How to grant app B in tenant B access to app A in tenant A

Jason Zhao 20 Reputation points Microsoft Employee
2023-07-12T19:03:36.11+00:00

I have an app A in tenant A and an app B in tenant B.
I want to give app B permission to access app A. So in app B, I opened "API permissions" and tried to add a permission, which I need to find under "APIs my organization uses" since app A and app B are in two different tenants.

I'm not able to find app A in the "APIs my organization uses" list. Then I used Azure CLI to run the scripts below:
# AzureAD PowerShell module; the az login line is Azure CLI and is not used by the AzureAD cmdlets that follow
Import-Module AzureAD
az login
Connect-AzureAD -TenantId "<tenant B TenantId>"
# Declare app A as a required resource of app B, requesting one application role (Type "Role")
$requiredAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredAccess.ResourceAppId = "<app A client id>"
# ResourceAccess is a list of {Id, Type} entries
$requiredAccess.ResourceAccess = @(New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "<app A role id from the screenshot below>", "Role")
Set-AzureADApplication -ObjectId "<app B object-id>" -RequiredResourceAccess @($requiredAccess)

Then I'm getting an error that shows: BadRequest Property requiredResourceAccess.resourceAccess is invalid

Before this error, I sometimes also got an error for the same scripts showing: BadRequest Property identifierUris is invalid

Would anyone let me know what I'm missing, please?


Accepted answer
    Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2023-07-17T08:18:31.6533333+00:00

    @Jason Zhao

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you have an API in tenant A and want to give its permission to an app in tenant B.

    Please do correct me if this is not the case by responding in the comments section.

    Kindly follow the below steps:

    • On tenant A, make sure that under Authentication you have selected "Accounts from any directory".

    • The API must have an exposed URI.

    • You must have at least the User.Read Graph API permission added to the API.

    • Now you need to access this API of tenant A with a user of tenant B (I prefer an admin):

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client ID of API in Tenant A}&response_type=code&redirect_uri={redirect URI of API in tenant A}&response_mode=fragment&scope=openid&state=12345

    • This takes you to a consent screen; accept and access the app.

    • Now navigate to Tenant B > App registrations > select the app that you want to access the API > API permissions > APIs my organization uses, and you will be able to see the API you want to access.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

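As an added example (not code from the question or from the answer above), here is the same cross-tenant setup done with the Microsoft Graph PowerShell SDK in place of the deprecated AzureAD module used in the question. It provisions app A's service principal in tenant B (the step that the consent sign-in in the answer performs), declares the app role on app B, and then assigns the role, since declaring a permission in requiredResourceAccess does not by itself grant it. All ids are placeholders; app A must be registered as multi-tenant.

```powershell
# Added example: cross-tenant app role grant with Microsoft.Graph PowerShell.
# Placeholders below must be replaced with real values from both tenants.
Import-Module Microsoft.Graph.Applications

$tenantB      = '<tenant B tenant id>'            # placeholder
$appAClientId = '<app A client (application) id>' # placeholder, from tenant A
$appARoleId   = '<app A app-role id>'             # placeholder, from app A's manifest
$appBObjectId = '<app B application object id>'   # placeholder, in tenant B

# Application.ReadWrite.All edits app B; AppRoleAssignment.ReadWrite.All grants the role.
Connect-MgGraph -TenantId $tenantB -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# 1. App A appears under "APIs my organization uses" only once a service
#    principal for it exists in tenant B. The consent sign-in in the answer
#    creates it; this creates it directly (app A must be multi-tenant).
$spA = Get-MgServicePrincipal -Filter "appId eq '$appAClientId'"
if (-not $spA) {
    $spA = New-MgServicePrincipal -AppId $appAClientId
}

# 2. Declare the required access on app B. ResourceAccess is an array of
#    {Id, Type} objects; Type 'Role' is an application permission.
$required = @(
    @{
        ResourceAppId  = $appAClientId
        ResourceAccess = @(
            @{ Id = $appARoleId; Type = 'Role' }
        )
    }
)
Update-MgApplication -ApplicationId $appBObjectId -RequiredResourceAccess $required

# 3. Declaring the permission does not grant it. An application permission
#    takes effect only after an admin of tenant B assigns the app role to
#    app B's service principal, which is what admin consent does.
$appB = Get-MgApplication -ApplicationId $appBObjectId
$spB  = Get-MgServicePrincipal -Filter "appId eq '$($appB.AppId)'"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spB.Id `
    -PrincipalId $spB.Id -ResourceId $spA.Id -AppRoleId $appARoleId

# Verify: app B's assignments should now list app A as a resource.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spB.Id |
    Where-Object ResourceId -eq $spA.Id |
    Select-Object ResourceDisplayName, AppRoleId
```

If step 3 is skipped, app B can request a token for app A but the token carries no roles claim, which is the state to check first when the call to app A is rejected.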