Is it possible to create a User (Entra ID) for Tenant B from Tenant A?

31121989 20 Reputation points
2024-04-01T08:09:08.7966667+00:00

Hello everyone,

I have a situation as follows:
I have 2 Tenants, Tenant A and Tenant B. User A belongs to Tenant A.

After User A logs into Tenant A, they make a call to the Graph API to create/edit a user for Tenant B.

I want to ask whether the above situation is possible. If so, what steps need to be taken?

Currently, I don't have any direction to solve this situation. I sincerely hope for your assistance.
Thank you.


Accepted answer
  1. CarlZhao-MSFT 36,976 Reputation points
    2024-04-02T09:24:04.7533333+00:00

    Hi @31121989

    Yes, it is possible.

    First, you need to add users from tenant A to tenant B as guests and grant them the user administrator role. Next, create an app in tenant B and grant User.ReadWrite.All delegated permissions.

    After that, log in to the app using a guest user from tenant A to get a user token (using auth code flow), and finally you will be able to use the token to call the graph API to create/edit users in tenant B.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


1 additional answer

  1. Azar 19,170 Reputation points
    2024-04-01T08:44:30.39+00:00

    Hey there 31121989

    That's a good question and thanks for using the QandA platform.

    I guess it's possible.

    Firstly, in Tenant A's Azure AD, you'll need to register an application that will act as the intermediary between User A and Tenant B.

    Once the registration is done, grant it the necessary permissions.

    After User A logs into Tenant A, your application will need to obtain an access token on behalf of User A. This access token will allow your application to make calls to the Microsoft Graph API.

    Next, using the obtained access token, your application can make calls to the Microsoft Graph API's endpoint for creating/editing users in Tenant B.

    Microsoft Graph API documentation:

    https://docs.microsoft.com/en-us/graph/overview

    Azure AD authentication and authorization documentation:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios

    For detailed info, follow the above documentation.

    If this helps, kindly accept the answer. Thanks much.
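The token-then-Graph-call flow described in both answers, worked through as an added example that is not code from either answer or from Microsoft. It follows the accepted answer's layout (app registered in tenant B, guest from tenant A signs in against tenant B's authority with User.ReadWrite.All delegated) and builds the requests without sending them, so it runs offline; the tenant id, client id, redirect URI and sample user are assumed placeholders.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_SCOPE = "https://graph.microsoft.com/User.ReadWrite.All"

def authorize_url(tenant_b_id, client_id, redirect_uri):
    """Step 1: auth-code request with PKCE. The authority is tenant B's own tenant id
    (never 'common' or tenant A), so the guest signs in to tenant B's directory and
    the tokens are issued by tenant B. Returns (url, pkce_verifier); keep the verifier for /token."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "scope": f"openid offline_access {GRAPH_SCOPE}",
        "code_challenge": challenge, "code_challenge_method": "S256",
        "state": secrets.token_urlsafe(16),
    }
    authority = f"https://login.microsoftonline.com/{tenant_b_id}/oauth2/v2.0/authorize"
    return f"{authority}?{urlencode(params)}", verifier

def _jwt_claims(token):
    """Decode a JWT payload without verifying it; only used on the id_token this app received."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_response_ok(token_response, tenant_b_id):
    """Step 2 check before touching Graph: the id_token's tid must be tenant B (a sign-in that
    landed in tenant A yields a token that is useless against tenant B) and the granted scope
    string returned by /token must include User.ReadWrite.All."""
    tid = _jwt_claims(token_response["id_token"]).get("tid")
    granted = token_response.get("scope", "").split()
    return tid == tenant_b_id and any(s.endswith("User.ReadWrite.All") for s in granted)

def create_user_request(access_token, display_name, mail_nickname, upn, initial_password):
    """Step 3: build the Graph POST /users call (returned, not sent). A new user needs
    accountEnabled, displayName, mailNickname, userPrincipalName and passwordProfile;
    forcing a change at first sign-in keeps the bootstrap password short-lived."""
    body = {
        "accountEnabled": True, "displayName": display_name, "mailNickname": mail_nickname,
        "userPrincipalName": upn,
        "passwordProfile": {"forceChangePasswordNextSignIn": True, "password": initial_password},
    }
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return "POST", f"{GRAPH}/users", headers, body
```

The guest's User Administrator role in tenant B is what lets the delegated token actually create users; a token with the right scope but a guest without that role is rejected by Graph.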