I wanted to confirm that the access token returned from the /{tenant}/oauth2/v2.0/token endpoint in the client credentials flow (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow) is only usable to fetch data from the tenant that's specified in the request - i.e. it cannot be used to make an API call against another tenant whose admin has installed the app?

Can you confirm that my understanding is correct? Thanks!

1 Answer


From the documentation on Azure AD, yes. The token you obtained against a specific tenant is only good enough to communicate with endpoints that are configured/permissioned for access by that tenant.

If you want a multi-tenant approach, you need to follow the multi-tenant application flow, which specifically mentions the /common endpoint.

From the documentation:

Update your code to send requests to /common

In a single tenant application, sign-in requests are sent to the tenant’s sign-in endpoint. For example, for contoso.onmicrosoft.com the endpoint would be: https://login.microsoftonline.com/contoso.onmicrosoft.com. Requests sent to a tenant’s endpoint can sign in users (or guests) in that tenant to applications in that tenant.

With a multi-tenant application, the application doesn’t know up front what tenant the user is from, so you can’t send requests to a tenant’s endpoint. Instead, requests are sent to an endpoint that multiplexes across all Azure AD tenants: https://login.microsoftonline.com/common
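As an added example (not part of the question or the answer above), the Python below builds the tenant-specific token endpoint and checks that a token's tid and iss claims name the tenant an API call is about to be made against, so a service holding tokens for several tenants never reuses one tenant's token for another. The tenant IDs and the token are constructed placeholders, and the claim parsing does no signature verification, which stays the job of the resource API.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_endpoint(tenant: str) -> str:
    """v2.0 token endpoint for a specific tenant (ID or verified domain).
    The client-credentials grant has no signed-in user to resolve a tenant
    from, so it is requested per tenant rather than via /common."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def token_claims(jwt: str) -> dict:
    """Payload claims of a compact JWT. No signature check is done here;
    this is only for inspecting tid/iss/aud before choosing which token to send."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_bound_to_tenant(jwt: str, expected_tid: str) -> bool:
    """True only if both tid and iss name expected_tid: the token was issued
    for that tenant and must not be used against another tenant's data."""
    claims = token_claims(jwt)
    expected_iss = f"https://login.microsoftonline.com/{expected_tid}/v2.0"
    return claims.get("tid") == expected_tid and claims.get("iss") == expected_iss


def make_sample_token(tid: str) -> str:
    """Constructed, unsigned token shaped like an Azure AD v2.0 app-only token."""
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "aud": "https://graph.microsoft.com",  # constructed example resource
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "roles": ["User.Read.All"],
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


CONTOSO_TID = "11111111-2222-3333-4444-555555555555"   # constructed placeholder
FABRIKAM_TID = "66666666-7777-8888-9999-000000000000"  # constructed placeholder

if __name__ == "__main__":
    tok = make_sample_token(CONTOSO_TID)
    print(token_endpoint(CONTOSO_TID))
    print(token_bound_to_tenant(tok, CONTOSO_TID))   # True
    print(token_bound_to_tenant(tok, FABRIKAM_TID))  # False
```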