Authentication & communication between backend applications on different Azure tenants

Jarod Kurland 146 Reputation points
2022-10-27T08:14:02.373+00:00

Originally posted this here, but reposting here for visibility.

I have a regular 'primary' tenant for an organization that contains multiple internal applications. I'll refer to this as tenant A.
For the same (physical) company, I have set up a B2C tenant in Azure, which will host a public-facing/external application. I'll refer to this as tenant B.

For the application under tenant B, I'm looking to facilitate the communication for its backend to call the backend of another application under tenant A.

  • I would have exposed an API on the application for tenant A, and given the App Registration under tenant B the permission to use said API; however, this can't be done as they're in different tenants.
  • What I'm thinking of doing, for now, is creating a separate App Registration in tenant A, which the backend of the application in tenant B will get an auth token for using a daemon auth flow (since it's application-to-application communication), but this seems a little unnecessary.

Is this setup possible?

Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-10-31T15:28:51.387+00:00

    Hi @Jarod Kurland ,

    Thanks for reaching out.

    This can be achieved using multi-tenancy. Both applications need to be registered as multi-tenant applications.

    In Tenant A - Create an app registration as multi-tenant application in tenant A (eg: TenantA) and expose it as an API (api://app-id) and add the app roles in the application.


    In Tenant B - Create an app registration as multi-tenant application in tenant B and note the client-id of the application.


    The client id of the application in Tenant B needs to be added to the known client applications in the manifest of the application registered in tenant A.


    Then you need to consent to the application and its permissions in Tenant B to create the service principal, using https://login.microsoftonline.com/common/adminconsent?client_id=<clientIdOfTenantA>&redirect_uri=<redirectURIOfTenantA>


    In Tenant B, the service principal of the Tenant A application has been created under Enterprise applications.

    Now the Tenant A application is available in Tenant B. You can go ahead and make the API exposed in tenant A available to tenant B.


    Hope this will help.

    Thanks,
    Shweta

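The steps above leave the tenant A API as the enforcement point once the tenant B backend presents an app-only (client credentials) token issued by tenant B's Entra authority. The checks below are an added example written for this thread, not code from the answer or from Microsoft: the claim names (`aud`, `tid`, `appid`/`azp`, `roles`, `scp`) are the standard Entra access token claims, while the tenant, client and role values are constructed placeholders, and signature/expiry verification against the Entra JWKS is assumed to have already happened.

```python
# Added example: claim checks an API in tenant A should apply to an app-only
# token presented by the tenant B backend in the multi-tenant setup above.
# Assumes signature and expiry were already verified against the Entra JWKS;
# the claim dicts below are constructed sample data, not real tokens.
from dataclasses import dataclass, field


@dataclass
class ApiPolicy:
    audience: str              # identifier URI exposed by the tenant A app (api://<app-id>)
    allowed_tenants: set       # tenant ids whose service principals may call this API
    known_clients: set         # client ids listed as knownClientApplications in tenant A
    required_roles: set = field(default_factory=set)  # app roles defined on the tenant A app


def validate_app_token(claims: dict, policy: ApiPolicy) -> tuple:
    """Return (ok, reason). A daemon token carries no user, so 'roles' (not 'scp') is checked."""
    if claims.get("aud") != policy.audience:
        return False, "audience mismatch"
    # The token is issued by the caller's tenant, so 'tid' is the cross-tenant control:
    # a multi-tenant app can be consented in any tenant, only listed ones may call in.
    if claims.get("tid") not in policy.allowed_tenants:
        return False, "caller tenant not allowed"
    # v1.0 tokens carry the calling client id in 'appid', v2.0 tokens in 'azp'
    client_id = claims.get("appid") or claims.get("azp")
    if client_id not in policy.known_clients:
        return False, "unknown client application"
    if "scp" in claims:
        return False, "delegated (user) token presented to app-only endpoint"
    missing = policy.required_roles - set(claims.get("roles", []))
    if missing:
        return False, "missing app roles: " + ", ".join(sorted(missing))
    return True, "ok"


# Constructed placeholder ids, not real tenant or application ids.
POLICY = ApiPolicy(
    audience="api://TENANT-A-APP-ID",
    allowed_tenants={"TENANT-B-ID"},
    known_clients={"TENANT-B-CLIENT-ID"},
    required_roles={"Data.Read"},
)


def sample_good_claims() -> dict:
    """Constructed claims of a well-formed app-only token from the tenant B backend."""
    return {"aud": "api://TENANT-A-APP-ID", "tid": "TENANT-B-ID",
            "appid": "TENANT-B-CLIENT-ID", "roles": ["Data.Read"]}


if __name__ == "__main__":
    print(validate_app_token(sample_good_claims(), POLICY))
```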

