
I have a "hub and spoke" model for a single ASP.NET Core website, and several "spoke APIs" that are located in N other AzureAD tenants.


... which calls API Apps located in other tenants ...


My goal is to have this "hub" website use incremental consent with external partners that align with the scenario: Protected AzureAD API calling another Protected API. The key difference in my situation is that the second API is located in another tenant, managed by another administrator whom I don't know. (should I beware of dragons? If so what are they?)

Since I need to use the On-Behalf-Of flow to access these external websites, the website becomes a trusted client. The AAD samples include only Desktop and SPA trusted client apps for this scenario (sample1, sample2).

Question

  1. Is this a supported scenario? (Tenants offering services to other Tenants)
  2. What is the preferred way to share API Scopes, Permissions, and other GUID/Identifiers?
  3. In the v2 Endpoint, are both Personal and AAD accounts supported?
  4. How would I translate Tenant GUIDs for scopes and other contents in the app Manifest into a display name?
  • This is supported. If you check your sample 2 link, the OBO is happening to a Web API that you don't own (MS Graph). I would recommend reading that sample `readme.md` so you can understand the concepts of **knownClientApplications** and **/.default scope**. – Tiago B Oct 18 '19 at 19:05
  • You should ask one question in one post. Your other questions are not clear; can you post a new one? – Tony Ju Oct 31 '19 at 09:47
  • Did you try this? https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis . It is possible to configure an external application id (client ID) to access a Web API across tenants. – Prashant Nov 01 '19 at 04:37

1 Answer

Is this a supported scenario? (Tenants offering services to other Tenants)

Yes, this is supported. If you have a web API in tenant A (web API A) and want to access a web API in tenant B (web API B must be a multi-tenant application), web API B must exist in tenant A under Enterprise applications (someone in tenant A has logged in to web API B).

In the v2 Endpoint, are both Personal and AAD accounts supported?

Yes, the v2 endpoint supports both Personal and AAD accounts.

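The following is an added example illustrating the scenario from the question and the answer above (the hub in tenant A exchanging a user's token for a token to a multi-tenant spoke API registered in tenant B via On-Behalf-Of). It is not code from the original post, from the answer, or from Microsoft's samples. It assumes MSAL.NET (`Microsoft.Identity.Client`) and `System.IdentityModel.Tokens.Jwt`, that the hub receives v2.0 access tokens (so `aud` is the hub's client ID) that the JwtBearer middleware has already signature-validated, and that the spoke's service principal already exists in tenant A (as the answer requires). The class `SpokeTokenBroker`, its methods `IsAcceptableAssertion` and `AcquireSpokeTokenAsync`, and all GUID values are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not from the original post. Hub = confidential client registered
// in tenant A; spoke = multi-tenant API registered in tenant B. GUIDs are placeholders.
public sealed class SpokeTokenBroker
{
    private readonly IConfidentialClientApplication _hub;
    private readonly string _hubClientId;
    private readonly HashSet<string> _allowedTenantIds;

    public SpokeTokenBroker(string hubClientId, string hubClientSecret,
                            string hubTenantId, IEnumerable<string> allowedTenantIds)
    {
        _hubClientId = hubClientId;
        // Allowlist of partner tenants that have been onboarded; any other tenant's
        // users can still sign in to a multi-tenant hub, so we refuse to broker for them.
        _allowedTenantIds = new HashSet<string>(allowedTenantIds, StringComparer.OrdinalIgnoreCase);
        _hub = ConfidentialClientApplicationBuilder
            .Create(hubClientId)
            .WithClientSecret(hubClientSecret)
            // Authority of the hub's own tenant: the OBO exchange happens where the
            // user signed in, and the spoke's service principal must exist there.
            .WithAuthority(AzureCloudInstance.AzurePublic, hubTenantId)
            .Build();
    }

    // Defensive checks on the inbound token before it is reused as an OBO assertion.
    // Signature, issuer and lifetime were already validated by the middleware; here
    // we only re-read claims to enforce audience and the partner-tenant allowlist.
    public bool IsAcceptableAssertion(string inboundAccessToken, out string reason)
    {
        JwtSecurityToken jwt = new JwtSecurityTokenHandler().ReadJwtToken(inboundAccessToken);
        string tid = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;

        if (!jwt.Audiences.Contains(_hubClientId))
        {
            reason = "token was not issued for the hub application";
            return false;
        }
        if (tid == null || !_allowedTenantIds.Contains(tid))
        {
            reason = $"tenant '{tid}' is not an onboarded partner";
            return false;
        }
        reason = null;
        return true;
    }

    // Exchange the user's hub token for a token to the spoke API.
    // "<app-id-uri>/.default" requests every permission already consented for the
    // hub on the spoke, so the hub never needs the spoke's individual scope GUIDs.
    public async Task<string> AcquireSpokeTokenAsync(string inboundAccessToken, string spokeAppIdUri)
    {
        if (!IsAcceptableAssertion(inboundAccessToken, out string why))
            throw new UnauthorizedAccessException(why);

        AuthenticationResult result = await _hub
            .AcquireTokenOnBehalfOf(new[] { $"{spokeAppIdUri}/.default" },
                                    new UserAssertion(inboundAccessToken))
            .ExecuteAsync();
        return result.AccessToken;
    }
}

// Placeholder wiring (all values hypothetical):
//   var broker = new SpokeTokenBroker(
//       hubClientId: "00000000-0000-0000-0000-00000000hub0",
//       hubClientSecret: "<hub secret from a key vault>",
//       hubTenantId: "00000000-0000-0000-0000-0000tenant-a",
//       allowedTenantIds: new[] { "00000000-0000-0000-0000-0000tenant-a" });
//   string spokeToken = await broker.AcquireSpokeTokenAsync(
//       inboundUserToken, "api://00000000-0000-0000-0000-000000spoke0");
```

Two points a practitioner will run into with this layout. First, for the combined consent that the comment above mentions, the spoke API's app manifest must list the hub's client ID under `knownClientApplications`; without it the `/.default` request for the spoke will fail until an administrator of the partner tenant consents separately. Second, when that consent is missing, `AcquireTokenOnBehalfOf` throws `MsalUiRequiredException`, which the hub cannot resolve itself (there is no interactive user at that point); surfacing the exception's message to the operator, rather than retrying, is the correct handling.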