added to it, which have been assigned to many users, groups, and applications within the Microsoft tenant. When users sign in to the application configured in the Microsoft tenant, all assigned roles are included in the token.

    Now, you have moved the application from the Microsoft tenant to the PME tenant by recreating the web app and deploying it with the same code in the PME tenant. You have created a new app registration and service principal in the PME tenant, enabling it for multi-tenant users to access the application ("Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)"). Consequently, users in the Microsoft tenant can log into your app, which is created in the PME tenant, using their Microsoft.com user accounts.

    I understand that all your application users and groups exist from the Microsoft tenant. Therefore, you are looking to use the same app roles and API permissions that already existed in the Microsoft tenant’s app registration as an authentication/authorization provider in the PME web app/PME tenant app registration. This way, when any Microsoft.com tenant user logs into your PME tenant application, the app roles will be passed similarly to how they were in the Microsoft tenant.

    It is not possible to pass the app roles assigned in the Microsoft tenant application to the PME tenant application. In your PME tenant application, Microsoft tenant users are accessing it as a multi-tenant application only. However, there is no mechanism to pass the Microsoft tenant application app role information to your PME tenant application when they authenticate.

    "can I use the app registration in the Microsoft tenant as my authentication/authorization provider in the PME web app?"

    No, at present, it is not possible to achieve your end goal as explained above.

    "it's not possible for me to set up these roles again in the PME tenant."

    I agree that setting up all those app roles again in the PME tenant application will be a significant task. However, to pass those app roles in the claim when a user authenticates, you will need to set up those roles again in the PME tenant.

    Hope this includes all the information that you were looking for.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.
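The practical consequence of the situation described in the question and confirmed in the answer is that, after the move, the id_token surfaced by App Service authentication carries no `roles` claim at all, so any role-gated code path in the app must fail closed rather than treat the user as a role-less but otherwise valid member. The following is an added example, not code from the original post or from Microsoft: it flattens a `/.auth/me` response into a claims map and makes an authorization decision that rejects tokens whose `aud` is not this app's client ID and tokens with no `roles` claim. The claim type names, the two sample payloads and the GUID-shaped identifiers are constructed for the example.

```python
import json

# Claim types as they appear in the user_claims list of /.auth/me. These
# names are assumptions for this example; confirm them against your own
# /.auth/me output.
AUD_CLAIM = "aud"
ROLES_CLAIM = "roles"
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"

# Constructed client IDs for the two app registrations in the thread
# (placeholders, not real application IDs).
MS_TENANT_APP_ID = "11111111-1111-1111-1111-111111111111"
PME_TENANT_APP_ID = "22222222-2222-2222-2222-222222222222"
MS_TENANT_ID = "aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa"

# Constructed /.auth/me payload from the original deployment: the token is
# issued for the Microsoft-tenant app registration and carries app roles.
SAMPLE_BEFORE = [{
    "provider_name": "aad",
    "user_id": "user@microsoft.com",
    "user_claims": [
        {"typ": AUD_CLAIM, "val": MS_TENANT_APP_ID},
        {"typ": TENANT_CLAIM, "val": MS_TENANT_ID},
        {"typ": ROLES_CLAIM, "val": "Reader"},
        {"typ": ROLES_CLAIM, "val": "Admin"},
    ],
}]

# Constructed payload from the PME deployment: same home tenant for the
# user, but the token is issued for the PME app registration, which has no
# role assignments, so the roles claim is simply absent.
SAMPLE_AFTER = [{
    "provider_name": "aad",
    "user_id": "user@microsoft.com",
    "user_claims": [
        {"typ": AUD_CLAIM, "val": PME_TENANT_APP_ID},
        {"typ": TENANT_CLAIM, "val": MS_TENANT_ID},
    ],
}]


def claims_from_auth_me(payload):
    """Flatten a /.auth/me payload into {claim_type: [values]}.

    /.auth/me returns a JSON array with one entry per identity provider;
    each entry has a 'user_claims' list of {'typ', 'val'} objects, and a
    multi-valued claim such as 'roles' appears once per value.
    """
    entries = json.loads(payload) if isinstance(payload, str) else payload
    claims = {}
    for entry in entries:
        for c in entry.get("user_claims", []):
            claims.setdefault(c["typ"], []).append(c["val"])
    return claims


def authorize(claims, expected_app_id, required_role):
    """Fail-closed role check. Returns (allowed, reason).

    The token must have been issued for this app (aud == our client ID),
    must carry at least one roles claim, and that claim must contain the
    required role. A token with no roles claim is denied, not downgraded.
    """
    aud = claims.get(AUD_CLAIM, [])
    if expected_app_id not in aud:
        return False, "token audience %r is not this app" % (aud,)
    roles = claims.get(ROLES_CLAIM)
    if not roles:
        return False, "no roles claim in token"
    if required_role not in roles:
        return False, "missing required role %s" % required_role
    return True, "ok"


def decide(payload, expected_app_id, required_role):
    """Convenience wrapper: parse then authorize."""
    return authorize(claims_from_auth_me(payload), expected_app_id, required_role)


if __name__ == "__main__":
    print("before migration:", decide(SAMPLE_BEFORE, MS_TENANT_APP_ID, "Admin"))
    print("after migration: ", decide(SAMPLE_AFTER, PME_TENANT_APP_ID, "Admin"))
```

Running it shows the original deployment granting `Admin` and the PME deployment being denied with "no roles claim in token", which is the signal to surface to operators rather than to hide behind a generic login success. The audience check also catches the case where a token minted for the old app registration is replayed against the new one.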