I am using Azure Graph API Explorer. I want to query the apps list in a tenant. I am a user in tenant_x (where my user was originally created) as well as an admin in tenant_y (created later with my user). I understand that when I log in I go directly into the origin tenant (so tenant_x), therefore Graph Explorer does not allow me to query tenant_y. So as admin of tenant_y I have added a new user in tenant_y. I log in now with that user, but I am still not able to query the applications that are in tenant_y. So how can I query apps in tenant_y? Is there a way? Thanks.

The API I am calling (with the new user's login) to first retrieve all applications:

https://graph.microsoft.com/beta/applications

Response is:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
    "value": []
}

Of course I have apps in that tenant.

Leniel Maccaferri
toto'
  • Please add the details of your request to query the apps list in a tenant_y with the new user created in tenant_y, including the response. – Allen Wu Mar 31 '20 at 01:06
  • Based on your response, it successfully returns an empty result because there are no Azure AD applications in your tenant_y. Please check the applications list on Azure Portal: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps to see if you have any applications. – Allen Wu Mar 31 '20 at 08:37
  • For sure there are applications. I have 3 apps. – toto' Mar 31 '20 at 08:41
  • Is your new user added in tenant_y a guest user? If it's a personal account, the result will be empty because Microsoft Graph Explorer will treat it as personal account rather than a guest user in tenant_y. Please share more details about the new user. Is it invited into tenant_y? Maybe you could provide the user name. – Allen Wu Apr 01 '20 at 02:32
  • I have created a new gmail.com user account for me and added it as a guest in the tenant. Is this treated as personal? Then how can I have a real guest? – toto' Apr 01 '20 at 08:00
  • Yes, your guest user is treated as personal by Microsoft Graph Explorer. You have to use a guest user to query the apps list? Why not use a user under tenant_y to query the apps list? Just create (not invite) a user in tenant_y. – Allen Wu Apr 01 '20 at 08:02
  • OK, I did it. Now I get an error when I call this API: https://graph.microsoft.com/beta/applications, { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "request-id": "4b580be2-03ce-4ff7-98c2-fd7b33a9764f", "date": "2020-04-01T09:55:45" } } } Strange, since I gave the user the Global Reader role. – toto' Apr 01 '20 at 09:56
  • The new user you just created doesn't have enough permission. Based on https://learn.microsoft.com/en-us/graph/api/application-list?view=graph-rest-beta&tabs=http#permissions, it requires delegated permissions: `Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All`. So you need to give it one of the permissions listed, like this: https://i.stack.imgur.com/Jt9Iz.png. – Allen Wu Apr 01 '20 at 12:08
  • Wonderful, I can finally see it! Thanks a lot. – toto' Apr 01 '20 at 13:26

3 Answers

Today that's possible if you pass the tenant query string parameter like this:

https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com

Note that you need to log out before going to this URL with the tenant query string. It'll ask you to log in again. After login you can issue queries against the other tenant you have access to (not your home tenant, where your account was originally created).

If you get a 401 while running the specific query, make sure you grant the required permissions on the "Modify permissions" tab and click the Consent button for each required permission. After that your query should return a 200 success result.

Leniel Maccaferri
Based on our communication, you have used a personal account as guest of tenant_y to query the apps list in tenant_y.

Unfortunately, Microsoft Graph Explorer will not recognize your personal account as a guest user. It will still treat it as a personal account.

So it will query the apps list for the personal account rather than tenant_y.

So now you have two choices:

  • Create a new user in tenant_y by following add a new user and then use this new user to log into Microsoft Graph Explorer to query the apps list.
  • Implement Get access on behalf of a user and make sure that you call the {your tenant} endpoint rather than the common endpoint while requesting the access token. And you should use another tool (for example Postman) instead of Microsoft Graph Explorer.

Update:

You can modify the permissions in Microsoft Graph Explorer like this:

Click on "Modify permissions" under your username in Microsoft Graph Explorer and check the Directory.Read.All permission.

Allen Wu
Graph Explorer today does not support signing in to the tenanted endpoint. A tenanted endpoint has the following format:

https://login.microsoftonline.com/{tenantId}/V2.0

Once your user account from tenant_x is made a guest user in tenant_y, to effectively query tenant_y using your guest user account, an app (like Graph Explorer) has to sign you into the other tenant. Instead, Graph Explorer uses the /common endpoint, which will always sign you into your home tenant (tenant_x).

The only available workaround is to quickly develop an application, sign in to a tenant of your choice and run APIs in it.

Graph Explorer is a tool to help developers discover and learn about the Graph API and thus might shy away from introducing too much complexity. But it does not hurt to ask for this feature at their GitHub repo.

Kalyan Krishna
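The "call {your tenant} instead of common" option from Allen Wu's answer and the tenanted endpoint Kalyan Krishna describes, as an added example that is not code from either answer: a standard-library Python script that runs the OAuth 2.0 device-code flow against login.microsoftonline.com/{tenant} (never /common), calls GET /applications with the resulting delegated token, and classifies the response into the outcomes seen in the comment thread (empty list, Authorization_RequestDenied). TENANT and CLIENT_ID are placeholder assumptions for your own tenant domain and a public-client app registration in that tenant with delegated Directory.Read.All consented; it uses the v1.0 endpoint rather than the beta one from the question.

```python
import json, time, urllib.error, urllib.parse, urllib.request

TENANT = "tenant_y.onmicrosoft.com"                 # placeholder: tenant id or verified domain
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: public-client app in tenant_y
GRAPH_APPS = "https://graph.microsoft.com/v1.0/applications"

def authority(tenant: str) -> str:
    # Tenanted v2.0 authority: /common would sign a guest into the home tenant instead.
    if tenant.lower() in ("common", "organizations", "consumers"):
        raise ValueError("use a tenant id or domain, not the alias " + tenant)
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0"

def post_form(url: str, fields: dict) -> dict:
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as r:
        return json.load(r)

def get_token(tenant: str, client_id: str) -> str:
    # Device-code flow: the user signs in to tenant_y in a browser while we poll for the token.
    base = authority(tenant)
    dc = post_form(f"{base}/devicecode", {"client_id": client_id, "scope": "Directory.Read.All"})
    print(dc["message"])
    while True:
        time.sleep(dc.get("interval", 5))
        try:
            return post_form(f"{base}/token", {"grant_type": "urn:ietf:params:oauth:grant-type:device_code",
                                               "client_id": client_id, "device_code": dc["device_code"]})["access_token"]
        except urllib.error.HTTPError as e:
            if json.load(e).get("error") != "authorization_pending":
                raise

def list_apps(token: str):
    # GET /applications with the delegated token; returns (HTTP status, parsed body) even on errors.
    req = urllib.request.Request(GRAPH_APPS, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:
        return e.code, json.load(e)

def diagnose(status: int, body: dict) -> str:
    # Map the Graph response to the causes discussed in the thread.
    if status == 200:
        return "ok" if body.get("value") else "empty: token issued for another tenant or a personal account"
    if status == 403 and body.get("error", {}).get("code") == "Authorization_RequestDenied":
        return "missing delegated Directory.Read.All consent"
    return f"unexpected HTTP {status}"

if __name__ == "__main__":
    status, body = list_apps(get_token(TENANT, CLIENT_ID))
    print(diagnose(status, body), [a.get("displayName") for a in body.get("value", [])])
```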