Azure Function accessing resources from another tenant

Ano Acco 191 Reputation points
2023-03-10T11:33:19.46+00:00

Our tenant (let's call it Tenant A) acquired a small start-up - Tenant B.

We have an app - an Azure Function running under assigned Identity in Tenant A. It needs permissions in Tenant B. It's not a classic multi-tenancy scenario, because I do not expect Tenant C and D and so on... It's also acceptable if Users from Tenant A see the data from Tenant B.

How can I assign Graph Sites.ReadWrite.All permissions in Tenant B to my Tenant A app? Should I create an app registration for AzFunction in Tenant B? If yes, how do I assign it - "user-assigned identities" tab doesn't let me choose an ID that doesn't belong to Tenant A.


Accepted answer
    Andriy Bilous 10,996 Reputation points MVP
    2023-03-13T13:52:46.1466667+00:00

    Hello @Ano Acco

    There are two ways to achieve this: using App Registration or Federated Managed Identity.

    App Registration

    In order to assign Graph Sites.ReadWrite.All permissions in Tenant B to your Tenant A app, you will need to create an app registration for your Azure Function in Tenant

    Here are the steps you can follow:

    1) Register your Azure Function in Tenant B:
       a. Sign in to the Azure portal (https://portal.azure.com/) using an account with admin privileges in Tenant B.
       b. Navigate to "Azure Active Directory" > "App registrations" > "New registration".
       c. Provide a name for your app registration (e.g., "AzFunction-TenantB"), and then click "Register".
    2) Grant Graph Sites.ReadWrite.All permissions to the app registration in Tenant B:
       a. In the app registration page for "AzFunction-TenantB", go to "API permissions" > "Add a permission".
       b. Select "Microsoft Graph" and choose the "Application permissions" tab.
       c. Expand the "Sites" group and check the "Sites.ReadWrite.All" permission.
       d. Click "Add permissions" to save your changes.
    3) Grant admin consent for the permissions:
       a. Still in the "API permissions" tab, click on the "Grant admin consent for [Tenant B]" button. You'll need to be an admin in Tenant B to perform this action.
    4) Share the client ID and tenant ID with Tenant A:
       a. In the "Overview" tab of the "AzFunction-TenantB" app registration, make a note of the "Application (client) ID" and "Directory (tenant) ID" values.
    5) Configure your Azure Function in Tenant A to use the new app registration in Tenant B:
       a. Sign in to the Azure portal (https://portal.azure.com/) using an account with privileges to manage your Azure Function in Tenant A.
       b. Go to the Azure Function App, navigate to the "Configuration" tab, and update the following values:
          - TENANT_B_CLIENT_ID: Set this to the "Application (client) ID" from step 4.
          - TENANT_B_TENANT_ID: Set this to the "Directory (tenant) ID" from step 4.
    6) Update your Azure Function code to use the new app registration when calling Microsoft Graph:
       a. Use the new TENANT_B_CLIENT_ID and TENANT_B_TENANT_ID values when acquiring a token for Microsoft Graph. This will ensure that your Azure Function uses the app registration from Tenant B when calling the API.

    Federated Managed Identity

    https://svrooij.io/2022/12/16/poc-multi-tenant-managed-identity/#post
    https://blog.identitydigest.com/azuread-federate-mi/

    Note: You may also need to configure the necessary network and firewall settings to allow access to Tenant B from Tenant A.

    You may also want to consider granting the necessary permissions to users in Tenant A to access the data in Tenant B. This can be done using Azure AD B2B collaboration.

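Added example (not code from the answer above or from Microsoft) of step 6 in Python: the function reads the TENANT_B_* app settings and requests a Graph token from Tenant B's token endpoint, either with a client secret (assumed setting name TENANT_B_CLIENT_SECRET, which the answer does not specify) or with a client assertion, where the assertion is the token the Tenant A managed identity obtains for audience api://AzureADTokenExchange under the federated-credential setup described in the linked posts. The assertion path is the one worth preferring, since no Tenant B credential is stored in the function's configuration; the HTTP transport is injectable so the request shape can be checked offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Assertion type used when a federated credential (e.g. a managed identity token) is presented.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def token_endpoint(tenant_id: str) -> str:
    """Token endpoint of the tenant that owns the app registration (Tenant B)."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

def config_from_env(env: dict) -> dict:
    """Read the app settings named in the answer; TENANT_B_CLIENT_SECRET is an assumed name."""
    cfg = {k: env.get(k) for k in ("TENANT_B_CLIENT_ID", "TENANT_B_TENANT_ID")}
    missing = [k for k, v in cfg.items() if not v]
    if missing:
        raise KeyError(f"missing app settings: {missing}")
    cfg["TENANT_B_CLIENT_SECRET"] = env.get("TENANT_B_CLIENT_SECRET")  # None => use an assertion
    return cfg

def build_token_request(client_id, client_secret=None, client_assertion=None, scope=GRAPH_SCOPE):
    """Form fields for the client-credentials grant; exactly one credential kind is allowed."""
    if (client_secret is None) == (client_assertion is None):
        raise ValueError("provide exactly one of client_secret or client_assertion")
    fields = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope}
    if client_secret is not None:
        fields["client_secret"] = client_secret
    else:
        fields["client_assertion_type"] = JWT_BEARER
        fields["client_assertion"] = client_assertion
    return fields

def post_form(url, fields):
    """Default transport: POST the form-encoded fields and return the parsed JSON response."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def acquire_graph_token(tenant_id, client_id, *, client_secret=None, client_assertion=None,
                        transport=post_form):
    """Return a Graph access token issued by Tenant B for the Tenant B app registration."""
    fields = build_token_request(client_id, client_secret, client_assertion)
    body = transport(token_endpoint(tenant_id), fields)
    if body.get("token_type") != "Bearer" or not body.get("access_token"):
        raise RuntimeError(f"token request failed: {body.get('error_description', body)}")
    return body["access_token"]
```

The returned token carries the Sites.ReadWrite.All application permission consented in Tenant B, so send it as a Bearer header to Graph; in a real function, pass `os.environ` to `config_from_env`.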
