Hello @Ano Acco
There are two ways to achieve this:
Using App Registration or Federated Managed Identity
App Registration
In order to assign Graph Sites.ReadWrite.All permissions in Tenant B to your Tenant A app, you will need to create an app registration for your Azure Function in Tenant
Here are the steps you can follow:
1) Register your Azure Function in Tenant B:
   a. Sign in to the Azure portal (https://portal.azure.com/) using an account with admin privileges in Tenant B.
   b. Navigate to "Azure Active Directory" > "App registrations" > "New registration".
   c. Provide a name for your app registration (e.g., "AzFunction-TenantB"), and then click "Register".
2) Grant Graph Sites.ReadWrite.All permissions to the app registration in Tenant B:
   a. In the app registration page for "AzFunction-TenantB", go to "API permissions" > "Add a permission".
   b. Select "Microsoft Graph" and choose the "Application permissions" tab.
   c. Expand the "Sites" group and check the "Sites.ReadWrite.All" permission.
   d. Click "Add permissions" to save your changes.
3) Grant admin consent for the permissions:
   a. Still in the "API permissions" tab, click on the "Grant admin consent for [Tenant B]" button. You'll need to be an admin in Tenant B to perform this action.
4) Share the client ID and tenant ID with Tenant A:
   a. In the "Overview" tab of the "AzFunction-TenantB" app registration, make a note of the "Application (client) ID" and "Directory (tenant) ID" values.
5) Configure your Azure Function in Tenant A to use the new app registration in Tenant B:
   a. Sign in to the Azure portal (https://portal.azure.com/) using an account with privileges to manage your Azure Function in Tenant A.
   b. Go to the Azure Function App, navigate to the "Configuration" tab, and update the following values:
      - TENANT_B_CLIENT_ID: Set this to the "Application (client) ID" from step 4.
      - TENANT_B_TENANT_ID: Set this to the "Directory (tenant) ID" from step 4.
6) Update your Azure Function code to use the new app registration when calling Microsoft Graph:
   a. Use the new TENANT_B_CLIENT_ID and TENANT_B_TENANT_ID values when acquiring a token for Microsoft Graph. This will ensure that your Azure Function uses the app registration from Tenant B when calling the API.
Federated Managed Identity
https://svrooij.io/2022/12/16/poc-multi-tenant-managed-identity/#post
https://blog.identitydigest.com/azuread-federate-mi/
Note: You may also need to configure the necessary network and firewall settings to allow access to Tenant B from Tenant A.
You may also want to consider granting the necessary permissions to users in Tenant A to access the data in Tenant B. This can be done using Azure AD B2B collaboration.
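The token acquisition in steps 5 and 6, plus a sanity check on the token before it is sent to Graph, as an added Python example (not code from the answer above or from the linked blog posts). It reads the TENANT_B_CLIENT_ID and TENANT_B_TENANT_ID app settings named in the answer and assumes one credential that the answer does not spell out: either a client secret in a hypothetical TENANT_B_CLIENT_SECRET setting, or a JWT client assertion (the managed identity's token, which is what the federated managed identity option uses). The claim check is the part worth keeping in a function: a token issued by the wrong tenant, or one whose `roles` claim lacks `Sites.ReadWrite.All` because admin consent in Tenant B was never granted, fails here with a clear message instead of as a 403 from Graph.

```python
import base64
import json
import os
from typing import Dict, List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Both forms of the Graph audience appear in tokens issued by the v2.0 endpoint.
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def token_endpoint(tenant_id: str) -> str:
    # v2.0 token endpoint of the tenant that owns the app registration (Tenant B).
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_token_request(client_id: str, client_secret: Optional[str] = None,
                        client_assertion: Optional[str] = None) -> Dict[str, str]:
    """Form body of a client-credentials request against Tenant B.

    Exactly one credential is used: a client secret, or a JWT client assertion
    (the function's managed identity token when a federated identity credential
    is configured on the Tenant B app registration).
    """
    if (client_secret is None) == (client_assertion is None):
        raise ValueError("provide exactly one of client_secret or client_assertion")
    body = {"grant_type": "client_credentials", "client_id": client_id, "scope": GRAPH_SCOPE}
    if client_secret is not None:
        body["client_secret"] = client_secret
    else:
        body["client_assertion_type"] = JWT_BEARER
        body["client_assertion"] = client_assertion
    return body


def jwt_claims(token: str) -> Dict:
    """Decode a JWT payload without verifying the signature.

    Only used to inspect the access token we were just issued; Graph verifies
    the signature on its side. This lets the function fail fast with a useful error.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_token(token: str, expected_tenant_id: str,
                      required_role: str = "Sites.ReadWrite.All") -> List[str]:
    """Return the problems found with the token (empty list when it looks right)."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("tid") != expected_tenant_id:
        problems.append(f"issued by tenant {claims.get('tid')!r}, expected {expected_tenant_id!r}")
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"unexpected audience {claims.get('aud')!r}")
    if required_role not in claims.get("roles", []):
        problems.append(f"application role {required_role!r} missing; was admin consent granted in Tenant B?")
    return problems


def make_unsigned_jwt(claims: Dict) -> str:
    """Build an alg=none JWT. Only for constructing sample tokens in local tests."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def acquire_graph_token(tenant_id: str, body: Dict[str, str]) -> str:
    """POST the client-credentials request to Tenant B and return the access token."""
    req = Request(token_endpoint(tenant_id), data=urlencode(body).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    tenant_b = os.environ["TENANT_B_TENANT_ID"]        # app setting from step 5
    client_id = os.environ["TENANT_B_CLIENT_ID"]       # app setting from step 5
    secret = os.environ["TENANT_B_CLIENT_SECRET"]      # assumed setting, not in the answer
    token = acquire_graph_token(tenant_b, build_token_request(client_id, client_secret=secret))
    issues = check_graph_token(token, tenant_b)
    if issues:
        raise SystemExit("Graph token not usable for Tenant B: " + "; ".join(issues))
    # Token is issued by Tenant B with Sites.ReadWrite.All; pass it as a Bearer header to Graph.
```

To use the federated managed identity variant instead, pass the managed identity's token as `client_assertion` to `build_token_request` rather than a secret; the request body is otherwise identical, and `check_graph_token` applies unchanged.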