1
votes

I have created an application in Azure AD and flipped the multi-tenant switch to make the application a multi-tenant one.

Then I followed the steps listed in the article How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern to sign in users from other Azure AD tenants to my multi-tenant application.

The code looks as follows:

using System;
using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// "common" endpoint: accept sign-ins from any Azure AD tenant
string aadInstance = "https://login.microsoftonline.com/{0}";
string tenant = "common";
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);

AuthenticationContext context = new AuthenticationContext(authority);

// resource = App ID URI of the multi-tenant API (Tenant A), clientId = client app in the other tenant (Tenant B)
AuthenticationResult result = await context.AcquireTokenAsync(
    "https://XXXX.onmicrosoft.com/TodoListServiceMT", AppIdOfAppInDifferentTenant,
    new Uri("https://localhost:44399/"), new PlatformParameters(PromptBehavior.Always));

But during authentication, I keep running into the following error:

AADSTS65005: The client application has requested access to resource 'https://XXXX.onmicrosoft.com/TodoListServiceMT'. This request has failed because the client has not specified this resource in its requiredResourceAccess list

The fix for the error requires me to add permissions for my multi-tenant app in my client application in the other Azure AD tenant.

But I am unable to locate my multi-tenant application in the Configure Permissions screen of my client application in the other Azure AD tenant. All I see in that list is Azure AD Graph, ARM and Azure Active Directory.

Has anyone successfully tried this approach before? What needs to be done to expose my multi-tenant application in other Azure AD tenants?

A basic outline of the tenants, apps and resources at work here:

Tenant A 
  -> Multi-tenant App, resource id(App Id URI)-"https://XXXX.onmicrosoft.com/TodoListServiceMT"

Tenant B
  -> Client App (AppIdOfAppInDifferentTenant)

For authentication, I am using an admin user in Tenant B

I tried adding the AppIdOfAppInDifferentTenant to Multi-tenant app's app manifest's knownclientapplications section, but one can only add app Ids of apps in the same tenant.

Solution

I still do not know why my code isn't able to generate a Consent prompt to successfully register the SP, but I attempted the same using the newly released Azure Active Directory V2 PowerShell Module and it worked for me.

The order of commands to create a SP of a multi-tenant application in a different tenant is as follows:

Connect-AzureAD -TenantId "TenantId as Guid"   # sign in to the other tenant (Tenant B) as an admin
New-AzureADServicePrincipal -AppId "Client/Application Id of the multi tenant application"   # registers the SP in Tenant B

Once the command completes successfully, the multi-tenant app will start to show up in the "Required Permissions" screen of the client app.
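The two PowerShell commands above do the job, but they are not idempotent and they stop short of the thing the AADSTS65005 message actually names: the client app's requiredResourceAccess list. The following script is an added example, not code from the question or its answers, that performs the same registration with the AzureAD module and then declares the multi-tenant app as a required resource on the Tenant B client app. Every GUID is a placeholder, and the scope name user_impersonation is an assumption (it is the default delegated permission an API registered through the classic portal exposes); substitute the real values before running it.

```powershell
# Added example: register the Tenant A multi-tenant app as a service principal in
# Tenant B, then add it to the Tenant B client app's requiredResourceAccess list.
# Placeholders (assumptions): all GUIDs and the scope name below.
# Requires the AzureAD module and a Tenant B administrator account.

$tenantB        = "00000000-0000-0000-0000-000000000000"  # Tenant B tenant id (placeholder)
$multiTenantApp = "11111111-1111-1111-1111-111111111111"  # App Id of TodoListServiceMT in Tenant A (placeholder)
$clientApp      = "22222222-2222-2222-2222-222222222222"  # AppIdOfAppInDifferentTenant (placeholder)
$scopeName      = "user_impersonation"                    # assumed delegated permission exposed by the API

Connect-AzureAD -TenantId $tenantB | Out-Null

# 1. Create the service principal only if Tenant B does not already have one,
#    so the script can be re-run safely.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$multiTenantApp'"
if (-not $sp) {
    Write-Host "No service principal for $multiTenantApp in Tenant B; creating one."
    $sp = New-AzureADServicePrincipal -AppId $multiTenantApp
} else {
    Write-Host "Service principal already exists: $($sp.DisplayName) ($($sp.ObjectId))"
}

# 2. Find the delegated permission (OAuth2 scope) the client will request.
#    These are the scopes the portal shows after you pick the API.
$scope = $sp.Oauth2Permissions | Where-Object { $_.Value -eq $scopeName }
if (-not $scope) {
    $available = ($sp.Oauth2Permissions | ForEach-Object { $_.Value }) -join ", "
    throw "Scope '$scopeName' is not exposed by $($sp.DisplayName). Available: $available"
}

# 3. Add the resource to the client app's requiredResourceAccess list, which is
#    what AADSTS65005 reported as missing. Entries for other resources are kept.
$client = Get-AzureADApplication -Filter "appId eq '$clientApp'"
if (-not $client) { throw "Client app $clientApp not found in Tenant B" }

$access = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" `
    -ArgumentList $scope.Id, "Scope"
$required = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$required.ResourceAppId  = $multiTenantApp
$required.ResourceAccess = $access

$list  = @($client.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $multiTenantApp })
$list += $required
Set-AzureADApplication -ObjectId $client.ObjectId -RequiredResourceAccess $list

# 4. Verify the registration now lists the multi-tenant app.
(Get-AzureADApplication -ObjectId $client.ObjectId).RequiredResourceAccess |
    Where-Object { $_.ResourceAppId -eq $multiTenantApp } |
    ForEach-Object { "Client now requires $($_.ResourceAccess.Count) permission(s) on $($sp.DisplayName)" }
```

Set-AzureADApplication only changes the client app's registration; it grants nothing. The actual consent grant is still recorded in Tenant B the first time a user (or an admin, on behalf of the tenant) signs in and accepts the prompt, so expect to see the consent screen once after running this.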

2
Can you describe different apps and tenants in play here? Something like this: Tenant A: Client App 1, Resource App 1. Tenant B: User 1. Client App 1 needs to call Resource App 1. User 1 from Tenant B is trying to sign into Client App 1 and receives an error that Client App 1 has not registered Resource App 1 as a required resource access. - Shawn Tabrizi

2 Answers

1
votes

Generally speaking, you can try to use an account in tenant 2 to log in to your application in tenant 1; after a successful login, your application will be added in tenant 2 automatically. You can try to follow these steps:

  1. Enable MULTI-TENANT in the AD application's config blade.

  2. Modify your config when using ADAL: set tenantId to common.

  3. Run your application and sign in with a user from tenant 2.
    Accept the permission consent prompt from your application in tenant 1.

  4. After a successful login, you will find that your application has been added in tenant 2.

0
votes

Gary Liu's answer is mostly correct and outlines how the service principal is created in tenant B. After doing those steps, you should be able to:

  1. Go to the new Portal
  2. Find your client app under App Registrations
  3. Go to Required permissions
  4. Click Add
  5. Click Select an API
  6. Enter the name of the multi-tenant app or part of it in the search bar that appears
  7. Select the multi-tenant app and then define which permissions your client requires on it