
So we developed an app, published it in our Azure AD (AAD), tested it, and it works as desired.

Now the next step is to make it available to users that are administered in their own AAD. It should be possible to federate with another AAD, right?

But how do we achieve that? All I can find is about directory integration with local AD servers...

I have watched this (and the subsequent) videos, and got the impression that it would have been possible (even a couple of years ago!)

All serious suggestions are welcome!

Peter Klein
  • The way you have asked the question is likely the reason you had issues finding answers. You don't want to federate multiple Azure AD tenants, you just want users from different tenants to be able to access your app, right? @Martyn C's answer points you in the right direction. – Philippe Signoret Nov 17 '16 at 10:39
  • @Philippe: you're right. Part of the problem with this issue is my confusion in terminology used through the years for the same concepts. This also holds for the article Martyn C links to. Again introduction of new concepts mixed up with well-known parts. E.g. from the four steps he mentions, I had undertaken the first three. For the first time now I get introduced to "admin consent". I will keep on studying though.... Pointing in the right direction helps, but does not bring me to the final solution as yet. – Peter Klein Nov 24 '16 at 10:26
  • Indeed, things change fast! (This is A Good Thing.) Have you looked at the documentation from the [Azure AD Developer Guide](https://learn.microsoft.com/en-us/azure/active-directory/active-directory-developers-guide)? The [Authentication Scenarios](https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios) and [Integrating Applications](https://learn.microsoft.com/en-us/azure/active-directory/active-directory-integrating-applications) articles both include details on consent and multi-tenant applications. – Philippe Signoret Nov 24 '16 at 11:50
  • @PhilippeSignoret I will study this and let you know my proceedings. Also see my comment on the other thread below – Peter Klein Nov 25 '16 at 19:19

2 Answers


You will need to make your application multi-tenant in your Azure AD. Microsoft have published a great guide on setting this up.

You need to perform four steps to get to where you need:

  1. Update your application registration to be multi-tenant
  2. Update your code to send requests to the /common endpoint
  3. Update your code to handle multiple issuer values
  4. Understand user and admin consent and make appropriate code changes
Martyn C
  • I will study the article, mainly the concept of admin consent, which I had not seen before. In my experience the changes in AAD and ADAL stumble over each other and new terminology is introduced time after time. It is really hard to filter the right stuff. If you would take the trouble to watch the videos I referred to, you will notice that it is presented as if available "off the bat" but the opposite is true unfortunately. Thanks for providing the link. – Peter Klein Nov 24 '16 at 10:31
  • @PeterKlein It would really help understand where you are having issues if you could update your question with the specific errors you are seeing, or the specific step you are having trouble completing. – Philippe Signoret Nov 24 '16 at 11:44
  • @Philippe Signoret It's not that I get any errors, but I don't see how I can pass this message: "no user exists with this username in a directory where you have access" after selecting to add a "user in another Microsoft Azure Active Directory". I guess there needs to be an admin with access rights to both AADs in order to do such thing, but it is not clear how to achieve that. – Peter Klein Nov 25 '16 at 19:16
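The four steps in the answer above, as an added Python example that is not part of the original post or of Microsoft's guide. It covers the code-side steps: step 2 (build the authorization request against the /common endpoint, with `prompt=admin_consent` for step 4) and step 3 (validate the issuer of a token that may come from any tenant). The Azure AD issuer formats (`https://sts.windows.net/{tid}/` for the v1 endpoint that ADAL uses, `https://login.microsoftonline.com/{tid}/v2.0` for v2) are real; the app ID, tenant IDs, redirect URI, user name and clock value are constructed. Signature verification is assumed to have been done already with the keys from the common discovery document; the sample tokens carry a placeholder signature segment for that reason.

```python
"""Added example: the checks a multi-tenant Azure AD app has to make once it
sends users to the /common endpoint. Not code from the original post."""
import base64
import json
import re
import time
from urllib.parse import urlencode

AUTHORITY_COMMON = "https://login.microsoftonline.com/common"
# Azure AD embeds the tenant ID in the issuer: the v1 endpoint (which ADAL
# uses) issues iss = https://sts.windows.net/{tid}/ ; the v2 endpoint issues
# https://login.microsoftonline.com/{tid}/v2.0. Either way the token's iss
# must be derived from its own tid claim, not compared against one fixed value.
ISSUER_FORMATS = (
    "https://sts.windows.net/{tid}/",
    "https://login.microsoftonline.com/{tid}/v2.0",
)
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
CLOCK_SKEW = 300  # seconds of tolerance on exp/nbf


def build_authorize_url(client_id, redirect_uri, state, admin_consent=False):
    """Steps 2 and 4: authorization request against /common. prompt=admin_consent
    lets a tenant admin consent once on behalf of every user in that tenant."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if admin_consent:
        params["prompt"] = "admin_consent"
    return AUTHORITY_COMMON + "/oauth2/authorize?" + urlencode(params)


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Payload claims of a compact JWT. Does NOT verify the signature; do that
    first with the keys published at /common/discovery/keys (same keys for
    every tenant), then call validate_multitenant_claims on the result."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]).decode("utf-8"))


def validate_multitenant_claims(claims, audience, allowed_tenants=None, now=None):
    """Step 3: accept a token from any tenant, but only if its issuer matches
    its own tid. Returns (True, tid) or (False, reason). allowed_tenants, when
    given, restricts the app to tenants you have chosen to onboard."""
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        return False, "aud mismatch"
    tid = claims.get("tid")
    if not isinstance(tid, str) or not GUID_RE.match(tid):
        return False, "missing or malformed tid"
    if claims.get("iss") not in {fmt.format(tid=tid) for fmt in ISSUER_FORMATS}:
        return False, "issuer does not match tid"
    if allowed_tenants is not None and tid not in allowed_tenants:
        return False, "tenant not onboarded"
    if claims.get("nbf", 0) > now + CLOCK_SKEW:
        return False, "token not yet valid"
    if claims.get("exp", 0) < now - CLOCK_SKEW:
        return False, "token expired"
    return True, tid


# Constructed sample data (hypothetical IDs, not real tenants or apps).
APP_ID = "00000000-0000-0000-0000-00000000abcd"
TENANT_A = "11111111-2222-3333-4444-555555555555"
TENANT_B = "66666666-7777-8888-9999-aaaaaaaaaaaa"
NOW = 1480000000  # fixed clock so the example is deterministic


def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_token(claims):
    """Build a demo JWT; the signature segment is a placeholder because
    signature checking is out of scope for this example."""
    return ".".join([_enc({"alg": "RS256", "typ": "JWT"}), _enc(claims), "sig"])


TOKEN_FROM_A = sample_token({
    "aud": APP_ID, "tid": TENANT_A, "iss": "https://sts.windows.net/%s/" % TENANT_A,
    "nbf": NOW - 60, "exp": NOW + 3600, "upn": "alice@tenant-a.example",
})
# iss names tenant A but tid says tenant B: must be rejected.
FORGED_ISS = sample_token({
    "aud": APP_ID, "tid": TENANT_B, "iss": "https://sts.windows.net/%s/" % TENANT_A,
    "nbf": NOW - 60, "exp": NOW + 3600,
})

if __name__ == "__main__":
    print(build_authorize_url(APP_ID, "https://app.example/signin-oidc", "xyz", admin_consent=True))
    print(validate_multitenant_claims(jwt_claims(TOKEN_FROM_A), APP_ID, now=NOW))
    print(validate_multitenant_claims(jwt_claims(FORGED_ISS), APP_ID, now=NOW))
```

The point of `allowed_tenants` is that "multi-tenant" does not have to mean "any tenant": a per-tenant allowlist, populated when an admin from that tenant has consented, is the usual way to keep a multi-tenant registration from becoming an open sign-in endpoint.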

It's also worth taking a look at Azure Active Directory B2B collaboration. It allows you to invite users from different Azure Active Directories.

Later on you can assign them to different roles/groups and, based on that, assign different rights (which you can later use to hide some content of your application).

Dawid Rutkowski
  • Dawid, thanks for this suggestion, but in one of the videos I quoted Vittorio suggests that uploading CSVs would be a bad practice. And I agree: the moment you upload the file, it may be superseded by a new situation. – Peter Klein Nov 24 '16 at 07:41
  • There is already new AzureAD B2B Invitation API! Take a look here: https://blogs.technet.microsoft.com/enterprisemobility/2016/10/31/azuread-b2b-invitation-api-is-now-in-public-preview/ – Dawid Rutkowski Nov 24 '16 at 07:43
  • Would it really be true that a concept that was introduced in the video of March 2014 is only available in a preview by October 2016??? What did companies do in the meantime to give access to users in other (3rd party) tenants? Is that by uploading CSVs? I'm still looking for the right (and stable!!) solution. – Peter Klein Nov 24 '16 at 10:37
  • Careful. Using Azure AD B2B to invite external users into your tenant is when you want to share your organization's resources with other users (e.g. files and sites on SharePoint, access to your instance of a given application, etc.). This is entirely different from building a multi-tenant application. – Philippe Signoret Nov 24 '16 at 11:42
  • @PhilippeSignoret:please take a look at my original case / question. I never brought up the B2B variant. I already have received a lot of tips and warnings what NOT to do. I'm just looking for what I SHOULD do. – Peter Klein Dec 05 '16 at 22:32