
We have a client that owns two separate Azure Cloud tenants: ACloud and BCloud.

ACloud contains their regular SaaS, and Azure AD users log in with userName@clientACloud.onmicrosoft.com. BCloud contains only IT/sysadmin users managing cloud PaaS resources, and users log in with userName@clientBCloud.onmicrosoft.com.

We have deployed an API to BCloud which requires Azure AD authentication. The API is being called from a mobile app written in React. There, users are presented with a login screen and must log in using username@clientBCloud.onmicrosoft.com. However, we want users to be able to log in using their normal userName@clientACloud.onmicrosoft.com.

Is there a way to configure the API in BCloud to use ACloud’s Azure AD for authentication to an API hosted in BCloud?

One resource from Microsoft recommended using the graph API. I think the graph API would allow the mobile app to authenticate the user’s ACloud account, but that SAML token won’t work against BCloud’s API. We are looking for some way that the API in BCloud can accept user tokens from ACloud, so I suspect there is some configuration we need to make in BCloud to trust ACloud’s Azure AD.

Thanks in advance!

  • To clarify your question, you have users with two different accounts, one in ACloud and one in BCloud. You want to be able to specify which account the user signs in with? Or are you trying to establish federation between ACloud and BCloud? Or are you just trying to build a multi-tenant application? – Shawn Tabrizi Aug 28 '18 at 18:23
  • You could invite them as guests to BCloud. Then they should be able to log in, assuming you use the tenant-specific authorization endpoint and not the common endpoint. – juunas Aug 28 '18 at 18:29
  • We want the users in ACloud to be able to log in using their ACloud username and password. I'm not sure whether we need federation for this. I looked into multi-tenant applications, but stopped when I read this: "Multi-tenant applications must be provisioned in each tenant where users need access" The ACloud is SaaS only and has no PaaS Azure subscription to support the PaaS API. This is why the API was deployed to BCloud which supports PaaS. We also do not want to add the ACloud users to BCloud, as they should not have access to BCloud except for this API endpoint. – Anthony Aug 28 '18 at 19:50
  • Considering what you want, the best is to establish federation between ACloud and BCloud. – SunnySun Aug 29 '18 at 08:56
  • I'm not sure where you read that line, but it is fairly misleading. A multi-tenant application _does_ get provisioned in each tenant, but this doesn't mean you register in each tenant. It simply means it allows users from multiple tenants to authenticate. The first time this happens a record for that application is generated automatically behind the scenes; the user has no idea it's happening. The only caveat would be if your app uses scopes that require Admin Consent. If so, they'll need to go through the Admin Consent flow once for each of the tenants. – Marc LaFleur Aug 30 '18 at 19:47
  • https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-plan-identity "If you choose Azure AD Public identities for your Azure Government application, you must register the application in your Azure AD Public tenant." However, I can't find any details on how to register a gov API in a commercial AAD. I've also heard multitenant apps are not supported in Azure Gov US, so looking for confirmation on that or an alternative approach. – Anthony Sep 11 '18 at 19:28

0 Answers
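The comments above converge on two configuration points: the mobile app should request tokens from a tenant-specific authorization endpoint rather than the common endpoint (juunas), and a multi-tenant registration lets Azure AD issue tokens for users of any tenant (Marc LaFleur). The consequence for the API in BCloud is that signature validation alone is not enough: because a multi-tenant app receives validly signed tokens from every Azure AD tenant, the API must also pin the issuing tenant to ACloud. The following is an added example, not code from the question or from Microsoft; the tenant IDs, application ID and claim sets are constructed placeholders, and it assumes the token's signature and expiry were already verified by a JWT library against the tenant's published signing keys.

```python
"""Tenant pinning for a multi-tenant Azure AD API (added example).

Assumes the JWT signature and expiry were already checked by a JWT library.
This layer answers a different question: is the *issuing tenant* one the
API trusts? All IDs below are constructed placeholders, not real tenants.
"""
import re
from typing import Iterable, Mapping, Optional
from urllib.parse import urlencode

# Constructed placeholder tenant and application IDs (hypothetical values).
ACLOUD_TENANT = "11111111-1111-1111-1111-111111111111"   # the SaaS tenant
BCLOUD_TENANT = "22222222-2222-2222-2222-222222222222"   # the PaaS tenant
API_APP_ID = "33333333-3333-3333-3333-333333333333"      # API's client ID
ALLOWED_TENANTS = {ACLOUD_TENANT}  # only ACloud users may reach this API

# Azure AD issuer formats: v1.0 tokens use sts.windows.net/{tid}/,
# v2.0 tokens use login.microsoftonline.com/{tid}/v2.0.
_ISSUER_PATTERNS = [
    re.compile(r"^https://sts\.windows\.net/(?P<tid>[0-9a-f-]{36})/$"),
    re.compile(r"^https://login\.microsoftonline\.com/(?P<tid>[0-9a-f-]{36})/v2\.0$"),
]


def tenant_from_issuer(iss: str) -> Optional[str]:
    """Extract the tenant ID from a recognised Azure AD issuer, else None."""
    for pattern in _ISSUER_PATTERNS:
        match = pattern.match(iss)
        if match:
            return match.group("tid")
    return None


def check_tenant(claims: Mapping[str, str], allowed: Iterable[str],
                 expected_audience: str) -> str:
    """Return the trusted tenant ID for verified claims, or raise ValueError.

    Order matters: audience first (token was minted for this API), then the
    issuer must be a real tenant issuer (never the literal '{tenantid}'
    template from the common metadata document), then tid/iss must agree,
    and finally the tenant must be on the allowlist.
    """
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch: token not issued for this API")
    issuer_tid = tenant_from_issuer(claims.get("iss", ""))
    if issuer_tid is None:
        raise ValueError("unrecognised issuer")
    tid_claim = claims.get("tid")
    if tid_claim is not None and tid_claim != issuer_tid:
        raise ValueError("tid claim does not match issuer")
    if issuer_tid not in set(allowed):
        raise ValueError("issuing tenant is not allowed to call this API")
    return issuer_tid


def authorize_url(tenant: str, client_id: str, redirect_uri: str,
                  scope: str) -> str:
    """Build the tenant-specific v2.0 authorize URL (not /common/)."""
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "scope": scope})
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{query}"


# Constructed sample claim sets (as a JWT library would return them).
SAMPLE_ACLOUD_CLAIMS = {
    "aud": API_APP_ID,
    "iss": f"https://login.microsoftonline.com/{ACLOUD_TENANT}/v2.0",
    "tid": ACLOUD_TENANT,
    "preferred_username": "userName@clientACloud.onmicrosoft.com",
}
SAMPLE_BCLOUD_CLAIMS = {  # validly signed, but not an allowed tenant
    "aud": API_APP_ID,
    "iss": f"https://sts.windows.net/{BCLOUD_TENANT}/",
    "tid": BCLOUD_TENANT,
}
SAMPLE_TEMPLATE_ISSUER_CLAIMS = {  # issuer never substituted: must reject
    "aud": API_APP_ID,
    "iss": "https://login.microsoftonline.com/{tenantid}/v2.0",
}


def demo() -> dict:
    """Run the checks over the constructed samples and report the outcome."""
    results = {}
    for name, claims in (("acloud", SAMPLE_ACLOUD_CLAIMS),
                         ("bcloud", SAMPLE_BCLOUD_CLAIMS),
                         ("template", SAMPLE_TEMPLATE_ISSUER_CLAIMS)):
        try:
            results[name] = check_tenant(claims, ALLOWED_TENANTS, API_APP_ID)
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
    print(authorize_url(ACLOUD_TENANT, API_APP_ID,
                        "myapp://auth", f"api://{API_APP_ID}/.default"))
```

The allowlist is what turns a multi-tenant registration into "only ACloud users": without it, a token from any Azure AD tenant that passes signature validation would be accepted. The `authorize_url` helper shows the client-side half, requesting tokens from ACloud's own endpoint so that sign-in is pinned to the same tenant the API trusts.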