Granting Access to External Tenants

Question

Granting Access to External Tenants

Joseph Wylie 25

I have created an application that uses the Microsoft Graph API to access files inside my companies One Drive or SharePoint Sites. I registered an app with the Azure Active Directory and have configured application level permissions because my app has no UI or a redirect URI. The app works as expected with my tenant ID but how do I allow other tenants or companies to use my app with their One Drives and Sites?

I want to allow other external tenants to use my application to access their own sites and drives.

I am using this endpoint:
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

with these headers:

client_id, scope, client_secret, grant_type

to get an access token.

Is it as simple as having another company use their tenant-id or will they have to grant permissions by login in somewhere?

Accepted answer

0 additional answers

Your answer

Answer 1

CarlZhao-MSFT 46,371

Hi @Joseph Wylie

If you want other tenants to be able to access your app, you must configure your app as a multi-tenant app.

Find your app and change its supported account types to the following:

User's image

Next, you need to run the administrator consent URL in the browser and log in with the administrator of the target tenant and consent. After that, your multi-tenant app will be added to the target tenant as an enterprise app.

https://login.microsoftonline.com/{id of the target tenant}/adminconsent?client_id={client id}

Finally you need to change /{tenant-id} to the id of the target tenant to get an access token for the target tenant.

https://login.microsoftonline.com/{id of the target tenant}/oauth2/v2.0/token

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Joseph Wylie 25 Reputation points

2023-11-17T19:35:46.3733333+00:00

Thanks for the reply!
I have a few questions on this.

The client_id is the ID associated with the app that I created in Azure right?
The target tenant ID is the ID of the tenant that is trying to gain access to my Azure app right?
That can be found once they login to Microsoft Azure and navigate to the Microsoft Entra ID right?

Currently my app does not have a redirect URI. I tried to follow the link and filled out the client ID and the tenant ID based on the assumptions above and it asked me to login with a Microsoft account. So I logged in with an account outside of the tenant that created the application. It asked me to accept the requested permissions, once I did that it threw an error:

AADSTS500113: No reply address is registered for the application.

Is this related to the redirect URI?
CarlZhao-MSFT 46,371 Reputation points

2023-11-20T07:04:48.3133333+00:00

Hi @Joseph Wylie

The client_id is the ID associated with the app that I created in Azure right?

Yes.

The target tenant ID is the ID of the tenant that is trying to gain access to my Azure app right?

Yes.

That can be found once they login to Microsoft Azure and navigate to the Microsoft Entra ID right?

Yes, they can find your multi-tenant app in enterprise apps.

Is this related to the redirect URI?

Yes, when logging in to a multi-tenant app in the browser, the redirect URL is essential.
Joseph Wylie 25 Reputation points

2023-11-20T14:02:45.1766667+00:00

Thanks for the reply! Last thing, is there a way to have a user grant the multi-tenant app the requested permissions without the need for a redirect URI? Or is the only way to do this through the browser?
CarlZhao-MSFT 46,371 Reputation points

2023-11-21T03:05:19.4166667+00:00

You can certainly grant permissions for your multi-tenant app in your tenant without going through the browser, but for other tenants who use your multi-tenant app, they must grant permissions through the browser, because your multi-tenant app is not registered in other tenants.

Share via

Granting Access to External Tenants

0 additional answers

Your answer