0
votes

I would like to create a daemon app on Azure that would allow access to multiple personal Microsoft accounts (not in the same tenant). My idea: I create a multi-tenant app in my tenant. Each user who authorizes access to his personal account should give explicit consent.

I feel like it's possible when I read the docs, but I'm not able to do it. What I have done so far:

  1. Create a v2 multi-tenant app in Azure AD
  2. Give the app Graph API Files.Read.All and User.Read access under App permissions

Then I'm not sure how I should ask for the users' consent. And after that, how can I get a token for a particular user to have daemon access (without explicitly having to ask for his consent again)?

Thanks for the help!

1
This is an interesting question. The documentation did not explicitly say that you can't use app permissions with personal accounts, so those might work. You'll need to construct a login URL for your app, where they can consent to your permissions. You can use the "consumers" endpoint to only allow personal accounts. – juunas
App permissions would of course work differently for a personal account, since they are all in the same organisation technically. If app permissions don't work, you'll have to use delegated permissions + refresh tokens to run your background work. – juunas

1 Answer

1
votes

Even though it is not really clear from Microsoft's documentation (at first it seems possible), I have the impression that it's not possible: Daemon applications can work only in Azure AD tenants. It wouldn't make sense to build a daemon application that attempts to manipulate Microsoft personal accounts. If you're a line-of-business (LOB) app developer, you'll create your daemon app in your tenant. If you're an ISV, you might want to create a multitenant daemon application. Each tenant admin will need to provide consent. (https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/develop/scenario-daemon-overview)
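Since the answer says application permissions only apply to Azure AD tenants, the workable route for personal accounts is the one juunas describes in the comments: delegated permissions, one explicit consent per user on the "consumers" endpoint, and a refresh token for unattended use. The following is an added example (not code from the question, the answer, or Microsoft) that builds the consent URL, checks the callback for the anti-CSRF `state`, and prepares the refresh-token grant; the client ID and redirect URI are placeholders, and the HTTP calls are left to the caller.

```python
"""Consent-once, run-unattended flow for personal Microsoft accounts using the
OAuth 2.0 authorization code grant of the Microsoft identity platform v2.0.
Only URL/request construction and state checking happen here; post the returned
token request with your HTTP client of choice (e.g. requests.post(**req))."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders (assumed): substitute the values of your own app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://example.invalid/auth/callback"
# "consumers" restricts sign-in to personal Microsoft accounts only.
AUTHORITY = "https://login.microsoftonline.com/consumers"
# Delegated Graph scopes from the question. offline_access is what makes the
# token endpoint return a refresh token, so the daemon never re-prompts the user.
SCOPES = ["https://graph.microsoft.com/Files.Read.All",
          "https://graph.microsoft.com/User.Read", "offline_access"]


def build_consent_url(state=None):
    """Return (url, state). Send the user here once; keep state server-side."""
    state = state or secrets.token_urlsafe(24)
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "response_mode": "query",
              "scope": " ".join(SCOPES), "state": state, "prompt": "consent"}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Extract the authorization code; reject state mismatches (CSRF) and errors."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def refresh_token_request(refresh_token, client_secret):
    """URL and form body for the unattended refresh-token grant."""
    return {"url": f"{AUTHORITY}/oauth2/v2.0/token",
            "data": {"client_id": CLIENT_ID, "client_secret": client_secret,
                     "grant_type": "refresh_token",
                     "refresh_token": refresh_token, "scope": " ".join(SCOPES)}}


def needs_refresh(expires_on, now=None, skew=300):
    """True when a cached access token is expired or within `skew` seconds of it."""
    return (now if now is not None else time.time()) >= expires_on - skew
```

Store each user's refresh token encrypted at rest and keyed by the user's account ID; a refresh token is a long-lived credential for that user's data, so treat it like a secret and revoke it when the user withdraws consent.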