0 votes

I have an application that I registered in my Azure portal, which requires permissions to access the Azure Service Management API. For it to work with Azure resources, I need to add a role assignment to a subscription for my application, so that it can, for example, make an API call such as this:

https://management.azure.com/subscriptions/xxxx-xxxx-xxxx-xxxx/resourcegroups?api-version=2017-05-10

I want my app to work with different Azure portals. My question is: how do I add a role assignment for my app on another Azure AD that doesn't have my app registered, but has given consent to it? Am I approaching this wrong?


1 Answer

0 votes

how do I add a role assignment for my app on another Azure AD that doesn't have my app registered, but has given consent to it?

Yes, you can.

When the app has been consented to in your other tenant, Azure creates an enterprise application for your app registration in that tenant; you can find it under Azure Active Directory -> Enterprise applications (search with All Applications).

To add the assignment for it, just navigate to the Subscription in the portal -> Access control (IAM) -> add your enterprise application (service principal) to a role, e.g. Owner/Contributor.

Then you can use the client credentials flow to get an access token for your service principal; the client_secret is the one from your first tenant. Then you can use the token to call the REST API in your question.

Update:

I do not recommend using a user account to get the access token, because once you enable MFA you cannot use UserCredential to get it. If you use Visual Studio, you can use AzureServiceTokenProvider to get the access token.

 using Microsoft.Azure.Services.AppAuthentication;

 var azureServiceTokenProvider = new AzureServiceTokenProvider();
 // GetAccessTokenAsync returns Task<string>, so it must be awaited (inside an async method).
 string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com");

BTW, I still suggest you use a service principal that already exists in the subscription to get the access token, so that you can use the flow you used before.

Hope it helps you.
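The whole flow from the answer above, as an added example that is not part of the original question or answer: the client-credentials token request (aimed at the customer's tenant, with the client_id/secret of the home-tenant registration), the role-assignment PUT that the subscription owner sends to grant the service principal a role, and the resourcegroups call from the question. The tenant IDs (tenant-a, tenant-b), client ID, secret, subscription ID and the FakeAzure stand-in are constructed so the code runs offline; the Reader role definition ID is the real built-in one. urllib_transport is what you would pass instead of the fake against real endpoints.

```python
"""Cross-tenant ARM access for a multi-tenant app (added example, not the
page's code). Consent creates a service principal in the customer tenant; a
role is assigned to it on the customer subscription; the app then takes a
client-credentials token from the CUSTOMER tenant's endpoint and calls ARM."""
import json
import uuid
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"
ROLE_READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"  # built-in role, same ID in every tenant


def token_request(target_tenant_id, client_id, client_secret):
    """The tenant in the URL decides whose service principal the token
    represents, so it is the customer's tenant; the credentials are still
    those of the registration in the home tenant."""
    url = f"{LOGIN}/{target_tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{ARM}/.default"}
    return url, form


def role_assignment_request(subscription_id, principal_object_id,
                            role_definition_id, assignment_id=None):
    """PUT sent by the subscription owner with their own token. principal_object_id
    is the enterprise application's object ID in the customer tenant, not the client ID."""
    scope = f"/subscriptions/{subscription_id}"
    assignment_id = assignment_id or str(uuid.uuid4())
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version=2015-07-01")
    body = {"properties": {"principalId": principal_object_id,
                           "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/"
                                               f"roleDefinitions/{role_definition_id}"}}
    return url, body


def list_resource_groups_request(subscription_id, access_token):
    url = f"{ARM}/subscriptions/{subscription_id}/resourcegroups?api-version=2017-05-10"
    return url, {"Authorization": f"Bearer {access_token}"}


def urllib_transport(method, url, headers=None, data=None):
    """Real transport: form-encodes the token request, JSON-encodes ARM bodies,
    returns (status, decoded JSON) for both success and error responses."""
    hdrs, payload = dict(headers or {}), None
    if data is not None:
        is_form = "grant_type" in data
        payload = (urlencode(data) if is_form else json.dumps(data)).encode()
        hdrs["Content-Type"] = "application/x-www-form-urlencoded" if is_form else "application/json"
    try:
        with urlopen(Request(url, data=payload, headers=hdrs, method=method)) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, json.load(err)


def list_resource_groups(transport, target_tenant_id, client_id, client_secret, subscription_id):
    """Token from the customer tenant, then the GET from the question."""
    url, form = token_request(target_tenant_id, client_id, client_secret)
    status, body = transport("POST", url, data=form)
    if status != 200:
        raise PermissionError(f"token request failed: {body.get('error')}")
    url, headers = list_resource_groups_request(subscription_id, body["access_token"])
    status, body = transport("GET", url, headers=headers)
    if status != 200:
        raise PermissionError(f"ARM returned {status}: {body['error']['code']}")
    return [rg["name"] for rg in body["value"]]


class FakeAzure:
    """Constructed offline stand-in for the token endpoint and ARM. It models the
    two checks that bite cross-tenant: a token issued by a tenant other than the
    subscription's is rejected (401 InvalidAuthenticationTokenTenant), and a
    principal with no role assignment gets 403 AuthorizationFailed."""

    def __init__(self, subscription_tenant, client_id, client_secret, assigned_apps):
        self.tenant, self.client_id = subscription_tenant, client_id
        self.secret, self.assigned = client_secret, set(assigned_apps)

    def __call__(self, method, url, headers=None, data=None):
        if url.startswith(LOGIN):
            tenant = url[len(LOGIN) + 1:].split("/")[0]
            if (data["client_id"], data["client_secret"]) != (self.client_id, self.secret):
                return 401, {"error": "invalid_client"}
            return 200, {"access_token": f"tok.{tenant}.{data['client_id']}"}
        auth = (headers or {}).get("Authorization", "")
        if not auth.startswith("Bearer tok."):
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        _, tenant, app = auth.split(".", 2)
        if tenant != self.tenant:
            return 401, {"error": {"code": "InvalidAuthenticationTokenTenant"}}
        if app not in self.assigned:
            return 403, {"error": {"code": "AuthorizationFailed"}}
        return 200, {"value": [{"name": "rg-prod"}, {"name": "rg-test"}]}


if __name__ == "__main__":
    # Constructed IDs: the app is registered in tenant-a, the customer subscription lives in tenant-b.
    fake = FakeAzure("tenant-b", "app-1", "s3cret", {"app-1"})
    print(list_resource_groups(fake, "tenant-b", "app-1", "s3cret", "sub-1"))
```

Two things worth checking when this fails for real: the token must come from the customer tenant's endpoint (a token from your home tenant is rejected by ARM with InvalidAuthenticationTokenTenant even though the client_id and secret are correct), and the principalId in the role assignment must be the object ID of the enterprise application in the customer tenant, which differs from both the application (client) ID and the object ID of the service principal in your home tenant. The example uses Reader rather than Owner/Contributor because listing resource groups needs nothing more.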