4
votes

As I am playing with the Microsoft Graph API (https://graph.microsoft.io/) I want to understand the multi-tenancy support for Graph API.

As I understand, we need to first create and register our app (http://dev.office.com/app-registration) with the O365 Azure AD before we can use it to access the graph API.

This is consistent with the earlier model, where apps were created directly in the underlying AD. I believe the above app creation step does the same.

While this allows the app to access the graph API for the tenant where we have registered the app, the app cannot access other tenant data. How do we do that?

AD apps earlier had a grant access flow, where the app used to present a dialog to the user in the other tenant to authorize the app. Does this flow still hold good?

Any guidance in this regard would be helpful.

3

3 Answers

3
votes

As an alternative, if you use the App Registration Portal linked to directly from the Microsoft Graph site, you will not need to do anything extra to make your app work with multiple tenants. It will require switching your authentication strategy over to the v2.0 Authentication Endpoints (aka Converged authentication). This also has some benefits to you such as dynamic scopes and being able to support enterprise and consumer authentication and graph APIs with the same authentication flow.

Depending on your platform of choice, there are several samples under the Microsoft Graph GitHub account that will assist you if you need it. Many of the samples have already been switched to this new authentication flow and the others are being worked on to switch over as well.

Extra

If you have questions about the options for the {tenant} segment for the v2.0 authentication endpoint, you can read about them here.

  • common => Allows users with both personal Microsoft accounts and work/school accounts from Azure Active Directory to sign into the application.
  • organizations => Allows only users with work/school accounts from Azure Active Directory to sign into the application.
  • consumers => Allows only users with personal Microsoft accounts (MSA) to sign into the application.
  • {tenant guid | name} => Allows only users with work/school accounts from a particular Azure Active Directory tenant to sign into the application. Either the friendly domain name of the Azure AD tenant or the tenant's guid identifier can be used.
1
votes

To enable the app for multiple tenants, we need to log in to the Azure portal and enable it as in the figure below: [screenshot of the Azure portal setting; image not preserved]

0
votes

Most importantly, use common as your tenant id when dealing with multi-tenant apps. See how it's done below:

https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=<YOUR_AAD_CLIENT_ID_HERE>&redirect_uri=<YOUR_REDIRECT_URI_HERE>

There is no clear mention of that because their documentation is the worst. There is no excuse for a company the size of Microsoft.
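The two endpoint shapes discussed in the answers above (the v1 `/common/oauth2/authorize` URL in the last answer, and the v2.0 endpoint with its `common` / `organizations` / `consumers` / tenant-id segments in the first answer) can be built by one small helper. The code below is an added example, not code from the question, the answers, or Microsoft; the client id, redirect URI and the `openid User.Read` scope list are placeholder values chosen for illustration, and the restriction of `organizations` and `consumers` to the v2.0 endpoint mirrors what the first answer lists. The helper also validates the tenant segment before it is placed in the URL path and generates and checks the OAuth `state` parameter, which is the standard defence against a forged redirect back to the app.

```python
import re
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Authority host shared by the v1 and v2.0 authorize endpoints shown on the page.
AUTHORITY = "https://login.microsoftonline.com"

# The three special {tenant} segments listed in the first answer (v2.0 endpoint).
SPECIAL_TENANTS = ("common", "organizations", "consumers")

# Shape checks for the two other accepted forms: a tenant GUID or a verified domain name.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
DOMAIN_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+"
)


def validate_tenant(tenant: str) -> str:
    """Accept a special segment, a tenant GUID or a domain name; reject anything else.

    The value ends up in the URL path, so a tenant taken from configuration or
    user input must not be allowed to carry '/', '?', '#' or '@', which would
    change which endpoint the browser is sent to.
    """
    if tenant in SPECIAL_TENANTS:
        return tenant
    if GUID_RE.fullmatch(tenant) or DOMAIN_RE.fullmatch(tenant):
        return tenant
    raise ValueError(f"unsupported tenant segment: {tenant!r}")


def build_authorize_url(client_id, redirect_uri, tenant="common", version="v2.0",
                        scopes=("openid", "User.Read"), state=None):
    """Return (url, state) for an authorization-code request.

    version="v1" reproduces the /{tenant}/oauth2/authorize form from the last answer;
    version="v2.0" targets /{tenant}/oauth2/v2.0/authorize as in the first answer.
    When no state is supplied a random one is generated; the caller stores it in the
    user's session and compares it on the redirect back (see check_redirect_state).
    """
    tenant = validate_tenant(tenant)
    if version == "v1" and tenant in ("organizations", "consumers"):
        # The first answer lists these segments for the v2.0 endpoint only (assumption:
        # treat them as invalid for v1 rather than emitting a URL that will not work).
        raise ValueError(f"{tenant!r} is only meaningful on the v2.0 endpoint")
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if version == "v2.0":
        path = f"/{tenant}/oauth2/v2.0/authorize"
        # v2.0 requests permissions per call (the "dynamic scopes" mentioned above).
        params["scope"] = " ".join(scopes)
    elif version == "v1":
        path = f"/{tenant}/oauth2/authorize"
    else:
        raise ValueError(f"unknown endpoint version: {version!r}")
    return f"{AUTHORITY}{path}?{urlencode(params)}", state


def check_redirect_state(callback_url: str, expected_state: str) -> bool:
    """Constant-time comparison of the state echoed back on the redirect URI."""
    returned = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return secrets.compare_digest(returned, expected_state)


if __name__ == "__main__":
    # Placeholder client id and redirect URI; replace with the app registration's values.
    url, state = build_authorize_url("00000000-0000-0000-0000-000000000000",
                                     "https://localhost/callback", tenant="organizations")
    print(url)
    print(check_redirect_state(f"https://localhost/callback?code=abc&state={state}", state))
```

The validation step matters most where the tenant segment is read from a per-customer configuration record: an unchecked value such as `contoso.onmicrosoft.com/../../other` would otherwise be spliced straight into the path of the URL the user is sent to.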