Azure Function accessing resources from another tenant

Ano Acco 191 Reputation points
2023-03-10T11:33:19.46+00:00

Our tenant (let's call it Tenant A) acquired a small start-up - Tenant B.

We have an app - an Azure Function running under assigned Identity in Tenant A. It needs permissions in Tenant B. It's not a classic multi-tenancy scenario, because I do not expect Tenant C and D and so on... It's also acceptable if Users from Tenant A see the data from Tenant B.

How can I assign Graph Sites.ReadWrite.All permissions in Tenant B to my Tenant A app? Should I create an app registration for AzFunction in Tenant B? If yes, how do I assign it - "user-assigned identities" tab doesn't let me choose an ID that doesn't belong to Tenant A.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,215 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,633 questions
{count} votes

Accepted answer
  1. Andriy Bilous 10,896 Reputation points MVP
    2023-03-13T13:52:46.1466667+00:00

    Hello @Ano Acco

    There are two ways to achieve this:
    Using App Registration or Federated Managed Identity

    App Registration

    In order to assign Graph Sites.ReadWrite.All permissions in Tenant B to your Tenant A app, you will need to create an app registration for your Azure Function in Tenant

    Here are the steps you can follow:

    • 1)Register your Azure Function in Tenant B: a. Sign in to the Azure portal (https://portal.azure.com/) using an account with admin privileges in Tenant B. b. Navigate to "Azure Active Directory" > "App registrations" > "New registration". c. Provide a name for your app registration (e.g., "AzFunction-TenantB"), and then click "Register".
    • 2)Grant Graph Sites.ReadWrite.All permissions to the app registration in Tenant B: a. In the app registration page for "AzFunction-TenantB", go to "API permissions" > "Add a permission". b. Select "Microsoft Graph" and choose the "Application permissions" tab. c. Expand the "Sites" group and check the "Sites.ReadWrite.All" permission. d. Click "Add permissions" to save your changes.
    • 3)Grant admin consent for the permissions: a. Still in the "API permissions" tab, click on the "Grant admin consent for [Tenant B]" button. You'll need to be an admin in Tenant B to perform this action.
    • 4)(Share the client ID and tenant ID with Tenant A: a. In the "Overview" tab of the "AzFunction-TenantB" app registration, make a note of the "Application (client) ID" and "Directory (tenant) ID" values.
    • 5)Configure your Azure Function in Tenant A to use the new app registration in Tenant B: a. Sign in to the Azure portal (https://portal.azure.com/) using an account with privileges to manage your Azure Function in Tenant A. b. Go to the Azure Function App, navigate to the "Configuration" tab, and update the following values:
      TENANT_B_CLIENT_ID: Set this to the "Application (client) ID" from step 4.
      TENANT_B_TENANT_ID: Set this to the "Directory (tenant) ID" from step 4.
    • 6)Update your Azure Function code to use the new app registration when calling Microsoft Graph: a. Use the new TENANT_B_CLIENT_ID and TENANT_B_TENANT_ID values when acquiring a token for Microsoft Graph. This will ensure that your Azure Function uses the app registration from Tenant B when calling the API.

    Federated Managed Identity

    https://svrooij.io/2022/12/16/poc-multi-tenant-managed-identity/#post
    https://blog.identitydigest.com/azuread-federate-mi/

    Note: You may also need to configure the necessary network and firewall settings to allow access to Tenant B from Tenant A.

    You may also want to consider granting the necessary permissions to users in Tenant A to access the data in Tenant B. This can be done using Azure AD B2B collaboration.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful