I have a service registered as a multi-tenanted Web API in an AAD tenant “A”. And a client registered as a web app in a different AAD tenant “B”. The question is, whether do I need any additional configuration on Azure portal in order for the client app in tenant “B” to successfully access the web API in the tenant “A” (app to app authentication) ? Does AAD support such scenario? Currently, I get Unauthorized status code as response from the service when the service is deployed to Azure.
The service in tenant A doesn’t show up when I try to manually manage permissions for the client app in tenant B. Is this step necessary or am I missing some config set up?
The service is built on asp.net MVC application and it uses JWT bearer authentication scheme. The client successfully acquires its token from its own AAD tenant. So it doesn't seem like an authentication issue. On the service side, I have added the client's tenant to be one of the valid token issuers as well.
I'm not sure if a service principal for the service app is created in the client's tenant automatically (the consent page has never showed up so far).
