Granting Access to External Tenants

Joseph Wylie 25 Reputation points
2023-11-16T20:04:13.4466667+00:00

I have created an application that uses the Microsoft Graph API to access files inside my company's OneDrive or SharePoint sites. I registered an app with the Azure Active Directory and have configured application-level permissions because my app has no UI or a redirect URI. The app works as expected with my tenant ID, but how do I allow other tenants or companies to use my app with their OneDrives and sites?

I want to allow other external tenants to use my application to access their own sites and drives.

I am using this endpoint:
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

with these headers:

client_id, scope, client_secret, grant_type

to get an access token.

Is it as simple as having another company use their tenant-id, or will they have to grant permissions by logging in somewhere?


Accepted answer
  1. CarlZhao-MSFT 41,941 Reputation points
    2023-11-17T07:45:39.75+00:00

    Hi @Joseph Wylie

    If you want other tenants to be able to access your app, you must configure your app as a multi-tenant app.

    Find your app and change its supported account types to the following:

    [Image: screenshot of the supported account types selection]

    Next, you need to run the administrator consent URL in the browser and log in with the administrator of the target tenant and consent. After that, your multi-tenant app will be added to the target tenant as an enterprise app.

    https://login.microsoftonline.com/{id of the target tenant}/adminconsent?client_id={client id}
    

    Finally you need to change /{tenant-id} to the id of the target tenant to get an access token for the target tenant.

    https://login.microsoftonline.com/{id of the target tenant}/oauth2/v2.0/token
    

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    1 person found this answer helpful.
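The two steps in the accepted answer, as an added example that is not part of the original thread: it builds the admin consent URL and the per-tenant client-credentials token request, then checks that a returned token's `tid` and `roles` claims match the tenant that consented. The GUID-only tenant check, the `Files.Read.All` role, the helper names and all sample IDs are assumptions constructed for illustration.

```python
import base64, json, re
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
TARGET = "11111111-2222-3333-4444-555555555555"   # constructed customer tenant id
CLIENT = "00000000-0000-0000-0000-000000000000"   # constructed app (client) id

def checked_tenant(tenant_id):
    # Assumption: only GUID tenant ids are accepted, so customer-supplied
    # input can never change the path of the login URL.
    if not GUID.fullmatch(tenant_id):
        raise ValueError("tenant id must be a GUID")
    return tenant_id.lower()

def admin_consent_url(tenant_id, client_id):
    # Opened once in a browser by an administrator of the target tenant.
    query = urlencode({"client_id": client_id})
    return f"{LOGIN}/{checked_tenant(tenant_id)}/adminconsent?{query}"

def token_request(tenant_id, client_id, client_secret):
    # Returns (url, body); the parameters travel in the form-encoded POST body.
    url = f"{LOGIN}/{checked_tenant(tenant_id)}/oauth2/v2.0/token"
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials",
                      "scope": "https://graph.microsoft.com/.default"})
    return url, body

def claims(jwt):
    # Decodes the payload for inspection only; this is not signature validation.
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_is_for(jwt, tenant_id, required_role):
    # An app-only token carries the issuing tenant in "tid" and the consented
    # application permissions in "roles"; both must match before it is used.
    c = claims(jwt)
    same_tenant = c.get("tid", "").lower() == checked_tenant(tenant_id)
    return same_tenant and required_role in c.get("roles", [])

def make_sample_token(tid, roles):
    # Constructed, unsigned token so the check can be exercised offline.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"tid": tid, "roles": roles}), "sig"])

if __name__ == "__main__":
    print(admin_consent_url(TARGET, CLIENT))
    print(token_request(TARGET, CLIENT, "<client-secret>")[0])
    print(token_is_for(make_sample_token(TARGET, ["Files.Read.All"]), TARGET, "Files.Read.All"))
```

A token missing the expected role usually means the tenant's administrator has not completed consent, or consented before the permission was added to the app registration.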
