How do I add a role assignment for my app on another Azure AD tenant that doesn't have my app registered, but has given consent to it?
Yes, you can.
When the app has been consented to in your other tenant, Azure will create an enterprise application for your app registration in that tenant; you can find it in Azure Active Directory -> Enterprise applications (search with All Applications).

To add the assignment for it, you just need to navigate to the Subscription in the portal -> Access control (IAM) -> add your Enterprise application (service principal) with a role, e.g. Owner/Contributor.

Then you can use the client credentials flow to get the access token for your service principal; the client_secret is the one in your first tenant. Then you can use the token to call the REST API in your question.
Update:
I do not recommend you use a User Account to get the access token, because when you enable MFA, you could not use UserCredential to get it. If you use Visual Studio, you could use AzureServiceTokenProvider to get the access token.

using Microsoft.Azure.Services.AppAuthentication;

var azureServiceTokenProvider = new AzureServiceTokenProvider();
// GetAccessTokenAsync returns Task<string>, so it must be awaited
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com");
BTW, I still suggest you use a service principal that already exists in the subscription to get the access token, so that you could use the flow you used before.

Hope it helps you.
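The flow the answer describes (client credentials against the consenting tenant's token endpoint using the app registration and secret from the first tenant, then a call to Azure Resource Manager in that subscription) as an added C# example; this is not code from the original answer. The tenant, client, secret and subscription values are placeholders you must supply, and the resource-group listing call is just a convenient way to prove the role assignment took effect.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not from the original answer. All values below are placeholders
// (assumptions): replace them with your own tenant, app and subscription ids.
class Program
{
    // Tenant B: where the subscription lives and where the enterprise application
    // (service principal) was created by consent and received the role assignment.
    const string TargetTenantId = "<tenant-B-id>";
    // App registration lives in tenant A; the client id and secret come from there.
    const string ClientId = "<app-client-id-from-tenant-A>";
    const string ClientSecret = "<client-secret-from-tenant-A>"; // load from a secret store in real code
    const string SubscriptionId = "<subscription-id-in-tenant-B>";

    static readonly HttpClient Http = new HttpClient();

    // Client credentials flow: the token endpoint is the *target* tenant's, the
    // credentials are the app registration's from the first tenant.
    static async Task<string> GetTokenAsync()
    {
        var tokenEndpoint = $"https://login.microsoftonline.com/{TargetTenantId}/oauth2/v2.0/token";
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = ClientId,
            ["client_secret"] = ClientSecret,
            ["scope"] = "https://management.azure.com/.default",
        });

        using var response = await Http.PostAsync(tokenEndpoint, form);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"Token request failed ({(int)response.StatusCode}): {body}");

        using var doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    static async Task Main()
    {
        string accessToken = await GetTokenAsync();

        // Call Azure Resource Manager in tenant B. This only succeeds once the
        // service principal holds a role on the subscription; Reader is enough for
        // this listing call, Contributor/Owner are only needed for write operations.
        var url = $"https://management.azure.com/subscriptions/{SubscriptionId}/resourceGroups?api-version=2021-04-01";
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using var response = await Http.SendAsync(request);
        var content = await response.Content.ReadAsStringAsync();
        Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
        Console.WriteLine(content);
    }
}
```

Two failure modes are worth recognising: a token error mentioning that the application was not found in the directory means the consent step in tenant B has not happened yet (there is no service principal to issue a token for), while a successful token followed by a 403 AuthorizationFailed from ARM means the service principal exists but the role assignment on the subscription is missing. Grant the narrowest role the app actually needs rather than Owner by default.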