
I have a back-end service that needs to read from and write into Azure AD. I was able to read and write using graph api by authenticating using tenant info, client id and secret key (these values come from Authentication Scenarios for Azure AD | Basics of Registering an Application in Azure AD).

Using the tenant info, client id and secret key for authentication means that end users need to register their tenants by manually specifying these values and I am trying to avoid this manual step of registration where users need to specify these values.

I have also looked at the multi-tenant application admin/user consent and its associated sample Integrating applications with azure active directory. However, the issue with the admin consent is that it enables all users in the directory to have access to the directory.

Is there any other way where I can provide a registration link of some sort, let the global admin user authenticate and consent for permission at which point some sort of an access or refresh token can be persisted for use by the back-end service?

simplicity

1 Answer


I have the reverse problem (see How to use Azure AD Graph API access for service principals?), but can answer your question. Daemon apps can run as either single tenant or multi-tenant, and use user/password authentication, so can be limited to the rights/roles for that user. I've tested this by using both client ID/secret and user/password using the same app for both - you just need to add the required permissions to the app for the user/password case (that doesn't seem to apply for SPs).

In my case, I'm using adal4j, but I'm sure you can adapt it as needed, e.g.:

import java.util.concurrent.*;        // ExecutorService, Executors, Future
import com.microsoft.aad.adal4j.*;    // AuthenticationContext, AuthenticationResult

final ExecutorService service = Executors.newFixedThreadPool(1);
final AuthenticationContext context = new AuthenticationContext(authority, true, service);
// username/password grant: the token is bounded by this user's directory rights/roles
final Future<AuthenticationResult> future = context.acquireToken("https://graph.windows.net", clientID, userName, decryptedPassword, null);
final AuthenticationResult result = future.get();

...
MushyMiddle
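An added example (not code from the answer or from adal4j itself) that combines the answer's user/password call with what the question asks for: the back-end keeps only a refresh token, not the account password, and redeems it whenever the cached access token is stale. `GraphTokenStore`, its method names and `<tenant-placeholder>` are assumptions, as is reliance on adal4j 1.x's `acquireTokenByRefreshToken(refreshToken, clientId, resource, callback)` overload.

```java
import java.util.Date;
import java.util.concurrent.*;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

public class GraphTokenStore {
    private static final String RESOURCE = "https://graph.windows.net";
    private final AuthenticationContext ctx;
    private final String clientId;
    private String refreshToken;   // persist this, encrypted at rest; never the password
    private String accessToken;
    private Date expiresOn;

    // authority is e.g. https://login.microsoftonline.com/<tenant-placeholder> (assumed value)
    public GraphTokenStore(String authority, String clientId) throws Exception {
        this.ctx = new AuthenticationContext(authority, true, Executors.newFixedThreadPool(1));
        this.clientId = clientId;
    }

    // One-time bootstrap with the service account's own credentials; the token can do
    // no more than that account's directory roles allow.
    public void bootstrap(String userName, char[] password) throws Exception {
        try {
            remember(ctx.acquireToken(RESOURCE, clientId, userName, new String(password), null).get());
        } finally {
            java.util.Arrays.fill(password, '\0'); // the password is not needed after this point
        }
    }

    // Returns a valid access token, redeeming the stored refresh token when the cached one
    // is within a minute of expiry. A failed redemption (revoked or expired refresh token)
    // surfaces as an exception: the caller must run bootstrap() again, not retry blindly.
    public String accessToken() throws Exception {
        if (accessToken != null && expiresOn.after(new Date(System.currentTimeMillis() + 60_000))) {
            return accessToken;
        }
        if (refreshToken == null) throw new IllegalStateException("no refresh token; run bootstrap()");
        remember(ctx.acquireTokenByRefreshToken(refreshToken, clientId, RESOURCE, null).get());
        return accessToken;
    }

    private void remember(AuthenticationResult r) {
        accessToken = r.getAccessToken();
        expiresOn = r.getExpiresOnDate();
        if (r.getRefreshToken() != null) refreshToken = r.getRefreshToken(); // tokens rotate on redemption
    }
}
```

Because every Graph call then runs under the bootstrap account's identity, that account's directory role is the effective permission boundary, which is the point the answer makes about limiting rights to the user.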