How to allow external users to access the Graph API in the Azure portal without adding them to the tenant

Hamza Iqbal 0 Reputation points
2023-05-01T13:53:03.6566667+00:00

Hi,
I just want to know how to allow external users to authenticate themselves using the Graph API without adding them to the tenant in the Azure portal.

Tags: Microsoft Authenticator, Microsoft Graph, Microsoft Entra External ID, Microsoft Entra ID

2 answers

  1. CarlZhao-MSFT 38,686 Reputation points
    2023-05-02T06:39:00.98+00:00

    Hi @Hamza Iqbal

    If you want external users to sign in to your app and authenticate, you must configure your app as a multi-tenant app.


    Then use the auth code flow to log the external user in interactively in the browser to obtain an authorization code, and redeem that authorization code for a Graph API access token.

    Note that you must change /{tenant id} to /common to allow external users to log in.

    1. Request an authorization code in the browser.

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id={client id}
    &response_type=code
    &redirect_uri={redirect_uri}
    &response_mode=query
    &scope=openid offline_access User.Read
    &state=12345
    

    2. Redeem the code for a token (a POST with a form-encoded body).

    POST https://login.microsoftonline.com/common/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded

    client_id={client id}
    &scope=openid offline_access User.Read
    &code={code}
    &redirect_uri={redirect_uri}
    &grant_type=authorization_code
    &client_secret={client_secret}
    


    Hope this helps.


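The two requests in the answer above, carried through in a small Python client. This is an added example, not code from the answer or from Microsoft's samples, and it goes a little beyond the answer: once an app uses the /common authority it accepts sign-ins from any Entra tenant, so the client here also generates a PKCE verifier/challenge, checks the `state` it gets back on the redirect, and checks `aud`, `iss` and `tid` on the returned ID token against an allow-list of tenants. `CLIENT_ID`, `REDIRECT_URI` and the ID token built by `demo_id_token` are placeholders/constructed values; `check_id_token_claims` only inspects claims and assumes the caller has already verified the JWT signature against the issuer's JWKS (MSAL or PyJWT does that in a real client). The network calls themselves are left to the caller.

```python
# Added example (not from the answer above): the /common auth-code flow for a
# multi-tenant app, plus the checks the app must do itself once it accepts
# users from any tenant. CLIENT_ID, REDIRECT_URI and the demo ID token are
# placeholders / constructed values. Network calls are left to the caller.
from __future__ import annotations

import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/common"  # /common, not /{tenant id}
CLIENT_ID = "11111111-2222-3333-4444-555555555555"      # placeholder app (client) ID
REDIRECT_URI = "http://localhost:8400/callback"         # placeholder; must match the app registration
SCOPES = ["openid", "offline_access", "User.Read"]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for one sign-in attempt."""
    verifier = secrets.token_urlsafe(64)
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(state: str, code_challenge: str) -> str:
    """Step 1: the URL to open in the browser, on the /common authority."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the code out of the redirect; refuse a callback whose state differs (CSRF/replay)."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    return qs["code"][0]


def build_token_request(code: str, code_verifier: str, client_secret: str | None = None):
    """Step 2: URL and form body for the POST to /oauth2/v2.0/token."""
    body = {
        "client_id": CLIENT_ID,
        "scope": " ".join(SCOPES),
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
        "code_verifier": code_verifier,
    }
    if client_secret is not None:  # confidential clients only; never ship a secret in a public client
        body["client_secret"] = client_secret
    return f"{AUTHORITY}/oauth2/v2.0/token", body


def check_id_token_claims(id_token: str, allowed_tenants: set[str] | None = None) -> dict:
    """/common issues tokens for users of any tenant, so the app must check aud, iss
    and tid itself. Claims only: the caller must already have verified the JWT
    signature against the issuer's JWKS (MSAL / PyJWT do this)."""
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("aud is not this app")
    tid = payload.get("tid")
    if not tid or payload.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("iss does not match the tid claim")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise ValueError(f"tenant {tid} is not allowed to use this app")
    return payload


def demo_id_token(tid: str) -> str:
    """Constructed, unsigned ID token for offline demonstration only; never accept
    an unsigned token in a real client."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "aud": CLIENT_ID,
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "preferred_username": "guest@example.com",  # constructed
    }).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    state, (verifier, challenge) = secrets.token_urlsafe(16), make_pkce()
    print("open in browser:", build_authorize_url(state, challenge))
    # after the redirect: code = parse_callback(url_from_browser, state)
    # then POST *build_token_request(code, verifier) and run
    # check_id_token_claims(...) on the id_token in the JSON response
```

The `code_verifier` replaces the `client_secret` for public clients (desktop, mobile, SPA); a web app that holds a secret sends both. The tenant allow-list is the piece the answer's "/common" instruction leaves to the app: without it, any Entra account anywhere can obtain a token for your client ID.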

  2. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-01T14:01:49.7233333+00:00

    Hello @hamza iqbal !

    Welcome to Microsoft QnA!

    To allow external users to authenticate themselves using Graph API without adding them to your Azure AD tenant in the Azure portal, you can use Azure AD B2B collaboration. Azure AD B2B collaboration allows you to invite external users to collaborate with your organization by granting them access to resources in your tenant.

    Here are the steps you can follow to allow external users to authenticate themselves using Graph API:

    1. Set up Azure AD B2B collaboration: In the Azure portal, go to Azure Active Directory > External Identities > B2B Collaboration and set up B2B collaboration for your tenant.

    2. Invite external users: In the Azure portal, go to Azure Active Directory > External Identities > B2B Collaboration > Invitation and invite external users to collaborate with your organization.

    3. Configure the application permissions: In the Azure portal, go to Azure Active Directory > App registrations and select your app registration for the Graph API. Under the API permissions section, add the necessary application permissions for the Graph API.

    4. Grant consent: Once you have configured the necessary application permissions, you need to grant consent to the external users to allow them to use the Graph API. You can do this by having the external users sign in to your app with their own credentials and consent to the required permissions.
    

    Once these steps are completed, the external users can use the Graph API to access the resources in your tenant that they have been granted access to through B2B collaboration. Note that the external users will need to authenticate themselves using their own credentials and will not have access to your Azure AD tenant in the Azure portal.

    Kindly mark this answer as Accepted in case it helped or post your feedback !

    Regards
