Multi tenant Daemon office 365 app registration on consumer AAD by granting admin consent, Does it also require separate registration on consumer?

1
votes

I am developing a multi-tenant Office 365 daemon that requires access to user calendars.

I have successfully registered in the company tenant (Tenant1) that has deployed this app using certificates and I am able to get access tokens.

Now I created a separate AAD tenant (Tenant 2) and logged in to daemon app using administrator account of Tenant 2, it prompted the Admin Consent screen and I provided consent. There was no errors returned.

When I tried to get an app token however, I am able to get a token but with blank permissions. If I call the Office 365 API using this token, I get a 401.

I was of the view that service principal objects should be created. Also I am unable to see this app in Tenant 2 app registrations.

Do all my consumers have to register this app manually in their AD tenant and modify application manifest file to add certificate details?

I am not sure about the benefit of multi tenancy if that's the case.

I found the follow in the Azure Active Directory documentation:

The following diagram illustrates the relationship between an application's application object and corresponding service principal objects, in the context of a sample multi-tenant application called HR app. There are three Azure AD tenants in this scenario:

  • Adatum - the tenant used by the company that developed the HR app
  • Contoso - the tenant used by the Contoso organization, which is a consumer of the HR app
  • Fabrikam - the tenant used by the Fabrikam organization, which also consumes the HR app
1
azure-active-directorymicrosoft-graph-apioffice365api
I think you need to share some code samples here. In general, you should NOT need to register multiple applications in multiple tenants. As long as your main app in Tenant 1 is multi-tenant enabled, then it should work the same across any number of tenants.Shawn Tabrizi

1 Answers

1
votes

You do not need to have each tenant register your application. In fact, you shouldn't since having dozens (or hundreds) of unique App IDs floating around would only create headaches for you.

Each tenant does however need to execute the Admin Consent workflow. This will authorize the App ID you've registered on your end to access the scopes you've requested.

Generally, I recommend using the v2 Endpoint and the apps.dev.microsoft.com portal for registering your app. While you can also register your app in your own Active Directory, the portal makes it a lot easier to manage.

The general process is:

  1. Register you application in the Registration Portal

  2. Populate the "Application Permissions" in the Microsoft Graph Permissions section.

  3. Launch the Admin Consent workload using https://login.microsoftonline.com/common/adminconsent?client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]

  4. Get a beer

A couple of tips:

  • The Registration Portal only supports MSA (i.e. personal) accounts at the moment. I'd suggest creating a new Outlook.com account for this purpose so you can easily share the credentials with folks who need them internally.

  • If you create a shared Outlook.com account, you should also set up forwarding rules for all of the interested parties internally. This is in case something should every go wrong or change down the road and you need to recover the account.

  • I wrote a v2 Endpoint and Admin Consent primer that you might find helpful. They assume you're using the Authorization Code flow but the concepts remain the same for Client Credentials.