
General Overview of what I am trying to achieve

I am trying to build an Azure AD multitenant web application which allows me to manage resources in customer subscriptions/tenants using the Azure Resource Manager (ARM) APIs. I am pretty new to Azure AD multitenancy.

The ideal control flow

1. A customer browses the application (ideally an admin of the customer tenant)
2. Is sent through the Azure AD authorize flow
3. Accepts everything and grants admin consent for the AD app in their tenant
4. Unclear: The AD app is granted Contributor access on a subscription or resource
5. My web app is able to use the AD app credentials to manage the customer resources using the ARM APIs

Problem

Steps 1-3 and 5 are clear and I know how to build them.
Step 4: I am not sure how to build it so that this step happens automatically.

Solutions I have considered

The worst case would be that the customer AD admin must manually grant the AD app access to a subscription or resource using the Azure Portal.


1 Answer


One idea that came to my mind is to require the user_impersonation permission on the Azure Service Management API. After the user logs in, you could list the subscriptions available, allowing the user to select one, and then list the resource groups if needed.

Once the user confirms a selection, your app could add itself as a Contributor on the targeted resource through the Management API, on behalf of the currently signed-in user.

To do this, you will need the object id of the service principal for your app that was created in the target tenant. You can get it by acquiring an app-only token for, e.g., the Azure Management API from that tenant's token endpoint after the user has logged in. The token will contain an oid claim, which is the object id for the service principal.

Of course, the user who signs in would have to have the ability to modify access to the target resource.

I would say the downside of this approach is that the organization must trust your app to only do the thing it claims to do. The approach where they grant the access manually allows them to be in control fully.
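The procedure the answer describes, as an added example (not the answerer's code and not from any Microsoft SDK): read the `oid` claim out of the app-only token, then build the ARM role-assignment request that adds that service principal as Contributor on the scope the signed-in user picked. The Contributor role definition GUID is the built-in one and is identical in every tenant; the API versions, the `principalType` hint, and the sample token are assumptions made for this example. The sample JWT is constructed locally so the block runs offline; only the `__main__` section talks to management.azure.com, and it needs a real delegated token.

```python
"""Added example: self-grant Contributor to a multitenant app's service principal
through ARM, on behalf of the signed-in user. Not the poster's or answerer's code."""
import base64
import json
import uuid

ARM = "https://management.azure.com"
# Built-in Contributor role definition id; the same GUID in every Azure tenant.
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24f"
# Assumed API versions for this example.
ROLE_ASSIGNMENTS_API = "2022-04-01"
SUBSCRIPTIONS_API = "2020-01-01"


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def oid_from_token(jwt):
    """Return the oid claim of an access token the app acquired for itself.

    The token came straight from the tenant's token endpoint over TLS, so it is
    only parsed here, not signature-verified; verification is for tokens that
    are presented *to* your app, not ones it just received from Azure AD.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    oid = claims.get("oid")
    if not oid:
        raise ValueError("token carries no oid claim")
    return oid


def list_subscriptions_request():
    """GET that lists the subscriptions the delegated token can see."""
    return "GET", f"{ARM}/subscriptions?api-version={SUBSCRIPTIONS_API}"


def build_role_assignment_request(scope, principal_oid,
                                  role_id=CONTRIBUTOR_ROLE_ID, assignment_name=None):
    """PUT that assigns role_id to principal_oid at scope.

    scope is "/subscriptions/{id}" or "/subscriptions/{id}/resourceGroups/{rg}"
    and must be a value the user chose from list_subscriptions_request, never
    free text from the client, or the app could be steered to other scopes.
    """
    if not scope.startswith("/subscriptions/"):
        raise ValueError("scope must be a subscription or resource group path")
    uuid.UUID(principal_oid)  # fail early on garbage rather than on a 400 from ARM
    name = assignment_name or str(uuid.uuid4())  # assignment ids are client-chosen GUIDs
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{name}?api-version={ROLE_ASSIGNMENTS_API}")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
        "principalId": principal_oid,
        # Lets ARM skip the directory lookup, so a service principal that was
        # created at consent time and has not replicated yet is still accepted.
        "principalType": "ServicePrincipal",
    }}
    return "PUT", url, body


def make_sample_token(oid):
    """Constructed, unsigned token shaped like an app-only ARM token (offline sample)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"aud": "https://management.azure.com/", "oid": oid, "idtyp": "app"}
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    import urllib.request

    user_token = "<delegated user_impersonation token for management.azure.com>"
    app_token = "<app-only token for management.azure.com from the customer tenant>"
    sp_oid = oid_from_token(app_token)
    method, url, body = build_role_assignment_request("/subscriptions/<chosen-subscription-id>", sp_oid)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Authorization": f"Bearer {user_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # 201 Created on success
        print(resp.status, resp.read().decode())
```

The PUT runs under the user's delegated token, which is why the signed-in user must already hold Owner or User Access Administrator on the chosen scope; the app-only token is used only to learn the service principal's object id. Retry once after a short delay if ARM still answers that the principal was not found.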