APIM OAuth 2.0 Multitenant Scenario

Basujita Bhattacharya 41 Reputation points Microsoft Employee
2024-02-29T17:10:37.5466667+00:00

My customer had an ask around being able to test whether a policy on APIM, deployed in one Entra ID tenant, can access an API in another Entra ID tenant. I tried it in my subscription with a multitenant app but ran into an issue.

I have 2 tenants: MS Non Prod (APIM is hosted) and Contoso (APIs are hosted).

Followed the usual steps as per the doc link, just across 2 different tenants (screenshots attached): Protect API in API Management using OAuth 2.0 and Microsoft Entra ID - Azure API Management | Microsoft Learn

  1. I am calling the API from the APIM Developer portal using the Contoso tenant. The authorization_code is fetched, but with this auth code the API call gives a 403 error:
     HTTP/1.1 403 Forbidden
  2. Calling the API from the MS Non Prod tenant gives the below error while trying to generate the authorization_code itself.

Note: I don't have the admin privilege to allow creation of the SP here.

Am I missing something?

The app is trying to access a service 'xxxxx'(DemoxxxAPIBackend) that your organization 'xxx' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
    2024-03-01T07:28:40.3266667+00:00

    @Basujita Bhattacharya

    Regarding the first scenario:

    An HTTP 403 - Forbidden error can be thrown when there is an access restriction policy implemented.

    1. Check the APIM inspector trace; you should notice the existence of an 'ip-filter' policy that filters (allows/denies) calls from specific IP addresses and/or address ranges.
    2. To check the scope of the 'ip-filter' policy, select the Calculate effective policy button. If you don't see any access restriction policy implemented at any scope, the next validation step should be done at the product level, by navigating to the associated product and then clicking on the Policies option.

    Regarding the 2nd one, i.e., calling the API from the MS Non Prod tenant gives the below error while trying to generate the authorization_code itself:

    1. To access the API from a different tenant, you need to create an app registration as a multi-tenant application in tenant A (e.g. TenantAAPI) and expose it as an API (api://app-id/app.read).
    2. In Tenant B:
      1. Try to access that TenantAAPI multi-tenant application using a user of Tenant B, so that the application gets added to Tenant B as a service principal.
      2. Once the application TenantAAPI gets added to Tenant B, you should be able to see its entry under the Enterprise Registration section.
      3. Create another App Registration in Tenant B (e.g. TenantBApp).
      4. In the API Permissions section of TenantBApp, you can add a permission: Add a Permission --> Select an API --> APIs my Organization Uses --> here search for the API of tenant A, i.e. TenantAAPI.
      5. Once you find TenantAAPI, add its exposed permission, i.e. app.read, as it would be listed there.

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

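Once the two registrations above are wired up, the token that reaches APIM still has to pass the gateway's validate-jwt checks, and a 403 is what a claim mismatch looks like from the caller's side. The following is an added example (not code from the thread or from Microsoft) that reproduces those checks offline: audience must be the TenantAAPI app, the issuer must be one of the two tenants, and the app.read scope must be present. All tenant and app ids are constructed placeholders, and the sample tokens are HS256-signed so the script runs without contacting Entra, whereas real tokens are RS256-signed with the tenant's published keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers for the two-tenant layout in the thread (assumptions).
TENANT_A = "11111111-1111-1111-1111-111111111111"  # hosts the TenantAAPI registration
TENANT_B = "22222222-2222-2222-2222-222222222222"  # hosts the calling user and TenantBApp
API_APP_ID = "33333333-3333-3333-3333-333333333333"
# Entra puts "api://<app-id>" in v1 tokens and the bare app id in v2 tokens.
ACCEPTED_AUDIENCES = {f"api://{API_APP_ID}", API_APP_ID}
ALLOWED_ISSUERS = {f"https://login.microsoftonline.com/{t}/v2.0" for t in (TENANT_A, TENANT_B)}
REQUIRED_SCOPE = "app.read"  # the permission TenantAAPI exposes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build a sample token. HS256 keeps the demo offline; Entra signs with RS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def check_token(token: str, key: bytes, now=None) -> list:
    """Return the policy failures for a token; an empty list means the call is allowed."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return ["signature invalid"]  # never inspect claims of an unverified token
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    failures = []
    if claims.get("exp", 0) <= now:
        failures.append("token expired")
    if claims.get("aud") not in ACCEPTED_AUDIENCES:
        failures.append("audience is not the TenantAAPI app")
    if claims.get("iss") not in ALLOWED_ISSUERS:
        failures.append("issuer tenant not allowed")
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        failures.append(f"missing scope {REQUIRED_SCOPE}")
    return failures
```

A token minted for a third tenant, or one carrying TenantBApp's own client id as the audience instead of the TenantAAPI app, fails here just as it would at the gateway.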
