0
votes

I've registered a multi-tenant application and am using app-only identity, but we have multiple tenants and we want to work with the data of different tenants (get users etc.). We have a web application through which a new tenant admin logs in for the first time and gives permission to our web application to access their data.

Now we want to get their users and so on, but the problem is: in our web API, where I configured appsettings.json, I have configured it for one tenant (where I registered the web app). We need to write general code which accepts different tenant ids, creates a GraphServiceClient for that tenant, and then I'll use graphServiceClient.Users to get that tenant's users.
How do I generalize this in my web API?

I'm able to get data of other tenants if I put in another tenant id and create a GraphServiceClient for their tenant, but then I have to hardcode the tenantId (and also make sure that the tenant admin allows the permissions). I need a generalized solution for that. (Also, we don't want to use delegated identity.)

1
Is it that you want to use the client certificate flow (docs.microsoft.com/en-us/azure/active-directory/develop/…) to call Microsoft Graph in your web API? - Jim Xu
Yes, I'm using the client credential flow. But new tenants will be registered through a web application and I want to register that tenant instance in my web API, i.e. create a GraphServiceClient for that tenant by providing their tenant id and my application's client id and client secret. I want a generalized design for that. - dev
Could you please tell me why you need the client certificate flow? Normally, in a multi-tenant application, we should use delegated identity. - Jim Xu
Because we need to manage the tenants' data ourselves; it's one of the requirements. It's needed in my scenario and delegated identity is not fulfilling the scenario I need. - dev
What do you mean by managing the tenants' data yourself? If you just use delegated identity, other tenant users also cannot manage your tenant data. - Jim Xu

1 Answer

1
votes

You need to use client credentials. In its simplest shape you must (mostly manually):

  1. Provision the multi-tenant app by creating a service principal in each of the target tenants, e.g.:
    New-AzureADServicePrincipal -AppId {multi tenant app id}
  2. Interactively, grant admin consent to the provisioned multi-tenant application in each tenant: https://login.microsoftonline.com/{target tenant id}/adminconsent?client_id={multi tenant app id}
  3. Create a client secret for each created service principal:
    New-AzureADServicePrincipalPasswordCredential -ObjectId {provisioned multi tenant app service principal object id} -CustomKeyIdentifier {identifier} -StartDate (Get-Date) -EndDate (Get-Date).AddDays(1) -Value {secret}

In the auth implementation, do something like this to get the tenant-specific token and pass it to the Graph client calls:

// One confidential client per target tenant: the authority carries that tenant's id
var app = ConfidentialClientApplicationBuilder.Create({multi tenant app id})
           .WithAuthority(AzureCloudInstance.AzurePublic, {target tenant id})
           .WithClientSecret({provisioned multi tenant app service principal secret})
           .Build();

// App-only token for Microsoft Graph; AcquireTokenForClient takes a collection of scopes
var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
                   .ExecuteAsync();

So basically, use the tenantId to locate the target tenant-specific details such as the client secret (or, again, client credential). That's pretty much it.
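The generalization the answer describes (look up the tenant's own details by tenantId, build a tenant-specific confidential client, feed its token to the Graph client), written out as an added example. This is not code from the answer or from Microsoft; it assumes Microsoft.Graph 5.x, Microsoft.Identity.Client (MSAL.NET) and Microsoft.Kiota.Abstractions, and the `TenantRegistration`, `ITenantRegistry`, `TenantGraphClientFactory` and `MsalClientCredentialTokenProvider` names are hypothetical. The registry stands in for wherever the onboarding web app stores each tenant's secret after admin consent; the point of the lookup is that the web API only ever builds a client for a tenant id it has actually onboarded, rather than for any value a caller sends.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Graph;                              // Microsoft.Graph 5.x (assumed)
using Microsoft.Identity.Client;                    // MSAL.NET
using Microsoft.Kiota.Abstractions.Authentication;  // IAccessTokenProvider, AllowedHostsValidator

// What the onboarding web app persists once a tenant admin has granted consent.
// Constructed for this example; the secret belongs in a secret store, not appsettings.json.
public sealed record TenantRegistration(string TenantId, string ClientSecret);

// Hypothetical lookup abstraction: null means the tenant never completed onboarding.
public interface ITenantRegistry
{
    TenantRegistration? Find(string tenantId);
}

public sealed class InMemoryTenantRegistry : ITenantRegistry
{
    private readonly Dictionary<string, TenantRegistration> _tenants =
        new(StringComparer.OrdinalIgnoreCase);

    public void Add(TenantRegistration registration) => _tenants[registration.TenantId] = registration;

    public TenantRegistration? Find(string tenantId) =>
        _tenants.TryGetValue(tenantId, out var r) ? r : null;
}

public sealed class TenantGraphClientFactory
{
    private static readonly string[] GraphScopes = { "https://graph.microsoft.com/.default" };
    private readonly string _clientId;          // the single multi-tenant app registration
    private readonly ITenantRegistry _registry;
    // One confidential client per tenant, so MSAL's token cache is also per tenant.
    private readonly ConcurrentDictionary<string, IConfidentialClientApplication> _apps = new();

    public TenantGraphClientFactory(string clientId, ITenantRegistry registry)
    {
        _clientId = clientId;
        _registry = registry;
    }

    // Normalizes an externally supplied tenant id. Accepting only a GUID means the value
    // can be used as the tenant segment of the authority URL without further checks.
    public static string NormalizeTenantId(string tenantId)
    {
        if (!Guid.TryParseExact(tenantId?.Trim(), "D", out var id))
            throw new ArgumentException("Tenant id must be a GUID.", nameof(tenantId));
        return id.ToString("D");
    }

    public GraphServiceClient CreateForTenant(string tenantId)
    {
        var key = NormalizeTenantId(tenantId);
        var registration = _registry.Find(key)
            ?? throw new InvalidOperationException($"Tenant {key} has not been onboarded.");

        var app = _apps.GetOrAdd(key, id => ConfidentialClientApplicationBuilder.Create(_clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, id)   // tenant-specific authority
            .WithClientSecret(registration.ClientSecret)
            .Build());

        var auth = new BaseBearerTokenAuthenticationProvider(
            new MsalClientCredentialTokenProvider(app, GraphScopes));
        return new GraphServiceClient(auth);
    }
}

// Adapts MSAL's client-credential flow to the token provider contract the Graph SDK expects.
internal sealed class MsalClientCredentialTokenProvider : IAccessTokenProvider
{
    private readonly IConfidentialClientApplication _app;
    private readonly string[] _scopes;

    public MsalClientCredentialTokenProvider(IConfidentialClientApplication app, string[] scopes)
    {
        _app = app;
        _scopes = scopes;
    }

    // Only attach the bearer token to requests bound for Microsoft Graph.
    public AllowedHostsValidator AllowedHostsValidator { get; } =
        new AllowedHostsValidator(new[] { "graph.microsoft.com" });

    public async Task<string> GetAuthorizationTokenAsync(
        Uri uri,
        Dictionary<string, object>? additionalAuthenticationContext = null,
        CancellationToken cancellationToken = default)
    {
        if (!AllowedHostsValidator.IsUrlHostValid(uri))
            return string.Empty;   // no token for an unexpected host

        // MSAL serves the cached token until near expiry, then refreshes with the tenant's secret.
        var result = await _app.AcquireTokenForClient(_scopes).ExecuteAsync(cancellationToken);
        return result.AccessToken;
    }
}

public static class TenantUsersExample
{
    // In the web API: the tenant id arrives with the request, but which tenants a caller may
    // act on is a separate authorization decision, assumed to be enforced before this point.
    public static async Task<int> CountUsersAsync(TenantGraphClientFactory factory, string tenantId)
    {
        var client = factory.CreateForTenant(tenantId);
        var page = await client.Users.GetAsync();   // Graph SDK v5 request for /users
        return page?.Value?.Count ?? 0;
    }
}
```

Wiring it into an ASP.NET web API would mean registering `TenantGraphClientFactory` as a singleton with the app's client id from configuration and an `ITenantRegistry` backed by the secret store the onboarding app writes to. Keeping one `IConfidentialClientApplication` per tenant (rather than one per request) is what makes MSAL's in-memory token cache useful here; creating a fresh builder on every call would request a new token from the tenant's authority each time.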