
How can two applications from different tenants access each other?

I have asked the above question with the following description:
Hi,
I am working on one POC where two applications from different tenants will trust each other. I will make a call to the API of the application in tenant B from the application in tenant A. This call will send the token in the authorization header, and that token will be verified in the application of tenant B.
I am confused about how the application from tenant A will generate the token and how the application in tenant B will verify it.
I was looking at the authorization code flow. Please help me with this, along with the endpoint.
I am new to Azure AD and also to token generation.

I got an answer from @soumi-MSFT as follows:

Hello @SHAKILSHAIKH-8202, thank you for reaching out. This is a very classic scenario for Service-To-Service calls where one app would be calling an API internally (without human interaction). The only difference here is that the app is in AAD Tenant A and the API is registered in AAD Tenant B. We can get this scenario working too. Please refer to the steps mentioned below:
1) Register an API in AAD Tenant B as a multi-tenant app
2) Make sure you expose the API so that the scopes for that API are available to be used by the app registered in AAD Tenant A in its request for the token to access this API. Here since this API needs to be called non-interactively by service calls, hence application permissions need to be added. You can use the App Roles for defining the Application Permissions.
3) Since this API would be called non-interactively, from another Tenant i.e Tenant A, this API needs to be first added to Tenant A. Also since this API uses Application Permissions, we can do this together by providing admin consent for this app. This can be done by preparing an URL similar to this: https://login.microsoftonline.com/common/adminconsent?client_id={App-ID of the API registered in Tenant B}&state=12345&redirect_uri={RedirectURI registered for API in Tenant B}
4) Once the admin consent is provided, the service principal object of API of Tenant B gets registered in Tenant A. This API now can be found under Enterprise Registration Blade of AAD.
5) In your actual APP present in Tenant A, now you can add these API scopes under the API Permissions > Add a permission > APIs my organization uses.
6) Once these API scopes are added to the API Permissions section of the App registration in Tenant A, make sure you provide an admin grant to the scopes since these are application permissions and would need an admin grant.
7) Then you can use the Client_Credentials flow of OAuth 2.0 and you can try to request an access token from AAD of Tenant A and use that access token to make calls to the API.
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

But I am confused with steps 2) and 3).

1) I have registered an application in tenant B as multi-tenant.
2) Created the API role Demo.Access.
3) Added the API permission for Demo.Access.
4) Prepared the following URL:
https://login.microsoftonline.com/common/adminconsent?client_id={App-ID of the API registered in Tenant B}&state=12345&redirect_uri={RedirectURI registered for API in Tenant B}
5) On the login page, when I select the tenant A user account, it shows:
Selected user account does not exist in tenant 'Default Directory' and cannot access the application 'd2c910fc-3c42-49a6-a65f-bafab0851d3f' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

azure-active-directory
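The two halves of soumi-MSFT's step 7 (the app in Tenant A requesting a token with the client-credentials grant, and the API in Tenant B checking the resulting token's claims) as an added example that is not part of the original thread. Tenant and application IDs are hypothetical placeholders; the app role name Demo.Access is the one from the post; JWT signature verification against the issuer's published signing keys is assumed to be done by a JWT library and is not shown.

```python
import time
from urllib.parse import urlencode

# Hypothetical identifiers, not the poster's real ones.
TENANT_A_ID = "11111111-1111-1111-1111-111111111111"  # tenant of the calling app
API_APP_ID = "22222222-2222-2222-2222-222222222222"   # client_id of the API registered in Tenant B
REQUIRED_ROLE = "Demo.Access"                          # app role defined on the API


def client_credentials_request(tenant_id, client_id, client_secret, api_app_id):
    """Token endpoint URL and form body for the client-credentials grant.

    The app asks its own tenant's AAD (Tenant A) for the token. Using the API's
    /.default scope makes AAD put the admin-consented application permissions
    (app roles) into the 'roles' claim of the issued access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"api://{api_app_id}/.default",
    })
    return url, body


def validate_claims(claims, api_app_id, allowed_tenants, required_role, now=None):
    """Claim checks the API in Tenant B performs after the signature is verified.

    allowed_tenants: tenants whose admins consented to the API; a token from any
    other tenant is rejected even though it carries a valid Microsoft signature.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") not in (api_app_id, f"api://{api_app_id}"):
        return False, "audience mismatch"
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, "token issued by a tenant that was never admin-consented"
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False, "issuer does not match tid"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if required_role not in claims.get("roles", []):
        return False, f"missing app role {required_role}"
    return True, "ok"


SAMPLE_CLAIMS = {  # constructed payload shaped like an AAD v2.0 app-only token
    "aud": API_APP_ID,
    "iss": f"https://login.microsoftonline.com/{TENANT_A_ID}/v2.0",
    "tid": TENANT_A_ID,
    "roles": [REQUIRED_ROLE],
    "exp": 2_000_000_000,
}
```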

@SHAKILSHAIKH-8202
Thank you for the detailed post and I apologize for the delayed response!

I just wanted to check in and see if you're still having issues or if you were able to resolve this issue? I've also reached out to Soumi regarding this issue.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


0 Answers