0
votes

I've made an app registration in our Azure AD (AAD) that's enabled for multi-tenancy. This registration is successfully registered in another (client) AAD tenant (admin consent has been given).

I'm using .Net Core 2.1 and the MSAL 2.0 library for authentication.

I need to access the client AAD with Microsoft Graph from our management app to read the client AAD groups when I'm logged in with a user from the original AAD (where the app registration was created).

I've followed this article https://docs.microsoft.com/en-us/graph/auth-v2-service and requested a token from the client AAD (Step 4). When I use this token to access the client AAD groups I get an access denied error.

When I create an app registration without multi-tenancy enabled within the client tenant AAD it works just fine. Isn't it possible to achieve what I want? I thought that I'm not the only one who wants to access a client AAD from a management app, but I can't find any other articles describing this problem.


1 Answer

1
votes

I need to access the client AAD with Microsoft Graph from our management app to read the client AAD groups when I'm logged in with a user from the original AAD (where the app registration was created).

You can only log in with accounts in the client AAD's organization; you can't log in with a user from the original AAD, unless you add the user from the original AAD to the client AAD.

For example, you register an app in AAD1; you can log in with accounts in AAD1 to manage resources protected by AAD1. If the app is a multi-tenant app, after granting permission in AAD2, users in AAD2 can log in to the app with their accounts to manage resources protected by AAD2, unless you add the user from the original AAD to the client AAD as a guest user.

I've followed this article https://docs.microsoft.com/en-us/graph/auth-v2-service and requested a token from the client AAD (Step 4). When I use this token to access the client AAD groups I get an access denied error.

You are acquiring the token using the Client Credentials Flow with the app's identity instead of the user's identity. You should use the OAuth 2.0 authorization code grant flow if you want to log in to the app using the user's identity.
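The distinction the answer draws (an app-only token from the client credentials flow versus a delegated token from the authorization code flow, both requested from the client tenant's own endpoint) can be checked directly by decoding the access token you got back. The following is an added example, not code from the question or the answer, and it is written in Python rather than the poster's .NET/MSAL code because the point is at the OAuth protocol level: it builds the two token requests against the client tenant's v2.0 token endpoint and inspects a token's claims to see which identity and which tenant it represents. The tenant and app IDs, the secret, the authorization code, the redirect URI and the two sample tokens are all constructed placeholders; the sample tokens are token-shaped strings with a dummy signature, which is why the decoder deliberately skips signature validation and must only be used for inspection.

```python
# Added example (not from the original post): telling an app-only Graph token
# from a delegated one, and building both token requests for the client tenant.
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Placeholder identifiers (assumptions for the demo, not real tenants or apps).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"    # where the app is registered
CLIENT_TENANT = "22222222-2222-2222-2222-222222222222"  # tenant that gave admin consent
APP_ID = "33333333-3333-3333-3333-333333333333"


def token_endpoint(tenant: str) -> str:
    """v2.0 token endpoint of one specific tenant (not /common or /organizations)."""
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"


def client_credentials_request(tenant, client_id, client_secret):
    """App-only flow (step 4 of auth-v2-service): the caller is the app itself.
    The resulting token carries application permissions in 'roles' and no user."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    }
    return token_endpoint(tenant), urlencode(body)


def authorization_code_request(tenant, client_id, client_secret, code, redirect_uri):
    """Delegated flow: the caller is a signed-in user of `tenant` (member or guest).
    The resulting token carries delegated permissions in 'scp'."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": "https://graph.microsoft.com/Group.Read.All",
    }
    return token_endpoint(tenant), urlencode(body)


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Read the JWT payload WITHOUT checking the signature.
    Good enough for debugging which identity a token represents; never use the
    result for an authorization decision (validate against the tenant's keys)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(token: str, expected_tenant: str) -> dict:
    """Summarise whose identity a Graph access token carries and for which tenant."""
    claims = jwt_claims(token)
    if "scp" in claims:                       # delegated permissions => a user is present
        kind, permissions = "delegated", claims["scp"].split()
    elif "roles" in claims:                   # application permissions => app-only
        kind, permissions = "app-only", list(claims["roles"])
    else:                                     # no permissions granted for this flow
        kind, permissions = "unknown", []
    return {
        "kind": kind,
        "tenant_ok": claims.get("tid") == expected_tenant,
        "permissions": permissions,
        "user": claims.get("upn") or claims.get("preferred_username"),
    }


def _constructed_token(payload: dict) -> str:
    """Build a token-shaped string for the demo; the signature is a dummy."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample tokens mirroring the two flows; claim names follow the
# Microsoft identity platform token reference, values are placeholders.
APP_ONLY_TOKEN = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{CLIENT_TENANT}/",
    "tid": CLIENT_TENANT,
    "appid": APP_ID,
    "roles": ["Group.Read.All"],
})
DELEGATED_TOKEN = _constructed_token({
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{CLIENT_TENANT}/",
    "tid": CLIENT_TENANT,
    "appid": APP_ID,
    "scp": "Group.Read.All User.Read",
    "upn": "admin@client-tenant.example",
})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, describe_token(tok, CLIENT_TENANT))
```

Two things to check on the real token before blaming multi-tenancy: `tid` must be the client tenant (the request has to go to that tenant's endpoint, not your home tenant's), and an app-only token must actually contain `roles` with `Group.Read.All`. If the client tenant's admin consented only to delegated permissions, a client-credentials token comes back with no `roles` claim at all, and Graph answers a groups query with 403 even though consent "was given". For a user from the home tenant to appear in a delegated token for the client tenant, that user has to exist there as a guest, as the answer says.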