How do I give access to my tenant using graph API to another account that has a multitenant app registration

Paolo Grimaldi 25 Reputation points
2024-08-08T17:39:38.1366667+00:00

I want to create an AppRegistration on Tenant A and specify delegated permissions over the graph API and Exchange Online, and then have an OAuth 2 flow so that another user from tenant B can grant the authorization over his graph API using GDAP.

I've seen this is possible if tenant A is a CSP (Partner) account; is it possible any other way?

Microsoft Security Microsoft Entra Microsoft Entra ID
Microsoft Security Microsoft Graph

2 answers

Sort by: Most helpful
  1. CarlZhao-MSFT 46,371 Reputation points
    2024-08-09T10:14:09.2866667+00:00

    Hi @Paolo Grimaldi

    I’m not sure if I understood you correctly. Are you trying to share your multi-tenant application with users from Tenant B so they can log in and access Tenant B’s resources, or do you want users from Tenant B to log in to your multi-tenant application to access your tenant’s (Tenant A’s) resources?

    If you want to share your multi-tenant application with users from Tenant B so they can log in and access Tenant B’s resources, you need to run the admin consent URL in the browser and have Tenant B’s global administrator log in and grant consent. After that, the multi-tenant application will be added as an enterprise application to Tenant B, and users from Tenant B will be able to log in to the application and have the necessary permissions.

    https://login.microsoftonline.com/{tenant id of the tenant B}/adminconsent?client_id={client-id}
    
    https://login.microsoftonline.com/{id of the tenant B}/oauth2/v2.0/authorize?
    client_id={id of the multi-tenant app}
    &response_type=code
    &redirect_uri={redirect_uri}
    &response_mode=query
    &scope=https://graph.microsoft.com/.default
    &state=12345
    

    If you want users from Tenant B to log in to your multi-tenant application to access your tenant’s (Tenant A’s) resources, you must invite users from Tenant B to your tenant (Tenant A) as guests, and then they can log in to your application as guests.

    https://login.microsoftonline.com/{id of the tenant A}/oauth2/v2.0/authorize?
    client_id={id of the multi-tenant app}
    &response_type=code
    &redirect_uri={redirect_uri}
    &response_mode=query
    &scope=https://graph.microsoft.com/.default
    &state=12345
    

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
    2024-08-12T16:19:01.6+00:00

    Hi @Paolo Grimaldi

    Thank you for reaching us!

    I understand that you would like to delegate tenant A application access to tenant B.

    To achieve this, register a multi-tenant app in tenant A and assign the necessary API permissions for Microsoft Graph.
    Post which, grant tenant-wide admin consent to the application.

    Once the admin of Tenant B grants consent, your application will be added as an enterprise application in Tenant B, and you will have the necessary permissions to access Tenant B’s resources.
    On the other side, to answer your questions:

    1. No, it is not limited to CSP accounts. Any Azure AD tenant can register an application and use the OAuth flow to access resources in other tenants, provided that the user in Tenant B consents to the permissions requested by the application.
    2. Yes, you can achieve this without adding the user as a guest. The OAuth 2.0 flow allows users from Tenant B to grant permissions directly to your application without needing to invite them as guests in Tenant A.

    Reference: https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
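The URL-building and callback-handling flow that both answers describe (tenant-wide admin consent from Tenant B's administrator, then the authorization-code request against Tenant B's v2.0 endpoint and the code-for-token exchange), as an added Python example. This is not code from either answerer or from Microsoft; the tenant ID, client ID, client secret, redirect URI and callback query strings are constructed placeholders, and the example assumes the app is registered as a confidential client with a client secret. It adds the two checks the answers do not spell out: the `state` value is bound to the session that started the flow, and the consenting tenant in the admin-consent callback is compared against the tenant that was asked to consent.

```python
"""Added example: build and validate the multi-tenant admin-consent and
authorization-code URLs from the answers above. All identifiers here are
constructed placeholders (assumption), not values from a real tenant."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

# Constructed placeholders; the real ones come from the app registration in tenant A.
TENANT_B_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://app.example.com/auth/callback"


def new_state() -> str:
    """Unguessable per-request state; ties the callback to the session that began the flow."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Tenant-wide admin consent URL for tenant B (first URL in the accepted answer).
    Pinning tenant B's ID instead of 'common' means only that tenant's admin can consent here."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORITY}/{tenant_id}/adminconsent?{query}"


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str, state: str,
                        scope: str = GRAPH_DEFAULT_SCOPE) -> str:
    """Authorization-code request against tenant B's v2.0 endpoint, as in the answer."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?{query}"


def _query_params(callback_url: str) -> dict:
    """Flatten the callback query string to single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}


def parse_admin_consent_callback(callback_url: str, expected_state: str, expected_tenant: str) -> bool:
    """Validate the redirect sent after admin consent. True only when the state matches
    the session and the consenting tenant is the tenant we asked to consent."""
    params = _query_params(callback_url)
    if "error" in params:
        raise PermissionError(f"consent failed: {params['error']}: {params.get('error_description', '')}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if params.get("tenant") != expected_tenant:
        raise ValueError("consent came from an unexpected tenant")
    return params.get("admin_consent", "").lower() == "true"


def parse_auth_code_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, rejecting error responses and state mismatches."""
    params = _query_params(callback_url)
    if "error" in params:
        raise PermissionError(f"authorization failed: {params['error']}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "code" not in params:
        raise ValueError("callback carried no authorization code")
    return params["code"]


def build_token_request(tenant_id: str, client_id: str, client_secret: str, code: str,
                        redirect_uri: str, scope: str = GRAPH_DEFAULT_SCOPE):
    """URL and form body for the code-for-token exchange at tenant B's v2.0 token endpoint.
    The POST itself is left to the caller; redirect_uri must match the one sent to /authorize."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }
    return url, body


if __name__ == "__main__":
    state = new_state()
    print(build_admin_consent_url(TENANT_B_ID, CLIENT_ID, REDIRECT_URI, state))
    print(build_authorize_url(TENANT_B_ID, CLIENT_ID, REDIRECT_URI, state))
```

Using tenant B's ID in the authority path rather than `common` or `organizations` is the part that keeps the flow scoped to the tenant whose admin consented: tokens then come from tenant B's issuer, and a consent or sign-in from any other tenant is rejected by the callback checks above. The token response must still be validated as usual (signature against the Entra JWKS, `aud`, `tid`, `exp`) before the access token is used against Graph.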

