I have a client application which runs in daemon mode [no interfaces]. This daemon will speak to an app created in Azure (single-tenant currently) to fetch users using the O365 Graph API. The authentication mechanism used is OAuth2 certificate/thumbprint. Permission to the app is given directly by the admin while creating the app in Azure itself.

Now I need to make this daemon (client) and the app in Azure multi-tenant. Things I followed after reading some articles:

  1. Mark the app as multi-tenant in Azure
  2. Point to /common in the token URL in the client (which runs as a daemon): https://login.microsoftonline.com/common/oauth2/token.

Questions:

  1. After this I was able to get an access token, but for any query I make I am getting the error "The identity of the calling application could not be established".

  2. Since there is no user intervention here, how do I give permission for tenant B's app to access tenant A's data (users, in my case)? Is there anything I can do in the manifest file?

  3. If tenant B's app is accessing tenant A's data, should both apps in Azure be multi-tenant?

Lots of articles explain how the flow works based on user login (user consent). But my client application runs as a daemon. How do I give permission directly, or what mechanism is there in the Azure app, for accessing another tenant's data? [Assume I am admin of both tenants and I have complete access to both tenants.]

1 Answer

  1. It isn't possible to use the common endpoint when using the client_credentials flow to log into the \OAuth2\token endpoint. This is because common is designed to identify the user's "home" directory and when they log in interactively they are redirected to sign into their home directory unless overwritten.

2 & 3. Tenant B doesn't get a Registered Application, it only gets an Enterprise Application. The linked Registered App would be the one in Tenant A; communication here isn't bi-directional. A has an Enterprise Application in A and an Enterprise Application in B. You set the permissions for all the Enterprise Applications using the Registered Application in A, but an Admin/User (dependent on the permission type) will have to grant permissions in their respective tenant (A & B). When you log in as a user you utilise the Application Registration. In order to access B you will have to call the token endpoint containing B's tenant id.

To enable one application to be able to access multiple tenants you need to:

  1. Make the Application Multi-Tenanted. Make a note of the application's ApplicationId.
  2. Using PowerShell, log into the tenant you want to give the Application access to.
  3. Use the Cmdlet New-AzureRmServicePrincipal -ApplicationId <ApplicationId>, where <ApplicationId> is the one you noted earlier.

This will create a service principal in tenant B based on the application in Tenant A. The application in A will then be able to use the token endpoint for Tenant B to log in and access it.
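The three steps above, written out as an added PowerShell example (not code from the original answer). It assumes the AzureRM module is installed, that `Get-AzureRmADServicePrincipal` in the installed version accepts `-ApplicationId`, and that the two ids are supplied by the caller; it also checks afterwards that the new service principal picked up no Azure RBAC role it does not need, since the daemon only requires the Graph permission an admin of tenant B still has to grant.

```powershell
# Added example: create tenant B's Enterprise Application (service principal)
# for the multi-tenant app registered in tenant A, then verify it.
# Both parameters are placeholders supplied at run time, not real identifiers.
param(
    [Parameter(Mandatory = $true)] [string] $ApplicationId,  # AppId noted in tenant A
    [Parameter(Mandatory = $true)] [string] $TargetTenantId  # tenant B's directory id
)

# Step 2: sign in to tenant B as one of its administrators.
Connect-AzureRmAccount -TenantId $TargetTenantId | Out-Null

# Assumption: -ApplicationId exists on Get-AzureRmADServicePrincipal in this
# AzureRM.Resources version (older builds only offer -ServicePrincipalName).
$sp = Get-AzureRmADServicePrincipal -ApplicationId $ApplicationId -ErrorAction SilentlyContinue

if ($null -eq $sp) {
    # Step 3: the service principal in B is linked to the App Registration in A;
    # nothing is registered in B itself, exactly as the answer describes.
    $sp = New-AzureRmServicePrincipal -ApplicationId $ApplicationId
    Write-Host "Created service principal $($sp.Id) for app $ApplicationId in tenant $TargetTenantId"
} else {
    Write-Host "Service principal already exists in tenant B: $($sp.Id)"
}

# Least-privilege check: a daemon that only reads users via Graph needs no
# subscription/resource-group role, so any RBAC assignment here is a finding.
$roles = Get-AzureRmRoleAssignment -ObjectId $sp.Id -ErrorAction SilentlyContinue
if ($roles) {
    Write-Warning "Unexpected RBAC role(s) on the service principal: $($roles.RoleDefinitionName -join ', ')"
}

# The daemon must request its client_credentials token from tenant B's own
# endpoint; /common is what produced the "identity ... could not be established" error.
$tokenUrl = "https://login.microsoftonline.com/$TargetTenantId/oauth2/token"
Write-Host "Daemon token endpoint for tenant B: $tokenUrl"
```

Creating the service principal does not by itself grant the Graph application permission in tenant B; a tenant B admin still has to consent to it, as the answer's point 2 & 3 states.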